Privacy Policy
Last updated: February 27, 2026
Marshall ("we," "us," or "our") operates the Marshall AI Data Loss Prevention service, including the website at trymarshall.com, the Marshall admin dashboard, and the Marshall browser extension (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
1. Data Collection
Information You Provide
When you register for an account, subscribe to a plan, or contact us, we may collect:
- Account information: name, email address, company name, job title, and industry
- Billing information: payment card details (processed and stored by our payment processor, Stripe), billing address, and transaction history
- Organization data: company size, industry vertical, and team member email addresses added by administrators
- Communications: support requests, feedback, and correspondence with our team
Information Collected Automatically
When you use the Service, we automatically collect:
- Usage data: pages visited, features used, timestamps, and interaction patterns within the dashboard
- Browser extension data: metadata about AI tool interactions (which AI platforms are accessed), flagged content snippets that match your organization's DLP policies, and incident logs
- Device and connection data: browser type, operating system, IP address, and referring URLs
- Cookies and similar technologies: session cookies for authentication, preference cookies for dashboard settings
Important Note on Monitored Content
The Marshall browser extension monitors text inputs to AI platforms (such as ChatGPT, Claude, and Gemini) solely to detect potential data loss incidents. When a DLP policy violation is detected, we log the incident metadata and a redacted snippet of the flagged content. We do not store the full text of employee inputs to AI tools. Our detection operates on pattern matching and classification, not bulk data collection.
2. How We Use Data
We use the information we collect to:
- Provide, maintain, and improve the Service, including DLP monitoring, incident logging, and compliance reporting
- Process transactions and manage your subscription
- Send transactional communications such as account verification, billing receipts, and security alerts
- Generate compliance reports and analytics for your organization's dashboard
- Provide customer support and respond to inquiries
- Detect, prevent, and address technical issues, fraud, or abuse
- Comply with legal obligations and enforce our Terms of Service
- Improve our detection algorithms and policy templates (using anonymized, aggregated data only)
3. Data Sharing
We do not sell your personal information. We may share data with:
- Service providers: trusted third parties that help us operate the Service, including Stripe (payment processing), Resend (transactional email), Railway (hosting), Vercel (dashboard hosting), and Sentry (error monitoring). These providers are bound by contractual obligations to protect your data.
- Your organization: if you are an employee using the extension, your organization's administrator can view incident reports and compliance data associated with your account.
- Legal requirements: we may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4. Cookies
We use the following types of cookies:
- Essential cookies: required for authentication and core functionality. These cannot be disabled.
- Preference cookies: store your dashboard settings and display preferences.
- Analytics cookies: help us understand how visitors interact with our website to improve the experience. These are anonymized.
You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using parts of the Service.
5. Data Retention
We retain your data according to the following schedule:
- Account data: retained for the duration of your active subscription, plus 90 days after account closure to allow for reactivation
- Incident logs: retained for the period configured by your organization's administrator (default: 12 months), after which they are automatically purged
- Billing records: retained for 7 years to comply with tax and financial reporting obligations
- Aggregated analytics: retained indefinitely in anonymized form
Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate or incomplete data
- Deletion: request deletion of your personal data, subject to legal retention requirements
- Portability: request a copy of your data in a structured, machine-readable format
- Objection: object to processing of your data for certain purposes
- Restriction: request that we limit how we use your data
To exercise any of these rights, please contact us at privacy@trymarshall.com. We will respond within 30 days.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Regular security audits and vulnerability assessments
- Role-based access controls for internal systems
- Secure credential storage using bcrypt hashing
- Two-factor authentication support for admin accounts
8. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
10. Contact Information
If you have questions or concerns about this Privacy Policy, please contact us: