Markio Privacy Policy

1. Who we are

Markio is a product offering of Intuico Digital LLC, a limited liability company based in Oak Park, Illinois, United States. Markio is not a separate legal entity or registered DBA; on third-party platforms (including the TikTok OAuth consent screen, app-store listings, and partner directories) the Service appears as “Markio by Intuico Digital.” Throughout this Policy, “Markio,” “we,” “us,” or “our” refers to Intuico Digital LLC acting in connection with the Markio Service. Our corporate website is intuicodigital.com.

For personal data you submit into Markio about yourself or your teammates, Intuico Digital LLC acts as the business (under the California CCPA/CPRA) or data controller. For personal data contained in Customer Content that you or your workspace administrator upload or generate with Markio (for example, analytics data for your site's visitors, or draft content you publish), Markio acts as a service provider / processor on your behalf and uses that data only to provide the Service as described below.

2. Markio is a U.S.-based Service

Intuico Digital LLC is a U.S. company based in Illinois and operates Markio under U.S. federal law and the law of the State of Illinois. Markio is designed, priced, and supported for individuals and businesses located in the United States. We do not actively market, offer, or sell Markioin the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions with extraterritorial privacy regimes, and we do not provide jurisdiction-specific instruments (such as an EU-style Data Processing Addendum with Standard Contractual Clauses, or an EU/UK Article 27 representative) for customers based in those regions.

The usemarkio.com website and the Markio signup flow are nonetheless reachable over the public internet, and Markio does not actively block access based on geography. If you choose to access or use Markio from outside the United States, you do so on your own initiative and you expressly consent to (a) the transfer, storage, and processing of your personal information in the United States and in the other subprocessor locations listed in Section 10, (b) the application of U.S. law to Markio's handling of your personal information, and (c) the use of this single Policy as our privacy notice for the Service worldwide. Markiohonors the substantive privacy rights described in Section 15 for all users regardless of location — but we do not undertake to provide rights or contractual protections specific to a non-U.S. privacy regime beyond what this Policy says.

3. What this Policy covers

This Policy applies to:

• the Markio marketing site at usemarkio.com and any subdomain;
• the authenticated Markio web application and workspace;
• Markio APIs, webhooks, MCP endpoints, and background jobs;
• email, support, and billing communications from Markio.

It does not cover third-party websites, AI providers, or Connected Services linked from Markio. Those are governed by their own privacy policies, which we link to below.

4. What information Markio collects

Markio collects the following categories of personal information:

3.1 Information you provide

• Account data. Email, name, password hash (or federated identity), workspace name, profile avatar, role, and billing address.
• Integration credentials. OAuth access and refresh tokens, API keys, and scope grants for Connected Services you link, including Google Search Console, Google Analytics 4, TikTok, and WordPress. Tokens are encrypted at rest.
• Customer Content. URLs, site lists, target keywords, prompts, uploads, images, generated drafts, TikTok slideshow assets, scheduled posts, and SEO audits.
• Support and marketing communications. Any messages or feedback you send us.

3.2 Information we collect automatically

• Usage data. Product events, clicks, routes visited inside Markio, feature usage, timing, and credit consumption.
• Device and network data. IP address, user-agent string, browser, operating system, language, referring URL, and approximate (city-level) geolocation derived from IP.
• Logs and diagnostics. Request logs, error stack traces, and performance metrics, collected via Sentry and our hosting provider.
• Cookies and similar technologies. Session cookies for authentication, CSRF tokens, and limited first-party analytics. See the Cookies section below.

3.3 Information we receive from Connected Services

• Google Search Console: verified site list, query, page, device, country, clicks, impressions, CTR, and position metrics.
• Google Analytics 4: property list, landing-page metrics, session/conversion aggregates, and channel data, at the granularity you authorize.
• TikTok: your TikTok open ID, display name, avatar URL, publishing status of posts you initiate through Markio, and quotas returned by the Content Posting API. Markio does not read your TikTok videos, inbox, followers, or messages.
• WordPress: site URL, the WordPress REST API user you authorize, and metadata returned by the sites you connect.
• Stripe: subscription status, plan, invoices, payment method brand and last four digits, billing country, and VAT/tax IDs. Markio never sees or stores full card numbers.

3.4 Information we do not want

Please do not submit sensitive personal data into Markio prompts or Customer Content unless you have a lawful basis and appropriate safeguards. Markiois not designed to process protected health information (PHI) covered by HIPAA, government-issued identifiers (Social Security numbers, driver's license numbers, passport numbers), biometric identifiers, geolocation data more precise than city-level, financial account numbers, children's data, payment card data (beyond what Stripe handles as its own controller), or other categories of “sensitive personal information” as defined under U.S. state privacy laws.

5. How and why Markio uses information

Markio uses personal information for the following purposes (with the GDPR legal basis noted only as a courtesy for visitors who access the Service from outside the United States, since the Service is U.S.-based):

• Providing the Service — authentication, workspace setup, ingesting GSC and GA4 data, running audits, generating AI drafts, publishing to WordPress or TikTok on your instruction, billing, and invoicing. (Legal basis where relevant: performance of a contract.)
• Securing the Service — fraud detection, abuse prevention, rate limiting, intrusion detection, and responding to security incidents. (Legal basis where relevant: legitimate interests; legal obligation.)
• Improving the Service — aggregate usage analytics, quality measurement, and debugging. Markio does not use your Customer Content to train third-party foundation models. (Legal basis where relevant: legitimate interests.)
• Communicating with you — transactional emails, product updates, security notices, and responses to support requests. Marketing emails are sent in accordance with the CAN-SPAM Act, and every marketing email includes an unsubscribe link. (Legal basis where relevant: performance of a contract; consent for marketing.)
• Complying with law — tax, accounting, audit, anti-fraud, and regulatory reporting obligations under U.S. federal and state law. (Legal basis where relevant: legal obligation.)

6. Google API Services User Data

Markio's use and transfer of information received from Google APIs (including Search Console and Analytics data) adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically, Markio:

• uses Google user data only to provide and improve user-facing features of Markio;
• does not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising;
• does not transfer Google user data to third parties except as necessary to provide the Service, comply with law, or as part of a merger or acquisition with appropriate safeguards;
• does not allow humans to read Google user data, except with your affirmative consent, for debugging a specific issue you raised, where required by law, or where data has been aggregated and anonymized;
• does not use Google user data to train or fine-tune generalized AI or ML models.

You can revoke Markio's Google access at any time from your Google Account permissions page or from Markio under Settings → Integrations.

7. TikTok data

When you connect TikTok, Markio requests only the OAuth scopes it needs to support the feature you are using, which may include user.info.basic, video.upload, and video.publish. Markio stores your TikTok access and refresh tokens in encrypted form so that Markio can send carousels or videos you created to your TikTok drafts inbox or publish on your instruction. Markio does not read your TikTok videos, followers, messages, or inbox, and does not post without an action you initiate or schedule. You may disconnect TikTok at any time under Settings → Integrations, which revokes the tokens we hold.

8. How Markio uses AI providers

Markio uses AI providers — including Google Gemini and models routed via OpenRouter — to generate drafts, rewrites, audit commentary, and other outputs. When you submit a prompt, Markio sends the minimum data needed to fulfill your request (for example, a URL, a target keyword, or a selected passage of Customer Content) to the provider. These providers process the data as Markio's subprocessor under contractual terms that prohibit using your Customer Content to train their foundation models. Providers may retain transient logs for abuse prevention; see the links in the Subprocessors section for each provider's terms.

9. How Markio shares information

Markio does not sell personal information. We share information only as follows:

• Subprocessors. Vendors that host, operate, secure, or help deliver Markio, listed in Section 9. Each subprocessor is bound by written terms that restrict use of the data to what is necessary to provide services to Markio.
• Connected Services you authorize. When you connect TikTok, WordPress, or another destination, Markio transmits only the data needed to fulfill the action you initiated.
• Within your workspace. Teammates and administrators in the same Markio workspace can see Customer Content, integration connections, usage, and audit logs relevant to that workspace.
• Professional advisors. Auditors, accountants, and lawyers, under duties of confidentiality.
• Corporate transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to the acquirer honoring this Policy or providing comparable protection.
• Legal and safety. To comply with law, a valid subpoena, court order, or government request; to enforce these Terms; or to protect the rights, property, or safety of Markio, our users, or the public.

10. Subprocessors

Markio uses the following subprocessors. We may update this list and will post material changes here. You can subscribe to subprocessor change notifications by emailing privacy@usemarkio.com.

• Supabase, Inc. (United States / European Union) — Authentication, Postgres database, file storage, and row-level security for Markio workspaces. Privacy notice.
• Vercel Inc. (Global (US primary)) — Application hosting, edge network, and serverless execution for the Markio web app and API. Privacy notice.
• Stripe, Inc. (United States / European Union) — Payment processing, subscription billing, invoicing, and tax calculation. Privacy notice.
• Google LLC (United States) — Google Search Console and Google Analytics 4 API access, and Google Gemini AI inference for Markio features. Privacy notice.
• OpenRouter, Inc. (United States) — Routing AI inference requests to underlying large language model providers. Privacy notice.
• TikTok Inc. / TikTok Developer APIs (United States / Ireland) — Content Posting API for publishing Markio-generated carousels and videos to a user's own TikTok account. Privacy notice.
• Functional Software, Inc. (Sentry) (United States) — Error monitoring, exception tracking, and performance observability for the Markio application. Privacy notice.
• Automattic / WordPress.com & self-hosted WordPress (Customer-controlled) — WordPress REST API publishing for Markio-generated posts when a user connects their WordPress site. Privacy notice.

11. How long Markio keeps information

Markio retains personal information only as long as needed for the purposes described in this Policy. Typical retention periods:

• Account and workspace data: for the life of your account.
• Customer Content, audits, and generated drafts: for the life of your account, unless you delete earlier.
• GSC and GA4 cached metrics: up to 25 months, aligned with Google's own retention limits.
• OAuth tokens for Connected Services: until you disconnect the integration or delete your account, at which point tokens are revoked and deleted.
• Billing and tax records: up to 7 years to meet legal accounting obligations.
• Security logs: up to 12 months.
• Backups: deleted content may persist in encrypted backups for up to 35 days before being overwritten.

When you close your Markio account, we delete or anonymize Customer Content within 30 days, except where longer retention is required by law or reasonably necessary to resolve disputes, prevent fraud, or enforce our agreements. You can request earlier deletion by emailing privacy@usemarkio.com.

12. Where Markio stores and processes data

Markio is operated from the United States. Personal information you submit to Markio, and any personal information we receive from Connected Services on your behalf, is stored and processed primarily in the United States on infrastructure operated by the subprocessors listed in Section 10. Some subprocessors (for example, Supabase and Stripe) maintain additional facilities in the European Union or other regions, and may replicate data there for redundancy, backups, or performance. By using Markio you consent to the transfer and processing of your personal information in the United States and in those subprocessor regions.

13. Security

Markio protects personal information with administrative, technical, and physical safeguards including TLS 1.2+ in transit, AES-256 encryption at rest, Postgres row-level security for multi-tenant isolation, least-privilege access controls, single sign-on for staff, audit logging, secret scanning, automated dependency monitoring, and incident response processes. No method of transmission or storage is 100% secure; you use Markio at your own risk.

If Markio suffers a personal data breach affecting your data, we will notify affected customers and, where required, regulators without undue delay and in accordance with applicable law (for example, within 72 hours under GDPR Article 33). Report suspected security issues to security@usemarkio.com.

14. Cookies and tracking

Markio uses first-party cookies and similar technologies for:

• Authentication and session management (strictly necessary — cannot be turned off).
• Security (CSRF tokens, abuse detection).
• Preferences (theme, workspace selection).
• Limited analytics on the usemarkio.com marketing site to understand aggregate traffic and improve landing pages.

Markio honors the browser Global Privacy Control signal as an opt-out of any optional analytics or ad-style tracking. You can also control cookies through your browser or device settings.

15. Your privacy rights

Depending on where you live, you may have the following rights with respect to your personal information held by Markio:

• Access — get a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure / Deletion — ask Markio to delete personal data, subject to legal retention obligations.
• Restriction — limit how we process your data in certain circumstances.
• Objection — object to processing based on legitimate interests, including direct marketing.
• Portability — receive your data in a commonly used, machine-readable format.
• Withdraw consent — where processing is based on consent, you can withdraw at any time.
• Do not sell / share — opt out of the “sale” or “sharing” of personal information as those terms are defined under the California CCPA/CPRA. Markio does not sell personal information, and we treat a verified GPC signal as a valid opt-out.
• Non-discrimination — you will not receive discriminatory treatment for exercising any right.
• Complain — lodge a complaint with your local data protection authority (for EU/UK users: your national DPA; for California: the California Privacy Protection Agency).

To exercise a right, email privacy@usemarkio.com. We may need to verify your identity before acting. If an authorized agent submits a request on your behalf, we will require written proof of authorization.

16. California-specific disclosures

The categories of personal information Markio has collected in the preceding 12 months correspond to the California CCPA/CPRA categories of Identifiers (e.g., name, email, IP), Internet Activity (usage logs, cookies), Commercial Information (billing, plan), Geolocation (city-level, IP-derived), and Inferences (opportunity scoring). Markio has not sold personal information and has not shared personal information for cross-context behavioral advertising in the past 12 months. Markio does not knowingly collect or sell the personal information of consumers under 16.

17. If you nonetheless use Markio from the EEA, UK, or Switzerland

As stated in Section 2, Markio is a U.S.-based Service and is not actively offered, marketed, or targeted to the EEA, UK, or Switzerland. Intuico Digital LLC does not appoint an EU or UK Article 27 representative and does not offer an EU-style Data Processing Addendum or Standard Contractual Clauses as part of the Service. If you nonetheless choose to use Markio from one of those regions, the following apply on a best-efforts basis: Intuico Digital LLC acts as the controller of account and usage data you provide directly to us, and as a processor of Customer Content you submit; the legal bases summarized in Section 5 apply where relevant; and you may exercise the substantive rights listed in Section 15 by emailing privacy@usemarkio.com. You retain any mandatory right to lodge a complaint with your local supervisory authority to the extent such a right applies to us. If you require a contractual instrument (DPA, SCCs, representative) that we do not offer, please do not use Markio.

18. Children

Markio is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe a child has provided personal information to Markio, contact privacy@usemarkio.com and we will delete the information.

19. Automated decision-making

Markio uses automated scoring to rank SEO opportunities, detect audit issues, and suggest AI actions. These are decision-support tools, not fully automated decisions with legal or similarly significant effects. You remain in control of whether to accept any recommendation or publish any draft.

20. “Do Not Track”

Because there is no industry consensus on how to interpret DNT headers, Markio does not respond to browser Do Not Track signals. We do honor the Global Privacy Control (GPC) signal for opt-outs of optional analytics.

21. Changes to this Policy

Markio may update this Policy to reflect changes to our practices, the Service, or the law. Material changes will be announced in-app or by email to the address on your Markio account. The “Effective date” above shows when this Policy was last updated. Your continued use of Markio after the effective date means you accept the updated Policy.

22. Contact Markio / Intuico Digital LLC

For privacy questions, rights requests, or complaints, contact us:

• Privacy / rights requests: privacy@usemarkio.com
• Security reports: security@usemarkio.com
• Abuse reports: abuse@usemarkio.com
• General: hello@usemarkio.com

See also our Markio Terms of Service.