About us Careers Pricing Book a demo Log in

Privacy Policy

Last updated in June 2026

Marloo is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share Personal Information (as defined below), ensuring that your data is handled responsibly and securely. Region-specific provisions and details are included in relevant sections.

This Privacy Policy may be updated periodically to reflect changes in our practices, legal requirements, or other factors. All changes will be communicated by publishing a copy of the updated Privacy Policy on our website. We encourage you to review it periodically.

1. Introduction and Scope

1.1 We are Marloo Limited, a New Zealand registered company (company number 9118972) of Lot 3, 130 Ponsonby Road, Grey Lynn, Auckland, 1011, New Zealand, and, in respect of our United States operations and US-resident consumers, our affiliated entity Marloo USA LLC, a Delaware corporation with a registered office at Suite 7D, 335 Madison Ave., New York, NY 10017 (collectively, “we”, “us”, and “our”).

1.2 Marloo is an AI assistant for financial advisers that processes various inputs (including calendar events, meetings, calls, and uploaded documents) to automate administrative tasks, create a unified client record, and generate draft advice documents such as fact-finds and review letters (the “Marloo Service”). The term “Marloo Service” in this Privacy Policy includes any associated products or services that we may offer from time to time. Marloo maintains a website at https://www.marloo.com (the “Site”) which includes information about Marloo and the Marloo Service.

1.3 For those who purchase or otherwise interact with us or the Marloo Service, all visitors to a Site, and all other individuals with whom we communicate in the course of running our business (each referred to as “you” and “your”), we are the controller (or, for US residents, the “business”, as defined under applicable US State Privacy Laws) of your Personal Information. This means that we decide which information and Personal Information we collect, and how to use it. The measures and rights set out in this Privacy Policy apply only where we are the controller or business in respect of your Personal Information. Where we process Personal Information on behalf of third parties (including, for example, as a service provider or processor on behalf of a financial adviser or firm that is our Customer), we have Data Processing Agreements or service provider agreements in place to cover our handling of that data (where required by applicable law).

2. Meaning of Personal Information

2.1 Under the Australian Privacy Act 1988 (Cth) (“APA”), “Personal Information” means “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”

2.2 Under the New Zealand Privacy Act 2020 (“PA”), “Personal Information” means “information about an identifiable individual”.

2.3 Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the retained version of the same regulation in the UK (“UK GDPR”), “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.4 Under applicable US state privacy laws (collectively, “US State Privacy Laws”), “Personal Information” generally means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Under certain US State Privacy Laws, Personal Information may include “Sensitive Personal Information” or “Sensitive Data”, as applicable under such laws.

2.5 For the purposes of this Privacy Policy, we use the term “Personal Information” to refer to:

2.5.1 Personal Information as defined in the APA;

2.5.2 Personal Information as defined in the PA;

2.5.3 Personal Data as defined in the GDPR and the UK GDPR; and

2.5.4 Personal Information as defined under US State Privacy Laws.

2.6 If you are a resident of the UK or the EEA, your rights will be applicable only in respect of Personal Data, as defined above (even though, as explained above, we use the term “Personal Information” to refer to this). If you are a resident of Australia, New Zealand, or a state of the United States that has enacted a US State Privacy Law, your rights will be applicable only in respect of Personal Information as defined in the applicable legislation above.

3. What we collect, how we collect it, and what we do with it

3.1 The Personal Information we collect from you, and how we collect it, will depend on the service you are purchasing and the way you interact with us.

3.2 The table below sets out what we collect, how we collect it and what we do with it. We may state a more specific additional purpose when we collect your Personal Information.

3.3 In some jurisdictions (in particular the UK and EEA), we are required to identify a legal justification (also known as a “Lawful Basis”) for collecting and using your Personal Information, in addition to describing the purpose. There are six Lawful Bases that organisations can rely on. The most relevant of these to us are where we use your Personal Information to:

3.3.1 Fulfil a contract that we have with you as an individual (“Contract”);

3.3.2 Comply with our legal obligations (“Legal Obligation”);

3.3.3 Pursue our legitimate interests (our justifiable business aims), but only if those interests are not outweighed by your other rights and freedoms (“Legitimate Interests”); or

3.3.4 Do something for which you have given your consent (“Consent”).

Where we use your information for our legitimate interests, we have assessed whether such use is necessary and that such use will not infringe on your other rights and freedoms.

The Lawful Basis column in the table below applies only to UK and EEA Data Subjects. For individuals subject to applicable US State Privacy Laws, additional disclosures regarding categories of Personal Information collected and the purposes for which such collection are set out in section 26 below.

This table is best viewed on desktop

Visitors to the Site

Any information you provide to us voluntarily such as name, phone number, email address, country and city (or full postal address) and the organisation you work for.

When you provide it to us voluntarily through enquiring about our services (including through our online form), by subscribing to marketing communications or giving us feedback.

The purpose specified when provided to us
To provide you with current information about the Marloo Service, special offers you may find of interest, or new products or services being offered by us, through our newsletter or otherwise
To respond to customer enquiries

Consent

Technical data including the type of browser you are using, device information and your IP address. Some of this data is collected through cookies. See our cookie notice below for further details.

Automatically when you browse the Site.

To provide you with access to the Site
To enhance security and prevent fraud
To monitor service integrity
To make improvements to the Site
To perform routine analysis on the performance of our services and business more generally
To administer or perform our contract with service providers
To protect our business and defend ourselves against legal claims
To serve targeted advertising to you on third-party platforms, and to measure the effectiveness of our advertising campaigns

Legitimate Interests

Customers (primarily financial advisers) of the Marloo Service

Information you provide to us in order to purchase the Marloo Service such as name, phone number, email address, country and city (or full postal address) and the organisation you work for.

When you input the information on the Site in order to sign up to the Marloo Service.

To provide the Marloo Service to you (including the provision of technical support)
To process your payment information in connection with any contract we have with you
To respond to customer enquiries
To perform accounting, billing and other administrative and operational functions
To send you updates about the Marloo Service you have purchased
For customer support
To enhance security and prevent fraud

Contract

Through cookies.

To verify your identity (so that you can log in)
To make logging in easier (so that you do not need to type in your username each time)

Legitimate Interests

Calendar details, meeting details, meeting notes, transcripts, audio recordings, and any other information we are given access to when you integrate your Google and/or Microsoft accounts to the Marloo Service.

From third parties — Google, Microsoft or other third party (as applicable) — and from the operation of the Marloo Service when meetings or calls are recorded or transcribed at your direction.

To sync calendars and otherwise enable you to make best use of the Marloo Service
To contribute to a unified client record for analysis
To enable AI-driven analysis across the complete client record

Contract

Client-related documents and other information you choose to upload.

From your direct input and uploads into the Marloo Service.

To create a unified client record by aggregating all associated meetings, notes, and documents
To enable AI-driven analysis across this entire unified client record

Contract

Name, phone number, email address, country and city (or full postal address) and the organisation you work for.

When you input the information on the Site in order to sign up to the Marloo Service.

To provide you with current information about the Marloo Service, special offers you may find of interest, or new products or services being offered by us, through our newsletter or otherwise.

Consent

Participants in our referral programme

Financial information, including bank account holder name, number, and sort code/BSB/US routing and account numbers.

When you provide it to us securely after being notified of an earned reward.

To process and transfer cash rewards earned through the Marloo Referral Programme
To verify your identity, prevent fraud, and comply with applicable financial regulations

Contract

3.4 In addition to the Lawful Bases set out in the table above, we may use your Personal Information (however collected) to fulfil a Legal Obligation if processing is necessary:

3.4.1 to record your preferences (e.g. marketing) to ensure that we comply with applicable data protection laws;

3.4.2 where we are required to assist government and law enforcement agencies or regulators;

3.4.3 where we retain information to enable us to bring or defend legal claims; and/or

3.4.4 where we are required to assist government and law enforcement agencies or regulators, including in relation to any eligible data breach declarations by any of them.

4. Anonymised and Aggregated Data

We may anonymise the Personal Information we collect (so it can no longer identify you) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what percentage of users responded to a specific survey). Data protection laws do not govern the use of aggregated data and the various rights described below do not apply to it.

5. Use of Cookies and Similar Tracking Technologies

5.1 Cookies are small text files that we store on your browser, or the hard drive of your computer, if you agree. Cookies collect data which includes Personal Information.

5.2 We use our own cookies, and similar tracking technologies, to enhance user experience, provide security, and improve our services. We also use third party cookies. The following cookies (or similar technologies) are used on our Sites:

5.2.1 Essential cookies. These are cookies that are required for the core functionality of a Site. These essential cookies are always enabled because the Site will not work properly without them. They include, for example, cookies that enable certain authentication and security functions.

5.2.2 Preference cookies. These enable us to recognise you when you return to a Site, to personalise our content for you and remember your preferences.

5.2.3 Performance cookies. These help us to understand how visitors interact with a Site. They include cookies that tell us how long people spend on a Site and the number of times they visit, to improve service functionality.

5.2.4 Advertising and targeting cookies. These are third-party cookies that collect information such as cookie identifiers, IP addresses, and browsing activity on our Site for the purposes of serving targeted advertising on third-party platforms and measuring the effectiveness of our advertising campaigns.

6. Security Measures

6.1 We take the security of your Personal Information seriously. We implement technical and organisational measures to protect against unauthorised access, disclosure, and loss of data, including:

6.1.1 Encryption: all data at rest is encrypted using AES-256 encryption. Data in transit is protected by TLS 1.2/1.3 protocols.

6.1.2 Audit trails and monitoring: access logs are retained for a minimum of one year and regularly reviewed for compliance and security monitoring.

6.1.3 Independent assurance: we maintain a SOC 2 Type 2 attestation report covering our security, availability, and confidentiality controls. Current reports are available at https://trust.marloo.com.

6.2 If there is an incident that has affected your Personal Information, we will investigate it, take steps to contain it, notify the appropriate regulator, and keep you informed (where required under applicable data protection law).

7. How long we keep your Personal Information

7.1 We will only retain your Personal Information for as long as necessary to fulfil the purposes we collected it for.

7.2 To decide how long to keep Personal Information (also known as its retention period), we consider the volume, nature, and sensitivity of the Personal Information, the potential risk of harm to you if an incident were to happen, whether we require the Personal Information to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records for tax authorities).

7.3 If you have asked for information from us or you have subscribed to our mailing list, we keep your details until you ask us to stop contacting you.

7.4 Specific retention periods applicable to US residents are set out in section 30 below.

8. Where your Personal Information is stored

8.1 The location in which your Personal Information is stored depends on the region in which you are based:

• Customers based in Australia or New Zealand: your data is stored in Australia, using Supabase infrastructure hosted in Sydney, Australia.

• Customers based in the United Kingdom or the EEA: your data is stored in the United Kingdom, using Supabase infrastructure hosted in London, United Kingdom.

• Customers based in the United States: your data is stored in the United States, using Supabase infrastructure hosted in a United States region.

8.2 In all cases, certain Personal Information may also be processed by our subprocessors in other jurisdictions in order to provide the Marloo Service (for example, for AI processing, transcription, or communication services). A full list of our subprocessors and their processing locations is available at https://trust.marloo.com/subprocessors.

9. Who we share your Personal Information with

9.1 We may share your Personal Information with the organisations listed below, for the specified reasons.

9.2 As outlined in the region-specific sections below, this may involve transfers overseas.

9.3 When we share your Personal Information with third parties to process your Personal Information on our behalf, we ensure that an appropriate Data Processing Agreement or service provider agreement is in place, where required under applicable data protection laws.

9.4 We can provide more detailed information about our specific service providers, their data processing locations, and retention periods upon request. Please contact us at compliance@gomarloo.com for such information.

9.5 We do not use your Personal Information, including any Customer Data, meeting transcripts, or uploaded documents, to train any large language models, whether proprietary or third party.

This table is best viewed on desktop

Service providers used for business operations, including: infrastructure services (data storage, cloud hosting, API processing, backup services); security and authentication services (user authentication, web security, content delivery); communication services (email, marketing communications, calendar integration); operational services (workflow management, monitoring, logging); and speech processing and transcription services. Our current providers for these purposes include Supabase, AWS (US region) and our other subprocessors, listed at https://trust.marloo.com/subprocessors. Some of these organisations will store your Personal Information only where required for service functionality and for as long as necessary to provide those services.

We rely on these providers to conduct our business.

AI / Large Language Model Providers. We partner with leading AI providers, including Anthropic and OpenAI as our primary large language model (LLM) providers, and Google (for certain features), to enable functionality within the Marloo Service. We have implemented contractual and technical arrangements designed to prevent the retention of inputs processed by these providers beyond what is necessary to provide the Marloo Service, and to prevent the use of your Personal Information for training their models. Where any provider retains limited data temporarily for abuse monitoring or other operational purposes, we have ensured this is consistent with applicable data protection laws.

To provide core AI-driven functionalities such as meeting transcription, summarisation, and analysis.

Any authorised government or regulatory or self-regulatory authority or enforcement agency.

If we are under a duty to disclose your Personal Information in order to comply with any legal obligation, or to protect the rights, property or safety of Marloo, its clients or others.

Professional advisers or contractors, such as our auditors, accountants, or lawyers or other professional consultants.

To obtain relevant advice in running our business.

Successors and counterparties as part of or in connection with a sale of our business, or a merger, reorganisation, investment, change in control, transfer of substantial corporate assets, liquidation or similar transaction.

For the purposes of the relevant transaction.

Any other person authorised by you.

For the purpose authorised by you.

10. Unsubscribing from marketing messages

10.1 You can opt out of marketing and sales communications at any time by clicking on the “unsubscribe” or “opt-out” link in the marketing emails or messages we send you. You can also contact us at support@gomarloo.com.

11. What happens if Personal Information is not provided

11.1 Where we require certain Personal Information from you in order to provide a service to you, and you choose not to provide us with that Personal Information, we may not be able to provide our services to you, or aspects of those services. If this is the case, we will inform you.

12. Contacting us and complaints

12.1 If you have questions, requests, or concerns about your Personal Information or this Privacy Policy, please email us at compliance@gomarloo.com or write to us at Suite 7D, 335 Madison Ave., New York, NY 10017. Our Data Protection Officers are:

12.1.1 Australia and New Zealand: Shakeel Lala;

12.1.2 UK and EEA: Hardy Michel; and

12.1.3 United States: Shakeel Lala.

12.2 We will take such steps as are reasonable to investigate any issues within a reasonable time of receipt. We will give you written notice of the investigations which have been carried out and the outcome.

12.3 Whilst you are entitled to submit a complaint to your local data protection authority (in applicable jurisdictions) with any concerns, we would encourage you to contact us first so that we can try to address your concerns.

12.4 We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the European Union and the United Kingdom. Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/15980164479.

ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF AUSTRALIA

13. Scope

13.1 As mentioned in paragraph 2.6 above, if you are a resident of Australia, your rights in this Privacy Policy are applicable only in respect of Personal Information, as defined in the APA.

13.2 If there is any inconsistency between this “Additional Clauses Applicable to Residents of Australia” section and the rest of the Privacy Policy, this section will prevail.

14. Transfers of Personal Information out of Australia

14.1 Your Personal Information may be transferred overseas or stored overseas for a variety of reasons. If we transfer your Personal Information to a recipient in a country with data protection laws which are at least substantially similar to the Australian Privacy Principles (“APP”), and where there are mechanisms available to you to enforce protection of your Personal Information under that overseas law, we will not be liable for a breach of the APP if your Personal Information is mishandled in that jurisdiction.

15. Notifiable Data Breach Scheme (“NDBS”) pursuant to the APA

15.1 If there is a data breach and we are required to comply with the NDBS, we will take all reasonable steps to contain the suspected or known breach where possible and follow the process set out in this clause.

15.2 If we have reasonable grounds to suspect that the data breach is likely to result in serious harm to any individuals involved, then we will take all reasonable steps to ensure an assessment is completed within 30 days of the breach, or sooner if possible. We will follow all guidance published by the Office of the Australian Information Commissioner (“OAIC”) in making this assessment. If we reasonably determine that the data breach is not likely to result in serious harm to any individuals involved, or that any remedial action we take is effective in preventing serious harm from becoming likely, then we will not notify the affected individuals or the OAIC.

16. Your rights under the APP and the APA

16.1 If you are a resident of Australia, your data protection rights are as follows:

16.1.1 You can request access to your Personal Information, subject to certain exceptions.

16.1.2 You can request corrections to any inaccurate, outdated, incomplete or misleading information regarding your Personal Information.

16.1.3 We have an independent obligation to take reasonable steps to correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading.

16.1.4 You can ask us to delete or de-identify your Personal Information if there is no good reason for us to continue holding it.

16.1.5 You can ask to have your Personal Information, where technically feasible, sent to another organisation, where we hold this Personal Information with your consent or for the performance of a contract with you.

16.1.6 You can ask us not to send you any marketing materials. However, we may still send you newsletters and updates about your account, if you are a business contact.

16.1.7 If you are unhappy with the way we collect and use your Personal Information, you can complain to the OAIC, but we would encourage you to contact us first so that we can try to address your concerns.

16.2 To contact us or submit requests in relation to any of the above, please email compliance@gomarloo.com with full details of your request.

16.3 If your request relates to unsubscribing or opting out of marketing, you can contact us on support@gomarloo.com.

17. Automated Decision-Making

17.1 We do not make decisions about you that are based solely on automated processing and that produce legal effects concerning you or similarly significantly affect you. The outputs of the Marloo Service (such as draft fact-finds, review letters, meeting notes, and similar materials) are generated to assist our Customers (financial advisers and their firms) in their work; the financial adviser remains responsible for reviewing, validating, and acting on those outputs, and is the decision-maker for any actions affecting their clients.

ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF NEW ZEALAND

18. Scope

18.1 As mentioned in paragraph 2.6 above, if you are a resident of New Zealand, your rights in this Privacy Policy are applicable only in respect of Personal Information, as defined in the PA, i.e. information about an identifiable individual.

18.2 If there is any inconsistency between this “Additional Clauses Applicable to Residents of New Zealand” section and the rest of the Privacy Policy, this section shall prevail.

19. Lawful Purpose

19.1 For the purposes of the PA, the “lawful purposes” for which we collect Personal Information are the Lawful Bases identified in clause 3 of this Privacy Policy.

20. International Data Transfers

20.1 We only transfer your Personal Information overseas in accordance with the PA (Information Privacy Principle 12 of the PA).

21. Your Rights Regarding Personal Information

21.1 If you are a resident of New Zealand, your data protection rights under the PA are as follows. Subject to certain grounds for refusal set out in the PA:

21.1.1 You have the right to know whether we hold any Personal Information about you.

21.1.2 You have the right to access your Personal Information.

21.1.3 You have the right to ask us to correct any Personal Information you have provided to us.

21.2 To contact us or submit requests in relation to any of the above, please email compliance@gomarloo.com with full details of your request.

21.3 In respect of a request for correction, if we think the correction is reasonable and we consider it reasonable for us to comply, we will make the correction. If we do not make the correction, we will take reasonable steps to note (on the Personal Information in question) that you requested the correction.

21.4 If your request relates to unsubscribing or opting out of marketing, you can contact us on support@gomarloo.com.

21.5 If you are unhappy with the way we collect and use your Personal Information, you can complain to the Privacy Commissioner, but we would encourage you to contact us first so that we can try to address your concerns.

ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF THE UK, THE EEA OR SWITZERLAND

22. Scope

22.1 As mentioned in paragraph 2.6 above, if you are a resident of the UK, the EEA, or Switzerland, your rights in this Privacy Policy are applicable only in respect of Personal Data, as defined in the EU and UK GDPR.

22.2 If there is any inconsistency between this “Additional Clauses Applicable to Residents of the UK, the EEA or Switzerland” section and the rest of the Privacy Policy, this section shall prevail.

23. International Data Transfers

23.1 We only transfer your Personal Information overseas where we are able to comply with applicable data protection laws. If you are located in the UK, the EEA, or Switzerland (the “GDPR Area”), and we transfer your Personal Information outside of the EEA, UK, or Switzerland, we will take appropriate measures to ensure that the recipient protects your Personal Information adequately in accordance with this Privacy Policy and all applicable UK, EU, and Swiss data protection laws. These measures may include:

23.1.1 Ensuring that there is an adequacy decision in respect of the country to which the Personal Information is being transferred.

23.1.2 The use of standard model contractual arrangements with the recipient of Personal Information which have been approved by the UK Information Commissioner, the European Commission, or the Swiss Supervisory Authority, as appropriate (these are known as Standard Contractual Clauses, or SCCs).

23.1.3 The EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.

24. Your Rights Regarding Personal Information

24.1 If you are a resident of the GDPR Area, your data protection rights are as follows:

24.1.1 You can request access to your Personal Information.

24.1.2 You can ask us to correct your Personal Information if it is inaccurate or incomplete.

24.1.3 You can ask us to delete or remove your Personal Information if there is no good reason for us to continue holding it.

24.1.4 You can object to processing of your Personal Information, ask us to restrict processing of your Personal Information, or request portability of your Personal Information.

24.1.5 You have the right to opt out of marketing communications we send you at any time. You can also contact us at support@gomarloo.com.

24.1.6 If you are unhappy with the way we collect and use your Personal Information, you can complain to the Information Commissioner's Office, but we would encourage you to contact us first so that we can try to address your concerns.

24.2 To contact us or submit requests in relation to any of the above (except marketing-related requests), please email compliance@gomarloo.com.

24.3 If we have collected your Personal Information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on a Lawful Basis other than consent.

ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF THE UNITED STATES

25. Scope and Application

25.1 As mentioned in paragraph 2.6 above, if you are a resident of the United States subject to a US State Privacy Law, your rights under this Privacy Policy apply in respect of Personal Information as defined under the privacy laws of the state in which you reside, including but not limited to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Utah Consumer Privacy Act (“UCPA”), the Texas Data Privacy and Security Act (“TDPSA”), and other applicable US State Privacy Laws.

25.2 This section applies in addition to the rest of the Privacy Policy. The general clauses in this Privacy Policy (sections 1 to 12) also apply to US residents, except where modified by this section.

25.3 If there is any inconsistency between this “Additional Clauses Applicable to Residents of the United States” section and the rest of the Privacy Policy, this section will prevail with respect to US residents subject to applicable US State Privacy Laws.

26. Categories of Personal Information we collect

26.1 In the past twelve (12) months, we have collected the following categories of Personal Information from US residents, drawn from the categories enumerated below:

This table is best viewed on desktop

A. Identifiers

Name, email address, phone number, IP address, online identifiers, account credentials.

B. Customer Records Information (Cal. Civ. Code § 1798.80(e))

Name, address, telephone number, bank account number (where collected through our referral programme), employment information.

D. Commercial information

Records of subscriptions and services purchased; transactional information related to your use of the Marloo Service.

F. Internet or other electronic network activity

Cookies, log data, browsing and usage information related to your interaction with the Site and the Marloo Service.

H. Audio, electronic, visual, or similar information

Audio recordings, transcripts, and other content captured from meetings, calls, and uploaded materials processed through the Marloo Service.

I. Professional or employment-related information

The organisation you work for, your professional role, your business contact information.

K. Inferences

Inferences drawn from the foregoing to create draft documents, summaries, and related outputs generated through the Marloo Service.

L. Sensitive Personal Information

See section 27 below.

26.2 The sources from which we collect this Personal Information, the purposes for which we use it, and the categories of third parties to whom we disclose it for business purposes are described in sections 3 and 9 above and should be read together with the table in this section 26.

27. Sensitive Personal Information

27.1 We may collect certain categories of “Sensitive Personal Information” or “Sensitive Data” as those terms are defined under applicable US State Privacy Laws, including:

27.1.1 Account log-in credentials (such as usernames);

27.1.2 Information contained in communications captured through the Marloo Service (including audio recordings, transcripts, meeting notes, and uploaded documents), that may include Sensitive Personal Information or Sensitive Data voluntarily submitted by users;

27.1.3 Financial account information (including, where collected in connection with our referral programme); and

27.1.4 Such other categories of Sensitive Personal Information as may be contained in the content of communications, uploaded documents, or notes processed through the Marloo Service.

27.2 We use Sensitive Personal Information and Sensitive Data only for the purposes set out in section 3 above, and for those additional purposes permitted under applicable US State Privacy Laws, including providing the services reasonably expected by the users, preventing fraud, ensuring the security and integrity of the Marloo Service, and complying with legal obligations. We do not use or disclose Sensitive Personal Information or Sensitive Data for the purpose of inferring characteristics about a consumer.

27.3 California residents have the right to limit our use and disclosure of Sensitive Personal Information to the purposes described in section 27.2 (the “Right to Limit”). See section 31.1.5 below for how to exercise this right.

28. Sharing of Personal Information

28.1 We share certain Personal Information (such as cookie identifiers, IP addresses, and browsing activity) of visitors to our Site with third parties for certain advertising purposes.

28.2 We do not have actual knowledge that we sell or share Personal Information of consumers under sixteen (16) years of age.

29. Recording of Communications and Consent

29.1 The Marloo Service captures audio recordings and transcripts of meetings, calls, and other communications. Recordings are initiated by, and at the direction of the financial adviser or firm using the Marloo Service (“Customer”). Our Customer is responsible for obtaining all necessary consents from meeting participants, end-clients, and other individuals whose communications are recorded or transcribed through the Marloo Service, in accordance with applicable federal and state laws, including the Federal Wiretap Act and the laws of the states that require the consent of all parties to a recorded communication (including but not limited to, as of the date of this Privacy Policy, California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington, each with variations).

29.2 If you are a participant in a meeting or other communication captured through the Marloo Service and you have not consented to the recording, you should notify the financial adviser or firm before the recording commences and request that the recording not occur or that your participation not be recorded.

29.3 Requests for information about recordings and transcripts processed through the Marloo Service that contain your Personal Information may be made directly to the Customer using the Marloo Service. Where we are acting as a service provider on behalf of the Customer, we will direct your request to the Customer and will assist the Customer in responding to it as required by our agreement with the Customer and applicable law.

30. Retention of Personal Information

30.1 The general retention principles described in section 7 above apply to US residents. Specifically:

30.1.1 Account identifiers and customer records information: retained for the duration of your relationship with us, plus a reasonable period thereafter for legal, accounting, and audit purposes (generally up to seven (7) years).

30.1.2 Commercial information related to transactions: retained for the period required by applicable tax and accounting laws (generally up to seven (7) years).

30.1.3 Audio recordings, transcripts, and uploaded content processed through the Marloo Service: retained for the period directed by our Customer or as required to provide the Marloo Service, and deleted in accordance with our agreement with the applicable Customer.

30.1.4 Cookies and similar technical data: retained for the period set out in our cookie notice (see section 5 above), generally up to twenty-four (24) months.

30.1.5 Referral programme financial information: retained for the period required by applicable financial regulations (generally up to seven (7) years).

31. Your Privacy Rights as a US resident

31.1 Subject to applicable US State Privacy Laws and the rights available under the laws of your state of residence, you may have the following rights with respect to your Personal Information:

31.1.1 Right to Know / Access: You may request that we disclose the categories and specific pieces of Personal Information we have collected about you, the sources from which we collected the Personal Information, the purposes for collecting or processing it, and the categories of third parties with whom we share it.

31.1.2 Right to Delete: You may request that we delete Personal Information we have collected from you, subject to certain exceptions provided under applicable law.

31.1.3 Right to Correct: You may request that we correct inaccurate Personal Information we maintain about you.

31.1.4 Right to Portability: You may request that we provide you with a copy of your Personal Information in a portable and, to the extent technically feasible, readily usable format.

31.1.5 Right to Limit Use of Sensitive Personal Information (California only): You may request that we limit our use and disclosure of Sensitive Personal Information to the purposes described in section 27.2 above.

31.1.6 Right to Non-Discrimination: We will not discriminate against you for exercising any of your rights under US State Privacy Laws. See section 35 below.

31.2 The specific rights available to you depend on the state in which you reside. Some US State Privacy Laws also include thresholds, exemptions, and other limitations that may affect the availability of these rights.

32. How to Exercise your Rights

32.1 To exercise any of the rights described in section 31, please contact us by:

32.1.1 email to compliance@gomarloo.com; or

32.1.2 mail to our US privacy contact at Suite 7D, 335 Madison Ave., New York, NY 10017.

32.2 We will respond to your verifiable request within forty-five (45) days of receipt, except where additional time is permitted under applicable law. If we require additional time, we will inform you of the reason and any extension period in writing.

32.3 Subject to applicable US State Privacy Laws, you may make a request for access or portability twice within a twelve (12) month period without charge.

33. Authorised Agents

33.1 You may designate an authorised agent to submit a request on your behalf. The authorised agent must provide:

33.1.1 written and signed permission from you authorising the agent to act on your behalf; or

33.1.2 a valid power of attorney pursuant to the laws of the applicable state.

33.2 We may also require you to verify your own identity directly with us, or to confirm with us directly that you have provided the authorised agent to act on your behalf, before we process the request.

34. Identity Verification

34.1 Before responding to a request to know, delete, correct, exercise portability rights, or limit the use of Sensitive Personal Information, we will take reasonable steps to verify your identity. The level of verification will depend on the nature, sensitivity, and risk of the request.

34.2 We may ask you to provide identifying information that we can match against information already held by us, or to log in to your account if you have one. We will not retain identifying information provided solely for verification purposes for any longer than is necessary to fulfil the verification function.

35. Non-Discrimination

35.1 We will not discriminate against you for exercising any of your rights under US State Privacy Laws. Specifically, we will not:

35.1.1 deny you goods or services;

35.1.2 charge you different prices or rates, including through the use of discounts, benefits, or penalties;

35.1.3 provide you with a different level or quality of goods or services; or

35.1.4 suggest that you may receive a different price, rate, level, or quality of goods or services.

35.2 Nothing in this section 35 prohibits us from offering a different price, rate, level, or quality of goods or services where the difference is reasonably related to the value provided to us by your Personal Information, or from providing financial incentives in compliance with applicable US State Privacy Laws.

36. Notice of Financial Incentives

36.1 We do not currently offer financial incentives or price or service differences in exchange for the collection, retention, sale, or sharing of Personal Information. If we begin to offer any such financial incentives, we will update this Privacy Policy and provide all required disclosures at that time.

37. California “Shine the Light”

37.1 California Civil Code Section 1798.83 (commonly known as the “Shine the Light Law”) permits California residents to request information regarding any disclosure of certain personal information to third parties for third parties' direct marketing purposes during the immediately preceding calendar year. We will honour such requests from California residents. To submit a request, please contact us at compliance@gomarloo.com.

38. Children's Personal Information

38.1 The Marloo Service is not directed to, nor intended for use by, individuals under the age of eighteen (18). We do not knowingly collect Personal Information from individuals under the age of eighteen (18).

38.2 If we become aware that we have collected Personal Information from an individual under eighteen (18) years of age in the United States, we will take reasonable steps to delete that information. If you believe we may have collected Personal Information from a person under eighteen (18), please contact us at the addresses provided in section 32.

39. Changes to this Privacy Policy

39.1 The general provisions in the introduction to this Privacy Policy regarding updates apply to US residents. We will notify US residents of material changes to this Privacy Policy in accordance with applicable US State Privacy Laws, including, where required, by direct notice or by providing thirty (30) days' advance notice on the relevant Site.