Marv Inbox

Privacy Policy

Last Updated: March 23, 2026 Effective Date: April 17, 2026

O.Dev ("we," "us," or "our"), incorporated in Israel under registration number 200373754, operates the Marv.inbox omnichannel customer communication platform ("Service").

We are committed to protecting the privacy of our customers, their End Users, and all individuals whose personal data passes through or is processed by our platform.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we retain it, and what rights you have. It applies to:

  • Users who register for and use the Service (our customers and their team members);
  • Visitors to our website and platform;
  • Personal data about End Users that our customers submit to the Service (processed on our customers' behalf).

This Privacy Policy complies with the Israeli Protection of Privacy Law, 5741-1981 (PPL) and its Amendment No. 13 (effective August 14, 2025), which aligns Israeli data protection standards with international best practices including the EU General Data Protection Regulation (GDPR).

1. Data Controller and Contact Details

O.Dev is the data controller for personal data processed in connection with operating the Service, managing customer accounts, and interacting with website visitors.

For personal data that our customers ("Clients") submit to the Service on behalf of their own customers ("End Users"), our Clients are the data controllers and we act as a data processor under their instructions.

Data Protection Contact: O.Dev HaBarzel 38, Tel Aviv, Israel Company Registration No.: 200373754 Email: privacy@marv.oshri.dev Phone: +972-55-934-458

2. Definitions

| Term | Meaning | |---|---| | "Personal Data" | Any information relating to an identified or identifiable natural person. | | "Processing" | Any operation performed on personal data, including collection, storage, use, disclosure, or deletion. | | "Data Controller" | The entity that determines the purposes and means of processing personal data. | | "Data Processor" | An entity that processes personal data on behalf of and under the instructions of a data controller. | | "Client" | A business that subscribes to the Service and uses it to manage their own customer communications. | | "End User" | A natural person (typically the Client's customer or contact) whose data the Client manages through the Service. | | "PPL" | Israel's Protection of Privacy Law, 5741-1981, and its amendments. | | "PPA" | The Israeli Privacy Protection Authority (הרשות להגנת הפרטיות). |

3. What Personal Data We Collect

3.1 Data You Provide to Us Directly

Account and Registration Data

When you create an account or manage your organization in the Service:

| Data | Examples | |---|---| | Identity | Full name, job title | | Contact | Email address, phone number | | Organization | Company name, company website | | Authentication | Password (stored as a one-way hash — never in plain text), session tokens | | Profile | Profile photo (if uploaded) |

Billing and Payment Data

When you purchase a Subscription:

| Data | Examples | |---|---| | Billing contact | Name, email, billing address | | Tax | VAT/company registration number | | Payment | Card details (processed directly and securely by Stripe — we do not store raw card numbers) |

Communications Data

When you contact us for support, send inquiries, or respond to surveys:

| Data | Examples | |---|---| | Support records | Messages, issue descriptions, attachments | | Survey responses | Feedback and ratings you provide |

3.2 Data Collected Automatically

When you use the Service or visit our website, we automatically collect:

| Data | Examples | Retention | |---|---|---| | Usage data | Features accessed, pages visited, actions taken, session duration | 90 days | | Technical data | IP address, browser type and version, operating system, device type | 30 days (logs) | | Performance data | API response times, error rates, queue depths | 30 days | | Cookies | Session cookies, preference cookies (see Section 9) | Varies |

3.3 Customer Data — Processed on Behalf of Clients (Processor Role)

When Clients use the Service to manage their customer communications, personal data about their End Users is submitted to and processed by the Service. This data is controlled by the Client and processed by us solely under the Client's instructions. It may include:

| Data | Examples | |---|---| | Identifiers | Phone numbers, WhatsApp IDs, Messenger IDs, Telegram IDs, email addresses | | Profile information | Names, profile photos (as provided by the messaging platform) | | Conversation content | WhatsApp messages, Messenger messages, Instagram messages, Telegram messages, Microsoft Teams messages, and any attachments (images, documents, voice notes) | | Contact metadata | Labels, tags, notes, conversation history, assigned team or agent | | Custom fields | Any additional data Clients choose to record against a contact |

We do not use Client End User data for our own purposes, and we do not sell it, share it for advertising, or combine it with data from other Clients.

4. Legal Basis for Processing

We process personal data under the following legal grounds, as recognized under the PPL and Amendment 13:

| Legal Basis | When We Rely On It | |---|---| | Consent | Newsletter subscriptions; optional analytics cookies; marketing communications. You may withdraw consent at any time. | | Contract performance | Providing the Service to registered Clients; processing billing and payments; managing your account. | | Legal obligation | Maintaining tax records; responding to lawful requests from Israeli authorities; complying with court orders. | | Legitimate interests | Service security and fraud prevention; platform performance monitoring; improving the Service using aggregated, anonymized data; sending service-related notices. |

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your privacy rights. You may object to processing based on legitimate interests at any time (see Section 10).

5. How We Use Personal Data

We use personal data for the following purposes:

Service Delivery

  • Create and manage your account
  • Process Subscription payments and issue invoices
  • Provide access to all features included in your plan
  • Process and route messages across supported channels
  • Run automation flows, AI-assisted responses, and scheduled tasks

Communication

  • Send service notifications (invoices, payment receipts, Subscription renewals, account alerts)
  • Respond to your support requests
  • Send product updates and feature announcements related to your Subscription

Security and Integrity

  • Detect and prevent unauthorized access, fraud, and abuse
  • Monitor for and respond to security incidents
  • Enforce these Terms and our Acceptable Use Policy

Platform Improvement

  • Analyze aggregated, anonymized usage patterns to improve features and performance
  • Conduct internal research and development

Legal and Regulatory Compliance

  • Comply with obligations under Israeli law (tax, accounting, regulatory reporting)
  • Respond to lawful requests from courts or regulatory authorities

We do not:

  • Sell your personal data or Client End User data to any third party
  • Use personal data for targeted advertising
  • Profile individual users for automated decision-making that produces legal or similarly significant effects without human oversight

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, or as required by law.

| Data Type | Retention Period | Reason | |---|---|---| | Account data (names, email, job title) | Duration of Subscription + 12 months after account closure | Account management, dispute resolution | | Billing records (invoices, payment history) | 7 years after the relevant tax year | Israeli tax law (חוק מס הכנסה) | | End User data (messages, contacts) — Processor role | Duration of Client Subscription + 30 days after termination | Service delivery; grace period for export | | Server and access logs | 30 days | Security monitoring | | Backup snapshots | Up to 90 days | Disaster recovery | | Support communications | 3 years from resolution | Quality assurance, legal protection |

After the applicable retention period, data is securely deleted or anonymized. You may request earlier deletion of your data, subject to our legal obligations to retain certain records (see Section 10).

7. Sharing and Third-Party Data Processors

We share personal data only to the extent necessary to operate the Service. All third-party processors are bound by data processing agreements and must maintain appropriate security and confidentiality standards.

7.1 Infrastructure and Hosting

| Processor | Role | Location | |---|---|---| | Supabase | Relational database hosting (control and tenant databases) | US / EU | | Google Cloud Run | Backend application hosting | US (Iowa, us-central1) | | Fly.io | Worker process hosting (job queue processing) | Singapore (sin) | | Vercel | Frontend application hosting and CDN | Global (edge) | | Redis Labs (Redis Cloud) | In-memory data store (real-time events, job queues, caching) | US | | Cloudflare | DNS, DDoS protection, TLS termination, CDN | Global |

7.2 Payments

| Processor | Role | Location | |---|---|---| | Stripe | Payment processing, card tokenization, invoicing | US / EU |

Stripe processes your payment data under its own privacy policy and PCI DSS standards. We do not store raw payment card numbers.

7.3 Messaging Platform Integrations

| Processor | Role | Location | |---|---|---| | Meta Platforms (Facebook) | WhatsApp Business API, Messenger API, Instagram API | US | | Telegram | Telegram Bot API | Various | | Microsoft | Microsoft Teams API | US / EU |

When you connect these platforms to the Service, messages and related data are transmitted to and from those platforms. Their use of your data is governed by their respective privacy policies.

7.4 Disclosure Required by Law

We may disclose personal data to courts, law enforcement, or regulatory authorities (including the PPA) if required by applicable law, court order, or other legal process. Where permitted by law, we will notify you of such requests.

7.5 Business Transfers

If we are involved in a merger, acquisition, asset sale, or restructuring, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

8. International Data Transfers

The third-party processors listed in Section 7 are located in various countries, including the United States and Singapore. When we transfer personal data outside of Israel, we ensure adequate protection through one or more of the following mechanisms:

  • Adequacy decisions: Transfers to countries recognized by Israel as providing adequate data protection.
  • Standard Contractual Clauses (SCCs): Contractual safeguards adopted with processors in countries without an adequacy decision.
  • Data Processing Agreements: Executed with all sub-processors, including security and confidentiality commitments.
  • Consent: Where required and no other mechanism applies, with your explicit consent.

Israel has been recognized as providing adequate data protection under the EU GDPR. We maintain transfer documentation in accordance with Amendment 13 requirements.

9. Data Security

We implement technical and organizational security measures appropriate to the risk of processing, including:

| Measure | Details | |---|---| | Encryption in transit | TLS 1.2 or higher for all data transmission | | Encryption at rest | AES-256 encryption for sensitive configuration data and credentials | | Access control | Role-based access control (RBAC); least-privilege principle; strong authentication required for all staff with data access | | Network security | Private VPC networks; firewalled databases not exposed to public internet; Cloudflare DDoS protection | | Secret management | Integration credentials stored encrypted in database; encryption keys managed via environment secrets | | Audit logging | Access and activity logs for security-relevant operations | | Vendor security | All sub-processors assessed for security standards before engagement |

Data Breach Notification: In the event of a personal data breach that poses a risk to the rights and freedoms of affected individuals, we will:

  1. Notify the Israeli Privacy Protection Authority (PPA) within 72 hours of becoming aware, as required by Amendment 13;
  2. Notify affected individuals without undue delay where the breach creates a high risk to their rights;
  3. For breaches affecting Client End User data in our Processor role, notify the relevant Client promptly so they can fulfill their notification obligations.

Despite these measures, no system is completely secure. We cannot guarantee absolute security of your data.

10. Your Rights Under Israeli Law

Under the Protection of Privacy Law (PPL) and Amendment No. 13, you have the following rights regarding your personal data:

| Right | Description | |---|---| | Right of Access | Request a copy of the personal data we hold about you, in Hebrew, Arabic, or English. | | Right to Correction | Request that inaccurate or incomplete data be corrected. | | Right to Deletion | Request erasure of your personal data where there is no legal basis for continued retention. | | Right to Restriction | Request that we limit processing of your data in certain circumstances. | | Right to Object | Object to processing based on legitimate interests; we will cease processing unless we demonstrate compelling legitimate grounds. | | Right to Data Portability | Receive your personal data in a structured, commonly used, machine-readable format. | | Right to Withdraw Consent | Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. |

How to Exercise Your Rights: Submit a written request to privacy@marv.oshri.dev. Please include:

  • Your full name and account email address;
  • A clear description of the right you wish to exercise;
  • Proof of identity (we may request this to protect against fraudulent requests).

We will respond within 30 days. For complex or multiple requests, we may extend this by a further 15 days with written notice to you.

Complaints: If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Israeli Privacy Protection Authority (PPA): Website: https://www.ppa.gov.il

We encourage you to contact us first so we can address your concerns directly.

11. Cookies

We use cookies and similar tracking technologies on our website and within the Service.

| Cookie Type | Purpose | Can Be Disabled? | |---|---|---| | Essential / Strictly Necessary | Authentication sessions, CSRF protection, load balancing — required for the Service to function | No | | Functional | User preferences (language, theme, layout settings) | Yes | | Analytics | Aggregated, anonymized usage statistics to understand how the platform is used | Yes |

Managing Cookies: You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from logging in or using the Service. For analytics and functional cookies, you can adjust your preferences in your account settings or browser.

We do not use cookies for cross-site behavioral advertising or sell cookie data to third parties.

12. Children's Privacy

The Service is intended for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without appropriate consent, please contact us at privacy@marv.oshri.dev and we will delete such data promptly.

13. Links to Third-Party Services

The Service integrates with and may contain links to third-party platforms (Meta, Telegram, Microsoft, Google, Slack, Notion, and others). This Privacy Policy does not cover the privacy practices of those third parties. We encourage you to review their privacy policies before connecting them to the Service.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will:

  • Post the updated Policy at https://marv.oshri.dev/privacy with a new "Last Updated" date;
  • Notify you by email to your registered address or via in-platform notification at least 14 days before the changes take effect.

Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not accept the changes, you must stop using the Service.

15. Contact Us

For any questions, requests, or complaints about this Privacy Policy or our data practices:

O.Dev HaBarzel 38, Tel Aviv, Israel Company Registration No.: 200373754 Email: privacy@marv.oshri.dev Phone: +972-55-934-458 Website: https://marv.oshri.dev

For data subject rights requests, please email privacy@marv.oshri.dev with the subject line: "Privacy Rights Request."

Privacy Policy | Marv Inbox