Privacy Policy
This Privacy Policy explains how Marcus Intelligence collects, uses, and protects your personal data when you use our Service. We comply with India’s Digital Personal Data Protection (DPDP) Act 2023 and applicable international data protection standards.
Contents
1. Introduction
Marcus Intelligence (“we”, “us”, “our”) operates the AI-powered test automation platform available at marcusai.in (“Service”). We are based in India and this policy is drafted in compliance with the Digital Personal Data Protection (DPDP) Act, 2023.
By using the Service, you consent to the collection and use of your data as described in this policy. If you do not agree, please do not use the Service.
2. Data We Collect
We collect the following categories of data:
Account Data
- Email address (required for all accounts)
- Name (optional, from Google OAuth profile if you sign in with Google)
- Password hash (stored by Supabase Auth; we never see your plaintext password)
- Google OAuth profile picture URL (if you sign in with Google)
Usage Data
- URLs you submit for scraping or testing
- BRD / requirements documents you upload
- AI-generated test cases
- Test execution results (pass/fail verdicts and reasons)
- Run history and analytics within your plan’s retention period
Billing Data
- Plan tier and subscription status (stored by us)
- Payment card data is processed exclusively by Razorpay and is never stored by Marcus Intelligence
Log & Technical Data
- IP addresses, request timestamps, HTTP status codes
- Browser type and operating system (from HTTP headers)
- Error stack traces (sent to Sentry for debugging)
- Log data is retained for up to 30 days
Cookies
We use one session cookie issued by Supabase Auth to maintain your login session. We do not use advertising, analytics, or third-party tracking cookies.
3. How We Use Your Data
We use your data solely for the following purposes:
- Authenticating you and maintaining your session
- Generating AI test cases from the URLs and BRD documents you provide
- Executing tests in a real browser and storing results in your account
- Calculating usage against your plan limits
- Processing payments via Razorpay
- Sending transactional emails (email verification, password reset, billing receipts)
- Monitoring service health and fixing errors (via Sentry)
- Improving the Service (in aggregate, de-identified form only)
We do not:
- Sell your personal data to any third party
- Use your data for advertising or behavioural profiling
- Share your data with third parties except as described in Section 7 (Sub-Processors)
4. AI Processing Disclosure
Important: Your content is sent to OpenAI.
When you generate test cases, the URLs you submit and the content of any BRD documents you upload are sent to OpenAI’s API for processing. This is necessary to generate relevant test cases.
Please do not upload BRD documents or submit URLs containing:
- Personally identifiable information (PII) of third parties
- Financial data, health records, or other sensitive personal data
- Trade secrets or confidential business information beyond what is necessary
- Data whose transfer to a US-based AI provider is restricted by contract or regulation
OpenAI’s handling of API data is governed by OpenAI’s Privacy Policy and their API data usage policies (API data is not used to train OpenAI models by default as of their current policy).
5. Data Storage & Security
Your data is stored in a Supabase PostgreSQL database hosted on Amazon Web Services (AWS). We apply the following security measures:
- Row-Level Security (RLS): Database policies ensure each organisation can only read and write its own data. Cross-organisation data access is not possible at the database level.
- Encryption in transit: All data transferred between your browser, our servers, and Supabase uses TLS 1.2 or higher.
- Encryption at rest: Supabase encrypts stored data at rest using AES-256.
- Access controls: Employee access to production data is restricted to the minimum necessary for service operations and support.
- Login credentials for deep crawl: If you provide website login credentials for deep crawl, they are used in-memory during the crawl session only and are never stored in our database or logs.
Despite these measures, no system is perfectly secure. We cannot guarantee absolute security of data transmitted over the internet. Please notify us immediately at privacy@marcusai.in if you believe your data has been compromised.
6. Data Retention
We retain different types of data for different periods:
| Data Type | Retention Period |
|---|---|
| Test history (Free plan) | 7 days |
| Test history (Standard plan) | 30 days |
| Test history (Team plan) | 90 days |
| Test history (Enterprise plan) | Configurable |
| Server logs | 30 days |
| Account data | Until account deletion |
| Data after account deletion | Removed within 30 days |
You can delete your account at any time from Settings → Account. This permanently removes your profile, organisation, and all associated data within 30 days. Some data may be retained longer if required by law or for legitimate business purposes (e.g., billing records).
7. Sub-Processors
We share your data with the following sub-processors as necessary to operate the Service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | USA (AWS) |
| OpenAI | AI test case generation | USA |
| Razorpay | Payment processing | India |
| Sentry | Error monitoring | USA |
| Vercel | Frontend hosting & edge network | USA / Global |
We will update this list if we add or change sub-processors and notify you of material changes.
8. Your Rights
Under India’s Digital Personal Data Protection (DPDP) Act 2023 and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data (subject to legal retention obligations).
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing of your data where we rely on legitimate interests.
- Grievance: Raise a grievance with us before escalating to the Data Protection Board of India (once established).
To exercise any of these rights, email privacy@marcusai.in. We will respond within 30 days. Some requests may require identity verification before we can act on them.
9. International Data Transfers
Your data may be processed outside India (primarily in the United States by OpenAI, Sentry, Supabase, and Vercel). By using the Service, you consent to such transfers.
Where required, we rely on contractual safeguards (data processing agreements with sub-processors) to ensure your data receives an adequate level of protection when processed outside India.
10. Children
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact privacy@marcusai.in and we will delete it promptly.
12. Changes & Contact
We may update this Privacy Policy from time to time to reflect changes in the Service or applicable law. We will notify you of material changes via email or in-app notice at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance.
For privacy questions, data requests, or complaints: privacy@marcusai.in