Privacy
We never require a bank login. We don't sell your data. We don't train shared AI models on your receipts. Privacy isn't a setting at Marvin — it's the design.
Four pledges
You upload what you want to share. You delete what you want to remove. You export everything as CSV or PDF anytime, on any plan, including Free.
Marvin never sees or stores your online-banking username or password, and we never screen-scrape. The core app needs no bank login at all. The optional bank connection (Pro+, US & Canada) signs you in through our secure bank-connection provider — those credentials go to the provider and your bank, never to Marvin. You feed Marvin what you choose: receipts, statements, manual entries.
Every receipt, statement, and entry is encrypted on disk with industry-standard AES-256. Personal fields like your name and email get an extra layer of encryption on top.
We don't sell your data to advertisers. We don't share it with brokers. And your receipts never become training data for AI models that other people use. Marvin's intelligence is built on public data, not yours.
What we never do
How your data moves
Encrypted in transit. Encrypted at rest. Never resold.
The details
To run the app for you, we need to hold a few things: your email, name, country, currency, and the entries you create or upload — receipts, statements, manual transactions, recurring bills, your salary settings. That's the working set Marvin needs to draw your timeline, calculate your forecast, and answer your questions honestly. None of it is sold, shared, or used to train shared AI models. Your numbers stay your numbers.
We don't ask for your address, phone is optional, and we never request government IDs.
To run the app for you: rendering your timeline, generating Marvin's insights, calculating forecasts, sending you the password-reset email if you ask for one. That's the whole list. We don't profile you, we don't build a behavioral model, we don't sell anonymized aggregates to anyone.
Your account, expenses, receipts, and encrypted backups are stored on enterprise-grade cloud infrastructure located in Canada (Montréal region). Your data does not leave Canada at rest. When you contact us from outside Canada, requests are still routed to and stored on these Canadian servers.
Everything is encrypted at rest, and backups are encrypted too. We chose at-rest encryption rather than end-to-end-on-your-device because Marvin's AI features — reading a receipt, answering a question, drawing your forecast — need to process the actual numbers to give you a useful answer. End-to-end would mean a notebook that can't read itself. Access is restricted to a small named team for incident response only — never browsed, never used for marketing.
To operate Marvin securely and reliably, we work with a small number of carefully selected partners for hosting, payments, AI features, market data, communications, and the optional bank connection.
You can see the current list of those partners in our Trust Center. Each is bound by contract to process your data only on our instructions and only as needed to deliver services to Marvin. By contract, our partners are not permitted to sell your data, advertise to you, or train their own AI models on it. Where a partner needs to use a sub-processor of its own, or is required by law to disclose data (for example, in response to a court order), we expect them to tell us — and we vet those arrangements as part of onboarding.
Marvin works fully without a bank login, and most members never connect one. Pro+ members in the US and Canada (more countries coming) can optionally connect a bank to auto-update their balance and import recent transactions. It's a convenience, not a requirement — you can use every part of Marvin without it.
When you use it, you sign in through our secure bank-connection provider — your credentials go to the provider and your bank, and Marvin never sees or stores your banking username or password. You can disconnect anytime, and transactions already imported stay as your records. If you downgrade or cancel Pro+, the connection stays active until your current plan period ends, then is automatically disconnected at the source, so no access lingers. To use auto-import again later, you simply reconnect with a fresh sign-in.
We wipe your data within 30 days of the deletion request — receipts, statements, chat history, all of it. After that there are no copies, no backups, no recovery. Export anything you want to keep before you press the button.
You can request a copy of everything we have on you, ask us to fix anything that's wrong, or have us delete you entirely — at any time, on any plan. Email privacy@marvinmoney.com. We respond within 7 days, usually within 24 hours.
Write to privacy@marvinmoney.com. A real person reads everything.
Try Marvin for 7 days. We'll never ask you for anything we don't need.