Contents
- Plain-language summary
- 1. Who we are
- 2. Scope of this policy
- 3. What data we collect
- 4. How we use your data
- 5. Legal bases for processing
- 6. Who we share data with
- 7. International data transfers
- 8. How long we keep data
- 9. Your rights
- 10. Data of your contacts
- 11. AI processing transparency
- 12. Security
- 13. Cookies and local storage
- 14. Children
- 15. Changes to this policy
- 16. Contact and complaints
Plain-language summary
- Mari processes the things she needs to do her job: your account info, the channels you connect, your messages, your contacts, your files, and the tasks the Agent runs for you.
- All primary storage lives in AWS Frankfurt (eu-central-1). LLM inference goes to Anthropic through Cloudflare. We never train on your data.
- The full subprocessor list is in Section 6. The map of who sees what is in Section 7.
- You can ask for a copy of your data, correction, or deletion at any time by writing to privacy@mari.bot.
- Mari does not use end-to-end encryption for messages inside the platform; the AI needs to read them to answer. We are honest about this in Section 3.6.
- On this marketing site we use Google Analytics and PostHog (EU region) with a cookie consent banner, default denied. If you accept, aggregated, anonymised page views and product events are recorded. If you decline, nothing is collected. You can change your mind anytime from the footer.
- We will tell you, by email and in-product banner, at least 30 days before any material change to this policy.
1. Who we are
The data controller for personal data processed in connection with the Mari service is:
- CODEDUNES SOLUTIONS – FZCO
- License Number: 28506
- International Free Zone Authority (IFZA), Dubai Silicon Oasis, DDP, Building A1, Dubai, United Arab Emirates
- Privacy contact: privacy@mari.bot
- Data Protection Officer: dpo@mari.bot
2. Scope of this policy
This policy covers personal data processed when you use the Mari service (the marketing site, the Owner dashboard, and any API) and personal data of your Contacts that you bring into Mari for the Agent to act on.
It does not describe the practices of third-party platforms (Telegram, WhatsApp, Apple, Google, Zoom, Anthropic, Cloudflare, AWS, ElevenLabs, OpenAI). Their own policies govern their processing.
3. What data we collect
3.1 Account data
- Email address and hashed password (if email sign-up)
- OAuth identifiers and profile fields from Google, Apple, or Telegram OIDC if you sign in that way (provider, provider user id, name, email, avatar)
- Display name and account preferences
3.2 Session and device data
- IP address
- User-agent and a coarse device fingerprint
- Login timestamps and session expiry
3.3 Connected channels and integrations
- Telegram bot tokens and session credentials (encrypted at rest with AWS KMS)
- WhatsApp Web session state (encrypted at rest)
- OAuth access and refresh tokens for Google (Gmail, Calendar, Drive, Meet) and Zoom (encrypted at rest with AWS KMS)
- Connection type per channel: owner_account, agent_bot, or dedicated_account
3.4 Contacts
- Contact display name, phone, email, avatar URL, trust level, tags, notes
- Cross-platform identities (Telegram id, WhatsApp number) we resolve to a single person
- Message count, last interaction time, interaction history
- Per-Contact memory snapshots used by the Agent to maintain context
3.5 Communications content
- Message text, direction, channel, timestamps
- Metadata (sender id, sender name, media type, platform message ids)
- Synced media referenced by id; the underlying file lives on the platform's servers unless explicitly downloaded by the Agent
3.6 No end-to-end encryption inside Mari
Message content stored in Mari is encrypted in transit (TLS) and at rest (AWS-managed encryption), but it is not end-to-end encrypted between you and Mari. The Agent needs to read messages to classify and respond to them. In owner-mode, this includes inbound messages from people who may not themselves be Mari users. We disclose this prominently so you can decide what to channel through the service.
3.7 Tasks, watches, and commitments
- Task description, status, priority, results, tool calls
- Commitment descriptions, deadlines, escalation policies
- Schedule expressions, last run, next run
- Long-running watches with context summaries
3.8 Billing
- Credit balance and ledger
- Transactions: amount, type, description, metadata
- Card-payment events received from the payment processor (we do not see or store your full card number)
3.9 Technical and observability data
- Cloudflare access logs (forwarded to S3 in eu-central-1)
- In-product activity events (event type, payload, timestamp)
- Administrative audit log of privileged actions
- Token-usage metrics for cost accounting
- LLM observability traces (request, response, latency)
3.10 What we do not collect
- Full card numbers or CVCs (handled by the payment processor)
- Government identity numbers
- Advertising cookies, third-party marketing trackers, or cross-site profiling. The only analytics we use on the public site is Google Analytics 4 with explicit opt-in (Section 13)
- Special-category data within the meaning of GDPR Article 9 (health, biometric, political opinions, sexual orientation, religion). Mari is not designed for it and you should not push it through the service.
One nuance worth calling out: when a backend service hits an error, or when an unhandled exception is thrown in your browser while using the Owner dashboard, the Admin panel, or the public marketing site, an error report is sent to Sentry in the European Union so we can diagnose and fix it. The report contains a stack trace, the request URL and method (or page URL for browser errors), our internal owner_id if the error occurred inside an authenticated request, and an anonymised IP. Authentication tokens, cookies, message bodies, contact data, and other obvious secrets are scrubbed before send. The browser SDK additionally filters network noise from adblockers and we do not run session replay. See Section 6 for the subprocessor entry and Section 13.3 for what we do not use Sentry for.
4. How we use your data
We process personal data for the following purposes:
- Provide the service. Authenticate your account, route messages, run tasks, fulfil integrations, store your settings and memory.
- Operate billing. Track Credit balance, process top-ups through the payment processor, issue invoices, comply with UAE tax reporting.
- Keep the service secure. Detect abuse, prevent fraud, apply rate limits, maintain audit trails, respond to security incidents.
- Improve the service. Aggregate performance metrics, debug issues, monitor LLM behaviour. We do not use your data to train models, our own or anyone else's.
- Communicate with you. Transactional emails (sign-in, top-up, security). Marketing emails only with explicit opt-in.
- Comply with the law. Retain audit logs as required, respond to lawful requests from regulators or law enforcement.
5. Legal bases for processing
Under GDPR Article 6, our processing relies on the following legal bases:
- Account credentials, sessions: Contract (Art. 6(1)(b)). Authenticate you and provide the service
- Billing data: Contract + Legal obligation (Art. 6(1)(b), (c)). Charge for usage, comply with tax law
- Contact data and messages: Contract + Legitimate interest (Art. 6(1)(b), (f)). Route and process messages on your behalf
- Security logs, audit trail: Legitimate interest + Legal obligation (Art. 6(1)(f), (c)). Protect the service and meet compliance retention
- Service-quality metrics, LLM traces: Legitimate interest (Art. 6(1)(f)). Diagnose and improve the service
- Essential cookies: Strict necessity (Art. 6(1)(f)). Keep you signed in
- Marketing communications: Consent (Art. 6(1)(a)). Send opt-in newsletters and product updates
Under the UAE PDPL, consent has a more central role than under GDPR. We rely on consent for new and optional purposes and on contractual necessity, legitimate interest, and legal obligation where these are the more appropriate basis. You can withdraw consent at any time for any consent-based purpose without affecting the lawfulness of earlier processing.
6. Who we share data with
Mari uses the following subprocessors. We only share what they need to do their part of the job.
- Anthropic. Role: LLM inference (Claude family). Location: USA (and EU endpoints where available). Data: Message content, system prompt, conversational context, owner_id, action type
- Cloudflare. Role: Edge ingress, DNS, AI Gateway, DDoS protection, access logs. Location: Global edge; logs to S3 in eu-central-1. Data: Request metadata, headers, access logs, prompt traffic to Anthropic
- Amazon Web Services (EMEA SARL). Role: Primary infrastructure (database, cache, queues, object storage, secrets, KMS, load balancer). Location: eu-central-1 (Frankfurt, Germany). Data: All persistent data
- Google LLC. Role: Gmail, Calendar, Drive, Meet when you explicitly connect; OAuth identity if you sign in with Google. Location: USA and global. Data: OAuth tokens, scoped API calls (read or send mail, calendar events, drive files, meet rooms)
- Telegram FZ-LLC. Role: Messaging channel (bot API plus user-session API for owner-mode) and OIDC sign-in. Location: Telegram infrastructure. Data: Bot tokens, session credentials, message metadata
- Apple Inc. Role: Sign in with Apple. Location: USA. Data: Apple identity token, email or relay-email
- Zoom Communications. Role: Meeting management when you connect Zoom. Location: USA. Data: OAuth tokens, meeting metadata
- ElevenLabs. Role: Text-to-speech. Location: USA. Data: Text to be spoken
- OpenAI. Role: Text-to-speech (secondary). Location: USA. Data: Text to be spoken
- Payment processor. Role: Card payments and invoicing (PCI-DSS compliant). Location: Processor region. Data: Card details (handled entirely by the processor), payment confirmation, billing address
- Google (Google Analytics 4). Role: Aggregated, anonymised site analytics on mari.bot (the public marketing site only). Loaded with Consent Mode v2: nothing is sent until you accept the cookie banner. Location: USA and EU. Data: Page URL, page title, referrer, anonymised IP, browser, device class, country (no PII, no user-level profiles)
- Functional Software, Inc. (Sentry). Role: Error tracking and performance monitoring across all three runtimes: Go backend services (mari-sso, mari-gateway, mari-integration-svc, mari-telegram-bot-svc), Python backend services (mari-task-svc, mari-telegram-svc, mari-ai-svc, mari-whatsapp-svc, mari-thumbnail-svc), and browser errors from home.mari.bot, admin.mari.bot, and the public marketing site mari.bot. PII scrubbing applied before send; the browser SDK additionally filters adblocker-induced network noise. Location: European Union (Sentry .de region). Data: Error stack traces, HTTP request URL + method, user-agent, anonymised IP, server name, environment tag, our internal owner_id when an error occurs in their request context, and (for browser errors only) page URL and a release version. Auth tokens, cookies, message bodies, contact data, and other secrets are scrubbed before send. No session replay.
- PostHog Inc. (PostHog). Role: Product analytics: event-level usage data so we can measure activation funnel, retention, and where users get stuck. Server-side capture for auth and key product actions (sign-up, login, oauth-start, channel-connect, first task) plus optional in-product event capture on home.mari.bot once you accept the cookie banner. PostHog also captures a small sampled share of in-product session recordings with all text inputs masked by default; we use these only to diagnose specific UX bugs. Disabled entirely on the public marketing site until you accept the cookie banner. Backend events are tied to your owner_id so we can compute funnels; we do not send message bodies, contact lists, or task contents. Location: European Union (PostHog EU region, Frankfurt). Data: Event name + properties (e.g. method=email, provider=google, surface=home), your email and owner_id on identified events, page URL, device class, country, and a stable browser distinct_id. Auth tokens and cookies are never sent. Session recordings: masked DOM with all input fields hidden, blocked on settings/billing pages, sampled at a low rate.
7. International data transfers
Mari operates across jurisdictions: the operator is in the United Arab Emirates, primary storage is in the European Union, and several subprocessors are in the United States or on global edge networks. The principal flows are:
- You to AWS Frankfurt (EU). Primary storage.
- AWS Frankfurt to Anthropic (US or EU). LLM inference through Cloudflare AI Gateway.
- AWS Frankfurt to Google or Zoom (US). For integration calls you explicitly authorise.
- AWS Frankfurt to Cloudflare edge (global). Ingress and AI gateway.
- AWS Frankfurt to Telegram (global). Messaging.
- AWS Frankfurt to UAE operator. Administrative access by the Mari team.
For transfers from the European Economic Area to third countries we rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor; or Module 3, processor-to-processor where applicable), supplemented by the EU-US Data Privacy Framework where the recipient is certified. We apply additional safeguards: encryption in transit (TLS), encryption at rest (AWS KMS), least-privilege access controls, and pseudonymisation where feasible (for example, we pass owner_id rather than your email in LLM metadata).
For transfers from the European Economic Area to the United Arab Emirates (operator access by the Mari team) we use Standard Contractual Clauses. For transfers under the UAE PDPL (Articles 22 and 23), we rely on consent, contractual necessity, or contractual safeguards with the recipient as the basis allows.
8. How long we keep data
- Account record: Until you delete the account
- Sessions: Until expiry; revoked on sign-out
- OAuth tokens: Until you disconnect the integration
- Contacts and contact identities: Until you delete the contact or the account
- Message history: 180 days
- In-product activity events: 90 days
- Administrative audit log: 365 days (compliance)
- Billing transactions: 5 to 7 years (UAE tax retention)
- Database automated backups: 7 days
- LLM observability traces: Retained per the observability provider's policy
- Cloudflare access logs: Retained per Cloudflare's policy
8.1 Account closure
On a deletion request we apply a 30-day grace period during which the request can be reversed by signing in. After that we delete account data on a cascade across contacts, messages, integrations, sessions, tasks, commitments, watches and Credit balance. Records we are required to keep, the administrative audit log (365 days) and billing records (UAE tax retention), are preserved with access limited to the minimum personnel required.
9. Your rights
Depending on where you live you have rights under one or more of the following regimes: UAE PDPL (UAE residents), GDPR (EU residents), UK GDPR (UK residents), CCPA and CPRA (California), LGPD (Brazil), PIPL (China), PDPA (Singapore). We honour the strongest applicable regime by default.
9.1 What you can ask for
- Access: a copy of your personal data (GDPR Art. 15 and PDPL Art. 14)
- Correction: fix inaccurate or incomplete data (GDPR Art. 16 and PDPL Art. 15)
- Erasure: delete your data, subject to legal exceptions (GDPR Art. 17 and PDPL Art. 16)
- Restriction: pause processing while a dispute is resolved (GDPR Art. 18 and PDPL Art. 17)
- Portability: receive your data in a machine-readable format (GDPR Art. 20 and PDPL Art. 18)
- Objection: to processing based on legitimate interest or direct marketing (GDPR Art. 21)
- No automated decision: Mari does not make decisions with legal effect about you (GDPR Art. 22 is not triggered by what the service does today; see Section 11.4)
- Withdraw consent: at any time, for any consent-based purpose (GDPR Art. 7(3))
- Complain: to a supervisory authority (Section 16)
9.2 How to exercise a right
Write to privacy@mari.bot. We will verify your identity using the minimum information required, log the request, and respond within 30 days (extendable to 90 days for complex requests, with notice). The response is free of charge unless the request is manifestly unfounded or excessive.
10. Data of your contacts
Mari processes personal data of people who are not themselves Mari users: the Contacts you communicate with. The roles depend on the mode the Agent operates in (see Terms § 4.3):
- Owner-mode (A). You are the controller for your conversation history with that Contact. Mari is the processor.
- Agent-bot mode (B). The Contact chose to start a conversation with the bot. Mari and you may act as joint controllers for that interaction.
- Dedicated-account mode (C). You are the controller, Mari is the processor.
You are responsible for informing your Contacts of the AI involvement and for having a lawful basis to store and process their data through Mari. Mari supplies the tooling (deletion of a Contact and associated history, pause of an Agent on a channel).
10.1 Direct requests from Contacts
A Contact may write to privacy@mari.bot with a request to access or delete their data even if they are not a Mari user. We will verify the Contact's identity, locate the data, and act on the request within 30 days. Where the law allows we may notify the Owner; where the law requires us to act regardless of the Owner's objection, we will.
11. AI processing transparency
11.1 Models we use
Mari uses large language models from Anthropic (the Claude family) accessed through Cloudflare AI Gateway. ElevenLabs is the primary text-to-speech provider; OpenAI is the secondary. We may switch or add providers and update the subprocessor list accordingly.
11.2 What gets sent
For an inference call we send: the content of the messages that form the conversation context, your system prompt, relevant Contact metadata, your Agent settings, an opaque owner_id, and the type of action being performed. We do not send your email address, payment details, or any identifier that is not needed for the model to do its job.
11.3 No training on your data
Mari does not use your data to train its own models. Our use of the Anthropic API is subject to terms that prevent your data from being used to train Anthropic's models.
11.4 No legally significant automated decisions
Mari does not perform automated decision-making with legal or similarly significant effects on Contacts within the meaning of GDPR Article 22: no credit scoring, no profiling for hiring or service refusal, no risk assessment about people.
11.5 EU AI Act Article 50
The EU AI Act requires that natural persons interacting with an AI system be informed of that fact. As Owner, when you operate in owner-mode (A) you are the “deployer” of the system and you carry that obligation. The Terms ask you to inform your Contacts and provide suggested wording.
12. Security
12.1 Technical measures
- Encryption in transit (TLS) on all network boundaries
- Encryption at rest on the database and object storage
- AWS KMS for application-level encryption of sensitive fields (OAuth tokens, session credentials)
- Row-level security in the database partitioning data by Owner
- Mutual TLS between internal services
- Password hashing with modern key-derivation functions; refresh tokens hashed
- HashiCorp Vault for managing encryption keys
12.2 Organisational measures
- Least-privilege database roles per service; no service has super-user rights
- Privileged-action audit log
- Code review and security review on changes
12.3 Network
- Database and queues in private subnets
- Cloudflare Tunnel; no public endpoint for internal services
- Mutual TLS between internal services
12.4 Incident response
If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, in line with GDPR Article 33. Where the breach is likely to result in a high risk, we will inform affected users without undue delay, as required by GDPR Article 34 and the equivalent UAE PDPL provisions. Report suspected incidents to security@mari.bot.
For early detection, our backend services (Go and Python) and our frontend applications emit error reports to Sentry (Section 6) and we receive alerts on unusual error rates or specific error classes that may indicate an attack or data leak. This is one input to our incident-response process and does not replace the legal notification obligations above.
13. Cookies, analytics, and local storage
13.1 Strictly necessary cookies
The Owner dashboard sets two cookies that are required to keep you signed in. These do not require consent under ePrivacy because the service cannot function without them:
- mari_access_token: short-lived API access token (HttpOnly, Secure, SameSite)
- mari_refresh_token: long-lived refresh token (HttpOnly, Secure, SameSite)
13.2 Analytics, with your consent
On the public marketing site (mari.bot) we use Google Analytics 4 to understand which pages people find useful. It is configured with Google Consent Mode v2: until you click Accept on the cookie banner, no analytics cookies are written and no data leaves your browser. If you accept, GA4 records aggregated, anonymised page views (page URL, referrer, anonymised IP, country, browser, device class). We have disabled Google Signals, advertising personalisation, and IP-level reporting.
Your choice is remembered in your browser's local storage under mari.consent. You can change your mind at any time using the Manage cookies link in the footer; the banner will reappear and you can switch the choice.
13.3 No other trackers
We do not set advertising cookies, do not run Mixpanel, Amplitude, PostHog, Hotjar, FullStory, Meta Pixel, TikTok Pixel, or any third-party tracking on the public site or in the dashboard.
One clarification on Sentry: we use it for error tracking across our Go backend, our Python backend, and the browser (Section 6 lists it as a subprocessor; Section 3.10 describes what gets sent). The browser SDK only captures unhandled exceptions and the minimum diagnostic context needed to reproduce them, with aggressive filtering of adblocker-induced network noise. We do not run session replay, do not record keystrokes or pointer movements, and do not track page-view analytics through Sentry. Nothing about your routine browsing behaviour or in-app activity is sent to Sentry from your device, only the diagnostic envelope attached to an actual error.
13.4 Local storage
The applications may persist UI preferences (last selected workspace, last selected agent, your cookie consent choice) in browser local storage. These are not personal data on their own and never leave your device.
14. Children
Mari is not directed to and is not intended for use by persons under 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please notify us at privacy@mari.bot and we will close the account and delete the associated data.
15. Changes to this policy
We may update this policy as the service, the subprocessor list, or the law changes. Material changes are announced at least 30 days before the new effective date by email to the address on your account and by an in-product banner. The version and effective date at the top of this page always reflect the live document. Prior versions are available on request.
16. Contact and complaints
16.1 Contacting us
- Privacy-related questions and data-subject requests: privacy@mari.bot
- Data Protection Officer: dpo@mari.bot
- Security incidents and vulnerability disclosure: security@mari.bot
- Compliance and regulator enquiries: compliance@mari.bot
- Legal: legal@mari.bot
- Postal: CODEDUNES SOLUTIONS – FZCO, Dubai Silicon Oasis, DDP, Building A1, Dubai, United Arab Emirates
16.2 Supervisory authorities
If you believe we are not handling your data properly you may complain to a supervisory authority, without having to come to us first.
- UAE residents: UAE Data Office, established under the UAE PDPL.
- EU residents: your local supervisory authority.
- UK residents: the Information Commissioner's Office (ICO), ico.org.uk.
© 2026 CODEDUNES SOLUTIONS – FZCO. All rights reserved. Version v1.3 · Effective May 25, 2026.

