TMarlowBack to site

Legal

Privacy Policy

Effective May 21, 2026

This Privacy Policy explains how Marlow (“Marlow,” “we,” “our,” or “us”) handles information when you use our website at tasktracked.com, our web application, our desktop time-tracking application, and our mobile applications for iOS and Android (collectively, the “Services”).

Marlow is a workforce platform sold to businesses (“Customers”) that engage virtual assistants and distributed teams. When you use the Services as part of a Customer’s account, that Customer is the controller of your personal data and you should also review their privacy notice. Marlow acts as a processor on the Customer’s behalf for that data.

1. Information we collect

1.1 Account & identity data

  • Name, email address, and avatar image you upload.
  • Password (stored only as a salted hash; never in plaintext).
  • Role assignments (admin, manager, virtual assistant, client) and the organization you belong to.

1.2 Work content you create

  • Tasks, comments, attachments, knowledge-base articles, and SOPs.
  • Direct and channel messages, including text, voice notes, video clips, and screen recordings you choose to send.
  • Time-off requests, write-ups, and other workflow records you submit.

1.3 Time tracking & productivity data

  • Work intervals (start and end timestamps) recorded by the Marlow desktop application while you are tracking time.
  • Periodic screenshots of your active display captured by the desktop application during tracked intervals. Screenshots are taken only while time tracking is running and you have started a session. You can stop tracking at any time.
  • Active-window titles and keyboard/mouse activity counters used to determine idle time. We do not capture keystrokes, passwords, or clipboard contents.

1.4 Calls & real-time communication

  • Call metadata such as participants, start and end times, and call duration.
  • Audio and video streams are transmitted in real time through our media infrastructure (LiveKit). Calls are not recorded unless a participant explicitly initiates a recording, in which case the recording is stored as message content tied to the conversation.

1.5 Mobile device data

  • Push notification tokens (APNs / FCM) so we can deliver notifications and incoming-call alerts to your device.
  • When you use camera, microphone, or photo-library features, the underlying media is sent to Marlow only when you choose to attach or send it. We do not access these resources in the background.
  • Device identifiers used to manage sign-in sessions across devices.

1.6 Payment & payout data

  • Billing customers pay through Stripe. We receive a Stripe customer ID and limited billing metadata; we do not store full card numbers.
  • Virtual assistants who receive payouts provide payout details through Wise. We receive a payout recipient identifier; we do not store full bank-account credentials.

1.7 Technical & log data

  • IP address, user-agent, device model, operating system, and application version.
  • Request logs, error reports, and crash diagnostics used to operate and secure the Services.

We do not knowingly collect personal information from children under 16. The Services are not directed at children.

2. How we use information

  • To operate, maintain, and improve the Services.
  • To authenticate you, provision your workspace, and route messages, tasks, and calls to the correct recipients.
  • To generate verified timesheets, payroll reports, and invoices for your Customer.
  • To deliver push notifications, including incoming-call notifications via Apple PushKit and CallKit, and to display caller information on your device’s lock screen.
  • To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
  • To comply with our legal obligations and respond to lawful requests.

We do not sell your personal information, and we do not use your content to train third-party machine-learning models.

3. How we share information

We share information only as described below:

  • Within your organization. Content you create is visible to other members of your Marlow organization based on their role and the permissions configured by your administrator.
  • Service providers. We use a small set of processors to run the Services, including:
    • DigitalOcean and Cloudflare for hosting, networking, and edge caching.
    • Supabase / managed Postgres for primary data storage.
    • Amazon S3-compatible object storage for attachments, recordings, and screenshots.
    • LiveKit for real-time audio and video transport.
    • Stripe for billing and Wise for payouts.
    • Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) for push delivery.
    • Transactional email providers for account and notification email.
    These providers process data on our behalf under written data processing agreements.
  • Legal. We may disclose information if required by law, subpoena, or other legal process, or to protect the rights, property, or safety of Marlow, our users, or the public.
  • Business transfers. If Marlow is involved in a merger, acquisition, or sale of assets, information may be transferred subject to this Privacy Policy.

4. Data retention

We retain account and content data for as long as your account is active. If you delete your account, we anonymize your profile, revoke all active sessions, and remove device push tokens immediately. Content you produced inside an organization (tasks, messages, time entries, invoices) may be retained by that organization for business and legal-compliance purposes, but it is no longer associated with your personal identifiers.

Backup snapshots may persist for up to 35 days before being overwritten. Log data is typically retained for up to 90 days.

5. Security

We protect data in transit with TLS and at rest with provider managed encryption. Passwords are stored as salted hashes. Production access is restricted to authorized personnel and audited. No system is perfectly secure, but we work to keep yours as safe as we reasonably can.

6. Your choices & rights

  • Access and correction. You can view and update your profile from the Settings screen in the web and mobile applications.
  • Account deletion. You can delete your account from Settings → Delete account in the mobile app or by emailing [email protected] from your account email address. Account deletion anonymizes your profile and revokes all sessions.
  • Notification controls. You can manage notification preferences in Settings, or turn off notifications at the operating-system level.
  • Time tracking. You control when the desktop tracker is running. Closing the tracker stops all screenshots and activity collection.
  • Regional rights. Depending on where you live, you may have additional rights under laws such as the GDPR, UK GDPR, or California Consumer Privacy Act, including the right to request a copy of your data, object to processing, or file a complaint with your local supervisory authority. Contact [email protected] to exercise these rights.

7. International transfers

Marlow is operated from the United States, and our infrastructure providers may process data in the United States and other regions. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

8. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Effective” date at the top of this page and, for material changes, notify you in-app or by email.

9. Contact us

Questions about this Privacy Policy or about how your data is handled?