Legal

Privacy Policy

Last updated: April 24, 2026

Mark My Merchant ("we", "us", or "our") operates markmymerchant.com (the "Service"). This page explains what personal information we collect, why we collect it, and how you can control it.

1. Information we collect

Account information

  • Email address (you provide this during signup or checkout)
  • Bcrypt-hashed password (we never store or see your plaintext password)
  • Stripe customer and subscription identifiers (for billing management)

Usage information

  • Files you upload for watermarking (PDFs and logo images) and the watermarked outputs we generate
  • Batch names, session timestamps, and your IP address at time of processing
  • Approximate usage counts (for enforcing the free-tier limit)

Tracking beacons (third-party IPs)

Our service embeds beacon URLs in watermarked PDFs so you can detect leaks and track opens. When a recipient opens one of your watermarked PDFs, or a corporate scanner/bot parses the file, our server may log:

  • IP address
  • User-agent string (device / browser / PDF viewer)
  • Approximate geographic location (city, country) derived from IP
  • Timestamp

As the account owner, you are responsible for ensuring your use of this feature complies with applicable law in the jurisdictions of your recipients (including but not limited to GDPR, CCPA, and similar privacy frameworks). See the Terms of Service for your obligations.

Cookies

We use one cookie — a PHP session cookie — to keep you logged in. It is set with HttpOnly, Secure, and SameSite=Lax flags. We do not use advertising cookies, third-party trackers, or analytics cookies.

2. How we use your information

  • Process and deliver your watermarked documents
  • Operate your account (authentication, billing, support)
  • Provide tracking and leak-detection features you've requested
  • Prevent abuse, fraud, and unauthorized access
  • Communicate with you about your account (transactional email only)

We do not sell, rent, or share your personal data with advertisers, data brokers, or unrelated third parties.

3. Data sharing

We share limited information only with service providers necessary to run the Service:

  • Stripe (payments) — processes your subscription. See Stripe's privacy policy.
  • Amazon Web Services (hosting) — hosts the servers where your data lives, within the United States.
  • ip-api.com (GeoIP) — enriches beacon-hit IPs with country/city. Only raw IPs are sent; no other data.
  • Google Workspace / Gmail (transactional email) — sends password-setup and reset emails from team@markmymerchant.com.

We may disclose information when required by law, subpoena, or other legal process.

4. Data retention

  • Watermarked output files are retained indefinitely while your account is active. Delete-on-request is available via team@markmymerchant.com.
  • Uploaded source PDFs are retained on the server as long as the session's watermarked output exists.
  • Beacon-hit logs (IP, UA, geo) are retained for 90 days, then purged.
  • Account records, Stripe identifiers, and authentication data are retained for as long as your account exists, plus 30 days after cancellation for billing reconciliation.

5. Your rights

You may request at any time:

  • A copy of the personal data we hold about you
  • Correction of inaccurate data
  • Deletion of your account and associated data
  • Withdrawal of consent for any processing based on consent
  • Portability of your data in a machine-readable format

To exercise any of these rights, email team@markmymerchant.com. We'll respond within 30 days.

Residents of California have additional rights under the CCPA, including the right to opt out of "sale" of personal information — we do not sell personal information.

Residents of the European Economic Area, UK, and Switzerland have rights under the GDPR. Our legal basis for processing is: contract performance (your account) and legitimate interest (security, fraud prevention).

6. Security

  • TLS 1.2+ encryption for all traffic
  • AES-256 encryption on watermarked output files
  • Bcrypt password hashing
  • Rate limiting and signed Stripe webhook verification
  • Regular server security updates

No system is perfectly secure. If you believe your account has been compromised, contact us immediately.

7. Children

The Service is not directed to individuals under 18. We do not knowingly collect data from children.

8. International users

Our servers are located in the United States. By using the Service, you consent to the transfer of your data to the U.S., which may have different data protection laws than your country.

9. Changes to this policy

We may update this policy. The "Last updated" date above reflects the most recent revision. Material changes will be emailed to account holders.

10. Contact us

Questions, requests, or complaints: team@markmymerchant.com