Legal. Updated 2026-05-11
Subprocessors
Marrow uses a small number of third-party services to operate the platform. This page lists every one of them, what they do for us, and where they're based. We update it before any new subprocessor goes live. If something on this list materially changes, we notify coaches in advance and give them a chance to object before the change takes effect.
This page is referenced in the Coach Founder Agreement (Section 4) and the Marrow Privacy Policy. Athletes' data is processed by Marrow on behalf of each coach. The same subprocessor list applies whether you signed up as a coach, an athlete, or a gym admin.
| Vendor | What they do for Marrow | Data handled |
|---|---|---|
| Stripe Payments Inc. USA. Privacy policy | Payment processing for coach subscriptions to Marrow and for athlete subscriptions to coaches via Stripe Connect Express. Coach is the merchant of record for athlete billing. | Coach + athlete name, email, billing address, payment method tokens. Marrow never sees full card numbers. |
| Cloudflare, Inc. USA. Privacy policy | DNS, edge network, asset delivery, Worker compute, KV storage for non-PII operational data (e.g. coach onboarding state, idempotency keys). | IP addresses, browser fingerprint for abuse prevention. No application content stored at rest beyond operational caches. |
| Supabase, Inc. USA. Privacy policy | Application database, authentication (magic-link email), object storage for athlete-uploaded form videos and coach-uploaded program videos. | All application data. PostgreSQL row storage with row-level security policies enforced at the database layer. |
| Kit (formerly ConvertKit) USA. Privacy policy | Transactional and nurture email sequences for coach prospects and athlete signups. Form-submission tagging. | Email address, first name, tags reflecting funnel stage. |
| Postmark (Wildbit) USA. Privacy policy | One-off transactional emails (welcome notes, payment receipts, password-reset-style flows) outside of Supabase's built-in auth email. | Email address, name, payload of the transactional message. |
| Plausible Analytics Estonia, EU. Privacy policy | Privacy-friendly page-view analytics on marrowfitness.com. No cookies, no cross-site tracking, no fingerprinting. | Aggregated, anonymized page-view counts. No individual identifiers. |
| Daily.co (Daily Inc.) USA. Privacy policy | Virtual session video calls between coaches and athletes (lands in v1.1, August 2026). | Video and audio streams during a live session, peer connection metadata, retained per Daily's policy. |
| Upstash, Inc. USA. Privacy policy | Redis-backed job queue (BullMQ) for migrations from competitor platforms, video transcoding, and transactional email dispatch. | Transient job payloads. Cleared once jobs complete. |
| Sentry (Functional Software, Inc.) USA. Privacy policy | Production error monitoring on iOS app and web app. Captures stack traces and error context. | Stack traces, breadcrumbs, user-agent. PII is redacted at source per Sentry SDK configuration. |
How we add or change a subprocessor
When Marrow adds a new subprocessor, removes one, or makes a material change to how an existing one processes coach or athlete data, we notify coaches 30 days in advance via the email on file. Coaches who object can either request an alternative arrangement or terminate their agreement under the standard cancellation terms.
Routine vendor sub-changes (a vendor updating their own infrastructure providers) are not announced unless they materially change where data is stored or processed.
Data residency
Application data lives primarily in the United States. Cloudflare's edge network may cache static assets globally for performance, but application reads and writes route to US-based origin servers. Plausible Analytics is hosted in the European Union; only aggregated, anonymized page-view counts are sent there.
Athletes
If you are an athlete, your data is processed by Marrow on behalf of the coach you train with. Marrow does not sell, license, or share athlete data with third parties for marketing purposes. Marrow does not market to athletes for any purpose other than transactional platform notifications.
Coaches own the relationship with their athletes. Coaches may export athlete data at any time. On termination of a coach's account, athletes are given 30 days to migrate their training history before deletion.
Questions
Privacy and data questions: privacy@marrowfitness.com. We answer as soon as we can.