Markloop — Privacy Policy
Last updated: 18 June 2026
Friendly summary (not part of the legal text): This Policy explains what personal data we collect when you use Markloop, why we use it, who we share it with, and the rights you have. It covers the data we are responsible for — your account, billing, the people you invite, and basic usage data. It does not cover the personal data you put inside your own documents and feedback: that stays under your control, and how we handle it for you is set out in our Terms of Service (§15). Short version: we collect the minimum we need to run the Service, we don't sell your data, and we never use your documents to train AI.
1. Who is responsible for your data
The controller of the personal data described in this Policy is:
Marcin Perłak, sole proprietor trading as Marcin Perłak Mroomy
ul. Zamknięta 10 lok. 1.5, 30‑554 Kraków, Poland
NIP: 2220668250 · REGON: 241547654
Email: hi@markloop.io
If you ever have a question about your data, that email reaches a real person. We have not appointed a Data Protection Officer (we are not legally required to), so privacy questions go to the same address.
2. What this Policy does and does not cover
- It covers the personal data we collect and use as a controller — to create and run your account, take payment, invite Reviewers, provide support, keep the Service secure, and understand how the website is used.
- It does not cover the personal data inside your Content (your documents and the feedback on them). For that data you are the controller and we act as your processor; the rules are in our Terms of Service (§15 and §15.1, our built‑in data processing agreement).
3. What we collect, why, and our legal basis
| Data | What it includes | Why we use it | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account data | Name, email, password (stored hashed), workspace and team‑member details | Create and run your account, let you log in, provide the Service | Performance of a contract — Art. 6(1)(b) |
| Billing data | Billing name, address, plan, transaction history, the last digits/brand of your card (full card data is held by Stripe, not us) | Take payment, manage your subscription, issue invoices | Contract — Art. 6(1)(b); legal obligation (tax/accounting) — Art. 6(1)(c) |
| Reviewer contact data | Email and name used to invite and identify Reviewers you add | Send invitations and show who left which feedback | Our legitimate interest in providing the Service you asked for — Art. 6(1)(f) |
| Support data | The messages you send us and our replies | Answer questions and resolve issues | Legitimate interest — Art. 6(1)(f) |
| Usage & technical data | IP address, device/browser type, log and security data, actions in the app | Keep the Service secure, prevent abuse, fix problems, improve the product | Legitimate interest — Art. 6(1)(f) |
| Cookies & analytics | See §7 | Run the Service and understand how it's used | Essential cookies: legitimate interest — Art. 6(1)(f). Our analytics don't use tracking cookies or identify you, so no consent is needed |
| Transactional emails | Email address | Send invitations, receipts, and security or service notices you need | Contract — Art. 6(1)(b); legitimate interest — Art. 6(1)(f) |
| Marketing (if any) | Email address | Send product updates or news, only if you opt in | Consent — Art. 6(1)(a), withdrawable anytime |
We collect only what we need. You don't have to give us this data, but without the essentials (like your email) we can't provide the Service.
4. Where your data comes from
Mostly from you — when you sign up, subscribe, invite Reviewers, or contact us. Some technical data (like IP and log data) is generated automatically when you use the Service. If you are a Reviewer, your contact details usually come from the Creator who invited you.
5. Who we share it with
We don't sell your personal data. We share it only with service providers who help us run Markloop, and only as needed:
- Stripe — processes payments on our behalf, and is also an independent controller for its own fraud‑prevention, regulatory (e.g. anti‑money‑laundering) and financial‑reporting purposes, under Stripe's own privacy terms.
- Vercel — application hosting and delivery.
- Neon — our database, where account data and your Content are stored.
- Cloudflare — infrastructure, and — where it generates preview thumbnails of uploaded documents — a subprocessor of your Content, governed by the data processing agreement in our Terms of Service (§15.1) rather than this Policy.
- Simple Analytics — privacy‑friendly, cookieless website analytics (EU‑based; does not collect personal data or use cookies).
- PostHog — product analytics, to understand how the app is used and improve it.
- Resend — email delivery, used to send transactional emails (invitations, receipts, security notices).
These providers act as our processors (except Stripe, as described above). A current list of subprocessors that process Content on our behalf is kept under §15.1 of our Terms. We may also disclose data where the law requires it (for example, a valid request from a public authority), or to protect our rights, users, or the Service.
6. International transfers
Some of our providers (such as Vercel, Neon, Cloudflare, and PostHog) may process data on infrastructure located outside the European Economic Area, including in the United States. When that happens, we rely on the safeguards the law requires — such as an adequacy decision, certification under the EU–US Data Privacy Framework, or the European Commission's Standard Contractual Clauses — so your data keeps an equivalent level of protection. You can ask us for a copy of these safeguards at hi@markloop.io. Where a provider offers EU‑region hosting, we prefer it. Simple Analytics is EU‑based and does not transfer your data outside the EEA.
7. Cookies
We try to keep cookies to a minimum — in fact, we use no tracking cookies at all:
- Essential cookies — needed to log in and keep the Service working (for example, your session). These can't be switched off.
- Website analytics (markloop.io) — Simple Analytics. We measure website traffic with Simple Analytics, which is cookieless and does not collect personal data. That's why our website shows no cookie banner and asks for no consent.
- Product analytics (app.markloop.io) — PostHog. Inside the logged‑in app we use PostHog to understand how features are used. We don't use it to place tracking cookies on your device or to identify you individually, so it doesn't ask for your consent.
8. How long we keep it
- Account data — kept while your account is active and deleted within 90 days of account closure, except records we must keep for tax or other legal reasons.
- Billing and invoice data — for as long as tax and accounting law requires (in Poland, generally 5 years from the end of the relevant year).
- Backups — kept for a limited period, normally up to 30 days, then overwritten.
- Support messages — kept up to 2 years after the matter is resolved.
- Usage and security logs — kept up to 12 months, then deleted or anonymised.
9. How we protect your data
We use reasonable technical and organisational measures — such as encryption in transit, access controls, and scoping Reviewer access to a single project (Reviewers only ever see the rendered document, never your source files). No online service can be perfectly secure, but we take protecting your data seriously and, if a personal‑data breach occurs, we will — where the law requires — notify the supervisory authority and any affected individuals.
10. Your rights
Under the GDPR you have the right to:
- access your data and get a copy;
- correct data that's wrong or incomplete;
- erase your data ("right to be forgotten") in certain cases;
- restrict or object to processing based on our legitimate interests;
- port your data to another provider in a structured, machine‑readable format;
- withdraw consent at any time, where we rely on consent (this doesn't affect processing already done).
To exercise any of these, email hi@markloop.io. We'll respond within one month (and tell you if we need longer because the request is complex). Exercising your rights is free unless a request is clearly unfounded or excessive.
You also have the right to lodge a complaint with a supervisory authority. In Poland that is:
Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00‑193 Warszawa, Poland · uodo.gov.pl
You can also complain to the supervisory authority in your own country of residence.
11. Automated decisions and AI
We do not make decisions about you that have legal or similarly significant effects using solely automated processing. We do not use your account data or your Content to train AI models.
12. Children
Markloop is not intended for anyone under 18, and we don't knowingly collect data from children. If you believe a child has given us data, contact us and we'll delete it.
13. Changes to this Policy
We may update this Policy from time to time. We'll change the date at the top and, for important changes, let you know by email or in the app. The current version always lives on this page.
14. Contact
Questions about your privacy or this Policy? Email hi@markloop.io — we're happy to help.