Privacy policy
How Marshal collects, uses, and protects personal data — including the investigation content our customers entrust to us.
Effective DRAFT — counsel review required
[EDIT: …] markers flag business-specific decisions that need to be resolved before this is customer-facing. Substantive text reflects current product behavior as a starting point for counsel.
1. Who we are
Marshal is a software product operated by [EDIT: legal entity name, e.g., “Marshal Inc., a Delaware corporation”] (“Marshal,” “we,” “us”). Our registered office is at [EDIT: registered address]. You can reach our privacy team at privacy@marshal.to.
We provide a SaaS application for HR investigations: a workspace where employer customers (“Customers”) conduct internal investigations of workplace complaints, with optional AI-assisted drafting of memos, findings, and reports.
2. Our role: controller versus processor
Personal data flows through Marshal in two distinct ways, with two different legal roles:
- Marshal as data controller. When you sign up for an account, manage billing, contact support, or otherwise interact with us directly, we determine the purpose and means of processing your data. We act as a data controller for this information.
- Marshal as data processor. When a Customer uses Marshal to conduct an investigation, the Customer uploads or generates personal data about employees, complainants, respondents, and witnesses. The Customer is the data controller of that investigation content; Marshal processes it strictly on the Customer's instructions under the Data Processing Addendum that forms part of our Terms of Service.
This privacy policy primarily describes our practices as a controller. For questions about how your data is being processed within a specific Customer's Marshal account (for example, as a complainant or witness in an investigation), contact that Customer directly — they are the controller and we must refer your request to them.
3. Information we collect
We collect the following categories of personal data:
3.1 Account and contact data
When you create a Marshal account or are invited to one: name, email address, employer/organization, role in the tenant, password hash (we never see the plaintext), MFA factor metadata, and timestamps of account activity.
3.2 Billing data
For paying Customers, we collect business contact details and a subscription record. Payment cards are handled by our payment processor (Stripe); Marshal never sees full card details.
3.3 Investigation content (Customer-controlled)
On a Customer's instructions, Marshal stores and processes the content of investigations the Customer conducts. This typically includes complainant and respondent identifiers, witness names, narrative accounts of events, uploaded documents (emails, policies, screenshots), interview transcripts, allegation descriptions, and investigative findings. Some of this content is sensitive personal data, including potential allegations of unlawful conduct.
3.4 Usage and device data
We log application usage and request metadata to operate the service: IP address, user-agent string, request paths, timestamps, response status, and the user/tenant context of each authenticated request. Server logs are retained for [EDIT: e.g., 90 days], then deleted from live systems.
3.5 Cookies and similar
Marshal uses a minimal set of cookies that are strictly necessary to deliver the service: an authentication cookie managed by our auth provider (Supabase) and a CSRF token. We don't use marketing or analytics cookies on the application itself. [EDIT: confirm if the marketing site, when launched, uses any analytics; revise this paragraph accordingly.]
4. How we use personal data
We use personal data for:
- Providing the service: letting Customers and their authorized users access Marshal, store investigation content, generate AI-assisted drafts, export reports, and use the other product features.
- Security and integrity: detecting and preventing abuse, fraud, and unauthorized access. We maintain a tamper-evident audit log of system activity for this purpose.
- Communications: account confirmations, password resets, invitations, security notifications, billing notices, and (when subscribed) product updates.
- Service improvement: aggregated usage metrics that help us understand how the product is used. We do not use Customer investigation content to improve, train, or develop AI models.
- Compliance with law: responding to lawful requests from authorities, maintaining records as required by tax and corporate law, and defending legal claims.
5. Legal bases (GDPR)
For users protected by the GDPR (or analogous laws), the legal bases we rely on are:
- Performance of a contract — to provide the service to Customers and their authorized users (Article 6(1)(b)).
- Legitimate interests — for security, fraud prevention, and limited service improvement (Article 6(1)(f)), balanced against your rights and interests.
- Legal obligation — for tax records, accounting, and responding to lawful requests (Article 6(1)(c)).
- Consent — for product marketing emails and any optional features that ask for it. You can withdraw consent at any time without affecting the lawfulness of earlier processing.
For investigation content where the Customer is the controller, the Customer is responsible for identifying and documenting the legal basis (which is typically the Customer's legitimate interest in conducting the investigation, legal obligation under employment law, or legal claims defense).
6. AI processing
Marshal uses third-party large language models to generate draft memos, finding analyses, report sections, and chat responses. Specifically, we send relevant content to Anthropic, PBC (the maker of the Claude family of models) under their commercial terms.
What you should know about how we use AI:
- No model training on Customer data. Anthropic's commercial terms with us prohibit them from using Customer content to train, fine-tune, or otherwise improve their models. We do not use Customer content for those purposes either.
- AI outputs are drafts, not decisions. Every AI-generated artifact is presented as a draft for human review. Investigators must read, edit, and confirm output before it becomes part of the investigation record. Marshal does not represent AI output as legal advice or as a substitute for investigator judgment.
- Provenance is logged. For each AI call we record the prompt template version, the model name and version, a hash of the input content, and the output text. The Customer can audit which model produced which draft, and when.
- Investigator confirmation is required for material acts. Setting an allegation determination (sustained / not sustained / inconclusive), closing a case, and similar acts always require an investigator action on top of any AI suggestion.
7. How we share personal data
We do not sell personal data. We share data only with the sub-processors that help us run the service, with our own professional advisers, and where compelled by law. Our current sub-processor list — including purpose, data accessed, and location of each — is at /trust/sub-processors.
We may also share data:
- With professional advisers (lawyers, accountants, auditors) under confidentiality
- With law enforcement or other authorities when legally compelled (we'll notify the affected Customer first unless prohibited by law)
- In connection with a corporate transaction (merger, acquisition, financing); the successor will be bound by this policy or equivalent terms
8. International data transfers
Marshal's primary infrastructure is in the United States. If you access the service from outside the US, your data will be transferred to and processed in the US.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (the “SCCs”) plus supplemental measures appropriate to the data. [EDIT: confirm position on EU-US Data Privacy Framework certification once entity is formed; if certified, mention it here.]
9. How long we keep personal data
Account data: while the account is active, plus a reasonable period afterward for security and dispute resolution. Tax and billing records are kept for the period required by law (typically 7 years in the US).
Investigation content: per the Customer's configured retention policy. Customers may set automatic archival after a defined window from case closure (subject to legal holds the Customer places). Marshal does not delete investigation content on its own initiative.
Audit log: append-only and retained for the life of the tenant, with periodic off-system attestation copies retained for seven years in tamper-evident storage. Audit retention is required by spoliation doctrine and by the legal-claims defense exemption under GDPR Article 17(3)(e).
Backups are retained for [EDIT: backup retention period, e.g., 30 days] and overwritten on a rolling basis.
10. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you and receive a copy
- Correct inaccurate or incomplete data
- Request erasure of your data, subject to legal exemptions (see below)
- Restrict or object to processing under certain circumstances
- Receive your data in a portable, machine-readable format
- Lodge a complaint with a supervisory authority
- Withdraw consent where consent is our legal basis (for example, marketing emails)
For data Marshal controls directly (your account data), contact privacy@marshal.to. We will respond within 30 days; this may be extended by two additional months for complex requests, with notice.
For investigation content held in a Customer's account, contact the Customer directly — they control the data and Marshal must refer your request to them. We'll assist them in fulfilling lawful requests.
About erasure and exemptions: some information cannot be erased on request because preserving it is required by law or another legitimate ground. Investigation records typically fall under one or more of these exemptions (legal-claims defense, HR-records statutes, third-party speech). When we preserve data under an exemption, we document the legal basis and provide it to you on request.
11. Security
Marshal implements technical and organizational measures appropriate to the sensitivity of the data. Highlights:
- Database-level tenant isolation via row-level security, verified by an automated cross-tenant integration suite
- Encryption in transit (TLS 1.2+) and at rest
- Append-only cryptographic audit log with per-tenant sha256 chains and off-system attestation snapshots
- SAML SSO, SCIM provisioning, tenant-enforced MFA, and configurable session idle timeouts
- Principle of least privilege for all internal access; no standing access to Customer content
The full security posture is at /trust. No security program is perfect; we maintain a vulnerability disclosure policy at /trust/security and notify affected Customers in the event of a personal data breach per applicable law.
12. Children
Marshal is not directed to children under [EDIT: 16 for GDPR / 13 for US; pick] years old, and we don't knowingly collect their personal data. If you believe a child has provided us personal data, contact us so we can investigate and delete it.
13. Changes to this policy
We may update this policy. When we do, we'll update the effective date at the top and, for material changes, give Customers at least [EDIT: 30 days] notice by email or in-app before the change takes effect. Continued use of the service after a change takes effect means you accept the updated policy.
14. Contact
Privacy questions, rights requests, and complaints: privacy@marshal.to.
EU representative under GDPR Article 27 (if applicable): [EDIT: appoint and list EU representative if any EU-based data subjects are processed].
UK representative under UK GDPR Article 27 (if applicable): [EDIT: same].