Legal
Privacy Policy
Effective date: May 28, 2026
Operated by Junghard Software AB (org. nr. 559217-6753), Jans väg 5, Göteborg, Sweden.
Overview
Mara ("we", "us", "our") is an AI lifecycle marketer operated by Junghard Software AB (org. nr. 559217-6753) at hiremara.com. This policy explains what data we collect, why we collect it, who we share it with, and what rights you have over it.
We sell Mara to founders. This policy is written the same way: clearly, with specifics, and without unnecessary legalese.
Data controller and processor
For data about you as the account holder (your email, account settings, billing, dashboard activity), Junghard Software AB is the data controller.
For data about your end customers (the recipients of the emails Mara writes for you, and the contact and event data you feed into Mara), you are the data controller and we are the data processor acting on your documented instructions. A data processing agreement is available on request; contact [email protected].
What we collect
Account data
When you sign up, we collect your email address. We use passwordless magic-link authentication; we never store passwords. On signup we provision a tenant, a default brand profile, and an onboarding wizard state for your account.
Tenant configuration
Your company name, the sending domain you connect, send-window quiet hours, the approval policy you set, the journeys you enable, and the brand profile Mara extracts (voice fingerprint, value proposition, audience description, palette).
GitHub data (when connected)
If you grant GitHub OAuth access, Mara reads the README, commit log, issues, and marketing pages in-tree for the repository you connect. The scope is read-only. Mara does not write to your repo. We retain the extracted content; we do not retain your OAuth tokens beyond what is required to make subsequent reads (encrypted at rest).
Event stream data
Webhook payloads from the event sources you connect (Stripe, Polar, PostHog, Segment, or your own webhook). Mara reads contact and event data, including subscription state, signup events, billing events, and product events.
Contact records
The email addresses of your end customers, their lifecycle state (engaged, dormant, at-risk, expanded), their event history with you, and any reply they sent in response to a Mara-drafted send.
Generated drafts and outcomes
The drafts Mara writes for your journeys, the variants the bandit tested, and the outcomes Molted reports back (delivered, opened, clicked, bounced, replied, complained). This data feeds Mara's per-tenant learning loop and is yours.
Audit log
Every specialist call Mara makes writes a row recording which specialist ran, what it read, what it returned, how long it took, and how much it cost in cents. The reasoning trace is included. This log is available to you in the dashboard.
API usage and billing data
We log internal API requests for rate limiting, billing reconciliation, abuse prevention, and debugging. We also record subscription state, usage counts against your tier limits, and invoice records. Payment processing is handled by our payment provider; we do not store credit card numbers on our servers.
Cookies and analytics
We use session cookies for authentication in the dashboard. These are strictly necessary; without them, you cannot stay logged in. They are HTTP-only and scoped to our domain.
For website analytics, we use Plausible Analytics, which is cookie-free and does not track individual users. No personal data is sent to Plausible. We do not use Google Analytics, Facebook pixels, or any advertising trackers.
How we use your data
- Drafting emails. Mara reads the brand profile, recent product changes, and (for high-stakes journeys) the recipient's engagement history to draft each send in your voice.
- Computing segments. The Cartographer specialist consumes your event stream to maintain segments such as engaged, dormant, at-risk, and expanded.
- Variant testing. A Thompson-sampling bandit per journey-step learns which variants land for each segment, scoped to your tenant.
- Outcome attribution. Delivery and engagement signals come back from Molted on a five-minute reconciliation tick and feed Mara's next draft.
- Service delivery. Authentication, approval gate enforcement, billing, debugging, and incident response.
- Service communications. Transactional email to you about your account and responses to your support requests.
AI processing
AI is the product. Every specialist call (Brand Analyst, Copywriter, Reply Analyst, Cartographer, Journey Architect, Opportunity Scout, Reporter, Conductor) calls Anthropic's Claude API. This is not optional; you cannot use Mara without AI processing.
Important details about AI processing:
- No training on your data. Content sent to Anthropic is processed in real time. Anthropic's commercial-API terms prohibit training on customer data submitted through API calls. We do not opt your tenant into any data-sharing or training program.
- Retention at Anthropic. Anthropic retains API inputs and outputs for a limited window for safety and abuse monitoring, per their published policies, and then deletes them. See Anthropic's privacy and trust documentation for current specifics.
- What gets sent. The prompts that go to Anthropic include the brand profile, the relevant journey step, and (for high-stakes drafts) a qualitative summary of the recipient's engagement history. We do not send raw recipient lists or unrelated tenant data in any single call.
Third-party services and sub-processors
We share data only with the service providers required to operate Mara. Here is exactly who and why:
- Molted. The email sending platform operated by the same legal entity. Receives the rendered email (sender address, recipient address, subject, body) at send time. Returns delivery and engagement outcomes. Governed by Molted's privacy policy.
- Anthropic. Model inference for every specialist call. See AI Processing above.
- GitHub. When you grant OAuth, we read the repository contents you authorized. We send only the GitHub OAuth grant; we do not push data back to your repo.
- Stripe and Polar. When you connect billing webhooks, we receive subscription and order events from your chosen processor. The processor itself remains your relationship; we are a recipient of webhook events you configured.
- Payment processor. Polar.sh handles our own subscription billing for your Mara plan. Stores payment methods; we do not.
- Infrastructure providers. Hetzner (hosting) and Cloudflare (network and DNS). Run the platform.
- Plausible Analytics. Cookie-free website analytics. No personal data is shared.
We do not sell your data. We do not share data with advertisers. We do not monetize your data beyond providing the Service you pay for.
Data retention
- Account and tenant data. Retained while your account is active. After cancellation or workspace deletion, kept in soft-deleted form until you request erasure (see below).
- Brand profile, generated drafts, outbox history. Retained while your account is active. Deleted with the tenant.
- Contact records and event data. Retained while your account is active. You can delete individual contacts at any time from the dashboard.
- Audit log. Retained for 90 days from the time of the call.
- Backups. Up to 90 days after deletion from active systems.
- Billing records. Retained as required by Swedish tax and financial regulations (currently 7 years).
When you delete a workspace from the dashboard, sending stops, journeys are paused, any active subscription is canceled, and your access is removed immediately. The underlying records (contacts, drafts, send history, audit log) are retained in soft-deleted form so we can investigate issues and meet legal obligations. Full erasure of a deleted workspace's data is performed on request: email [email protected] and we will remove it from active systems, keeping only the operational records we are legally required to retain for audit.
Security
We take security seriously. Here is what we do:
- All data in transit is encrypted via TLS.
- Authentication is via magic links sent to your email; no passwords are stored.
- Sensitive secrets at rest (webhook signing keys, per-tenant scoped API keys) are encrypted with AES-256-GCM under a tenant-specific key.
- Data access is tenant-isolated at the query layer; your data is logically separated from other customers at the database level.
- Sessions use HTTP-only, secure cookies with short expiration windows.
- Every specialist call is recorded in the audit log with cost, latency, and a reasoning trace.
For more on how we handle approval, kill-switch, and data-access controls, see the trust page.
Your rights under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Access. Request a copy of all personal data we hold about you.
- Rectification. Request correction of inaccurate data.
- Erasure. Request deletion of your personal data ("right to be forgotten").
- Restriction. Request that we limit processing of your data.
- Portability. Request your data in a structured, machine-readable format.
- Objection. Object to processing based on legitimate interests.
Our legal bases for processing are: performance of our contract with you (service delivery, billing), legitimate interest (security, abuse prevention, service improvement), and consent (where applicable).
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Your rights under CCPA
If you are a California resident, the California Consumer Privacy Act gives you the following rights:
- Right to know. Request what personal information we collect, use, and disclose.
- Right to delete. Request deletion of your personal information.
- Right to opt out of sale. We do not sell your personal information, so there is nothing to opt out of.
- Right to non-discrimination. We will not discriminate against you for exercising your privacy rights.
To exercise these rights, email [email protected]. We will verify your identity and respond within 45 days as required by law.
International data transfers
Mara is operated by Junghard Software AB from Sweden. Our infrastructure and third-party providers (including Anthropic, Molted, GitHub, Hetzner, and Cloudflare) may process data in various regions, including the United States. We ensure appropriate safeguards are in place for international transfers through standard contractual clauses and data processing agreements with our providers, in accordance with GDPR requirements.
Children
Mara is a B2B service for SaaS founders. It is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
We may update this policy as our service evolves. For material changes, we will notify you via email or a notice in the dashboard at least 30 days before the changes take effect. The "effective date" at the top of this page always reflects the latest version.
Contact
Data controller: Junghard Software AB (org. nr. 559217-6753), Jans väg 5, Göteborg, Sweden.
For privacy-related questions or to exercise your data rights:
- Email: [email protected]
- General inquiries: [email protected]