Privacy Policy

Effective: 19 May 2026 · Last updated: 19 May 2026

Marma ("we", "our", "Marma") respects your privacy. This Privacy Policy explains what data we collect when you use the Marma mobile and web application, how we use it, and the choices you have. By using Marma, you agree to the practices described here.

1. Who we are

Marma is operated by the developer at the address shown in our Google Play and Apple App Store listings. For any privacy question, write to [email protected].

2. What we collect

Account data

• Anonymous user ID assigned by Firebase Authentication on first launch. Required to track your free-decode quota and purchase entitlement.
• Optional Google account if you choose to link one (for restoring premium across devices).
• Subscription status (active, in trial, on hold, expired) received from Google Play.

Usage data

• Decode requests: the text you paste is sent over an encrypted connection to our backend (Firebase Cloud Functions) which forwards it to Anthropic Claude for analysis. We do not store the text of your decode requests after the response is returned. Only metadata (timestamp, context category, was-it-successful) is retained for fraud detection and analytics.
• Daily counter: we track how many decodes and rewarded ads you have used today, reset at UTC midnight.
• Device information (OS version, app version, install source) for crash diagnostics.

Ads & consent

• If you watch a rewarded ad, the Google AdMob SDK collects standard ad metrics (impression, completion, click) per its own policies.
• If you live in the EEA, UK, or India, Google's User Messaging Platform asks for your consent before serving personalized ads. If you decline, you will see non-personalized ads only.

3. How we use the data

• To process your decode request and return a result.
• To enforce your free quota, ad unlocks, and premium subscription state.
• To detect fraud (e.g. ad reward replay, multi-account abuse).
• To diagnose crashes and improve the app.
• To comply with legal obligations.

4. What we do NOT do

• We do not sell your personal data to third parties.
• We do not retain the text content of your decode requests after returning the result.
• We do not use your decode content to train any AI model.
• We do not read or share your messages outside the on-demand decode call.

5. Third parties we work with

• Anthropic (Claude API) — processes your decode text in transit; Anthropic's privacy policy applies to that processing. We send your text without your account identity attached.
• Google Firebase (Auth, Firestore, Cloud Functions, App Check) — stores your entitlement state and powers backend services.
• Google Play Billing — handles all payments. We never see your card number.
• Google AdMob — serves rewarded ads (free-tier users only).

6. Where the data lives

Firebase data is stored in Google Cloud's nam5 multi-region (US). Subscriptions and decode metadata are retained for the lifetime of your account plus 90 days for billing reconciliation. Cancel your account anytime to trigger deletion.

7. Your rights

EU / UK (GDPR)

• Right to access — request a copy of your data via [email protected].
• Right to erasure — request deletion. Subscription history may be retained for legal/tax reasons.
• Right to portability — request an export in a machine-readable format.
• Right to withdraw consent at any time.
• Right to lodge a complaint with your data protection authority.

California (CCPA/CPRA)

• Right to know what we collect (above).
• Right to delete your data.
• Right to opt out of any sale or sharing of personal data — Marma does not sell or share personal data.

India (DPDP Act 2023)

• Right to access, correct, and erase your data.
• Right to grievance redressal via [email protected].
• Children under 18: Marma is not directed at children. We do not knowingly collect data from users under 18.

8. Security

We use TLS in transit, Firebase App Check (Play Integrity) to bind requests to genuine app installations, and server-side validation for all subscription receipts and ad rewards. The Anthropic API key, Google Play service account, and AdMob verifier keys are never bundled with the client; they live exclusively in our backend secret manager.

9. Children

Marma is not intended for children under 13 (US) / 16 (EU) / 18 (India). We do not knowingly collect data from anyone in those age ranges. If you believe a child has used Marma, contact us and we will delete their data.

10. Changes to this policy

We may update this policy occasionally. Material changes will be announced in-app at least 14 days before they take effect. The latest version is always at marma.app/privacy.

11. Contact

Privacy questions, data requests, or DPDP grievances:
[email protected]