marmello.← Back to site

Privacy policy

How we handle your data.

Effective 16 June 2026

Marmello is a managed marketing platform. We collect what we need to run our clients' content and ads, and nothing else. This page tells you exactly what that means.

Who this applies to

Two groups of people interact with our data: our clients (small businesses who pay us to manage their content and ads) and their prospects (people who fill in a Meta Lead Ad form run on a client's Facebook Page). The policy below covers both.

What we collect from clients

  • Account details — name, email address, role.
  • Business context — name, description, services, tone of voice, target audience, reference accounts. This feeds the AI that drafts content and emails on your behalf.
  • Content you create or upload — calendar entries, captions, briefs, comments, footage references.
  • An encrypted Facebook Page access token, only when you choose to connect your Page. The token is encrypted at rest with a key only our server holds. We never expose it to the browser.

What we collect from prospects

When someone submits a Meta Lead Ad form for one of our clients, Facebook sends us the responses via webhook. We typically receive:

  • The person's name, email, and phone (whatever fields the form asked for).
  • The Page and form the lead came from, and the time it was submitted.

The data is stored against the client's account inside Marmello, used to generate a first-response email draft, and shown to the client so they can follow up. It is not shared with third parties, used for advertising, or sold.

What we do with the data

  • Run the platform: render dashboards, send notifications.
  • Generate AI drafts for emails, content briefs, and weekly recap summaries. We use Anthropic's Claude API for this; only the specific text needed for a draft is sent, never bulk exports.
  • Send emails on behalf of the client (lead replies, weekly recaps). Delivered via Resend. No marketing emails to prospects.

Who can see it

  • The client whose account the data sits in.
  • Marmello team members assigned to that account (directors and staff). We log every meaningful action so the audit trail exists.

No one else. We do not sell data. We do not share it across clients. We do not use one client's data to train AI for another.

Where it lives

Application data is stored in Supabase (PostgreSQL) in the EU region. Encrypted Page access tokens are stored alongside the rest of the data but encrypted with AES-256-GCM at the application layer, so a database compromise alone cannot decrypt them. Hosting is on Vercel (Frankfurt region). Email delivery via Resend. AI inference via Anthropic.

How long we keep it

  • Account data: while the account is active, plus 90 days after closure.
  • Lead data: same lifecycle as the client account that received it.
  • Activity logs: 12 months rolling.

Your rights

Under UK GDPR you have the right to access, correct, or delete the personal data we hold about you, and to object to or restrict processing. To exercise any of these, email hello@marmello.media. We respond within 30 days. See our data deletion page for the specific deletion procedure.

Disconnecting Facebook

A client can disconnect their Facebook Page from Marmello at any time. When they do we delete the encrypted Page access token, unset the linked Page ID, and ask Meta to unsubscribe the Page from our leadgen webhook. Leads received before disconnection remain in the client's account; the client can request deletion at any point.

Cookies

We use one essential cookie for the signed-in session and short-lived cookies during the Facebook OAuth flow (for CSRF protection). No analytics, tracking, or advertising cookies.

Changes

If we change this policy materially we'll email everyone with an active account at least 14 days before the change takes effect.

Contact

Marmello is operated by Dizzy Otter Ltd, Exeter, United Kingdom. Reach us at hello@marmello.media for anything privacy-related.