Marloo Privacy Policy

Last updated in March 2025

Marloo is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share Personal Information (as defined below), ensuring that your data is handled responsibly and securely. Region-specific provisions and details are included in relevant sections.

This Privacy Policy may be updated periodically to reflect changes in our practices, legal requirements, or other factors. All changes will be communicated by publishing a copy of the updated Privacy Policy on our website. We encourage you to review it periodically.

1. Introduction and scope

1.1 We are Marloo Limited, a New Zealand registered company (company number 9118972) of Lot 3, 130 Ponsonby Road, Grey Lynn, Auckland, 1011, New Zealand (“we”, “us”, and “our”).

1.2 Marloo is an AI assistant for financial advisers – it automates note-taking, transcribes and provides summaries of meetings, syncs with calendars and facilitates other administrative tasks (the “Marloo Service”). The term “Marloo Service” in this Privacy Policy includes any associated products or services that we may offer from time to time. Marloo maintains a website (the “Site”) which includes information about Marloo and the Marloo Service.  

1.3 For those who purchase or otherwise interact with us or the Marloo Service, all visitors to the Site, and all other individuals with whom we communicate in the course of running our business (each referred to as “you” and “your”), we are the controller of your Personal Information. This means that we decide which information and Personal Information we collect, and how to use it. The measures and rights set out in this Privacy Policy apply only where we are the controller of your Personal Information. Where we process Personal Information on behalf of third parties, we have Data Processing Agreements in place to cover our handling of that data (where legally required). 

2. Meaning of Personal Information

2.1 Under the Australian Privacy Act 1988 (Cth) (“APA”), “Personal Information” means “Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”

2.2 Under the New Zealand Privacy Act 2020 (“PA”), “Personal Information” means “information about an identifiable individual”.

2.3 Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and the retained version of the same regulation in the UK (“UK GDPR”), “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.4 For the purposes of this Privacy Policy, we use the term “Personal Information” to refer to: 

2.4.1 Personal Information as defined in the APA;

2.4.2 Personal Information as defined in the PA; and

2.4.3 Personal Data as defined in the GDPR and the UK GDPR.

2.5 If you are a resident of the UK or the EEA, your rights will be applicable only in respect of Personal Data, as defined above (even though, as explained above, we will use the term “Personal Information” to refer to this). If you are a resident of Australia or New Zealand, your rights will be applicable only in respect of Personal Information, as defined in the applicable legislation above.

3. What we collect, how we collect it, and what we do with it

3.1 The Personal Information we collect from you, and how we collect it, will depend on the service you are purchasing and the way you interact with us.

3.2 The table below sets out what we collect, how we collect it and what we do with it. We may state a more specific additional purpose when we collect your Personal Information.

3.3 In some jurisdictions (in particular the UK and EEA), we are required to identify a legal justification (also known as a “Lawful Basis”) for collecting and using your Personal Information, in addition to describing the purpose. There are six Lawful Bases that organisations can rely on. The most relevant of these to us are where we use your Personal Information to:

3.3.1 Fulfil a contract that we have with you as an individual (“Contract”);

3.3.2 Comply with our legal obligations (“Legal Obligation”);

3.3.3 Pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (“Legitimate Interests”); or

3.3.4 Do something for which you have given your consent (“Consent”).

Where we use your information for our legitimate interests, we have assessed whether such use is necessary and that such use will not infringe on your other rights and freedoms.  

The table below includes the Lawful Basis we rely on when we process your Personal Information, which will be applicable only to UK and EEA Data Subjects.

What We Collect and How We Use It

Visitors to the Site

Personal Information

What we collect: Any information you provide voluntarily, such as name, phone number, email address, country and city (or full postal address), and the organisation you work for.

How we collect it: When you provide it voluntarily through enquiring about our services (including through our online form), by subscribing to marketing communications, or giving us feedback.

Purpose(s) for which it is used:

The purpose specified when provided to us

To provide you with current information about the Marloo Service, special offers, or new products or services through our newsletter or otherwise.

To respond to customer enquiries.

Lawful Basis: Consent

Technical Data

What we collect: Information including the type of browser you are using, device details, and your IP address.

How we collect it: Automatically when you browse the Site (some data is collected through cookies—see our cookie notice below).

Purpose(s) for which it is used:

To provide you with access to the Site.

To enhance security and prevent fraud.

To monitor service integrity.

To improve the Site.

To perform routine analysis on the performance of our services and business.

To administer or perform our contract with service providers.

To protect our business and defend ourselves against legal claims.

Lawful Basis: Legitimate Interests

Customers (Primarily Financial Advisers) of the Marloo Service

Personal Information

What we collect: Information you provide to us in order to purchase the Marloo Service, such as name, phone number, email address, country and city (or full postal address), and the organisation you work for.

How we collect it: When you input the information on the Site to sign up for the Marloo Service.

Purpose(s) for which it is used:

To provide the Marloo Service (including technical support).

To process your payment information in connection with any contract we have with you.

To perform accounting, billing, and other administrative and operational functions.

To send you updates about the Marloo Service you have purchased.

For customer support and responding to enquiries.

To enhance security and prevent fraud.

Lawful Basis: Contract

Login Details

What we collect: Login details.

How we collect it: Through cookies.

Purpose(s) for which it is used:

To verify your identity (so that you can log in).

To make logging in easier (so you don’t need to type in your username each time).

Lawful Basis: Legitimate Interests

Calendar and Meeting Data

What we collect: Calendar details, meeting details, meeting notes, transcripts, and any other information we are given access to when you integrate your Google and/or Microsoft accounts with the Marloo Service.

How we collect it: From third parties (Google, Microsoft, or other third-party services as applicable).

Purpose(s) for which it is used:

To sync calendars and enable you to make the best use of the Marloo Service.

Lawful Basis: Contract

Marketing and Communication

What we collect: Name, phone number, email address, country and city (or full postal address), and the organisation you work for.

How we collect it: When you input the information on the Site to sign up for the Marloo Service.

Purpose(s) for which it is used:

To provide you with current information about the Marloo Service, special offers, or new products and services via our newsletter or other communications.

Lawful Basis: Consent

3.4 In addition to the Lawful Bases set out in the table above, we may use your Personal Information (however collected) to fulfil a Legal Obligation if processing is necessary:

3.4.1 to record your preferences (e.g. marketing) to ensure that we comply with applicable data protection laws;

3.4.2 where we are required to assist government and law enforcement agencies or regulators;

3.4.3 where we retain information to enable us to bring or defend legal claims; and/or

3.4.4 where we are required to assist government and law enforcement agencies or regulators, including in relation to any eligible data breach declarations by any of them.

4. Anonymised and aggregated data

We may anonymise the Personal Information we collect (so it can no longer identify you) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what percentage of users responded to a specific survey). Data protection laws do not govern the use of aggregated data and the various rights described below do not apply to it.

5. Use of cookies and similar tracking technologies

5.1 Cookies are small text files that we store on your browser, or the hard drive of your computer, if you agree. Cookies collect data which includes Personal Information.

5.2 We use our own cookies, and similar tracking technologies, to enhance user experience, provide security, and improve our services. We also use third party cookies. The following cookies (or similar technologies) are used on our Site:

5.2.1 Essential cookies. These are cookies that are required for the core functionality of the Site. These essential cookies are always enabled because the Site will not work properly without them. They include, for example, cookies that enable certain authentication and security functions.

5.2.2 Preference cookies. These enable us to recognise you when you return to the Site, to personalise our content for you and remember your preferences.

5.2.3 Performance cookies. These help us to understand how visitors interact with the Site. They include cookies that tell us how long people spend on the Site and the number of times they visit, to improve service functionality.

6. Security measures

6.1 We take the security of your Personal Information seriously. We implement technical and organisational measures to protect against unauthorised access, disclosure, and loss of data, including:

6.1.1 Encryption: all data at rest is encrypted using AES-256 encryption. Data in transit is protected by TLS 1.2/1.3 protocols.

6.1.2 Audit trails and monitoring: access logs are retained for a minimum of one year and regularly reviewed for compliance and security monitoring.

6.2 If there is an incident that has affected your Personal Information, we will investigate it, take steps to contain it, notify the appropriate regulator and keep you informed (where required under applicable data protection law).

7. How long we keep your Personal Information

7.1 We will only retain your Personal Information for as long as necessary to fulfil the purposes we collected it for. 

7.2 To decide how long to keep Personal Information (also known as its retention period), we consider the volume, nature, and sensitivity of the Personal Information, the potential risk of harm to you if an incident were to happen, whether we require the Personal Information to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records for tax authorities).

7.3 If you have asked for information from us or you have subscribed to our mailing list, we keep your details until you ask us to stop contacting you.

8. Where your Personal Information is stored

8.1 Depending on whether you are dealing with us in Australia, New Zealand or the UK, your personal information will generally be held locally. However, like most organisations, we use various services and tools and we collaborate with our affiliates and business partners in countries different to your country of residence, including Australia, the US, UK and EU, and we may transfer your personal information as a result. Each recipient is subject to appropriate safeguards such as due diligence and the standard contractual clauses or similar contractual provisions for international transfers of personal information.

9. Who we share your Personal Information with

9.1 We may share your Personal Information with the organisations listed below, for the specified reasons.

9.2 As outlined in the region-specific sections below, this may involve transfers overseas.

9.3 When we share your Personal Information with third parties to process your Personal Information on our behalf, we ensure that an appropriate Data Processing Agreement is in place, where required under applicable data protection laws.

Category of Third Party

Reason for Sharing Your Personal Information

Service Providers Used for Business Operations

This includes providers for:

  • Data storage, cloud infrastructure, API hosting and processing
  • Backup services, user authentication, and database services
  • Storing user accounts and data
  • Web security, content delivery, security services
  • Email services, marketing emails, and workflow management

Our current providers for these purposes are:

  • Amazon Web Services New Zealand Limited
  • Supabase, Inc.
  • Cloudflare, Inc.

Some of these organisations (currently only Supabase) will store your Personal Information. We rely on these providers to conduct our business.

Any Authorised Government, Regulatory, or Enforcement Agency

If we are under a duty to disclose your Personal Information to comply with any legal obligation or to protect the rights, property, or safety of Marloo, its clients, or others.

Professional Advisers or Contractors

This includes auditors, accountants, lawyers, or other professional consultants.

Reason: To obtain relevant advice in running our business.

Business Transactions

If part of, or in connection with:

  • A sale of our business
  • A merger, reorganisation, investment
  • A change in control, transfer of substantial corporate assets, liquidation, or similar transaction

Reason: For the purposes of the relevant transaction.

Any Other Person Authorised by You

Reason: For the purpose authorised by you.

10. Unsubscribing to marketing messages

10.1 You can opt out of marketing and sales communications at any time by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails or messages we send you. You can also contact us at support@gomarloo.com.

11. What happens if Personal Information is not provided

11.1 Where we require certain Personal Information from you in order to provide a service to you, and you choose not to provide us with that Personal Information, we may not be able to provide our services to you, or aspects of those services. If this is the case, we will inform you.

12. Contacting us and complaints

12.1 If you have questions, requests or concerns about your Personal Information or this Privacy Policy, please email us at compliance@gomarloo.com or write to us at Lot 3, 130 Ponsonby Road, Grey Lynn, Auckland, 1011, New Zealand. Our Data Protection Officers are:

12.1.1 Australia and New Zealand: Shakeel Lala

12.1.2 UK and EEA: Hardy Michel

12.2 We will take such steps as are reasonable to investigate any issues within a reasonable time of receipt. We will give you written notice of the investigations which have been carried out and the outcome.

12.3 Whilst you are entitled to submit a complaint to your local protection authority (in applicable jurisdictions) with any concerns, we would encourage you to contact us first so that we can try to address your concerns.

12.4 We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:

- European Union
- United Kingdom

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/15980164479

ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF AUSTRALIA

13. Scope

13.1 As mentioned in paragraph 2.5 above, if you are a resident of Australia, your rights in this Privacy Policy are applicable only in respect of Personal Information, as defined in the APA.

13.2 If there is any inconsistency between this “Additional Clauses Applicable to Residents of Australia” section and the rest of the Privacy Policy, this section will prevail.

14. Transfers of Personal Information out of Australia

14.1 Your Personal Information may be transferred overseas or stored overseas for a variety of reasons. If we transfer your Personal Information to a recipient in a country with data protection laws which are at least substantially similar to the Australian Privacy Principles (“APP”), and where there are mechanisms available to you to enforce protection of your Personal Information under that overseas law, we will not be liable for a breach of the APP if your Personal Information is mishandled in that jurisdiction.

15. Notifiable Data Breach Scheme (“NDBS”) pursuant to the APA

15.1 If there is a data breach and we are required to comply with the NDBS, we will take all reasonable steps to contain the suspected or known breach where possible and follow the process set out in this clause.

15.2 If we have reasonable grounds to suspect that the data breach is likely to result in serious harm to any individuals involved, then we will take all reasonable steps to ensure an assessment is completed within 30 days of the breach, or sooner, if possible. We will follow all guidance published by the Office of the Australian Information Commissioner (“OAIC”) in making this assessment. If we reasonably determine that the data breach is not likely to result in serious harm to any individuals involved, or that any remedial action we take is effective in preventing serious harm from becoming likely, then we will not notify the affected individuals or the OAIC.

16. Your rights under the APP and the APA

16.1 If you are a resident of Australia, your data protection rights are as follows:

16.1.1 You can request access to your Personal Information, subject to certain exceptions. For example we may, in accordance with the APP, refuse to provide you with access if, for instance, granting you access would have a negative impact on the privacy of another person.

16.1.2 You can request corrections to any inaccurate, outdated, incomplete or misleading information regarding your Personal Information. If you request correction, we will address it within a reasonable timeframe and notify you of the outcome.

16.1.3 We have an independent obligation to take reasonable steps to correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading.

16.1.4 You can ask us to delete or de-identify your Personal Information if there is no good reason for us to continue holding it.

16.1.5 You can ask to have your Personal Information, where technically feasible, sent to another organisation, where we hold this Personal Information with your consent or for the performance of a contract with you.

16.1.6 You can ask us not to send you any marketing materials. However, we may still send you newsletters and updates about your account, if you are a business contact.

16.1.7 If you are unhappy with the way we collect and use your Personal Information, you can complain to the OAIC, but we would encourage you to contact us first so that we can try to address your concerns.

16.2 To contact us or submit requests in relation to any of the above, please email compliance@gomarloo.com with full details of your request. Please note that we may ask you to verify your identity before responding to such requests. If your request is particularly complex or requires a detailed search, we may charge you for dealing with it. Any such charge will be fair and reasonable, and we will let you know in advance what it is.

16.3 If your request relates to unsubscribing or opting out of marketing, you can contact us on support@gomarloo.com.

17. Automated decision making

17.1 We do not carry out any automated decision-making processes.

ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF NEW ZEALAND

18. Scope

18.1 As mentioned in paragraph 2.5 above, if you are a resident of New Zealand, your rights in this Privacy Policy are applicable only in respect of Personal Information, as defined in the PA, i.e. information about an identifiable individual.

18.2 If there is any inconsistency between this “Additional Clauses Applicable to Residents of New Zealand” section and the rest of the Privacy Policy, this section shall prevail.

19. Lawful purpose

19.1 For the purposes of the PA, the “lawful purposes” for which we collect Personal Information are the Lawful Bases identified in clause 3 of this Privacy Policy.

20. International data transfers

20.1 We only transfer your Personal Information overseas in accordance with the PA (Information Privacy Principle 12 of the PA).

21. Your rights regarding Personal Information

21.1 If you are a resident of New Zealand, your data protection rights under the PA are as follows. Subject to certain grounds for refusal set out in the PA:

21.1.1 You have the right to know whether we hold any Personal Information about you.

21.1.2 You have the right to access your Personal Information.

21.1.3 You have the right to ask us to correct any Personal Information you have provided to us.

21.2 To contact us or submit requests in relation to any of the above, please email compliance@gomarloo.com with full details of your request. Please note that we may ask you to verify your identity before responding to such requests. If your request is particularly complex or requires a detailed search, we may charge you for dealing with it, in line with the PA. Any such charge will be fair and reasonable, and we will let you know in advance what it is, and when it is payable.

21.3 In respect of a request for correction, if we think the correction is reasonable and we consider it reasonable for us to comply, we will make the correction. If we do not make the correction, we will take reasonable steps to note (on the Personal Information in question) that you requested the correction.

21.4 If your request relates to unsubscribing or opting out of marketing, you can contact us on support@gomarloo.com.

21.5 If you are unhappy with the way we collect and use your Personal Information, you can complain to the Privacy Commissioner, but we would encourage you to contact us first so that we can try to address your concerns.

ADDITIONAL CLAUSES APPLICABLE TO RESIDENTS OF THE UK, THE EEA OR SWITZERLAND

22. Scope 

22.1 As mentioned in paragraph 2.5 above, if you are a resident of the UK, the EEA or Switzerland, your rights in this Privacy Policy are applicable only in respect of Personal Data, as defined in the EU and UK GDPR, i.e. any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purposes of this Privacy Policy, we are using the term “Personal Information” to refer to Personal Data.

22.2 If there is any inconsistency between this “Additional Clauses Applicable to Residents of the UK, the EEA or Switzerland” section and the rest of the Privacy Policy, this section shall prevail.

23. International data transfers

23.1 We only transfer your Personal Information overseas where we are able to comply with applicable data protection laws. If you are located in the UK, the EEA or Switzerland (the “GDPR Area”), and we transfer your Personal Information outside of the EEA, UK or Switzerland, we will take appropriate measures to ensure that the recipient protects your Personal Information adequately in accordance with this Privacy Policy and all applicable UK, EU and Swiss data protection laws. These measures may include:

23.1.1 Ensuring that there is an adequacy decision in respect of the country to which the Personal Information is being transferred, which means that the applicable authority of the GDPR Area has concluded that the laws and practices of the destination country provide adequate protection for Personal Information.

23.1.2 The use of standard model contractual arrangements with the recipient of Personal Information which have been approved by the UK Information Commissioner, the European Commission or the Swiss Supervisory Authority, as appropriate (these are known as Standard Contractual Clauses, or SCCs).

23.1.3 The EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework.

24. Your rights regarding Personal Information

24.1 If you are a resident of the GDPR Area, your data protection rights are as follows:

24.1.1 You can request access to your Personal Information.

24.1.2 You can ask us to correct your Personal Information if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.

24.1.3 You can ask us to delete or remove your Personal Information if there is no good reason for us to continue holding it or if you have asked us to stop using it. If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.

24.1.4 You can object to processing of your Personal Information, ask us to restrict processing of your Personal Information or request portability of your Personal Information. If we think there is a good reason for us to keep using the information or for not complying with your request, we will let you know and explain our decision.

24.1.5 You have the right to opt out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. You can also contact us at support@gomarloo.com.

24.1.6 If you are unhappy with the way we collect and use your Personal Information, you can complain to the Information Commissioner’s Office, but we would encourage you to contact us first so that we can try to address your concerns.

24.2 To contact us or submit requests in relation to any of the above (except marketing related requests) please email compliance@gomarloo.com.

24.3 If we have collected your Personal Information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on a Lawful Basis other than consent.
