Privacy Policy

Effective date: 5 May 2026 · Last updated: 11 May 2026

Marv ("we", "our", "the app") is a personal family organisation tool. This policy explains what data we collect, why we collect it, and your rights under UK GDPR. By using Marv you agree to this policy.

1. Who we are

Marv is operated in the United Kingdom. If you have any questions about this policy or your data, contact us at admin@heymarv.co.uk.

2. What data we collect

Account information

Name, email address, and profile photo obtained from your Google or Microsoft sign-in.
An account identifier (UID) assigned by Firebase Authentication.

Family data

The family name and names, roles, and dates of birth of family members you enter within the app.
Which family members are associated with your account.
An AI-maintained family profile: a short plain-text summary (under 400 words) built up over time from processed emails. It records things like which email senders relate to which child, school names, year groups, and regular activities. It is used solely to improve event assignment within Marv and is not shared with third parties.
A log of each email processed: the email subject line, sender address, timestamp, and the number of events extracted. The original email body is not stored.

Forwarded emails

When you set up email forwarding, the full text of emails you choose to forward to Marv is processed to extract calendar events, tasks, and reminders.
Email content is processed by the Claude AI service (Anthropic) and is not retained beyond the duration of that processing request.
We store a summary of extracted events and tasks in your family's database record, not the original email body.

Google Calendar data

When you sign in with Google and grant calendar access, we read and write events on your Google Calendar.
We create calendar events from information extracted from your forwarded emails.
We read existing events solely to display them within the app and to avoid creating duplicates.
We do not share your calendar data with any third party except as described in Section 4.

Usage data

Basic request logs may be retained by Netlify (our hosting provider) for security and abuse prevention. We do not use analytics tracking or advertising cookies.

3. Google API Services — User Data

Marv's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google data we access

When you connect a Google account, Marv requests the following OAuth scopes:

openid, profile, email — your name, email address, and profile photo, used to identify your account and display your name within the app.
https://www.googleapis.com/auth/calendar — read and write access to your Google Calendar, used to create calendar events from your forwarded emails and to display your upcoming events within Marv.

How we use Google user data

Profile information (name, email, photo) is used solely to authenticate you and identify your Marv account. It is stored in Firebase Authentication and is not shared with any third party.
Calendar read access is used to retrieve your upcoming events for display within Marv and to check for duplicate events before creating new ones.
Calendar write access is used exclusively to create calendar events extracted from emails you have chosen to forward to Marv. We do not modify or delete existing events.
OAuth access tokens and refresh tokens are stored securely in our Firebase database and are used only to perform the calendar operations described above on your behalf.

Limitations on use of Google user data

Google user data is used only to provide and improve the features you see in Marv. It is not used for any other purpose.
We do not use Google user data to serve advertisements.
We do not sell Google user data or allow any third party to use it for their own purposes.
We do not allow any human to read your Google user data except where you have given explicit consent, or where required by law.
Your Google Calendar data is never sent to the Claude AI service (Anthropic). Only the text of emails you forward to Marv is processed by Claude.

You may revoke Marv's access to your Google account at any time at myaccount.google.com/permissions.

4. Why we process your data (legal basis)

Performance of a contract — processing your account information and family data is necessary to provide the Marv service.
Legitimate interests — processing forwarded email content to extract calendar events is the core function you have specifically requested.
Consent — accessing your Google Calendar requires your explicit consent via Google's OAuth flow. You may revoke this at any time in your Google Account settings.

5. Third-party services

Marv relies on the following third-party services to operate. Each has its own privacy policy.

Google (Firebase & Google Calendar API) — authentication, database, and calendar integration. Google Privacy Policy.
Microsoft (Microsoft Graph API) — optional Microsoft account sign-in. Microsoft Privacy Statement.
Anthropic (Claude API) — AI processing of email content to extract events. Data sent to Anthropic is subject to their Privacy Policy. Anthropic does not use API request data to train models by default.
Netlify — website hosting and serverless functions. Netlify Privacy Policy.

We do not sell your personal data to any third party.

6. How long we keep your data

Your account and family data are retained for as long as your account is active.
You may request deletion of your account and all associated data at any time by emailing admin@heymarv.co.uk.
On deletion, we remove all Marv-held data for your family: member records, extracted events, email sources, calendar connections, processing logs, the AI family profile, and all account lookup records. After deletion, any family member who signs in will find no account and can register fresh.
We are not able to delete your Google or Microsoft authentication account — those are managed by Google and Microsoft respectively and contain only the information you provided to them. You can manage or delete those accounts directly with the relevant provider.
Forwarded email bodies are not stored — only the extracted structured data (event title, date, time, assignee).

7. Your rights under UK GDPR

You have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — ask us to delete your personal data.
Restriction — ask us to limit processing of your data.
Portability — receive your data in a machine-readable format.
Object — object to processing based on legitimate interests.
Withdraw consent — revoke Google Calendar access at any time via your Google Account settings at myaccount.google.com/permissions.

To exercise any of these rights, email admin@heymarv.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

Marv does not use tracking or advertising cookies. Firebase Authentication uses local storage to maintain your signed-in session. No third-party advertising cookies are used.

9. Data security

All data is transmitted over HTTPS. Firebase Realtime Database access is restricted by security rules so that each family can only access their own data. We take reasonable technical and organisational measures to protect your personal data, but no system is completely secure.

10. Children's privacy

Marv is designed for adult family members to manage family information. We do not knowingly collect personal data directly from children. Information about children (such as family member names) is entered and managed by an adult account holder.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the effective date above. Continued use of the app after changes constitutes acceptance of the updated policy.

12. Contact

admin@heymarv.co.uk
United Kingdom