Privacy Policy

Last updated: May 12, 2026

1. What this policy covers

This Privacy Policy describes how Markspot ("we", "us", or "our") collects, uses, and protects personal data when you create an account, upload content, publish shoppable image embeds, or otherwise interact with the service at markspot.app and any associated APIs. It does not cover third-party sites that display our embed widget — those sites have their own privacy practices.

2. Information we collect

We collect information in three ways:

  • Information you provide directly — your email address and name when you register; images, product hotspot data, and project structure you upload; messages you send us via contact forms or support requests.
  • Information generated by your use — impression and click counts on published embeds; audit log entries for security-relevant actions (plan changes, ownership transfers, publish events); rate-limit telemetry keyed on your user ID; browser type and approximate timezone collected during authentication.
  • Information from third parties — if you sign in via a third-party identity provider, we receive a stable identifier and email address from that provider. Stripe shares a customer identifier and subscription state with us when you subscribe or update billing details; we do not receive or store full card numbers.

Free-tier images are stored only in your browser's IndexedDB and never transmitted to our servers unless you upgrade to a paid plan. No image data leaves your device on the free tier.

3. How we use information

We use the information we collect to:

  • Create and maintain your account and organisation.
  • Serve and render your published embed widgets to visitors on third-party sites.
  • Enforce subscription plan limits and rate limits.
  • Process payments and manage your billing relationship via Stripe.
  • Send transactional emails (account activation, billing events, org lifecycle notices) via Resend.
  • Detect and prevent fraud, abuse, and security incidents.
  • Provide customer support and respond to your enquiries.
  • Improve the product — understanding which features are used and where errors occur.

We do not sell personal data. We do not use your content to train machine-learning models.

4. How we share information

We share personal data only in the following circumstances:

  • Subprocessors — we use Supabase (database, authentication, file storage), Stripe (payment processing), Resend (transactional email), and Vercel (hosting and edge delivery). Each is contractually bound to process data only as directed by us.
  • Your organisation members — admins and editors in your organisation can see project names, image metadata, and publish status. They cannot access billing details unless they hold the Owner role.
  • Public embeds — when you publish an image, the embed endpoint is publicly accessible by design. Anyone with the embed ID can request the hotspot data needed to render the widget.
  • Legal obligations — we may disclose data if required by law, court order, or to protect the rights, property, or safety of Markspot, our users, or the public.
  • Business transfers — if Markspot is acquired or merges, user data may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy.

5. Cookies & local storage

We use the following browser storage mechanisms:

  • Authentication cookies — first-party, HttpOnly cookies that store your session token. They are required to keep you signed in. These are set by our authentication layer (Supabase Auth) and expire when you sign out or when the session lifetime ends.
  • IndexedDB (free tier only) — if you use the free tier, your uploaded images are stored in your browser's IndexedDB under the database name cachedImagesDB. This data never leaves your device and is not accessible to us. Clearing site data in your browser will remove it.
  • Local preferences — small localStorage entries may be written to remember UI preferences such as billing cycle toggle state or sidebar collapse state.

We do not use third-party advertising cookies or cross-site tracking pixels.

6. Retention & deletion

We retain data for as long as your account is active or as needed to provide the service:

  • Active accounts — account data, images, and embed records are retained while your organisation is active.
  • Payment failure — if a payment fails, your organisation is paused. Paused organisations and their data are retained for 30 days, after which the organisation is queued for deletion.
  • Deletion queue — organisations in the deletion queue are permanently deleted (including all images and storage files) after 60 additional days. This process is irreversible.
  • Audit logs — security-relevant audit records are retained for up to 12 months for fraud detection and legal compliance purposes.
  • Account deletion — you may delete your account from your profile page at any time. This initiates immediate deletion of your personal data, subject to the retention periods above.

7. Your rights

Depending on your country or region, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate or incomplete data.
  • Deletion — request erasure of your personal data (subject to retention obligations above).
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.

You can exercise many of these rights directly from your account (profile page, billing page). For requests we cannot fulfil in-app, contact us using the details in Section 12. We will respond within 30 days. If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority.

8. Security

We apply industry-standard security measures: TLS encryption for all data in transit; encryption at rest for database records and stored files via Supabase and Vercel infrastructure; row-level access controls enforced at the database layer; application-level ownership checks on every mutation endpoint; and audit logging for security-relevant actions. Access to production infrastructure is restricted to authorised personnel only.

No system is perfectly secure. If you discover a potential vulnerability, please report it responsibly via our contact page before public disclosure. We take security reports seriously and will respond promptly.

9. Children

Markspot is not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under the applicable minimum age, we will delete it promptly. If you believe we have collected such data, please contact us immediately.

10. International transfers

Markspot's infrastructure is operated by Supabase and Vercel, whose servers are located in multiple regions including the United States and European Union. By using Markspot, you acknowledge that your data may be transferred to and processed in countries other than your own, which may have different data protection laws.

Where transfers of personal data from the EEA, UK, or Switzerland to third countries occur, we rely on appropriate safeguards, including Standard Contractual Clauses with our subprocessors or the subprocessor's own adequacy mechanism. You can request details of the safeguards we use by contacting us.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active account holders in-app or by email at least 14 days before the changes take effect. Continued use of Markspot after the effective date of a change constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions, requests to exercise your rights, or to report a concern, please reach us via the contact page. We aim to respond to all privacy enquiries within 30 days.