Privacy policy

Marloo Privacy Policy


Document information


1. Introduction

Marloo Limited ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share personal information through Marloo, ensuring your data is handled responsibly and securely. By using Marloo, you agree to the terms of this policy. Region-specific provisions and details are included in relevant sections.

2. Scope and legal compliance

This policy applies to individuals located in Australia, the United Kingdom (UK), the European Union (EU), and New Zealand. It is designed to comply with the following privacy laws applicable to each region:

  • Australian Privacy Principles (APPs)
  • UK General Data Protection Regulation (UK GDPR)
  • UK Data Protection Act 2018
  • EU General Data Protection Regulation (GDPR)
  • New Zealand Privacy Act 2020

This policy is designed to comply with the applicable privacy laws in each region. Where differences exist, additional region-specific provisions are detailed in the Region-specific provisions section.


We may update this policy as legal requirements evolve, so we encourage you to review it periodically.

3. Data protection contacts

For privacy and data protection matters, you can contact:

  • Data Protection Officer (AU/NZ): Shakeel Lala
  • Data Protection Officer (UK/EU): Hardy Michel
  • Email: compliance@gomarloo.com

4. Legal bases for processing

We process personal data under the following lawful bases, depending on the region and applicable privacy laws:

  • Contract performance: To provide our core meeting summarisation services
  • Legitimate interests: For security operations and service improvements
  • Consent: For marketing communications (where applicable)

Our processing of personal data is subject to privacy laws applicable in your region. The specific legal bases for processing under NZ, AU, and UK/EU GDPR are detailed in the Region-specific provisions section.


5. Information we collect

We collect different types of personal data to provide Marloo’s services. The categories of data we collect include:

  • Personal data: Name, contact details, organisation affiliation
  • Client-related data: Information related to professional activities, financial circumstances, personal situations, and content shared in recorded meetings
  • Technical data: Device information, browser details, and IP addresses used for functionality and security
  • Sensitive data:
    • Given the nature of Marloo’s services, we may process sensitive data included in meeting discussions (e.g., financial, legal, health or other personal matters)
    • We do not actively collect or request this data, but if users share it in meetings, it may be processed as part of our service.
    • Under UK/EU GDPR (Article 9), processing special category data requires additional safeguards, and users should avoid sharing unnecessary sensitive information.

Given the nature of Marloo as a meeting summarisation tool, any information discussed in a meeting, including sensitive client data, may be collected and processed.


We collect personal data as outlined above. Some jurisdictions have additional requirements regarding data collection, which are outlined in the Region-specific provisions section.

6. How we use your information

We process personal data for the following purposes:

  • Service delivery: Providing and maintaining Marloo’s core features (e.g., transcription, summaries, compliance support).
  • Communications: Responding to customer inquiries, service updates, legal notices.
  • Compliance and security: Monitoring service integrity, preventing fraud, and ensuring regulatory compliance.

We do not use adviser-client-specific information for product improvement, development, or any other purpose that falls outside the scope of providing Marloo's core services.


We process personal data in line with applicable privacy laws. The specific legal requirements for data use in NZ, AU, and UK/EU are detailed in the Region-specific provisions section.


7. Data ownership and control

You retain full ownership of all personal and client data shared with Marloo. We process your data only as instructed by you and as required by law. Users have the right to:

  • Access their personal data.
  • Correct inaccurate information.
  • Request deletion of their data.
  • Restrict or object to processing.
  • Withdraw consent (where processing is based on consent).

Contact compliance@gomarloo.com to action any of these rights.


We process personal data in accordance with applicable laws. Users may exercise their rights as described in the Region-specific provisions section.


8. Data sharing and third-party processors

Your data may be shared with third-party processors to support Marloo's services. All of these infrastructure providers maintain SOC 2 Type 2 compliance. These providers are vetted to meet privacy standards under the Australian Privacy Act 1988, the New Zealand Privacy Act 2020, and UK/EU GDPR. They are categorised as follows:


Infrastructure and storage:

  • Amazon Web Services (AWS)
    • Data storage and cloud infrastructure (Sydney for AU/NZ customers, Ireland for UK/EU customers)
    • API hosting and processing
    • Encrypted data storage and backup services
  • Supabase
    • User authentication and database services
    • Hosted on AWS in the same regions as our primary infrastructure (Sydney/Ireland)
    • Stores user accounts and associated data
  • Cloudflare
    • Web security and content delivery
    • DDoS protection and threat management
    • Transit only - no permanent data storage

AI and processing:

  • SendGrid (email sending, no permanent storage)
  • Retool (workflow management, no permanent storage)
  • OpenAI (AI summarisation processing only, no permanent storage)
  • Recall (Meeting bot processing only, no permanent storage)
  • AssemblyAI (transcription, no permanent storage)

Our AI providers process data primarily for providing our service. By default, they retain data for 30 days. Under all circumstances, this data is not used for AI model training.


Business operations:

  • Google Workspace (Email and business operations)

All third parties comply with relevant privacy regulations and are vetted to meet Marloo Limited's data security standards. Any changes to our sub-processors will be communicated to customers.

9. Data retention and your rights

We handle data retention as follows:

  • Default retention: We retain customer data (transcripts, recordings, summaries) only for as long as necessary to provide our service or as required by law. Customers may request automatic deletion settings to align with their data retention policies
  • Optional retention: Customers can choose to delete meeting recordings and transcripts
  • Deletion requests: Upon request, we will delete specified data from all systems within 30 days
  • Sub-processor retention: Our AI providers have default retention periods of 30 days. They never use data for AI training. Other processors only store data as needed for service delivery

Your rights include:

  • Access your personal data
  • Correct inaccurate data
  • Request data deletion
  • Object to processing
  • Request data portability
  • Restrict processing
  • Withdraw consent

To exercise these rights, contact compliance@gomarloo.com.

10. Data security measures

Marloo Limited takes the security of your data seriously. We implement technical and organisational measures to protect against unauthorised access, disclosure, and loss of data, including:

  • Encryption: All data at rest is encrypted using AES-256 encryption. Data in transit is protected by TLS 1.2/1.3 protocols
  • Access controls: We enforce Multi-Factor Authentication (MFA) for system access
  • Audit trails and monitoring: Access logs are retained for a minimum of one year and regularly reviewed for compliance and security monitoring

11. Use of AI and data ethics

Marloo utilises third-party AI tools for transcription, summarisation, and other features. We ensure that:

  • No AI training with client or personal data: Your data will not be used to train AI models. This is explicitly prohibited in our agreements with AI providers
  • Accuracy assurance: While our AI aims for high accuracy, users are responsible for validating AI-generated outputs before use
  • Ethics and bias mitigation: AI bias and ethical reviews are conducted on artificially generated data only, ensuring fairness and reliability without using real client data
  • No automated decisions: AI processing is limited to transcription and summarisation only, and does not include any automated decision making that affects user rights or obligations

12. Data breach and incident response

In the event of a security incident or data breach:


Initial reporting: All incidents should be reported to security@gomarloo.com


Assessment: Our engineering team will assess and classify incidents based on severity (P0-Critical to P3-Low)


Response process: We follow a structured incident response process including:

  • Investigation and containment
  • Impact assessment
  • Remediation
  • Post-incident review

Notification: We will notify:

  • Affected users within 72 hours of confirmed breaches
  • The appropriate regional authority, such as the New Zealand Privacy Commissioner, Australian Information Commissioner, UK Information Commissioner’s Office (ICO), or the relevant EU Data Protection Authority

13. Cookies and tracking technologies

Marloo uses cookies and similar tracking technologies to enhance user experience, provide security, and improve our services. These may include:

  • Essential cookies: Required for core functionality (e.g., authentication, security).
  • Functional cookies: Used to remember preferences and settings.
  • Performance cookies: Provide analytics to improve service functionality.

Users may manage or disable cookies through their browser settings or by using the cookie consent management tool on our website. Additional legal requirements for cookie usage in NZ, AU, and UK/EU are outlined in the Region-specific provisions section.

14. Updates to the policy

This privacy policy may be updated periodically to reflect changes in our practices, legal requirements, or other factors. We will notify users of significant updates through email or via Marloo.


15. Region-specific provisions


This section outlines specific legal obligations, user rights, and regional variations under applicable privacy laws for individuals in Australia, the United Kingdom (UK), the European Union (EU), and New Zealand.


Legal compliance by region


Marloo complies with privacy laws applicable to users based on their location:

  • Australia: Marloo adheres to the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), which regulate the collection, use, and disclosure of personal information.
  • UK and EU: Marloo complies with the UK General Data Protection Regulation (UK GDPR), EU GDPR, and the UK Data Protection Act 2018, ensuring individuals’ rights regarding data processing, access, and rectification.
  • New Zealand: Marloo complies with the NZ Privacy Act 2020 and the Information Privacy Principles (IPPs). The New Zealand Privacy Commissioner oversees compliance and enforcement.

Legal bases for processing

  • Australia (APPs 3 & 6): We only collect personal information necessary for our functions and disclose it as permitted by law.
  • UK/EU GDPR (Article 6): Our legal bases include contract performance, legitimate interests, and user consent.
  • New Zealand (IPP 1): Personal information is processed only for lawful purposes.

User rights

  • Australia (APPs 12 & 13): Right to access and correct personal data.
  • UK/EU GDPR (Articles 15-21): Right to access, correct, delete, object to processing, and request data portability.
  • New Zealand (IPP 6 & 7): Right to access and correct personal information.

AI processing

Under UK/EU GDPR, users have the right to be informed about AI processing and to challenge outcomes if they believe their rights have been impacted. While Marloo relies on AI for transcription and summarisation, it does not use AI for automated decision-making affecting user rights.


Non-essential cookies

Depending on your location, the use of non-essential cookies is subject to specific privacy regulations:

  • Australia: You have the right to provide or withdraw consent for non-essential cookies in accordance with the Australian Privacy Act 1988.
  • UK/EU: Under UK/EU GDPR and the ePrivacy Directive, explicit consent is required before non-essential cookies can be placed on your device.
  • New Zealand: You must be informed about the collection of personal information through cookies as required by the NZ Privacy Act 2020 (IPP 3).

Data use and purpose

Marloo uses personal information only for the purposes communicated at the time of collection:

  • Australia (APP 6 & 7): Personal information can only be used for the purposes for which it was collected.
  • UK/EU GDPR (Articles 6 & 7): Users must provide explicit consent for certain types of data use, including marketing communications. Consent can be withdrawn at any time via account settings or by contacting compliance@gomarloo.com.
  • New Zealand (IPP 10 & 11): Personal data must be used only for the purposes for which it was collected.

Data breach notifications and complaint procedures

In the event of a confirmed data breach, Marloo will notify affected users within 72 hours and inform the appropriate regulatory authority (below). If users believe Marloo has violated their privacy rights, they can lodge a complaint with the relevant regional authority:

  • Australia: Office of the Australian Information Commissioner (OAIC) – www.oaic.gov.au.
  • UK/EU: UK Information Commissioner’s Office (ICO) or the relevant EU Data Protection Authority – www.ico.org.uk.
  • New Zealand: New Zealand Privacy Commissioner – www.privacy.org.nz or call 0800 803 909.

Contact for region-specific concerns

For privacy matters under specific regional laws, users can contact our data protection officers:

  • Australia & New Zealand: Shakeel Lala – compliance@gomarloo.com
  • UK & EU: Hardy Michel – compliance@gomarloo.com

Marloo Privacy Policy (10 Feb 2025)


Document information

  • Date: 10 February 2025
  • Version: 1.3
  • Data Protection Officer (AU/NZ): Shakeel Lala
  • Author: Shakeel Lala, IT Manager, Marloo Limited
  • Contact: compliance@gomarloo.com

1. Introduction

Marloo Limited ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share personal information through Marloo, ensuring your data is handled responsibly and securely. By using Marloo, you agree to the terms of this policy.

2. Scope and legal compliance

This policy is governed by and designed to comply with:

  • New Zealand Privacy Act 2020
  • Australian Privacy Principles (APPs)
  • UK General Data Protection Regulation (UK GDPR)
  • EU General Data Protection Regulation (GDPR)
  • UK Data Protection Act 2018

We may update this policy as legal requirements evolve, so we encourage you to review it periodically.

3. Data protection contacts

For privacy and data protection matters, you can contact:


4. Legal bases for processing

We process your personal data based on:

  • Contract performance: To provide our core meeting summarisation services
  • Legitimate interests: For security operations and service improvements
  • Consent: For marketing communications (where applicable)

5. Information we collect

We collect various types of personal and client-related information to provide Marloo's services, which may include but are not limited to:

  • Personal identifiers: Name, contact details, and organisation affiliation
  • Client financial and professional information: Information related to professional activities, financial circumstances, personal situations, and other content shared during recorded meetings
  • Technical data: Device information, browser details, and other online identifiers necessary for functionality and security

Given the nature of Marloo as a meeting summarisation tool, any information discussed in a meeting, including sensitive client data, may be collected and processed.

6. How we use your information

We use the information we collect for:

  • Service delivery: To provide and maintain Marloo's core functions, including transcription of meetings, generation of summaries, and compliance support
  • Communications: To support customer queries, provide updates on Marloo features, and deliver legal notices

We do not use adviser-client-specific information for product improvement, development, or any other purpose that falls outside the scope of providing Marloo's core services.

7. Data ownership and control

You retain full ownership of all personal and client data shared with Marloo. We only process your data in accordance with your instructions and legal obligations. You have the right to access, update, or request deletion of your data at any time by contacting compliance@gomarloo.com.

8. Data sharing and third-party processors

Your data may be shared with third-party processors to support Marloo's services. All of these infrastructure providers maintain SOC 2 Type 2 compliance. They are categorised as follows:


Infrastructure and storage:

  • Amazon Web Services (AWS)
    • Data storage and cloud infrastructure (Sydney for AU/NZ customers, Ireland for UK/EU customers)
    • Encrypted data storage and backup services
  • Supabase
    • User authentication and database services
    • Hosted on AWS in the same regions as our primary infrastructure (Sydney/Ireland)
    • Stores user accounts and associated data
  • Cloudflare
    • Web security and content delivery
    • DDoS protection and threat management
    • Transit only - no permanent data storage
  • Digital Ocean
    • API hosting and processing
    • Transit only - no permanent data storage

AI and processing:

  • SendGrid (email sending, no permanent storage)
  • Retool (workflow management, no permanent storage)
  • OpenAI (AI summarisation processing only, no permanent storage)
  • Recall (Meeting bot processing only, no permanent storage)
  • AssemblyAI (transcription, no permanent storage)

Our AI providers process data primarily for providing our service. By default, they retain data for 30 days. Under all circumstances, this data is not used for AI model training.


Business operations:

  • Google Workspace (Email and business operations)

All third parties comply with relevant privacy regulations and are vetted to meet Marloo Limited's data security standards. Any changes to our sub-processors will be communicated to customers.

9. Data retention and your rights

We handle data retention as follows:

  • Default retention: We retain all customer data (transcripts, recordings, summaries) indefinitely to provide our service unless otherwise specified
  • Optional retention: Customers can opt to have meeting recordings and transcripts not stored permanently.
  • Deletion requests: Upon request, we will delete specified data from all systems within 30 days
  • Sub-processor retention: Our AI providers have default retention periods of 30 days, with possible extensions for trust and safety purposes. They never use data for AI training. Other processors only store data as needed for service delivery

Your rights include:

  • Access your personal data
  • Correct inaccurate data
  • Request data deletion
  • Object to processing
  • Request data portability
  • Restrict processing
  • Withdraw consent

To exercise these rights, contact compliance@gomarloo.com.

10. Data security measures

Marloo Limited takes the security of your data seriously. We implement technical and organisational measures to protect against unauthorised access, disclosure, and loss of data, including:

  • Encryption: All data at rest is encrypted using AES-256 encryption. Data in transit is protected by TLS 1.2/1.3 protocols
  • Access controls: We enforce Multi-Factor Authentication (MFA) for system access
  • Audit trails and monitoring: Access logs are retained for a minimum of one year and regularly reviewed for compliance and security monitoring

11. Use of AI and data ethics

Marloo utilises third-party AI tools for transcription, summarisation, and other features. We ensure that:

  • No AI training with client data: Your data will not be used to train AI models. This is explicitly prohibited in our agreements with AI providers
  • Accuracy assurance: While our AI aims for high accuracy, users are responsible for validating AI-generated outputs before use
  • Ethics and bias mitigation: AI bias and ethical reviews are conducted on artificially generated data only, ensuring fairness and reliability without using real client data

12. Data breach and incident response

In the event of a security incident or data breach:


Initial reporting: All incidents should be reported to security@gomarloo.com


Assessment: Our engineering team will assess and classify incidents based on severity (P0-Critical to P3-Low)


Response process: We follow a structured incident response process including:

  • Investigation and containment
  • Impact assessment
  • Remediation
  • Post-incident review

Notification: We will notify:

  • Affected users within 72 hours of confirmed breaches
  • Relevant supervisory authorities as required
  • The appropriate regional authority (NZ Privacy Commissioner, Australian Information Commissioner, or UK ICO)

13. Cookies and tracking technologies

Marloo may use cookies and similar tracking technologies to enhance user experience, provide security, and improve our services. These may include:

  • Essential cookies: Required for core service functionality
  • Functional cookies: Remember your preferences and settings
  • Performance cookies: Help us understand how our service is used

You may manage or disable cookies through your browser settings.

14. Updates to the policy

This privacy policy may be updated periodically to reflect changes in our practices, legal requirements, or other factors. We will notify users of significant updates through email or via Marloo.


Privacy Policy (28 Jan 2025)

1. Introduction

Marloo Limited ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share personal information through Marloo, ensuring your data is handled responsibly and securely. By using Marloo, you agree to the terms of this policy.

2. Scope and legal compliance

This policy is governed by and designed to comply with:

  • New Zealand Privacy Act 2020
  • Australian Privacy Principles (APPs)
  • UK General Data Protection Regulation (UK GDPR)
  • EU General Data Protection Regulation (GDPR)
  • UK Data Protection Act 2018

We may update this policy as legal requirements evolve, so we encourage you to review it periodically.

3. Data protection contacts

For privacy and data protection matters, you can contact:

  • Data Protection Officer (AU/NZ): Shakeel Lala
  • Data Protection Officer (UK/EU): Hardy Michel
  • Email: compliance@gomarloo.com

4. Legal bases for processing

We process your personal data based on:

  • Contract performance: To provide our core meeting summarisation services
  • Legitimate interests: For security operations and service improvements
  • Consent: For marketing communications (where applicable)

5. Information we collect

We collect various types of personal and client-related information to provide Marloo's services, which may include but are not limited to:

  • Personal identifiers: Name, contact details, and organisation affiliation
  • Client financial and professional information: Information related to professional activities, financial circumstances, personal situations, and other content shared during recorded meetings
  • Technical data: Device information, browser details, and other online identifiers necessary for functionality and security

Given the nature of Marloo as a meeting summarisation tool, any information discussed in a meeting, including sensitive client data, may be collected and processed.

6. How we use your information

We use the information we collect for:

  • Service delivery: To provide and maintain Marloo's core functions, including transcription of meetings, generation of summaries, and compliance support
  • Communications: To support customer queries, provide updates on Marloo features, and deliver legal notices

We do not use adviser-client-specific information for product improvement, development, or any other purpose that falls outside the scope of providing Marloo's core services.

7. Data ownership and control

You retain full ownership of all personal and client data shared with Marloo. We only process your data in accordance with your instructions and legal obligations. You have the right to access, update, or request deletion of your data at any time by contacting compliance@gomarloo.com.

8. Data sharing and third-party processors

Your data may be shared with third-party processors to support Marloo's services. All of these infrastructure providers maintain SOC 2 Type 2 compliance. They are categorised as follows:


Infrastructure and storage:

  • Amazon Web Services (AWS)
    • Data storage and cloud infrastructure (Sydney for AU/NZ customers, Ireland for UK/EU customers)
    • Encrypted data storage and backup services
  • Supabase
    • User authentication and database services
    • Hosted on AWS in the same regions as our primary infrastructure (Sydney/Ireland)
    • Stores user accounts and associated data
  • Cloudflare
    • Web security and content delivery
    • DDoS protection and threat management
    • Transit only - no permanent data storage
  • Digital Ocean
    • API hosting and processing
    • Transit only - no permanent data storage

AI and processing:

  • Anthropic (AI summarisation processing only, no permanent storage)
  • Recall (Meeting bot processing only, no permanent storage)

Our AI providers process data primarily for providing our service. By default, they retain data for 30 days. This period may be extended for trust and safety purposes (such as abuse prevention and service monitoring). Under all circumstances, this data is not used for AI model training.


Business operations:

  • Google Workspace (Email and business operations)

All third parties comply with relevant privacy regulations and are vetted to meet Marloo Limited's data security standards. Any changes to our sub-processors will be communicated to customers.

9. Data retention and your rights

We handle data retention as follows:

  • Default retention: We retain all customer data (transcripts, recordings, summaries) indefinitely to provide our service unless otherwise specified
  • Optional retention: Customers can opt to have meeting recordings and transcripts not stored permanently.
  • Deletion requests: Upon request, we will delete specified data from all systems within 30 days
  • Sub-processor retention: Our AI providers have default retention periods of 30 days, with possible extensions for trust and safety purposes. They never use data for AI training. Other processors only store data as needed for service delivery

Your rights include:

  • Access your personal data
  • Correct inaccurate data
  • Request data deletion
  • Object to processing
  • Request data portability
  • Restrict processing
  • Withdraw consent

To exercise these rights, contact compliance@gomarloo.com.

10. Data security measures

Marloo Limited takes the security of your data seriously. We implement technical and organisational measures to protect against unauthorised access, disclosure, and loss of data, including:

  • Encryption: All data at rest is encrypted using AES-256 encryption. Data in transit is protected by TLS 1.2/1.3 protocols
  • Access controls: We enforce Multi-Factor Authentication (MFA) for system access
  • Audit trails and monitoring: Access logs are retained for a minimum of one year and regularly reviewed for compliance and security monitoring

11. Use of AI and data ethics

Marloo utilises third-party AI tools for transcription, summarisation, and other features. We ensure that:

  • No AI training with client data: Your data will not be used to train AI models. This is explicitly prohibited in our agreements with AI providers
  • Accuracy assurance: While our AI aims for high accuracy, users are responsible for validating AI-generated outputs before use
  • Ethics and bias mitigation: AI bias and ethical reviews are conducted on artificially generated data only, ensuring fairness and reliability without using real client data

12. Data breach and incident response

In the event of a security incident or data breach:


Initial reporting: All incidents should be reported to security@gomarloo.com


Assessment: Our engineering team will assess and classify incidents based on severity (P0-Critical to P3-Low)


Response process: We follow a structured incident response process including:

  • Investigation and containment
  • Impact assessment
  • Remediation
  • Post-incident review

Notification: We will notify:

  • Affected users within 72 hours of confirmed breaches
  • Relevant supervisory authorities as required
  • The appropriate regional authority (NZ Privacy Commissioner, Australian Information Commissioner, or UK ICO)

13. Cookies and tracking technologies

Marloo may use cookies and similar tracking technologies to enhance user experience, provide security, and improve our services. These may include:

  • Essential cookies: Required for core service functionality
  • Functional cookies: Remember your preferences and settings
  • Performance cookies: Help us understand how our service is used

You may manage or disable cookies through your browser settings.

14. Updates to the policy

This privacy policy may be updated periodically to reflect changes in our practices, legal requirements, or other factors. We will notify users of significant updates through email or via Marloo.


Document information

  • Date: 28 January 2025
  • Version: 1.1
  • Data Protection Officer (AU/NZ): Shakeel Lala
  • Data Protection Officer (UK/EU): Hardy Michel
  • Author: Shakeel Lala, IT Manager, Marloo Limited
  • Contact: compliance@gomarloo.com

Privacy Policy (26 Sept 2024)

1. Introduction

Marloo Limited (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share personal information through Marloo, ensuring your data is handled responsibly and securely. By using Marloo, you agree to the terms of this policy.

2. Scope & Legal Compliance

This policy is governed by and designed to comply with:

  • New Zealand Privacy Act 2020
  • Australian Privacy Principles (APPs)
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) and other US privacy laws

We may update this policy as legal requirements evolve, so we encourage you to review it periodically.

3. Information We Collect

We collect various types of personal and client-related information to provide Marloo’s services, which may include but are not limited to:

  • Personal Identifiers: Name, contact details, and organisation affiliation.
  • Client Financial & Professional Information: Information related to professional activities, financial circumstances, personal situations, and other content shared during recorded meetings.
  • Technical Data: Device information, browser details, and other online identifiers necessary for functionality and security.

Given the nature of Marloo as a meeting recording tool, any information discussed in a meeting, including sensitive client data, may be collected and processed.

4. How We Use Your Information

We use the information we collect for:

  • Service Delivery: To provide and maintain Marloo's core functions, including transcription of meetings, generation of summaries, and compliance support.
  • Communications: To support customer queries, provide updates on Marloo features, and deliver legal notices.
  • We do not use adviser-client-specific information for product improvement, development, or any other purpose that falls outside the scope of providing Marloo's core services.

5. Data Ownership & Control

You retain full ownership of all personal and client data shared with Marloo. We only process your data in accordance with your instructions and legal obligations. You have the right to access, update, or request deletion of your data at any time by contacting compliance@gomarloo.com.

6. Data Sharing & Third-Party Processors

Your data may be shared with third-party processors to support Marloo's services. These include cloud service providers, AI tools for transcription, and other technology partners. All third parties comply with relevant privacy regulations and are vetted to meet Marloo Limited's data security standards.

Marloo Limited ensures that all cross-border data transfers, including processing in jurisdictions like the US and EU, are compliant with privacy regulations such as GDPR, CCPA, the New Zealand Privacy Act 2020, and the Australian Privacy Principles (APPs).

7. Data Retention & Right to be Forgotten

We retain your personal data only as long as necessary to provide services or as required by law. If you request deletion, we will:

  • Securely Delete Data: Data will be removed from our active systems, and any backups will be destroyed within 30 days (subject to the capabilities of third-party providers).
  • Right to Access & Correct: You have the right to access your personal information and correct any inaccuracies.

To make a request regarding your data, please contact compliance@gomarloo.com.

8. Data Security Measures

Marloo Limited takes the security of your data seriously. We implement technical and organisational measures to protect against unauthorised access, disclosure, and loss of data, including:

  • Encryption: All data at rest is encrypted using AES-256 encryption. Data in transit is protected by TLS 1.2/1.3 protocols.
  • Access Controls: We enforce Multi-Factor Authentication (MFA) for system access and maintain a role-based access structure with super-admin and master privileges as required.
  • Audit Trails & Monitoring: Access logs are retained for a minimum of one year and regularly reviewed for compliance and security monitoring.

9. Use of AI & Data Ethics

Marloo utilises third-party AI tools for transcription, summarisation, and other features. We ensure that:

  • No AI Training with Client Data: Your data will not be used to train AI models.
  • Accuracy Assurance: While our AI aims for high accuracy, users are responsible for validating AI-generated outputs before use.
  • Ethics & Bias Mitigation: AI bias and ethical reviews are conducted on artificially generated data only, ensuring fairness and reliability without using real client data.

10. Data Breach & Incident Response

In the event of a security incident or data breach:

  • Breach Notification: Marloo Limited will notify affected users within 72 hours of detection, in line with GDPR requirements.
  • Incident Management: We have procedures in place to identify, contain, and remediate security issues. For any concerns regarding data security, please contact compliance@gomarloo.com.

11. Cookies & Tracking Technologies

Marloo may use cookies and similar tracking technologies to enhance user experience, provide security, and improve our services. You may manage or disable cookies through your browser settings. A detailed cookie policy will be provided where applicable.

12. Updates to the Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in our practices, legal requirements, or other factors. We will notify users of significant updates through email or via Marloo.

Document Information

  • Date: 26 September 2024
  • Version: 1.0
  • Author: Shakeel Lala, Compliance Manager, Marloo Limited
  • Contact: compliance@gomarloo.com