Marrow

Marrow — Privacy Policy

Last updated: 2026-04-26

This Privacy Policy describes how Vihaan Sharma, an individual operating as a sole proprietorship registered in Ontario, Canada, doing business as "Marrow" ("Marrow," "we," "us," "our"), collects, uses, shares, and protects personal information when you use Marrow (the "Service"). It applies to our website, web app, and any related features.

If you do not agree with this Policy, please do not use the Service.

1. Who We Are

Marrow is a research outreach copilot for pre-medical and other students. We are operated by Vihaan Sharma, sole proprietor, based in Ontario, Canada.

The Privacy Officer responsible for compliance with this Policy and applicable privacy laws (including Quebec Law 25 where it applies) is Vihaan Sharma, reachable at sharmavihaan190@gmail.com.

2. Information We Collect

We collect the following categories of information.

2.1 Information You Provide

  • Account information — name and email address from your authentication provider (Clerk).
  • Profile information — school, year of study, program, target specialties, target provinces, target schools, research interests, voice samples, preferred tone, and additional context you supply during onboarding.
  • Resume content — PDF files you upload, plus extracted text and structured fields (education, experience, skills, publications, awards) parsed via our unpdf server-side parser.
  • Outreach content — search queries, professor lists you build, draft emails (subject, body, rationale, source URLs), edits you make, and approval/send status.
  • Billing information — handled by Stripe; we receive a Stripe customer ID, subscription status, billing interval, and current period end. We do not store full card numbers ourselves.
  • Communications — emails or messages you send to us.

2.2 Information Collected Automatically

  • Usage data — pages viewed, features used, search and draft event counts, credits consumed, and session metadata. Stored in Convex (usageEvents, usageCounters) and PostHog.
  • Device and log data — IP address, browser type, operating system, referrer, timestamps, and similar diagnostic data. Used by Sentry for error monitoring and PostHog for product analytics.
  • Cookies and similar technologies — see Section 7.

2.3 Information from Third Parties

  • Clerk — basic identity attributes, email verification status, and OAuth-linked profile data when you sign up via a social provider.
  • Stripe — billing events and subscription status via webhooks.
  • Public sources / Firecrawl — professor metadata (name, institution, department, faculty page URL, lab URL, public email, research keywords, recent papers) collected via web search and scraping of Canadian and US university and hospital domains. This data is then summarized by an LLM and cached so that multiple users do not re-scrape the same source.
  • Optional Gmail integration — when you connect Gmail (e.g., via Composio), we use a restricted scope that lets you send approved drafts. We do not read other emails in your inbox.

We do not intentionally collect special-category data (health, race, biometrics, etc.). Please avoid uploading such data via your resume or voice samples.

3. How We Use Your Information

We use information to:

  1. Provide the Service — authenticate you, store your profile and resume, run searches, generate AI drafts, and queue them for your approval.
  2. Personalize drafts — combine your profile, resume, and the matched professor's snapshot to produce a personalized email.
  3. Process payments — manage subscriptions and billing through Stripe.
  4. Send transactional and product communications — account notices, billing receipts, security alerts, and important product updates.
  5. Improve the Service — analyze usage patterns, fix bugs, build new features, and tune relevance. We use de-identified or aggregated data wherever possible.
  6. Maintain security — detect abuse, fraud, scraping attempts, and policy violations.
  7. Comply with law — respond to legal requests, enforce our Terms, and protect rights, property, and safety.
  8. Marketing (optional) — with your consent or where permitted by law, send occasional product news. You can opt out at any time.

3.1 AI Processing

Drafts are generated by sending your profile excerpt, resume excerpt, and the matched professor's public snapshot to a third-party LLM provider (currently OpenAI). Per our agreement with the provider, your data is not used to train their general-purpose models. AI inputs and outputs may be retained for a limited period for abuse monitoring by the provider.

3.2 Legal Bases (GDPR/UK GDPR)

Where the GDPR or UK GDPR applies, we rely on:

  • Performance of a contract — to deliver the Service you signed up for.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve features (we balance this against your rights).
  • Consent — for optional cookies, marketing, and any sensitive processing.
  • Legal obligation — for tax, accounting, and compliance.

4. How We Share Information

We do not sell your personal information. We share it only as follows.

4.1 Service Providers (Subprocessors)

ProviderPurposeData shared
ClerkAuthentication, identityEmail, name, auth events
ConvexPrimary database and serverless functionsProfile, resume, drafts, usage events
VercelHosting and edge deliveryRequest metadata, log data
StripePayments and subscription managementEmail, name, billing identifiers
OpenAI (via Vercel AI SDK)AI text generationProfile excerpt, resume excerpt, professor snapshot, prompts
FirecrawlWeb search and scraping of public faculty pagesSearch queries, target URLs
PostHogProduct analytics and LLM telemetryUsage events, anonymized identifiers
SentryError monitoring and performanceError stack traces, request metadata, IP
Composio / Google (optional)Gmail integration to send approved draftsOAuth token, draft content you approve

These providers act as our processors and are bound by data-protection terms.

4.2 Recipients of Outreach Emails

When you approve and send a draft, the email is delivered to the professor's address. We do not control what they do with it. Sending happens either by you copying to clipboard or via the optional Gmail integration.

4.3 Legal Disclosures

We may share information when required by law, court order, or legitimate government request, or to protect rights, property, or safety. Where legally permitted, we will notify you.

4.4 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred to the successor entity, subject to this Policy.

4.5 With Your Consent

We may share information for any other purpose with your explicit consent.

5. International Data Transfers

We are based in Canada and the United States, and our subprocessors operate globally. Your information may be transferred to, stored in, and processed in countries other than your own, including the US, Canada, and the European Union. These countries may have different data-protection laws than your home jurisdiction.

When transferring personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as:

  • The European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum.
  • Adequacy decisions where applicable.
  • Other lawful transfer mechanisms.

You may request a copy of the relevant safeguards by contacting sharmavihaan190@gmail.com.

6. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy.

DataRetention
Account recordLife of account; deleted within 30 days of account closure
Resume file and parsed textUntil you delete it; or within 24 hours of an explicit deletion request; or within 30 days of account closure
DraftsUntil you delete them or close your account
Cached professor snapshotsUp to 12 months from last fetch (re-fetched periodically)
Usage events and analyticsUp to 24 months in PostHog; aggregated longer
Sentry error data90 days
Stripe billing recordsAs required by tax and accounting law (typically 7 years)
BackupsUp to 30 days after primary deletion

Some logs and aggregated/de-identified data may be retained longer for security, fraud prevention, and analytics.

7. Cookies and Tracking

We and our providers use cookies, local storage, and similar technologies for:

  • Strictly necessary — authentication (Clerk), session management, and security.
  • Functional — remembering preferences such as theme.
  • Analytics — usage analytics via PostHog.
  • Error monitoring — diagnostics via Sentry.

Where required, we present a cookie banner so you can accept or reject non-essential categories. You can also manage cookies via your browser settings. Disabling strictly necessary cookies may break sign-in.

We do not use third-party advertising cookies or sell data to data brokers. We do not currently respond to "Do Not Track" browser signals because there is no industry consensus on the standard, but we honor verifiable opt-outs (e.g., Global Privacy Control where applicable).

8. Security

We use commercially reasonable safeguards to protect your information, including:

  • TLS in transit, encryption at rest with our cloud providers.
  • Authentication via Clerk with hardened session management.
  • Least-privilege access for staff.
  • Vendor due diligence and SOC 2 / equivalent certifications where available.
  • Logging and monitoring via Sentry and PostHog.

No system is fully secure. If you believe your account or our Service has been compromised, contact sharmavihaan190@gmail.com immediately. We will notify affected users and regulators of qualifying breaches as required by law.

9. Your Rights

Depending on where you live, you may have the following rights:

9.1 GDPR / UK GDPR (EEA, UK, Switzerland)

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion ("right to be forgotten").
  • Restriction — limit our processing.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — at any time, without affecting prior lawful processing.
  • Lodge a complaint — with your local supervisory authority.

9.2 CCPA / CPRA (California Residents)

  • Right to know what personal information we collect, use, and share.
  • Right to delete personal information.
  • Right to correct inaccurate information.
  • Right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising).
  • Right to limit the use of sensitive personal information.
  • Right to non-discrimination for exercising these rights.

9.3 Canada (PIPEDA, Quebec Law 25)

  • Access and correct your personal information.
  • Withdraw consent (subject to legal or contractual restrictions).
  • Request information about disclosures and automated decisions.
  • File a complaint with the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec.

9.4 How to Exercise Rights

Email sharmavihaan190@gmail.com from the address associated with your account. We will verify your identity and respond within the time required by applicable law (generally 30 days for GDPR, 45 days for CCPA, extendable). You may use an authorized agent where the law permits.

We will not retaliate against you for exercising any of these rights.

10. Automated Decision-Making and AI

Marrow uses AI to:

  • Rank professors by research overlap.
  • Draft personalized email text.
  • Summarize professor research.

These are assistive features. They do not produce legal or similarly significant effects on you. Every email requires your explicit human approval before sending. You can edit, reject, or replace any AI output.

If you have questions about the logic of an AI suggestion, contact us.

11. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you believe a child has provided personal information, contact sharmavihaan190@gmail.com and we will delete it promptly.

12. Third-Party Links

Our Service may link to third-party websites, including the faculty and lab pages we display in search results. We are not responsible for their content or privacy practices. Please review their policies before sharing personal information with them.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the "Last updated" date.
  • For material changes, give you reasonable advance notice via email or in-app notice.
  • Where required, obtain your consent.

Continued use of the Service after the effective date of a change means you accept the updated Policy.

14. Contact Us

For privacy questions, requests, or complaints:

  • Email: sharmavihaan190@gmail.com
  • Mailing address: 210 Huguenot Rd, Oakville, Ontario L6H 0L6, Canada
  • Data Controller / Operator: Vihaan Sharma, sole proprietor (Ontario, Canada), doing business as Marrow
  • Privacy Officer: Vihaan Sharma (sharmavihaan190@gmail.com)
  • Jurisdiction: Province of Ontario, Canada

If we cannot resolve your concern, you may contact the data-protection authority in your jurisdiction. Canadian residents may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Information and Privacy Commissioner of Ontario (ipc.on.ca). Quebec residents may contact the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).