At Marker.io, protecting customer data and end-user privacy is core to our mission. This document explains:
What data we collect and how long we keep it.
How we secure that data with industry best practices.
Our legal and compliance commitments.
Overview
Data Ownership
You always own your data.
Marker.io only processes end-user data on your behalf.
We never sell, share, or use your data for other purposes.
What Information We Collect
When an end-user submits feedback via the Marker.io widget, the following data may be collected and attached to the report:
Basic details: name, email
Feedback content: description, screenshots, attachments.
Device & technical info: operating system, browser, viewport, page URL
Debugging data (Optional): console/network logs, session replays
Custom metadata (if configured): additional attributes (e.g. user ID, account role, plan type) configured by admin to send alongside the report.
Webpage content: Information embedded in your site that may appear in screenshots or replays. This can sometimes include personal information (PII) displayed on your site (e.g. names on a profile page), but admins can mask or suppress it at the source if needed.
Data Controls
Admins are always in control. You can mask sensitive info, filter network requests, disable features (like replays), or decide what custom metadata (if any) is attached to reports.
Mask or blur sensitive data in screenshots and replays so PII is never recorded.
Filter network requests client-side so sensitive data never leaves the reporters' browsers.
Disable recording features you don't need (e.g. session replay, console logs, network requests).
Retention
Data is stored permanently. Admins have full control to delete it.
Deleted data is removed from all backups within 90 days.
When the Session Replay feature is enabled, Marker.io temporarily records recent page content and user activity to generate a replay video if an issue is submitted. If no issue is created, this temporary data is automatically deleted within 15 minutes.
Security
Encryption: TLS 1.2+ in transit, AES-256 at rest.
Hosting: AWS (Ireland/EU) with physical & network security.
Access: Restricted to authorized staff, fully logged & reviewed.
Audits: SOC 2 Type II + independent penetration testing annually.
Compliance
Fully GDPR compliant.
Subprocessors are carefully vetted.
Data Processing Agreement (DPA) available.
FAQ
Privacy & Data Handling
What data do you collect when someone submits an issue?
When a reporter submits feedback via the Marker.io widget, the following information is collected and attached to the issue:
Reporter details
Email address
Name
Feedback content
Description written by the reporter
Optional manual attachments (screenshots, files)
Technical metadata (captured automatically)
Browser name & version
Operating system
Viewport size
Page URL
Console logs & network requests (if enabled)
Session replay (if enabled)
Custom metadata attributes (if enabled)
Website/app content (passively captured)
Screenshots, logs, or replays may include personal data if it is displayed in your site's page content at the time of capture. To reduce the risk of capturing unnecessary personal data, we provide Sensitive Data Masking tools so admins can blur or block fields or DOM elements at the source.
Does Marker.io collect personal information (PII)?
It's important to distinguish between the two main types of users whose data may be collected by Marker.io:
Users with a login (Marker.io customers)
When you create and use a Marker.io account (Admin, Manager, Member, Guests), we collect basic account information:
Name
Email address
Profile picture (if provided)
IP address
Device and technical information (operating system, browser type and version)
Billing information (if applicable)
We use this information to provide you with an account, billing, and support services.
End users / reporters (via Marker.io widget)
When someone submits feedback through a Marker.io widget, we collect:
Name
Email address
Device and technical information (operating system, browser, viewport, page URL, etc.)
Report details: description, attachments, screenshots, logs
In addition, two other categories of data may be collected depending on how your workspace admin configures Marker.io:
Custom metadata (actively provided): Widget admins can choose to attach extra attributes about reporters (e.g. internal user ID, plan type, role) via custom metadata attributes. Marker.io only receives what your team decides to send.
Page content (passively captured): Personal data may be passively sent to Marker.io if it is embedded in your website's page content where the widget is installed. For example, if your site includes a profile page showing a user's name or email address, that data could appear in screenshots, console logs, or session replays captured by the widget.
To reduce the risk of capturing unnecessary personal data, we provide Sensitive Data Masking tools so admins can blur or block fields or DOM elements at the source.
How can I prevent sensitive data from being captured?
Marker.io gives workspace admins full control over what data is captured. You can prevent sensitive information from ever reaching our servers by configuring the following options:
Use Sensitive Data Masking (screenshots, replays, DOM):
Blur or block specific fields or DOM elements (e.g. passwords, credit card numbers, personal identifiers) so they are never included in screenshots, console logs, or session replays.
Filter network requests client-side:
In your Developer Tools settings, you can exclude sensitive keys or payloads from being recorded. This filtering happens entirely in the user's browser, which means sensitive request data is never transmitted to Marker.io servers in the first place.
Control custom metadata:
Only send attributes you need (e.g. user ID or account role). Avoid sending names, emails, or other direct identifiers if not required.
Limit widget fields for reporters:
Configure your feedback form to collect only the essentials (e.g. email + description). Avoid adding optional fields that might capture sensitive data unnecessarily.
Turn off non-essential features:
If you don't need session replay or network/console logging for debugging, you can disable them to minimize data capture.
In short: all filtering and masking happens before data ever leaves the user's browser. You remain in control of what information Marker.io processes.
Do you own my data?
No. You always remain the owner of your data.
It's important to distinguish between two types of data handled by Marker.io:
End-user / reporter data (via the widget):
Data submitted by your end users through Marker.io belongs to your organization. You decide what is collected, how it is used, and how long it is retained. Marker.io only processes this data on your behalf to deliver the service. We do not sell, share, or use your end-user data for any other purpose.
(Legally: you are the Data Controller; Marker.io is your Data Processor, as outlined in our Data Processing Agreement.)
Customer account data (for using Marker.io):
To provide you with an account, billing, and support services, Marker.io collects limited information such as your name, email, and billing details.
Do you temporarily store data before a report is submitted?
Only when the Session Replay feature is enabled.
In that case, to help developers reproduce issues, Marker.io can temporarily buffer recent browser activity so that it can recreate a video of the user session.
If no issue is reported, this buffer is automatically deleted within 15 minutes.
If an issue is reported, the relevant data is saved with the issue and becomes part of permanent storage.
The content of these captures depends on your website or application content. We only record what is present in the page at the time.
How long do you keep data?
We retain your data until you ask us to delete it. You can either delete your user data or workspace directly, or contact us for assistance. Once deleted, your data is also removed from our backups within 90 days.
Data type | Retention | Deletion method |
Reporter emails, descriptions, attachments | Stored until issue is deleted | Permanent deletion after backups expire (90 days) |
Console logs, network requests, metadata | Stored with the issue | Deleted with issue |
Session replays | Flushed after ~15 min if no issue submitted; stored with issue if submitted | Deleted with issue |
Account data (name, email, billing info) | Stored while account is active + legal obligations (e.g. tax) | Deleted on request or account closure |
How should I describe Marker.io in my own Privacy Policy?
To make it easier for you, we've created sample wording you can include in your privacy policy when you are using Marker.io with your users. Feel free to use it as a starting point or adapt it to suit your needs. Note that this is a very generic statement and might need to be tailored to fit your particular use of our services. Check it out here.
Where is data stored?
Marker.io is hosted on Amazon Web Services (AWS). Data is stored in the Ireland / EU region.
Do you use subprocessors?
Yes, we work with third-party companies to deliver our services. We carefully choose these partners based on their strong security practices. You can review our full list of sub-processors here.
Is Marker.io GDPR compliant?
Yes, Marker.io fully complies with GDPR (General Data Protection Regulation). We take your privacy seriously. You can find more details about our GDPR compliance here.
Security
How is data secured?
Encryption: TLS 1.2+ in transit; AES-256 at rest.
Access control: role-based, least privilege.
Monitoring: logging, intrusion detection, alerting.
Backups: daily encrypted backups retained for 90 days.
Infrastructure: hosted on AWS with physical and network security.
Who at Marker.io can access data?
Only authorized employees, on a need-to-know basis, for support or system maintenance. All access is logged and reviewed.
Do you perform audits and certifications?
Yes.
SOC 2 Type II audit annually.
Independent penetration testing annually.
Results are available to enterprise customers under NDA.
Do Marker.io employees receive security training?
Yes. All new employees receive security training during onboarding and regular refreshers thereafter. Training covers data protection, privacy best practices, and secure engineering principles to make sure all staff handle data responsibly.
What infrastructure and monitoring tools do you use?
Marker.io's infrastructure is hosted on Amazon Web Services (AWS) and protected by multiple layers of security:
Perimeter security: Cloudflare Web Application Firewall (WAF), AWS Network Firewall
Monitoring: Amazon CloudWatch, Rapid7 InsightOps, and other intrusion-detection/logging tools
How often do you back up data?
All customer databases are backed up every 6 hours. Backups are encrypted and stored in multiple availability zones to ensure resilience in the event of a site disaster.
How secure are Marker.io's integrations?
We use the OAuth standard for integrations whenever possible. This means:
We never see or store your integration passwords.
You can revoke Marker.io's access to your integration accounts at any time directly from the integration provider.
What's your incident response process?
Marker.io maintains a documented incident response plan.
If a breach affects customer data, we notify customers without undue delay.
We share scope, impact, and remediation measures.
How can I report a vulnerability or security concern?
We do not currently run a public bug bounty program, but we encourage responsible disclosure of vulnerabilities.
If you discover a potential issue, please email us at security@marker.io. Our security team reviews all submissions promptly.
Can you fill out my security assessment?
We're happy to support detailed security reviews for customers on our Business and Enterprise plans. These plans include access to our team for completing security questionnaires, providing audit reports, and handling legal reviews.
For customers on self-service plans, we don't complete custom questionnaires, but you'll find comprehensive information in our support documentation.