Privacy Policy

Last updated: October 2025

This Privacy Policy explains how MarkerKit (“we”, “us”, “our”) collects, uses, and shares personal data when you use our website, dashboard, APIs, and embeddable widgets (the “Service”).

We never sell personal data.

1. Who is the controller?

MarkerKit is the data controller for the hosted Service.
Contact: hello@markerkit.com

For self-hosted deployments run by a customer, that customer is the controller for end-user data processed on their infrastructure (see §12).

2. Data we collect

We aim to collect the minimum necessary data.

  • Account data (when you sign up or log in): name, email, password hash or identity provider ID (e.g., Google).
  • Billing data (only for payments): name, company, VAT/tax ID, billing address, transaction details. Card data is handled by our payment processor and is not stored by us.
  • Analytics data (website/app usage): page views, referrer, device/OS, approximate location, session metrics, and basic event counts. By default we use self-hosted, cookieless analytics (Plausible Community Edition) that does not rely on third-party cookies or advertising IDs. In some cases, and only with your consent where required, we may also use additional analytics or marketing tools (e.g., Google Analytics, Apollo tracking) for more detailed insights.
  • Logs & telemetry: IP address, request/response metadata, error traces, performance metrics—used for security, debugging, and reliability.
  • Support communications: messages you send to us (email or in-app).
  • Embedded widget events (pseudonymous): aggregate counts such as widget loads, interaction events, and tile/asset requests to operate usage-based features and billing.

We do not collect or process special categories of data.

3. Why we collect it (purposes) and legal bases (GDPR)

  • Provide and operate the Service (account access, widget delivery, APIs): Contract necessity.
  • Billing and compliance (invoicing, tax records, fraud prevention): Legal obligation and legitimate interests.
  • Analytics and product improvement:
    • For our self-hosted, cookieless analytics (e.g., Plausible CE running on our own infrastructure), we rely on legitimate interests to understand how the Service is used and improve it, without using third-party advertising cookies or cross-site tracking.
    • For any additional analytics or marketing tracking that uses non-essential cookies or similar technologies (e.g., Google Analytics, Apollo tracking), we rely on your consent obtained via a cookie/consent banner where required.
  • Security and abuse prevention (rate limiting, investigating incidents): Legitimate interests.
  • Communications (transactional emails, account notices): Contract necessity.
  • Marketing emails (news, tips, product updates): Consent. You can opt out anytime.

We do not use your data for automated decision-making that produces legal or similarly significant effects.

4. Cookies and analytics

We use cookies and similar technologies to:

  • keep you signed in,
  • remember preferences,
  • measure usage, and
  • support marketing and sales workflows where enabled.

We distinguish between:

  • Essential cookies – required for the basic operation of the Service (e.g., authentication sessions, security). These are set on the basis of contract necessity or legitimate interests.
  • Privacy-friendly, cookieless analytics – by default, we use self-hosted Plausible Analytics on our own infrastructure. This setup does not rely on third-party advertising cookies or cross-site tracking and is used under legitimate interests to obtain aggregated usage statistics.
  • Non-essential analytics and marketing cookies/trackers – for example, Google Analytics, Apollo tracking, or similar tools that may place identifiers in your browser or combine activity across sites. Where we use these, we do so only with your consent obtained via a cookie/consent banner.

Where required by law, we obtain consent through a cookie/consent banner for non-essential cookies and similar technologies.
You can control cookies via your browser settings and, where applicable, our cookie/consent settings.

5. Email practices (no spam)

  • We send transactional emails (receipts, security alerts, service notices). You cannot opt out of strictly necessary transactional emails.
  • Marketing emails are optional. Each message includes an unsubscribe link. You can also email hello@markerkit.com to opt out.

We do not share your email for third-party marketing.

6. Sharing your data (processors and recipients)

We share data only with service providers that help us run the Service, subject to data-processing agreements (DPAs) where required:

  • Hetzner – application infrastructure hosting (EU).
  • Self-hosted analytics (Plausible Community Edition) – privacy-friendly, cookieless analytics running on our own Hetzner-based infrastructure in the EU.
  • Google Firebase – authentication, Firestore, Realtime Database (EU multi-region where available).
  • AWS (S3, SES, SSM/KMS) – file storage, transactional email, and secrets management (region: eu-central-1).
  • QuestDB – analytics events storage (private EU environment).
  • Stripe – payments (PCI DSS Level 1 certified).
  • Email services – transactional communications and notifications.
  • Analytics and marketing tools – where enabled and consented to (e.g., Google Analytics, Apollo.io or similar sales/CRM tools for lead management and outreach).

We may disclose data to comply with law or to protect rights, safety, and security. In a merger or acquisition, your data may transfer to the successor entity.

We never sell personal data.

6a. Sub-processors

We maintain a list of sub-processors and notify customers of material changes.
Enterprise customers may request a DPA listing current sub-processors at privacy@markerkit.com.

7. International transfers

Primary data residency is within the European Union (Hetzner and AWS eu-central-1).

When limited data transfers occur outside the EEA (for example, to payment providers or sales/analytics tools with non-EU infrastructure such as Stripe or Apollo.io), they are governed by the European Commission’s Standard Contractual Clauses (SCCs) and appropriate technical and organizational safeguards.

8. Security

We apply layered security measures including HTTPS/TLS 1.2+, access control, IAM roles, network segmentation, least-privilege principles, and container isolation.
Data is encrypted in transit and at rest.
Regular security reviews, dependency scanning, and infrastructure audits are performed.

No method of transmission or storage is 100% secure, but we continually improve to meet best practices.

9. Data retention

  • Billing records: retained as required by applicable tax/accounting laws.
  • Account data: retained while your account is active; deleted or anonymized after closure, subject to legal holds.
  • Analytics and logs: retained for a limited period for security and product improvement, then aggregated or anonymized.
  • Support communications: retained as needed to address requests and maintain records.

10. Your rights (EU/EEA & similar jurisdictions)

You may have the right to access, rectify, erase, restrict, object, and port your personal data, and to withdraw consent at any time (withdrawal does not affect prior lawful processing).

Where we rely on legitimate interests (for example, for self-hosted, cookieless analytics), you have the right to object to such processing on grounds relating to your particular situation.

To exercise these rights, email hello@markerkit.com.
You may also lodge a complaint with your local data protection authority.

11. Children

The Service is not directed to children under 16 (or the age defined by local law).
We do not knowingly collect personal data from children.

12. Self-hosted deployments

If you deploy MarkerKit on your own infrastructure, you act as the controller for end-user data processed there.

You are responsible for:

  • implementing a lawful basis and consent (where required),
  • providing required notices to your users,
  • securing your deployment, and
  • honoring data-subject rights.

12a. Data Processing Agreement (DPA)

Enterprise customers or controllers subject to GDPR may request a signed Data Processing Agreement (DPA) by emailing privacy@markerkit.com.

13. Changes to this policy

We may update this Policy from time to time.
Material changes will be announced (e.g., via the dashboard or email).
The “Last updated” date reflects the latest version.
Continued use of the Service indicates acceptance of the updated Policy.

14. Contact

Privacy & compliance inquiries: hello@markerkit.com

MarkerKit VCC
UIC 208561215
Registered in Sofia, Bulgaria

MarkerKit VCC

UIC 208561215

Registered in Sofia, Bulgaria.

The interactive layer for maps,
floor plans, and diagrams.
© 2025 MarkerKit
Product
Solutions
Resources
Company