Marmo Privacy
Back to home
Privacy Policy
Marmo Privacy ("we", "us", or "our") operates the Service under the name Marmo, Marmo Privacy, and usemarmo.xyz. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
We built Marmo on a principle of minimal data collection. We do not sell your data. We do not profile you. Our co-signer signs transactions without learning what those transactions contain.
1. Information We Collect
Co-signer registration: When you create a wallet, we store:
- Your smart account address (a public blockchain address)
- Your Shard A address and Shard C address (public addresses)
- An encrypted copy of your Shard B private key (encrypted with AES-256-GCM using a server-side vault key; we cannot read it)
- A SHA-256 hash of your API key (the key itself is shown once and never stored)
- A daily spending limit and cumulative spend counter
Co-signing requests: When you request a co-signature, we receive the userOpHash (a hash of your transaction). We do not receive the transaction contents, recipient, or amount unless you optionally provide an amountUsd field for spend-limit tracking.
Website: Our landing page (usemarmo.xyz) does not use tracking cookies, analytics scripts, or fingerprinting. Standard server access logs (IP address, timestamp, path) may be retained briefly by our hosting provider.
2. How We Use Your Information
- To operate the co-signer and provide the 2-of-3 signing service
- To enforce daily spending limits you configure
- To authenticate your requests via your API key hash
- To detect and prevent abuse of the co-signer service
We do not use your information for advertising, profiling, or any purpose beyond operating the Service.
3. Data Storage and Security
Your wallet data is stored in a PostgreSQL database hosted by Supabase (EU region). Your Shard B private key is encrypted at rest with AES-256-GCM before being written to the database. The encryption key (vault key) is held only in the co-signer server's environment and is never written to the database.
We use TLS for all data in transit. Access to production infrastructure is restricted to authorized personnel only.
4. Data Retention
Your co-signer registration data is retained for as long as your wallet is active. You may request deletion by emailing security@usemarmo.xyz with your wallet address. Deletion removes your shard and wallet record, making co-signing permanently unavailable for that wallet.
5. Third-Party Service Providers
We use the following third-party providers to operate the Service:
- Supabase — database hosting (EU)
- Render — co-signer server hosting
- GitHub / GHCR — source code and container image hosting
Each provider has its own privacy policy. We do not share your data with any other third parties.
6. Blockchain Data
Your wallet address and all on-chain transactions are publicly visible on the Base blockchain. This is an inherent property of public blockchains and is outside our control. Marmo's privacy features (stealth addresses, screened pools) are designed to minimize on-chain linkability, but we cannot guarantee anonymity.
7. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, or delete the personal data we hold about you. To exercise any of these rights, contact us at security@usemarmo.xyz. We will respond within 30 days.
8. Children
The Service is not directed at individuals under 18 years of age. We do not knowingly collect information from minors.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced on our website. Continued use of the Service after changes constitutes acceptance of the revised policy.
10. Contact
For privacy questions or requests, contact us at security@usemarmo.xyz.