Privacy Policy

Last updated: 31 May 2026

Marlaio is operated by KEI HOLDINGS LIMITED (NZ), trading as Marlaio (“we”, “us”). This policy explains what personal information we collect, how we use it, and your rights under the New Zealand Privacy Act 2020 and Australian Privacy Act 1988.

What we collect

• Account data: your email address (required for sign-in via magic link).
• Business data you provide: the Google Place ID of your business, your website URL, the marketing intent and inventory details you type in (offer text, prices, dates, etc.).
• Public business data we fetch on your behalf: Google Places API public details (address, hours, ratings, reviews, types) and your public website’s HTML text.
• Generated content: the social posts, emails, and ads Marlaio creates for you, along with the AI compliance check results.
• Payment data: card numbers and bank details are collected and stored by Stripe, not by us. We only receive a Stripe customer ID and subscription state.
• Usage data: cookies (session, UTM attribution), aggregated event counts (signups, generations) — never the prompt content or any identifying customer data — and AI API usage (token counts, cost) for billing and product analytics.

Information about third parties (IPP 3A)

Where the public data we fetch on your behalf (Google Places reviews, your website’s HTML) contains personal information about third parties — for example, staff names on your About page, or names of reviewers visible on your Google Business Profile — we treat that data as sourced from publicly available information. We do not enrich it, contact those individuals, or feed it into AI training. We rely on the “publicly available information” exception in IPP 3A of the New Zealand Privacy Act 2020 (in force 1 May 2026). If you are a third party who appears in this data and would like it removed, please use our takedown request form. We respond to takedown requests within 24 hours of receipt (Monday-Friday NZST; weekend requests answered the next business day).

How we use it

• To run the generation pipeline (feed enrichment + intent specifics into AI models).
• To bill you and process refunds (via Stripe).
• To improve compliance heuristics (anonymised aggregate, not individual content).
• To send transactional emails (sign-in links, receipts, account changes).
• To detect abuse (rate limiting, blocking spam).

Who we share data with

We use the following third-party processors:

• Supabase (database + auth) — hosted in Sydney, AU on ISO/IEC 27001-certified infrastructure
• Stripe (payments + subscription billing + tax) — under their Data Processing Agreement
• Resend (email delivery) — for sign-in and transactional email
• Google Places API (your business’s public data only, never private)
• OpenRouter, Anthropic, OpenAI (AI generation and compliance check). For routine traffic we use zero-retention API tiers where available, meaning the AI provider does not store the prompt and does not train on it. When we fall back to direct providers, prompts may be retained by the provider for up to 30 days for abuse-monitoring purposes (Anthropic / OpenAI default) but are not used for training.
• Sentry (error tracking) — error context only, no full request bodies.
• Langfuse (AI quality observability) — AI prompt / response traces for our internal compliance audit. Retained 90 days, then automatically purged.
• Vercel (web hosting)

We do not sell your data. We do not share data with advertisers, brokers, or analytics resellers.

Where your data lives

Primary database is hosted in Sydney, AU. Some processors (Stripe, OpenAI, Anthropic, Resend, Vercel, Sentry, Langfuse) are based in the United States. We disclose data to these processors only under written contracts requiring them to protect your personal information to a standard comparable to the NZ Privacy Act 2020 (IPP 12) and the Australian Privacy Principles (APP 8). We also use AI providers on their zero-retention API tiers wherever available.

Marlaio is built for AU and NZ small businesses and does not target customers in the EU, UK, or US. If you sign up from one of those regions, we still apply the same NZ Privacy Act 2020 / AU Privacy Act 1988 protections to your data, and your local data rights (e.g., GDPR Article 15 access) can be exercised by using our contact form. We do not have an EU representative under GDPR Article 27 because we are not targeting EU customers.

Automated decisions (AU APP 1.7)

Marlaio uses an automated compliance system that may refuse to generate marketing drafts when your inputs lack support for the specific claim (e.g., a “limited to 5” headline with no quantity in your inventory specifics). The decision is automated and applies only to draft generation — it never affects your account, billing, subscription rights, or any other access to the service. If you believe a refusal was incorrect, you can request human review via our contact form. This disclosure satisfies Australian Privacy Principle 1.7 (effective 10 December 2026).

Data security and breach notification

We follow reasonable-security obligations under IPP 5 of the NZ Privacy Act 2020 and APP 11 of the AU Privacy Act 1988 (encryption in transit, RLS-enforced database access, hard credit ledger, no card data ever touches our servers). Our data layer runs on Supabase, whose infrastructure is ISO/IEC 27001 certified — the internationally recognised standard for information security management.

If we discover a notifiable privacy breach — one likely to cause serious harm — we will notify affected individuals and the relevant Privacy Commissioner as soon as practicable. The NZ Privacy Commissioner expects notification within 72 hours of our becoming aware of a notifiable breach. We will tell you what was accessed, what we are doing, and what (if anything) you should do.

How long we keep it

• Account + subscription data: while your account is active, plus 7 years after closure (NZ tax law).
• Generated content: until you delete it or close your account.
• Compliance check logs: 36 months (to support internal audit of compliance heuristics and to enable a defence under s 43A Fair Trading Act 1986).
• Langfuse AI quality traces: 90 days then auto-purged.
• Aggregated usage metrics: indefinitely (no longer linkable to you).

Your rights

• Access a copy of your data — sign in and click Download my data (JSON) on your account page (one-click export, no email required).
• Correct inaccurate data — most fields you can edit in-app.
• Delete your account and associated data — email us; we’ll comply within 30 days (except where retention is legally required).
• Object to processing — though this may mean we can’t provide the service.
• Complain to the NZ Privacy Commissioner or the OAIC (AU).

Marlaio’s own emails

We send transactional emails (sign-in links, receipts, account changes) automatically — these are necessary to operate your subscription and are not marketing under the NZ Unsolicited Electronic Messages Act 2007 or the Australian Spam Act 2003.

We send product-update or marketing emails (weekly briefs, reactivation reminders, occasional product news) only with your express consent given at signup. Every such email:

• Identifies KEI HOLDINGS LIMITED (NZ) as the sender.
• Includes a one-click unsubscribe link in the footer.
• Honours unsubscribe requests within 2 business days (faster than the 5-business-day cap under the AU Spam Act 2003).
• Can also be turned off from your account page.

We never send marketing on your behalf — Marlaio generates drafts that you approve and send yourself.

Cookies

We use essential cookies (sign-in session) and one analytics cookie (_marlaio_utm, 30-day expiry) to attribute signups to marketing channels. We do not use third-party advertising or tracking cookies.

Contact

For privacy questions, use our contact form. We read every submission and reply within 48 hours (Monday-Friday NZST).