Privacy

Privacy policy.

Last updated · 2026-05-22

Draft notice: This document is a working draft and has not been reviewed by counsel. We will update it as our practices evolve and as counsel review completes.

This Privacy Policy describes how Chill Vibes, Inc. (operating the “Marno” service; collectively “Marno,” “we,” or “us”) collects, uses, discloses, and protects personal data when you use marno.io and the Marno application (together, the “Service”). By creating an account or using the Service you agree to this policy.

If you have questions, email privacy@marno.io. We respond within 30 days.

1. Who we are

The Service is operated by Chill Vibes, Inc., a Delaware C-corporation based in San Francisco, California, United States. “Marno” is a trade name of Chill Vibes, Inc. We are the controller of the personal data described below; our sub-processors (section 5) act as processors on our behalf.

2. Data we collect

2.1 Account data

  • Name, email address, and profile image, provided through our authentication provider Clerk.
  • Workspace and team information (workspace name, role) that you create or that is created on your behalf.
  • Billing data — handled by Stripe. We receive a customer reference, the subscription state, the last four digits of your payment instrument, and invoice metadata. We never receive or store full card numbers, CVCs, or bank account credentials.

2.2 LinkedIn integration data

When you connect a LinkedIn account to the Service, the following data is collected and used solely to operate the Service on your behalf:

  • LinkedIn login credentials (email and password) for the account you connect. Credentials are encrypted at rest using AES-256-GCM with keys managed outside the database. They are used only to obtain and maintain a logged-in LinkedIn session. We never display them in the UI, never log them, and never share them with any third party other than LinkedIn itself.
  • LinkedIn session cookies, also encrypted at rest using AES-256-GCM, refreshed on your behalf so the Service can carry out actions you have scheduled while you are not actively present.
  • Data the Service reads on your behalf from LinkedIn: your connections list, your inbox conversations and messages, and the public profile data returned for searches and lead enrichment you run. We do not collect data from accounts you are not connected to beyond what LinkedIn already exposes to you as the logged-in user.
  • Two-factor/challenge tokens that you provide during a guided login or relogin. These are used immediately and not retained.

2.3 Lead and outreach data you provide

  • Lead lists, message templates, sequence configurations, tags, and notes that you create or import.
  • Your do-not-contact (DNC) list, which is scoped to your workspace and used to suppress sends.

2.4 Usage and operational data

  • Sequence runs, send/view/connect/reply events, per-day action counters, and per-action timing data we use to operate the Service safely (for example, to enforce daily caps).
  • Standard request metadata: IP address, browser user-agent, timestamps, and request paths. We use this for security, fraud prevention, abuse detection, and rate limiting.
  • Error reports and performance traces captured by Sentry, including stack traces and request metadata. PII in error context is minimized; we do not send LinkedIn credentials or cookies to Sentry.

2.5 What we do not collect

  • We do not run third-party advertising trackers on the marketing site or in the application.
  • We do not sell personal data and have not sold personal data in the preceding 12 months (CCPA § 1798.140(t)).
  • We do not use your data to train any machine-learning model.

3. How we use data

  • To operate the Service. Run searches, sequences, lead enrichment, message sends, inbox sync, and reply triage on your behalf using your LinkedIn session.
  • To bill you. Manage subscriptions, process payments, send receipts and invoices through Stripe.
  • To communicate with you. Transactional email (welcome, trial expiry, payment failed, summaries), support replies, and material changes to these policies. We do not send marketing email without your consent.
  • To keep the Service safe. Detect, prevent, and respond to abuse, fraud, account compromise, and security incidents — both on Marno and on the LinkedIn accounts you connect.
  • To improve the Service. Aggregate, de-identified analytics on feature usage and reliability. We do not profile individual users for advertising.
  • To comply with law. Respond to lawful requests from authorities, enforce our Terms, and meet our legal obligations.

4. Legal bases (UK/EU users)

If you are in the UK or the EU, we rely on the following legal bases under the UK GDPR / GDPR:

  • Contract (Art. 6(1)(b)) — to provide the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, abuse detection, and aggregate service improvement.
  • Consent (Art. 6(1)(a)) — for any optional communications you opt into.
  • Legal obligation (Art. 6(1)(c)) — for tax, accounting, and lawful-request responses.

5. Sub-processors

The Service relies on a small set of carefully selected third-party processors. Each is bound by its own data-processing obligations and (where applicable) by a data-processing agreement with us.

  • Clerk — user authentication and identity management (US).
  • Stripe — payment processing and subscription billing (US/EU).
  • Resend — transactional email delivery (US).
  • Sentry — error monitoring and performance tracing (US).
  • Storm Proxies — residential proxy egress used to route your LinkedIn traffic from a stable IP assigned to your workspace.
  • Hetzner Online GmbH — application hosting and PostgreSQL database storage (EU, Germany or Finland by default).
  • Telegram — outbound delivery of operational alerts to our internal admin channel only. No user data is sent through Telegram beyond what is necessary to describe an incident (e.g. anonymized identifiers).

We may add or replace sub-processors over time. We will update this list when we do; if a change is material we will notify active subscribers by email at least 30 days before it takes effect, so you have time to object or cancel.

6. Data retention

  • Account data is retained for the life of your account, and for up to 90 days after deletion for backup and dispute-resolution purposes.
  • LinkedIn credentials and session cookies are deleted within 7 days of you disconnecting the LinkedIn account or deleting the Marno account, whichever is sooner.
  • Lead lists, sequences, and message content are retained for the life of your workspace. You can delete individual records at any time from the application or via API.
  • Operational logs (errors, request metadata, action audit trail) are retained for up to 90 days.
  • Billing records are retained as required by applicable tax and accounting law (typically 7 years in most jurisdictions).

7. Your rights

Subject to applicable law you have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate or incomplete data;
  • Delete your data (subject to overriding obligations such as billing-record retention);
  • Restrict or object to certain processing;
  • Export your data in a portable format;
  • Withdraw consent where we rely on it; and
  • Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@marno.io from the email address registered to your Marno account. We respond within 30 days and may extend by a further 60 days for complex requests (we will tell you if we need the extension).

California residents have additional rights under the California Consumer Privacy Act (CCPA) including the right to know what categories of personal information we collect, the right to delete, and the right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information; if this changes we will update this policy and provide a Do Not Sell or Share My Personal Information link.

8. Security

We use industry-standard safeguards proportionate to the sensitivity of the data we handle:

  • TLS in transit for all marno.io endpoints and all calls to sub-processors.
  • AES-256-GCM at rest for LinkedIn credentials and session cookies, with encryption keys held outside the database.
  • Hardened infrastructure: firewalled services, SSH-key-only access, automatic operating-system patching, least-privilege access controls for our team.
  • Logging and monitoring of authentication events, configuration changes, and unusual activity.
  • Regular backups with restoration tested on a quarterly cadence.

No system is perfectly secure. If we become aware of a personal-data breach we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, as required by Art. 33 GDPR. We will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

9. Cookies and similar technologies

The Marno application uses strictly-necessary first-party cookies for authentication and session management. The marketing site (marno.io) sets only a single first-party preference cookie to remember your light/dark theme choice. We do not use third-party advertising cookies, do not run cross-site tracking pixels, and do not embed third-party social-media share widgets.

10. International transfers

Personal data may be processed in the European Union, the United Kingdom, and the United States, depending on the sub-processor. Where data leaves the EEA or UK we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or equivalent safeguards.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us at privacy@marno.io and we will delete it promptly.

12. Automated decision-making

The Service uses automated rules to operate sequences (for example, to advance leads through a sequence after an event, to enforce daily caps, and to classify obvious reply categories). These automations operate on data and rules you configure; they do not make decisions about you that produce legal or similarly significant effects on you within the meaning of Art. 22 GDPR.

13. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. For material changes we will notify active subscribers by email at least 30 days before the change takes effect. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

14. Contact

Privacy questions, requests, and complaints: privacy@marno.io.

General contact: hello@marno.io.