Mark-O-MaticPrivacy Policy
Mark-O-Matic (MOMWA)
Operated by Weevil Labs (weevillabs.dev)
Effective Date: March 27, 2026 | Last Updated: March 27, 2026
1. Introduction
This Privacy Policy explains how Weevil Labs ("we," "us," "our") collects, uses, stores, and protects information when you use Mark-O-Matic ("the Service"), an AI-powered essay grading platform for university teachers, hosted at www.markomatic.app.
We believe in being straightforward about data practices. This policy is written in plain language so you can understand exactly what happens with your data and your students' data.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (used for login and account recovery)
- Password (hashed and stored securely by Supabase Auth; we never see or store your plaintext password)
- Display name and initials (optional, used for comment attribution in graded documents)
2.2 Assignment Data
When you use the Service to grade assignments, we collect and process:
- Student papers (.docx, .pdf, .txt files you upload)
- Rubrics (grading criteria you create or paste)
- Evaluation results (AI-generated scores, comments, and feedback stored as structured data)
- Student names (derived from uploaded filenames)
2.3 Usage Data
We collect basic usage information to keep the Service running:
- Authentication session data (login timestamps, session tokens)
- Assignment metadata (creation dates, grading status, file counts)
2.4 Planned Future Collection
We plan to add the following, and will update this policy before activating them:
- Vercel Analytics (anonymized page view and performance data)
- Payment information (processed by Paddle; we will not store credit card numbers directly)
3. How We Use Your Information
We use collected information to:
- Provide the Service: Process student papers through AI grading, generate evaluation reports, and deliver exports in your chosen format.
- Maintain your account: Authenticate your sessions, save your preferences, and attribute comments to your display name.
- Improve the Service: Diagnose errors, fix bugs, and improve reliability. We do not use your assignment data or student papers to train AI models.
- Communicate with you: Send account-related emails (password reset, critical service updates). We do not send marketing emails.
4. How AI Processing Works
When you submit papers for grading:
- The text content of each student paper is sent to Anthropic's Claude API along with your rubric.
- Anthropic processes the text and returns structured evaluation data (scores, comments, feedback).
- The evaluation data is stored in our database and associated with the submission.
Important: Anthropic does not train generative models on data submitted through its commercial API. API inputs are retained for up to 30 days for trust and safety monitoring, then deleted. For details, see Anthropic's Terms of Service.
Mark-O-Matic also supports optional alternative AI models. When enabled by the teacher, essay text may be processed by DeepSeek or MiniMax instead of Anthropic. DeepSeek's Open Platform Terms of Service permit minimal use of inputs and outputs to maintain and improve services, subject to de-identification; users can opt out via platform settings (DeepSeek Terms). MiniMax supports zero-retention modes for API usage; with retention disabled, input data is not stored or used for training (MiniMax Privacy Policy).
5. Data Sharing
We share data only with the service providers necessary to operate Mark-O-Matic:
| Provider | What They Receive | Purpose |
|---|---|---|
| Supabase | Account data, uploaded files, evaluation results | Database hosting, file storage, authentication |
| Anthropic | Essay text, rubric criteria, grading prompts | AI-powered grading via Claude API |
| DeepSeek (optional) | Essay text, rubric criteria, grading prompts | AI-powered grading via DeepSeek API |
| MiniMax (optional) | Essay text, rubric criteria, grading prompts | AI-powered grading via MiniMax API |
| Vercel | Web request logs, deployment data | Application hosting and serving |
| Paddle (planned) | Payment details (email, billing info) | Payment processing (not yet active) |
We do not sell, rent, or trade your data to any third party. We do not share data with advertisers. We do not provide data to data brokers.
6. Data Storage and Security
6.1 Where Data Is Stored
- Database and file storage: Supabase-hosted PostgreSQL database and storage buckets. Supabase infrastructure runs on AWS.
- Application hosting: Vercel serverless functions (AWS-backed).
- Geographic note: Supabase and Vercel infrastructure may route data through US-based servers.
6.2 Security Measures
- All data in transit is encrypted via HTTPS/TLS.
- Passwords are hashed using Supabase Auth's bcrypt implementation. We never store or have access to plaintext passwords.
- File storage uses private buckets with Row-Level Security (RLS). Each teacher can only access their own uploads and evaluations.
- API routes that trigger grading are protected by a server-side secret token.
- Database access is restricted by RLS policies scoped to the authenticated user.
6.3 What We Cannot Guarantee
No system is perfectly secure. While we implement reasonable security measures, we cannot guarantee absolute security of data transmitted over the internet or stored on third-party infrastructure. If we become aware of a security breach affecting your data, we will notify you promptly.
7. Data Retention
- Student papers and evaluation data are retained as long as the assignment exists in your account. When you delete an assignment, the associated papers are deleted from file storage and evaluation data is removed from the database.
- Account data is retained as long as your account is active. If you request account deletion, we will delete your account and all associated data within 30 days.
- Server logs (Vercel function logs) are retained according to Vercel's standard retention policy (typically 1 to 3 days for function logs).
8. Data Deletion
You have control over your data:
- Delete an assignment: Removes all uploaded papers from storage and all evaluation data from the database for that assignment.
- Delete your account: Contact us at support@weevillabs.dev to request full account deletion. We will delete your account, all assignments, all uploaded files, and all evaluation data within 30 days.
9. Cookies and Local Storage
Mark-O-Matic uses minimal browser storage:
- Supabase session cookies: Required for authentication. These keep you logged in and expire when your session ends or after the configured timeout. You cannot use the Service without these cookies.
- localStorage (theme preference): Stores your light/dark mode preference locally in your browser. This data never leaves your device.
We do not use third-party tracking cookies. We do not use cookies for advertising.
10. FERPA Awareness
Mark-O-Matic processes student academic work (essays, papers). We understand the sensitivity of this data.
For individual teacher accounts: Individual teacher accounts on Mark-O-Matic are not FERPA-covered entities. Teachers using the Service are responsible for ensuring their use complies with their institution's data handling policies.
For institutional accounts: If your institution requires a FERPA-compliant data processing agreement (DPA) or similar arrangement, contact us at support@weevillabs.dev. We are prepared to execute institutional DPAs as needed.
Regardless of FERPA status, we treat all student data with care:
- Student papers are used only for the grading purpose you initiate.
- Student data is not used to train AI models.
- Student data is not shared with any party beyond the service providers listed in Section 5.
- Student data is deleted when you delete the associated assignment.
11. Children's Privacy
Mark-O-Matic is designed for university teachers and is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, contact us at support@weevillabs.dev.
Note: Student papers uploaded by teachers may have been written by students of any age. Teachers are responsible for ensuring they have appropriate authorization to upload student work to the Service.
12. International Data Transfers
Our infrastructure providers (Supabase, Vercel, Anthropic) operate servers in multiple countries, including the United States. By using the Service, you acknowledge that your data may be transferred to and processed in countries outside your own. We rely on our providers' compliance with applicable data protection frameworks for these transfers.
13. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete your personal data (see Section 8).
- Export your data (evaluation results are available in CSV, XLSX, PDF, DOCX, and Markdown formats via the export feature).
- Object to or restrict certain processing of your data.
To exercise any of these rights, contact us at support@weevillabs.dev.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date at the top of this page.
- For significant changes (new data sharing partners, changes to how student data is processed), we will notify you by email or by a prominent notice in the application.
- Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices:
Email: support@weevillabs.dev
Company: Weevil Labs
Website: weevillabs.dev