Privacy Policy
What we collect, how we use it, and the controls you have.
Effective April 20, 2026
Marti only works if we can read what shoppers are looking for — so we take privacy seriously. This page tells you exactly what we collect, why, who we share it with, and how long we keep it.
The short version. We collect the minimum data needed to run Marti, we don't sell it, we use enterprise AI providers who don't train on it, and we do use it — de-identified — to improve our own systems. You have clear rights to access, correct, and delete your data; email marti@martimart.com and we'll act on it.
1. Who we are
Martimart Ltd (company number 517110128), an Israeli company, operates Marti. In data-protection language, we play two roles depending on the context:
- Data controller for our own websites (martimart.com), our creator storefronts, Marti Direct, and our account data for brands and creators. We decide what's collected and why.
- Data processor when Marti is installed on a brand's store and processes their shoppers' data on their behalf. In that case, the brand is the controller; we follow their instructions under a Data Processing Addendum.
2. Data we collect
Account data (brands and creators)
Name, work email, company name, country, billing details (handled by Paddle), and authentication metadata.
Shopper data (on partner stores and Marti Direct)
What shoppers browse, click, skip, and hesitate on; queries they type into Marti; items added to cart; device and browser metadata; coarse location (country/region) derived from IP; and, if they identify themselves (login, email signup, checkout), the identifiers they provide.
We don't collect health, financial, or other sensitive-category data beyond what a shopper types into the assistant. If a shopper types sensitive information voluntarily, we treat it as sensitive.
Chat transcripts
Conversations with Marti (both the assistant and any human follow-ups) are stored so the assistant can remember context across a session, so we can investigate issues, and so we can improve the model.
Cookies and similar technologies
See Section 7 for the full breakdown.
3. How we use it
- Run the service — generate recommendations, power the assistant, keep sessions continuous across pages.
- Billing and account management — charge subscriptions, send receipts, notify you of account activity.
- Security and fraud prevention — detect abuse, rate-limit the API, investigate incidents.
- Analytics — understand what's working and what isn't, in aggregate.
- Improve Marti — tune prompts, evaluate recommendation quality, train Marti-specific models (see Section 5).
- Communication — transactional emails (always), product updates (with a clear unsubscribe), and — only with your consent — marketing.
- Comply with law — respond to lawful requests, enforce our Terms.
Our legal bases under GDPR are: contract (running the service you signed up for), legitimate interests (security, analytics, improving Marti — balanced against your rights), consent (marketing, non-essential cookies), and legal obligation (tax records, lawful requests).
5. AI and model training
Marti uses AI models from OpenAI, Anthropic, and Google. These providers process data on our behalf under enterprise agreements that prohibit training their public foundation models on our inputs or outputs.
We do train Marti-specific models on data generated through the service — recommendation patterns, assistant behavior, quality signals. Before training, we de-identify the data: we remove direct identifiers (name, email, address) and aggregate shopper behavior so no single person can be recovered from a training set.
You can opt out of training on your data at any time by emailing marti@martimart.com. Brands and creators on Enterprise plans can set this as the default across their workspace in the DPA.
6. Sub-processors
These are the vendors that process personal data on our behalf as of the effective date:
- OpenAI, Anthropic, Google — language models powering the assistant. United States.
- Vercel — application hosting and edge network. United States.
- PostgreSQL (self-hosted on Vercel infrastructure) — primary database. United States.
- Mixpanel — product analytics. United States.
- Paddle — payments, subscription billing, merchant of record for SaaS. United Kingdom / United States.
When a sub-processor changes, we update this list and give notice to brands and creators at least 30 days before the change takes effect in their workspaces.
8. International transfers
Marti is operated from Israel, and our primary infrastructure and sub-processors are in the United States. If you're in the EU or UK, your personal data is transferred outside the EEA/UK.
We rely on (i) Israel's adequacy decision from the European Commission for EU→Israel transfers, and (ii) the Standard Contractual Clauses (and the UK Addendum where applicable) for any onward transfer to the United States, combined with supplementary measures — encryption in transit, encryption at rest, and vendor-side commitments.
9. How long we keep data
- Account and billing records — kept for the life of the account plus 7 years, to meet tax and accounting obligations.
- Chat transcripts and shopper behavior — retained for 24 months on a rolling window, or deleted within 30 days of a valid deletion request (subject to legal holds).
- Backups — retained for an additional 90 days, then cycled out.
- Analytics cookies — maximum 13 months per GDPR guidance.
10. Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
- Access — get a copy of the data we hold about you.
- Correction — fix inaccurate or incomplete data.
- Deletion — ask us to delete data we're not legally required to keep.
- Portability — receive your data in a machine-readable format.
- Objection / restriction — tell us to stop or limit certain uses (for example, analytics or improvement-training).
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Complain — to the Israeli Privacy Protection Authority, your EU supervisory authority, or (if you're in California) the California Attorney General.
California residents. We don't sell or share personal information as those terms are defined under CCPA/CPRA. You have the rights listed above and will not be discriminated against for exercising them.
To exercise any of these rights, email marti@martimart.com. We reply within 30 days.
11. Children
Marti is not intended for children. We don't knowingly collect personal data from anyone under 16. If you believe a child has given us data, email marti@martimart.com and we'll delete it.
12. Changes to this policy
We update this policy as Marti evolves. Material changes are announced in-product and by email to account holders at least 14 days before they take effect.
13. Contact
Privacy questions, data-rights requests, and DPA requests: marti@martimart.com.