Privacy Policy

Last updated: 2026-04-19

MarBoba is operated by SomexAI Applications Group ("we", "us", or "SomexAI"). This policy explains what personal data we collect through MarBoba (the product at apps.marboba.com) and our website (marboba.com), why we collect it, and your rights over it. If anything here conflicts with a signed Data Processing Agreement, the DPA controls.

What we collect

  • Account data: your email, display name, and org membership. Created when you sign up.
  • Authentication metadata: last sign-in time, IP, MFA status. Used to keep the account secure.
  • Project metadata: project names, component types, deployment targets, environment names, workflow file paths. Used to power the product UI.
  • VCS metadata: repo URLs, pull request titles, pipeline run statuses, branch names. Fetched on-demand from your VCS when you view a screen; cached briefly for performance.
  • Secrets you store in the Vault: encrypted as described in our Security page. We don't read them; we hand them to your VCS when you sync.
  • Billing data: handled by Stripe. We see plan + subscription status; we do not store card numbers.
  • Support conversations: emails to support@somexai.com and in-app tickets.
  • Usage analytics: page views, feature-usage counts, error rates. Tied to your org — not shared with third parties in a way that identifies you.

What we do NOT collect

  • The contents of your repositories. MarBoba pushes one file (the pipeline config) and reads metadata; it does not clone or read your source code.
  • The plaintext of your Vault items. These are decrypted only inside Cloud Functions for the brief moment needed to push to your VCS.
  • Behavioral advertising data. We don't run an ad network.

Why we collect it

  • To operate the product — you can't run a pipeline without knowing which repo to push to.
  • To bill you — we need to know who is on which plan.
  • To keep you secure — audit logs, MFA, anomaly detection.
  • To improve the product — in aggregate, not per user.

Who sees it

  • Your team. Members of your org see the projects + data you share with them, per their role.
  • SomexAI employees, only as needed for support, debugging, or legal compliance. Access is logged.
  • Subprocessors listed on our Security page.
  • Legal authorities, only when compelled by a valid court order. We will challenge overly broad requests and notify you unless prohibited by law.

How long we keep it

  • Active accounts: for as long as you're a customer.
  • Cancelled accounts: 90 days soft-delete (recoverable by contacting support). Then permanent deletion.
  • Backups: 30 days.
  • Audit logs: retained per org setting (7 days to 7 years).

Your rights

  • Export: download your org's data as a ZIP via Settings → Organization Backups.
  • Delete: an org owner can delete the organization from Settings. Doing so removes every project, feature flag, and Vault item within 7 days.
  • Access / correct: email privacy@somexai.com.
  • Object / restrict: same email.

International transfers

Data is stored in Google Cloud's US regions by default. Enterprise customers can request a specific region (Scale + Enterprise tiers). We rely on Standard Contractual Clauses for EU → US transfers when applicable.

Cookies

marboba.com uses only strictly-necessary cookies (session, CSRF). The app at apps.marboba.com uses additional cookies for authentication and preference storage. We don't use third-party tracking cookies.

Children

MarBoba is not directed at people under 16. If you believe a child has created an account, email privacy@somexai.com and we will remove the account.

Changes

We'll announce material changes in-app at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact

Privacy questions: privacy@somexai.com.
Legal questions: legal@somexai.com.
Mailing address available on request.