Privacy Policy

When you create an account, we store your email address, name, and the credentials used to sign in. If you sign up through a payment, we also hold a billing record kept by our payment processor — MARIA never sees your card number.

Inside your workspace, we store the brand material you upload or generate: brand guidelines, voice samples, reference assets, written briefs, and every piece of content produced through MARIA.

We collect light usage analytics — pages visited, features used, error events — to understand how the product is working. These analytics are aggregated and do not include the substance of your generations.

Your data powers the service. We use it to authenticate you, render your workspace, generate the content you ask for, and send transactional notifications (billing receipts, security alerts, expiry warnings).

We fine-tune the model on your brand voice strictly inside the boundary of your own workspace. The voice profile we build for you is never reused for another customer.

We use aggregated analytics to improve the product. We do not use the content of your briefs or generations to train any external or shared model.

Every workspace is logically isolated. Brand data, voice profiles, uploaded references, and generation history belong to one workspace and are not visible from any other.

We do not sell, syndicate, or share workspace data between customers under any circumstance. The brand voice we learn for you remains exclusive to your account for as long as the workspace exists.

We rely on a small set of trusted sub-processors to run the service: Stripe for billing, Anthropic and OpenAI for model inference, Amazon Web Services for storage and compute, Plausible for privacy-friendly analytics.

Each sub-processor is bound by a data processing agreement and handles only the data needed to perform its function.

We do not sell personal data to advertisers or data brokers. We will disclose data to a public authority only when compelled by a valid legal request, and we will notify you when the law allows.

Active workspace data is retained for as long as your account is open. You can export or delete individual items at any time from the workspace settings.

When you delete your account, we keep your data for a 90-day grace period so the action can be reversed in case of mistake. After that window, production data is permanently removed.

Encrypted backups follow a rolling 12-month cycle. Within twelve months of account deletion, every trace of your workspace is purged from backup media.

Under the GDPR you have the right to access your data, correct it, erase it, port it to another service, restrict its processing, and object to processing based on legitimate interest.

To exercise any of these rights, write to privacy@maria.ai from the email associated with your account. We respond within thirty days and will not charge you a fee for a reasonable request.

You may also lodge a complaint with your local data protection authority — for EU residents, this is your national DPA.

Your workspace is hosted within the European Union. Day-to-day operations and storage stay within EU borders.

Some sub-processors — notably model inference providers — operate infrastructure outside the EU. When that happens, transfers are covered by the European Commission's Standard Contractual Clauses and equivalent safeguards.

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production systems is restricted to a small on-call team and gated by hardware-backed multi-factor authentication.

We are working towards SOC 2 Type II attestation and follow the practices it requires: least-privilege access, audit logging, periodic access reviews, and quarterly penetration tests.

If we ever discover a personal data breach, we will notify affected customers and the relevant supervisory authority within 72 hours of becoming aware of it.