Marbles: Privacy Policy

Last updated: May 18, 2025

1. Introduction and Definitions

This Privacy Policy applies to the Marbles application and website (collectively referred to as the "Service") operated by InfoNominal d.o.o., Ulica Brune Bušića 36, 10020 Zagreb, Croatia, VAT number 77309841348 (hereinafter "we," "our," "us," or the "Company").

For the purpose of this Privacy Policy, the following terms shall have the following meanings:

• Personal Data: Any information relating to an identified or identifiable natural person ('data subject').
• Processing: Any operation performed on personal data, whether or not by automated means.
• Data Controller: InfoNominal d.o.o., which determines the purposes and means of processing personal data.
• Data Processor: A natural or legal person who processes personal data on behalf of the Controller.
• User: Any individual who uses our Service and is the subject of Personal Data.
• Service: The Marbles application and website at www.yourmarbles.app
• Cookies: Small files stored on your device containing information about your preferences and usage patterns.

2. Data Controller and Contact Information

The Data Controller for your personal data is:

InfoNominal d.o.o.
Ulica Brune Bušića 36
10020 Zagreb
Croatia

For any privacy-related inquiries, you can contact us at support@yourmarbles.app

3. Information We Collect and Process

3.1 Information You Provide Directly

• Account information (email address, name, password hash)
• User-generated content (journal entries, habits, lists, notes)
• Profile settings and preferences
• Communication with our support team

3.2 Information Collected Automatically

• Device information (type, operating system, browser type and version)
• IP address and location data (country and city level only)
• Usage data (features accessed, interaction patterns, timestamps)
• Performance and error data
• Local storage data and cache information

3.3 Technical Data and Cookies

We use the following types of cookies and technical storage:

Essential Technical Storage:

• Authentication tokens (session management)
• Security-related cookies
• User interface customization cookies

Functional Storage:

• Language preferences
• Theme settings
• Local data cache

Analytics Storage:

• Google Analytics cookies

Local Application Storage:

• IndexedDB storage for offline functionality
• LocalStorage for application state
• Service Worker cache for PWA functionality

4. Legal Bases for Processing

We process your personal data on the following legal bases under GDPR Article 6(1):

4.1 Contract Performance (Article 6(1)(b))

• Account creation and management
• Providing core service functionality (journaling, habit tracking, notes)
• Processing and storing user-generated content
• Technical service delivery

4.2 Legitimate Interests (Article 6(1)(f))

• Service improvement and optimization
• Bug fixing and error tracking
• Security monitoring and fraud prevention
• Analytics and usage patterns analysis

4.3 Legal Obligations (Article 6(1)(c))

• Compliance with tax regulations
• Responding to legal requests
• Maintaining security logs as required by law

4.4 Consent (Article 6(1)(a))

• Non-essential cookies and tracking
• Marketing communications

5. Data Sharing and Processors

5.1 Categories of Recipients

We share your personal data with the following categories of recipients:

5.1.1 Infrastructure and Hosting

Amazon Web Services (AWS) - Server hosting and storage

• Location: US East (N. Virginia)
• Purpose: Application hosting and data storage

5.1.2 Analytics and Monitoring

Google Analytics

• Location: EU and US
• Purpose: Usage analytics and service optimization
• Safeguards: Standard Contractual Clauses

5.1.3 Error Tracking

Sentry

• Location: EU
• Purpose: Application monitoring and error tracking

5.1.4 Email Services

Brevo (formerly Sendinblue)

• Location: EU (France, Paris)
• Purpose: Transactional emails and marketing communications
• Infrastructure providers: AWS and OVH Cloud(EU)

5.1.5 Payment Processing

We use Paddle (Paddle.com Market Limited) as our payment service provider:

• Location: UK and EU
• Purpose: Payment processing, subscription management, tax compliance
• Role: Merchant of Record (MoR)
• Data Processed:
  • Transaction information
  • Payment method details
  • Billing information
  • Tax-related information
• Data Retention: 7 years for tax compliance

5.2 Data Protection Agreements

All third-party processors are bound by Data Processing Agreements that ensure compliance with GDPR requirements and appropriate technical and organizational measures.

6. Technical and Security Measures

6.1 Data Security

• Encryption at rest and in transit (TLS 1.3)
• Regular security assessments and penetration testing
• Access control and authentication mechanisms
• Regular backup procedures
• End-to-end encryption for selected items (Premium feature)

6.2 Technical Implementation

• PWA (Progressive Web Application) implementation
• Service Worker caching strategies
• IndexedDB data structure and encryption
• Secure authentication token management

6.3 Monitoring and Incident Response

• 24/7 infrastructure monitoring
• Automated threat detection
• Incident response procedures
• Regular security audits

7. Your Rights Under GDPR

7.1 Rights Overview

Under the GDPR, you have the following rights:

• Right to Access (Article 15): Obtain confirmation of processing and access to your personal data.
• Right to Rectification (Article 16): Correct inaccurate or incomplete personal data.
• Right to Erasure (Article 17): Request deletion of personal data under certain circumstances.
• Right to Restriction (Article 18): Limit the processing of your personal data.
• Right to Portability (Article 20): Receive and transfer your personal data.
• Right to Object (Article 21): Object to processing based on legitimate interests.
• Right to Withdraw Consent (Article 7): Withdraw previously given consent.

7.2 Implementation of Rights

7.2.1 Data Access and Portability

• Access your data through the account settings panel
• Download your data in common formats (JSON, CSV)
• Request complete data archive via email

7.2.2 Data Deletion

• Delete individual items (notes, journals, habits) directly in the app
• Account deletion available in settings
• Request complete erasure via support

7.2.3 Exercise of Rights

To exercise your rights, you can:

• Use the relevant features in the application
• Contact us at support@yourmarbles.app

8. International Data Transfers

8.1 Data Storage Location

Primary data storage: AWS US East (N. Virginia)

8.2 Transfer Mechanisms

When we transfer data outside the EU/EEA, we ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Binding Corporate Rules (where applicable)

8.3 Current Transfer Activities

• Analytics: Google Analytics (EU-US Transfer)
• Email Service: Brevo (formerly Sendinblue) - (EU Processing)
• Error Tracking: Sentry (EU Processing)

Safeguards: Standard Contractual Clauses, EU-US Data Privacy Framewor

9. Data Retention

9.1 Retention Periods

• Account information: Duration of account existence plus 30 days
• User-generated content: Until user deletion or account termination
• Technical logs: 90 days
• Analytics data: 26 months
• Support communications: 2 years

9.2 Extended Retention

We may retain certain data longer when:

• Required by law
• Necessary for legal claims
• Required for audit purposes

9.3 Technical Storage Implementation

• Local storage: Cleared on logout or after 30 days
• Cache storage: Cleared based on browser settings
• IndexedDB: Maintained until account deletion

10. Technical Features and Implementation

10.1 Progressive Web App (PWA)

• Service Worker scope and caching strategies
• Offline functionality implementation
• Push notification handling
• Background sync mechanisms

10.2 Data Synchronization

Cross-device synchronization

• End-to-end encryption
• Conflict resolution
• Delta updates
• Bandwidth optimization

10.3 Export and Import

Data portability

• JSON export format
• Markdown export for journal and notes
• Bulk import capabilities
• Selective export options

10.4 Third-party Integrations

• Calendar synchronization
• Task manager integration
• Cloud storage providers
• Authentication providers

11. Changes to Privacy Policy

We reserve the right to update this Privacy Policy at any time. When we do, we will:

• Post the updated version on our website
• Update the "Last updated" date at the top of this page
• Notify you through the application or email for material changes
• Obtain consent where required by applicable law

12. Additional Information

12.1 Age Restrictions

Our Service is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13.

12.2 Data Protection Officer

You can contact our Data Protection Officer at:

• Email:support@yourmarbles.app
• Address: InfoNominal d.o.o., Ulica Brune Bušića 36, 10020 Zagreb, Croatia

12.3 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. In Croatia, this is:

Croatian Personal Data Protection Agency (AZOP)
Selska cesta 136
10000 Zagreb
Croatia

12.4 Security Breach Notification

In case of a personal data breach, we will notify you and the relevant supervisory authority in accordance with our obligations under the GDPR.

13. Contact Information

For any questions about this Privacy Policy or our data practices, please contact us at:

InfoNominal d.o.o.
Ulica Brune Bušića 36
10020 Zagreb
Croatia

Email: support@yourmarbles.app
Website: www.yourmarbles.app