Last Updated: June 7, 2026
MarkIt is a universal capture tool run by Tomer Ezri, a sole proprietor based in Israel. We save the links, notes, screenshots, documents, and messages you send us, organize them with AI, and let you search them later. We do not sell your data, we do not train third-party AI models on it, and we do not show you ads. This policy is the long version. If anything below is unclear, email [email protected].
user_engagement.phone_raw) used by our outbound-messaging code. We are migrating to hash-only storage; until that migration completes, the raw phone number is retained while you have WhatsApp linked and is deleted when you unlink WhatsApp or delete your account. Every inbound and outbound message is logged in an audit table for up to 30 days for abuse-prevention and support purposes. If you unlink WhatsApp we delete the logs for your account immediately.
sb- prefix) so you stay signed in.
markit_invite_code cookie (10 minutes, during Google OAuth redirect).
We run our own click and scroll tracking so we can improve the dashboard. For each event we store: a random per-tab session ID (not your user ID, not your IP), the page URL (capped at 500 characters), the event type (click, scroll, rage-click, dead-click, page view), normalized coordinates, scroll depth, time on page, and the element you interacted with (tag name, ID, CSS classes, and up to 50 characters of visible text such as a button label).
We never record the text you type: inputs, textareas, selects, and any field marked as a password, email, or phone number are masked before being written anywhere.
We do not use third-party analytics providers. No PostHog, no Google Analytics, no Mixpanel, no Amplitude. Your IP is used only as a rate-limit key in memory and is not persisted.
MarkIt is currently a free beta. When we turn on paid tiers, billing will be handled by a regulated payment processor and we will update this policy with that processor's name and role before charging anyone.
If you ask for early access through our request form (before you have an account), we collect:
When you submit a request, the email and pitch plus the signals above are forwarded to an internal inbox at [email protected] via Resend so our team can review it (the same way feedback is handled in Section 2.8). Please do not include sensitive personal information, or other people's personal data, in your pitch.
We use this only to evaluate and grant early access and to prevent abuse of the form. We do not name a separate sub-processor for this data; it is handled by the processors already listed in Section 4. Retention is described in Section 8.
EU and UK GDPR require us to disclose the legal basis for each purpose. The table below does that.
| Purpose | Data categories | Legal basis | Retention |
|---|---|---|---|
| Create and run your account, save captures, run search | Account, captured content, metadata, integration data | Contract (Art. 6(1)(b)) | Until you delete your account |
| Auto-categorize, tag, summarize, and embed your items | Captured content, derived metadata | Contract (Art. 6(1)(b)) - this is the product you signed up for | Until you delete the item or account |
| Deliver the reminders you scheduled - by email, WhatsApp, or Telegram - and the calendar events you add | Account data, reminder settings, your WhatsApp/Telegram link (if connected), Google tokens (if connected) | Contract (Art. 6(1)(b)) | Until the reminder fires, then per normal retention |
| Engagement emails (product tips, milestone messages) | Account data, engagement metadata | Legitimate interest (GDPR Art. 6(1)(f)) combined with the soft-opt-in exemption in Member-State implementations of ePrivacy Directive 2002/58/EC Art. 13(2) (for UK users, Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003), with one-click unsubscribe in every message. Where a Member State's implementation does not allow soft opt-in, we fall back to explicit prior consent. | Until you unsubscribe |
| WhatsApp proactive messages | Phone hash, engagement metadata | Consent (GDPR Art. 6(1)(a)) and the prior-consent requirement under ePrivacy Directive Art. 13(1) as implemented locally - explicit opt-in, default off | Until you reply STOP or revoke |
| Evaluate early-access requests + prevent form abuse | Email, pitch, hashed IP, country, source page, user-agent | Legitimate interest (Art. 6(1)(f)); requester voluntarily submits | 30 days after a decision; 90 days if never decided |
| Fraud prevention, abuse monitoring, rate limiting | Account data, bot audit logs, heatmap session IDs | Legitimate interest (Art. 6(1)(f)) | Server request logs retained per Vercel's platform policy; 30 days for bot audit; 500k-row circuit breaker for heatmaps |
| In-house product analytics (heatmaps, aggregate usage) | Pseudonymous session data, page URLs, click metadata | Legitimate interest (Art. 6(1)(f)) - first-party, no cross-site tracking, input fields masked | Rolling; ingestion pauses at 500k events |
| Legal, tax, and regulatory compliance | Whatever the law requires | Legal obligation (Art. 6(1)(c)) | As long as the obligation requires |
| Protecting the service (security incidents, disputes) | All relevant data | Legitimate interest (Art. 6(1)(f)) | For the duration of the incident plus limitation periods |
For direct marketing outside the soft-opt-in model (for example, a future newsletter to prospects who are not yet customers), we will rely on your explicit consent and will ask for it at the point of collection.
We do not sell your personal data and we do not "share" it for cross-context behavioral advertising under the CCPA definition. The companies below process data on our behalf (or, where noted, act as independent controllers) under written contracts that restrict use to the purposes listed.
| Vendor | Role | What they receive | Hosting region | Transfer mechanism |
|---|---|---|---|---|
| Supabase, Inc. | Processor (primary database, auth, storage) | Everything stored in our database and the three storage buckets (items, user-uploads, ai-generated-images) | Region tied to our Supabase project; email [email protected] and we will confirm the current data-residency region before you rely on it | Standard Contractual Clauses 2021/914 (EU Commission Implementing Decision 2021/914) incorporated into Supabase's DPA; Supabase is not DPF-certified |
| OpenAI, LLC | Processor (AI inference and embeddings) | Item titles, URLs, scraped text, user notes, handwritten or document OCR text, and images for vision OCR. Output is not used to train OpenAI's public models per OpenAI's API data policy (default since March 2023). OpenAI retains API requests for up to 30 days for abuse monitoring under its default policy and we do not currently have a zero-data-retention flag on our account. | US | SCCs 2021/914; EU-US Data Privacy Framework certification where applicable |
| Apify Technologies s.r.o. | Processor (social-media scrapers for Instagram, TikTok, Facebook, LinkedIn, YouTube captions) | The public URL you saved. No user identifier. | Czech Republic (EU) | Intra-EU transfer at the Apify leg; data still transits US infrastructure upstream (Vercel/Supabase) under SCCs 2021/914 |
| Jina AI GmbH (r.jina.ai) | Processor (reader extraction for non-social URLs) | The public URL you saved. No user identifier. | Germany (EU); requests to the r.jina.ai endpoint may be routed via global CDN for latency, but data is processed in the EU | Intra-EU at the Jina leg; SCCs 2021/914 for any US CDN leg upstream |
| weserv.nl (operated from the Netherlands) | Processor (on-the-fly image proxy and resize for social-CDN images) | The source image URL | Netherlands (EU); fetches public images through a CDN | Intra-EU transfer at the weserv leg; standard SCC mechanism for any CDN leg that touches the US |
| Resend, Inc. | Processor (email delivery) | Your email address, email subject, full HTML body of messages we send you | US | SCCs 2021/914 |
| WaSender (WasenderAPI) | Processor (WhatsApp Business API relay) | Your phone number (without + prefix) and the bot message body | Region not published; treat as global | SCCs where applicable |
| Meta Platforms, Inc. (WhatsApp Business Platform) | Independent controller for the messaging service; processor for message content per WhatsApp Business Data Processing Terms | Phone number and message content, via WaSender | US / Ireland | EU-US Data Privacy Framework; WhatsApp Business Data Transfer Addendum |
| Telegram Messenger Inc. | Independent controller for the messaging service | Telegram user ID, chat ID, message content | Global (Telegram does not publish region pins) | Reliance on Telegram's own terms |
| Google LLC (OAuth sign-in) | Independent controller for your Google account; processor for our OAuth request | Your Google email, name, avatar | US | EU-US Data Privacy Framework |
| Google LLC (Calendar API) | Independent controller for your calendar data | Event summary, description, start/end, reminder settings, and a private extended property containing the MarkIt item ID, for events you explicitly scheduled | US | EU-US Data Privacy Framework |
| Vercel, Inc. | Processor (application hosting and edge) | All HTTP traffic to the Service; standard platform logs per Vercel's own policy | US default unless we pin a region | EU-US Data Privacy Framework (Vercel is DPF-certified); SCCs 2021/914 as a secondary mechanism |
| Cloudflare, Inc. | Processor (bot-search relevance reranker via Cloudflare Workers AI) | For each bot search call: the search query plus title and content snippets (up to 600 characters each) of candidate items from your library. Per Cloudflare's Workers AI Data Usage policy, Cloudflare does not use this content to train AI models, does not retain it beyond inference, and does not share it with other Cloudflare customers. | Cloudflare global edge network | EU-US Data Privacy Framework (Cloudflare is DPF-certified); SCCs 2021/914 as a secondary mechanism |
| Cloudflare, Inc. (R2 object storage) | Processor (encrypted off-site backup storage via Cloudflare R2) | Encrypted backup copies of your account data: a nightly database dump (your items, categories, tags, notes, links, reminders, and account records) and a weekly copy of our storage buckets (uploaded images and documents). Backups are encrypted with age before they leave our systems, so Cloudflare stores only opaque encrypted blobs it cannot read; we hold the decryption key. See Section 8 for retention and post-deletion handling. | Western Europe (EU) | EU-US Data Privacy Framework (Cloudflare is DPF-certified); SCCs 2021/914 as a secondary mechanism |
We keep written data-processing agreements (Article 28 GDPR) with every processor above. We maintain an internal record of sub-processors and will update this list before adding a new one that materially changes the data flow.
Beyond this list, we may disclose data where required by law, by court order, or by a government request with legal authority. We may also transfer data in a merger, acquisition, or asset sale; if that happens, we will notify you in advance and let you delete your account before the transfer takes effect.
MarkIt offers two optional messaging-bot integrations: a WhatsApp bot delivered through WaSender (which relays the WhatsApp Business API) and a Telegram bot built on the official Telegram Bot API. You activate either integration explicitly from Settings > Integrations by clicking Connect. This section is the Article 13 notice for the data processing that begins at that click.
Lawful basis. Once you click Connect, MarkIt processes the content you send the bot under GDPR Article 6(1)(b) - performance of a contract. The contract is the user-facing agreement to provide bot capture, search, and reminder features in exchange for processing the messages and media you forward. Connect is the activation moment; disconnect is the termination of that sub-contract.
What we process and why.
We do not name sub-processors inline in this subsection because the canonical list lives in Section 4. If we add or replace a bot-related sub-processor we will update that table and bump the "Last Updated" date at the top of this page.
Retention of bot data. Bot audit logs follow the schedule documented in Section 2.4 and Section 8: whatsapp_messages auto-purge after about 30 days and are deleted immediately when you unlink WhatsApp; telegram_messages are retained for abuse prevention pending a parallel delete-on-unlink path. Saved items captured through the bot are stored under your account and deleted only when you delete the item or your account.
Contract-activation record. To meet the Article 5(2) accountability requirement we keep a small bot_link_history record of when each integration was activated and disconnected, alongside the version of the consent notice shown to you at the time. This record survives disconnect for the limitation period and is used only to demonstrate, on request, that the integration was activated by you and when. It does not contain message content.
How to withdraw. You can end the integration any time. From the web, open Settings and tap Disconnect on the WhatsApp or Telegram card. From inside the bot, send /unlink on either platform. Disconnect terminates the sub-contract and removes your bot link record. Saved items captured during the integration are kept under your account until you delete them.
We use OpenAI (GPT-5 nano for text tasks and embeddings, GPT-5 vision for image OCR, plus an image-generation model for the optional AI image feature) for the following:
None of these decisions produce a legal or similarly significant effect on you under GDPR Article 22. Every AI label is reversible with one click in the UI: you can rename categories, edit tags, correct summaries, move an item back to "Unsorted", or delete the item entirely.
OpenAI processes your data as our processor under the OpenAI API data policy. OpenAI does not train its publicly available models on API data by default. OpenAI retains API requests for up to 30 days for abuse monitoring. We do not have an OpenAI zero-data-retention agreement on our account today.
We do not send Google Calendar data to OpenAI today. We do not send payment data to OpenAI today. We will update this policy and obtain your consent before adding any feature that would change this.
When you send feedback through the in-app feedback widget, the message text is sent to OpenAI (gpt-5-nano) so we can automatically classify it (category and priority) for our internal triage. OpenAI processes it on our behalf as described above and does not train its publicly available models on it by default. If you would rather your feedback not be processed this way, email us at the address in Section 2.8 instead of using the widget.
If you connect Google Calendar, MarkIt requests the narrowest scope that fits the reminder feature: https://www.googleapis.com/auth/calendar.events, plus openid, userinfo.email, and userinfo.profile so we can identify your account.
MarkIt's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
The Google API Services User Data Policy permits the use and transfer of information received from Google APIs only for the following purposes. The four exceptions below are quoted verbatim from Google's policy:
Applied to MarkIt: we use Google Calendar data only to create, read, update, and delete the reminder events you schedule inside MarkIt, which is a user-facing feature prominent in the MarkIt interface. We do not use Google Calendar data to serve advertisements, including retargeting, personalized, or interest-based advertising. Humans at MarkIt do not read Google Calendar data except where an exception above applies. Beyond those exceptions, MarkIt voluntarily commits that if a merger, acquisition, or asset sale ever occurs, we will give you advance notice and the opportunity to delete your data.
We do not use Google Calendar data to train AI or machine-learning models of any kind, and we do not send Calendar data to OpenAI.
OAuth tokens live only in your browser's NextAuth session cookie. We do not copy them to our database. To revoke access at any time, sign out of your Google account in MarkIt or visit myaccount.google.com/permissions and remove MarkIt. There is no "revoke" button inside MarkIt yet - this is on our roadmap.
MarkIt is operated from Israel. Our primary database (Supabase) and application hosting (Vercel) are in the United States. Several sub-processors are located in the US, the EU, or operate globally. Israel is currently recognized by the European Commission as offering an adequate level of data protection for transfers from the EEA under Commission Decision 2011/61/EU. If that decision is amended or revoked, we will update this policy and apply SCCs to those transfers.
Your data is transferred outside the European Economic Area, the United Kingdom, and Israel when it reaches US-based sub-processors. We rely on two mechanisms, in this order of priority for each recipient: (a) the EU-US Data Privacy Framework and its UK Extension, where the recipient is certified (currently Vercel; see dataprivacyframework.gov/list for current status); and (b) the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) together with the UK Addendum to the SCCs, which are incorporated into each sub-processor's Data Processing Agreement. For Israel, we rely on the EU adequacy decision for Israel. For each sub-processor we assess the level of protection in the receiving country before transferring. You can request a copy of the transfer-impact assessment from [email protected].
For transfers from Israel, where the recipient country is not on the Israeli Privacy Protection Authority's list of adequate jurisdictions, we use a written contract that binds the recipient to standards equivalent to the PPL and the Israeli Data Security Regulations 2017.
whatsapp_messages, telegram_messages): whatsapp_messages are set to auto-purge after about 30 days and are deleted immediately when you unlink WhatsApp. telegram_messages are currently retained for abuse prevention and are not yet deleted when you unlink Telegram - we will add a parallel delete on the Telegram side; in the meantime, email [email protected] to have your Telegram audit rows removed.
No system is perfectly secure. If a breach is likely to risk your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33). Where the risk to you is high, we will notify you without undue delay (GDPR Art. 34).
You have the following rights regardless of where you live. We will honor them within 30 days, extendable once by an additional 30 days for complex requests (GDPR allows up to three months; we target 30 days as our standard).
To exercise any of these rights, email [email protected] from the address on your account or from an address you can verify you control. We may ask you to confirm your identity if the request is not obviously from you.
STOP in English. (We are adding Hebrew STOP - reply STOP in English for now; or unlink WhatsApp from Settings at any time to stop all WhatsApp messages.)
/unlink in the bot (links to your MarkIt account are removed) or unlink Telegram from Settings. Your Telegram audit logs are retained per the general retention schedule and are removed on account deletion.
This section applies if you are a California resident. We treat these rights as extending to all US residents regardless of state.
Categories of personal information we collected in the preceding 12 months (using the CCPA's statutory categories under Cal. Civ. Code § 1798.140(v)(1)):
| CCPA category | Collected? | Source |
|---|---|---|
| A. Identifiers (name, email, IP) | Yes | Direct from you / Google OAuth |
| B. Customer records (CA CC 1798.80(e)) | No | - |
| C. Protected classifications | No | - |
| D. Commercial information | Yes (credit/feature usage) | Inferred from activity |
| E. Biometric information | No | - |
| F. Internet or network activity | Yes (heatmap events, clicks) | In-browser telemetry |
| G. Geolocation data | No (only coarse IP region for rate limits, not stored) | - |
| H. Sensory data (audio, visual, thermal, olfactory) | No | - |
| I. Professional or employment information | No | - |
| J. Education information | No | - |
| K. Inferences | Yes (category/tag/engagement-segment assignments) | Derived by our AI |
Sources: directly from you, from Google (OAuth profile), from Apify/Jina (public content you chose to save), and from your device (session data).
Purposes: see section 3. Business purposes: providing the service, preventing fraud, and ensuring security.
We do not sell personal information. Disclosures to the vendors in Section 4 are made to service providers under written contracts that meet CCPA § 1798.140(ag) requirements and that restrict use of the personal information to providing the services to MarkIt. We do not "share" personal information for cross-context behavioral advertising under the CCPA definition. We honor the Global Privacy Control signal as a valid opt-out of sale or sharing, even though we have no such activities.
Sensitive Personal Information: we do not collect any SPI (CA CC § 1798.140(ae)) - no government IDs, financial account numbers, precise geolocation, racial/ethnic/religious origin, union membership, genetic/biometric data, health information, or sexual-orientation data. Users may upload such data into their own captured content (notes, documents); they remain responsible for that, and we treat it as User Content subject to standard protections, not as SPI we collect for our own purposes.
Shine the Light (Cal. Civ. Code § 1798.83): we do not disclose personal information to third parties for their own direct-marketing purposes. California residents are entitled to request this information once per year; the response for MarkIt would be: none.
Your California rights: to know, to delete, to correct, to opt out of sale/share (not applicable to us), to limit use of sensitive PI (not applicable, since we collect no SPI), and not to be retaliated against for exercising these rights.
Automated decision-making technology (ADMT): our AI categorization, tagging, summarization, and engagement segmentation are ADMT under the CPPA definition. California's Automated Decisionmaking Technology regulations were adopted by the California Privacy Protection Agency in September 2025 and are being implemented on a phased schedule. MarkIt's AI features do not make decisions that produce legal or similarly significant effects on users (our AI only suggests a category, generates a tag, summarizes text, or ranks search results - all of which you can override), so the ADMT transparency obligations that apply to us are limited. We will update this policy if any MarkIt feature begins producing ADMT-covered decisions.
How to exercise: email [email protected]. We verify by replying to the address on file.
If you are in the UK, the rights listed in section 10 apply under the UK GDPR. You can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint. We rely on the "soft opt-in" in Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 for engagement emails to existing users, and every such message carries a one-click unsubscribe. We will name a UK Article 27 representative in this policy before the Service is generally available to UK residents outside the closed invite-only beta.
MarkIt is operated from Israel and the controller is an Israeli sole proprietor. The Israeli Privacy Protection Authority is our home supervisory authority.
You can complain to the supervisory authority where you live, where you work, or where you believe a violation occurred.
We would appreciate the chance to address your concerns before you contact a regulator. Email [email protected] first.
MarkIt is not directed to children. You must be at least 13 years old to use MarkIt in the United States (COPPA), at least 16 in the European Union unless your member state has lowered the digital-consent age to 13, 14, or 15, and at least 18 in jurisdictions where that is the default age of contractual capacity unless your legal guardian has agreed on your behalf.
We do not have a technical age gate today. We rely on your acceptance of the Terms and on user reports. If you believe a child under the applicable minimum age has used MarkIt, email [email protected] and we will delete the account.
We use strictly necessary cookies and first-party browser storage only. We do not set advertising, analytics, or cross-site tracking cookies, and we do not use third-party analytics providers.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| sb-* (Supabase Auth) | Cookie (HttpOnly) | Keeps you signed in | Until you sign out or the session expires |
| NextAuth session cookie | Cookie (HttpOnly) | Holds your Google Calendar OAuth token when you connect Calendar | Until you sign out or the session expires |
| markit_invite_code | Cookie (SameSite=Lax) | Carries your invite code across the Google OAuth redirect during sign-up | 10 minutes |
| mk_sid | sessionStorage | Pseudonymous per-tab session ID for heatmap analytics | Cleared when you close the tab |
| markit_has_items, markit_tz, and other UI flags | localStorage | Remember sidebar state, timezone, seen/dismissed prompts, and recent search queries | Until you clear site data |
Because we use only strictly necessary cookies and first-party UI state, we do not show a cookie consent banner under the ePrivacy Directive. If we ever add third-party analytics or marketing tags, we will present a consent banner with an equal-weight "Reject All" option before any non-essential technology loads.
MarkIt is a small team. Access to production data is limited to the controller (Tomer Ezri) and staff on the ADMIN_EMAILS allow-list, and is logged in an admin audit table. Staff access is used only to investigate abuse, diagnose a bug you reported, respond to a legal request, or build a feature you asked for. We do not read your content for marketing purposes.
/mute to the bot at any time, or toggle "Recap channel" in Settings. /mute stops both recaps and re-engagement nudges; you can resume with /unmute. The legacy STOP keyword (in English) is still honoured immediately, and /unlink disconnects the bot from your account entirely. Both keywords take effect on the next inbound message.
We will post a new "Last Updated" date at the top of this page for every change. For material changes we will also email the address on your account and show a banner in the app for at least 30 days before the change takes effect. Corrections and additions that expand your rights may take effect immediately. If you do not agree to a material change, you can delete your account before the effective date.