This Privacy Policy ("Policy") describes how Marketlock ("Marketlock," "we," "us," or "our") collects, uses, retains, and shares personal information about users and customers ("you," "your") in connection with our AI visibility monitoring and directory management platform. This Policy is intended to comply with the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA"), the CAN-SPAM Act, and other applicable privacy laws.
This Policy applies to all personal information we collect through our website (marketlock.app), client portal, checkout and onboarding flows, email communications, and related services (collectively, the "Service").
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA/CPRA:
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Name, email address, phone number, IP address, account username | Yes |
| Business / Customer Records | Business name, business address, service category, city, website URL, physical address | Yes |
| Commercial Information | Subscription plan, billing history, payment method type (via Stripe — we do not store card numbers), transaction records | Yes |
| Internet / Network Activity (Usage Data) | Portal login timestamps, pages visited, features used, report views, scan history, click events, session duration, browser type, operating system | Yes |
| AI Monitoring Data | Visibility scores, AI platform mention frequency, competitor mention data, citation audit results, listing scores generated by our monitoring queries | Yes |
| Consent and Authorization Records | Timestamp and IP address of Terms of Service acceptance, directory authorization consent, pilot agreement consent | Yes |
| Communication Records | Support emails, chat inquiries, unsubscribe requests, email open/click analytics (aggregate) | Yes |
| Inferences | Service performance scores, action plan recommendations, competitive positioning inferences derived from monitoring data | Yes |
| Financial Information | Payment card data — processed exclusively by Stripe; we receive only the last 4 digits, card type, and billing status | Limited (via Stripe) |
| Geolocation Data | City and state of business (provided by you); IP-derived approximate location (login security) | Limited |
| Sensitive Personal Information | See Section 8 | Minimal — see below |
We collect personal information from the following categories of sources:
We collect and use personal information for the following business and commercial purposes:
We disclose personal information to the following categories of third parties for the stated business purposes:
| Third Party Category | Data Shared | Purpose |
|---|---|---|
| Stripe, Inc. (payment processor) | Name, email, billing address, payment method (card data processed directly by Stripe) | Payment processing and subscription management |
| AI Platforms (OpenAI, Anthropic, Perplexity, Google, etc.) | Business name, city, service category (as query terms only — no user PII transmitted) | Read-only visibility monitoring queries on your behalf |
| Directory and Citation Sites (Yelp, Google Business, Bing Places, Apple Maps, and similar — Dominator tier only) | Business name, address, phone, website, service category, business description (as authorized by you) | Directory submission and citation management with your explicit authorization |
| Postmark / Email Service Provider | Name, email address, email content | Transactional email delivery (reports, billing, alerts) |
| Render (Hosting Provider) | All data processed through the Service (infrastructure-level access) | Cloud hosting and infrastructure services |
| Legal / Law Enforcement | Any data required by valid legal process | Compliance with court orders, subpoenas, or legal obligations |
| Business Successors | All personal information held at time of transaction | Merger, acquisition, or sale of substantially all assets (you will be notified) |
We do not disclose personal information to any third party for direct marketing purposes without your explicit consent. We do not permit third parties to use your personal information for their own independent purposes beyond what is stated in this Policy.
✓ We do NOT sell your personal information to third parties.
✓ We do NOT share your personal information for cross-context behavioral advertising.
✓ We do NOT use your personal information for targeted advertising on third-party platforms.
Under the CCPA/CPRA, "selling" includes exchanging personal information for monetary or other valuable consideration. "Sharing" includes disclosing personal information for cross-context behavioral advertising. Marketlock does neither.
Because we do not sell or share personal information for advertising purposes, there is no opt-out of sale or sharing to exercise. However, California residents retain all other rights described in Section 7, and you may contact us at any time to confirm our data practices.
We do not use or disclose sensitive personal information (as defined under CPRA) for purposes beyond those listed in Section 8, and we do not use sensitive personal information to infer characteristics about you.
We retain personal information only as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required by law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and identity data (name, email, business info) | Duration of active subscription + 90 days post-cancellation | Service delivery; contractual obligation |
| Payment and billing records | 7 years from transaction date | Tax and financial compliance |
| Consent and authorization records (ToS acceptance, directory authorization, IP/timestamp) | 7 years from date of consent | Legal defensibility and regulatory compliance |
| Usage / activity logs (portal events, login history) | 12 months from collection | Security, fraud prevention, product analytics |
| AI monitoring data (visibility scores, reports) | Duration of active subscription + 90 days post-cancellation | Service delivery; report access |
| Support communications | 3 years from last communication | Customer service quality and dispute resolution |
| Deleted account data (post-deletion request) | 30 days (purge window) after confirmed deletion | Backup and recovery; then permanently deleted |
After the applicable retention period, data is deleted or de-identified. Some data may be retained indefinitely in anonymized, aggregated form for analytics and product improvement, where it can no longer be linked to an individual.
California Residents: The CCPA/CPRA provides you with specific rights regarding your personal information. This section describes those rights and how to exercise them.
You have the right to request that we disclose to you, for the 12-month period preceding your request:
You have the right to request that we delete the personal information we collected from you, subject to certain exceptions. We may deny a deletion request if retaining the information is necessary to:
If we deny your deletion request, we will explain why. Where deletion is granted, we will delete your personal information from our records and direct our service providers to do the same.
You have the right to request that we correct inaccurate personal information we maintain about you. We will use commercially reasonable efforts to correct your information, taking into account the nature and purposes for which it is processed. Corrections to certain account data can also be made directly within the client portal.
You have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. As stated in Section 5, we do not sell or share personal information. No opt-out action is required, but you may contact us to confirm this at any time.
You have the right to limit our use of sensitive personal information to only those purposes necessary to perform the Service. We do not use sensitive personal information beyond the purposes described in Section 8.
We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not:
To exercise your rights, submit a request by emailing: privacy@marketlock.app
Subject line: CCPA Privacy Rights Request
We will acknowledge your request within 10 business days and respond within 45 calendar days (extendable by an additional 45 days with notice).
Your request must include sufficient information for us to verify your identity (see Section 9). You may make a verifiable consumer request up to twice within a 12-month period.
The CPRA establishes special protections for "sensitive personal information." Based on the nature of our Service (B2B AI visibility monitoring for local businesses), we collect minimal sensitive personal information.
We do not collect Social Security numbers, driver's license numbers, financial account credentials, health or medical information, genetic data, biometric identifiers, information about racial or ethnic origin, religious beliefs, union membership, sexual orientation, or contents of private communications unrelated to support.
Sensitive personal information we collect is used solely to:
We do not use sensitive personal information to infer characteristics about you beyond what is necessary to provide the Service, and we do not disclose sensitive personal information to third parties for purposes beyond those listed above.
To protect your personal information, we must verify your identity before fulfilling a verifiable consumer request. The verification process varies based on the type of request and the sensitivity of the information involved.
If we cannot verify your identity after reasonable attempts, we will notify you and explain why we cannot fulfill the request. We are not obligated to fulfill requests from unverified individuals. This does not affect your right to opt out of sale/sharing (which requires no verification).
You may designate an authorized agent to submit privacy rights requests on your behalf under the CCPA/CPRA.
We will verify that the authorized agent is permitted to act on your behalf before processing any request. Unverified agent requests will not be fulfilled. We may contact you directly at your registered email address to confirm the authorized agent relationship.
We use cookies and similar tracking technologies on our website and in the client portal to ensure functionality, security, and analytics.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session / Authentication | HttpOnly cookies to maintain your logged-in session in the client portal; magic link session management | Session to 30 days (depending on login type) |
| Security | CSRF state tokens for OAuth flows; rate limiting identifiers | Session |
| Functional | User preferences (e.g., demo mode, UI state), last-viewed report | Up to 1 year |
| Analytics | Anonymous page view counts, feature usage statistics, error tracking (server-side aggregation, not behavioral profiling) | Session to 12 months |
You may control cookies through your browser settings. Note that disabling session or authentication cookies will prevent you from accessing the client portal. Analytics cookies can be disabled without affecting core functionality. For browsers that support "Do Not Track" (DNT), we respect DNT signals by limiting analytics collection to essential, non-identifiable data.
We send the following types of emails in compliance with the CAN-SPAM Act of 2003 and applicable anti-spam regulations:
These emails are required for the operation of your account and cannot be opted out of while your account is active:
These emails are optional, and you may opt out at any time:
All commercial emails we send comply with the following CAN-SPAM requirements:
To stop receiving marketing emails, click the Unsubscribe link at the bottom of any marketing email, or email us at privacy@marketlock.app with the subject line "Unsubscribe." We will process your request within 10 business days. Opting out of marketing emails does not affect delivery of transactional service emails.
We implement industry-standard security measures to protect your personal information:
No security system is impenetrable. In the event of a data breach that materially affects your rights and freedoms, we will notify affected individuals and applicable regulators as required by law.
The Service is intended exclusively for business use by adults (18 years of age or older). We do not knowingly collect personal information from children under 16 years of age. If we become aware that we have inadvertently collected personal information from a person under 16, we will delete such information as quickly as practicable. If you believe we have collected information from a minor, please contact us at privacy@marketlock.app.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Policy, we will:
Non-material changes (such as typographical corrections, clarifications, or contact detail updates) may be made without prior notice. Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the Service and may request account deletion per Section 7(B).
We encourage you to review this Policy periodically. The current version is always available at marketlock.app/privacy.
For privacy inquiries, to exercise your CCPA/CPRA rights, or to report a privacy concern, please contact us using one of the following methods:
| Method | Details |
|---|---|
| Privacy Email | privacy@marketlock.app (designated privacy inbox — monitored) |
| General Support | support@marketlock.app |
| Subject Line for CCPA Requests | "CCPA Privacy Rights Request" or "Authorized Agent Request — CCPA" |
| Response Time | Acknowledgment within 10 business days; full response within 45 calendar days |
Marketlock is operated by [Marketlock, LLC — legal entity information to be confirmed by attorney prior to filing].
Attorney Review Notice: This Privacy Policy is drafted to comply with CCPA/CPRA, CAN-SPAM, and applicable U.S. privacy laws as of the effective date above. It should be reviewed by qualified legal counsel prior to final publication, particularly with respect to: (1) governing entity legal name and registered address, (2) California-specific CPRA safe harbor provisions, and (3) any industry-specific regulations applicable to your business category.