marly.studio: Turn Long Videos into Publish-Ready Shorts

Cookies and similar technologies

__Host-ysf_guest_session — a signed cookie that keeps you attached to your workspace. HttpOnly, Secure in production, SameSite=Lax, path=/, 7-day lifetime. Minted on your first visit so guests can be identified to their own workspace.
__Host-ysf_account_remember — issued after you sign in with Google so you stay signed in across visits. HttpOnly, Secure in production, SameSite=Lax, path=/, 30-day lifetime, rotates after 7 days of use.
cf_dfp — a SHA-256 hash of browser signals (canvas rendering, WebGL renderer, screen, timezone, language) used only as an anti-abuse signal. Readable by browser scripts, SameSite=Lax, 30-day browser lifetime; the server-side abuse record is swept after 90 days.
Cloudflare edge cookies such as __cf_bm or cf_clearance may additionally be set by Cloudflare's bot-management and challenge layer when traffic is proxied through Cloudflare.

What marly.studio collects

Cookies and similar identifiers (listed above) used to keep you signed in, persist login across sessions, and surface abuse signals. marly.studio does not use any advertising or cross-site tracking cookies.
If you connect Google, account identifiers such as your Google subject ID, email address, email verification state, and basic profile fields returned during sign-in.
If you authorize YouTube publishing, an encrypted Google refresh token, the granted Google scope list, and the YouTube channel IDs and channel names returned for your account.
When YouTube comment timestamp signals are enabled, public comments on a submitted YouTube source video may be fetched to detect viewer-entered timestamp references. marly.studio stores only aggregate timestamp peaks, mention counts, and a hashed video ID for this feature; it does not persist raw comment text, commenter names, author IDs, or raw YouTube video IDs.
Uploaded videos, generated clips, clip titles and descriptions, scheduling metadata, and related processing records needed to run the service.
Billing records such as Stripe customer, checkout, and subscription references when paid plans are enabled.
Operational and security data such as rate-limit keys, hashed IP and browser fingerprint signals, audit events, and feedback submissions.

How marly.studio uses that information

Authenticate users and persist a workspace across devices.
Generate clips, queue jobs, play outputs back in the app, and support optional direct publishing to YouTube.
Fetch the user's own YouTube channel list after explicit authorization so the app can target the correct channel.
Use aggregate viewer timestamp peaks as optional engagement hints when selecting clip-worthy moments.
Process billing and subscription changes through Stripe when billing is enabled.
Prevent abuse, investigate incidents, monitor system health, and troubleshoot failures.

How marly.studio protects sensitive data

Stored Google refresh tokens are encrypted at rest before they are written to marly.studio's database.
In production, marly.studio is served over HTTPS and uses secure, HttpOnly, SameSite session cookies to protect authenticated sessions.
Access to connected-channel records, jobs, source media, and generated clips is restricted to the authenticated workspace that owns them.
Account-changing requests are protected with trusted-origin checks, CSRF validation, signed session cookies, and rate limits.
Operational abuse and sign-in monitoring uses hashed IP and browser-fingerprint signals instead of storing those values in raw form for those controls.
Authorized media access links are signed, short-lived, and served with private no-store cache controls.
Disconnecting Google or deleting an account removes stored Google OAuth credentials and connected-channel records used for YouTube features, and marly.studio attempts to revoke the Google token with Google.

Data retention and deletion

Google account identity data, granted scopes, and connected-channel records are kept while the workspace and the Google or YouTube connection remain active.
YouTube-derived metadata used for channel automation is retained only while the related connection remains active.
Raw YouTube comments used for timestamp detection are processed in memory and discarded after the job. Stored comment timestamp payloads are aggregate-only.
Generated clip media and related processing artifacts are retained for a limited rolling period, currently no more than seven days, before expired artifacts are swept from object storage.
Session, rate-limit, and similar operational security records expire automatically based on their operational purpose.
You can permanently delete your marly.studio account and associated data yourself from the Danger Zone at the bottom of Settings. If your account is flagged or suspended (so the in-app button is disabled), email support@marly.studio and we will remove it manually.

Google and YouTube data

Google login is separate from YouTube publishing. Basic sign-in requests identity scopes. The broader YouTube scopes are only requested when the user explicitly authorizes channel publishing.

marly.studio requests the following Google and YouTube OAuth scopes:

openid, email, profile — to identify you at sign-in and keep your workspace attached to your Google account.
https://www.googleapis.com/auth/youtube.readonly — requested only when you authorize YouTube, to list the channels on your Google account so marly.studio can target the right channel.
https://www.googleapis.com/auth/youtube.upload — requested only when you authorize YouTube, and used only when you explicitly choose to publish a clip.

marly.studio only uses Google API data to provide the sign-in, channel lookup, optional publishing, and channel-automation features that the user explicitly enables. marly.studiodoes not sell Google API data or use Google API data for advertising.

Separate from OAuth, comment timestamp signals use a server-side YouTube Data API key when enabled. The feature is best-effort and only reads public comments for a submitted YouTube source video to find timestamp references that may improve clip selection. Raw comments are discarded after processing; persisted payloads are aggregate-only.

marly.studio is operated by a very small team. Humans on our team read Google user data only (a) with your explicit consent — for example, when you contact support for help with a specific problem; (b) in aggregated or anonymized form for limited internal operations such as debugging; (c) for security investigations — for example, when reviewing a suspected abuse pattern, marly.studio's internal admin dashboard surfaces the email addresses of linked accounts to the operator; or (d) when required to comply with applicable law.

marly.studio's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

For more information about how Google handles data, see the Google Privacy Policy.

If you disconnect Google inside marly.studio, the app removes stored Google refresh-token credentials and connected-channel records used for YouTube publishing. You can also revoke access from your Google account permissions.

Google and YouTube APIs — for sign-in, for listing your YouTube channels when you authorize YouTube access, and for uploading clips you explicitly choose to publish.
Stripe — for checkout, billing, and subscription management. Stripe handles payment details directly on its own surfaces; marly.studio never stores card numbers.
Cloudflare — for DNS and content delivery, for object storage (Cloudflare R2) of uploaded videos and generated clips, and for an outbound egress proxy (Cloudflare Warp) that the worker uses when fetching imported videos. Cloudflare Web Analytics may also be enabled at the Cloudflare edge.
OpenRouter (and, through it, the OpenAI-compatible inference providers it routes to) — used to run the AI analysis step that finds interesting moments. Receives the transcript text, video title, and engagement-signal summaries for each chunk analyzed. Comment-derived engagement signals, when included, are aggregate timestamp peaks and mention counts only; raw comment text is not sent to AI inference providers. Does not receive your email, account ID, or IP address. We may change or add OpenAI-compatible inference providers over time.
Soniox — used as a fallback transcription provider when local transcription is overloaded or unsuitable for a given job. When invoked, receives only the extracted audio track of your upload or imported video, identified by an internal job UUID; marly.studio asks Soniox to delete both the audio and the transcription record after use. Soniox is off by default and is only invoked when configured for your tier.
Discord — the in-app Feedback widget posts the text you write (and any contact string you voluntarily add) to a private Discord channel. A separate ops Discord channel receives automatic job alerts (internal identifiers, the source video title, failure reason, and — on successful YouTube publishes — the resulting YouTube watch URL), but never receives your email.
Sentry — error monitoring and short session-replay recordings to help diagnose bugs. When Sentry is enabled, it may receive IP addresses, request metadata, and screenshots of the visible page at the time of an error; typed text and form inputs are masked by default and media is blocked. Sentry is DSN-gated and is not enabled at the time of this writing.
Self-hosted infrastructure (our reverse proxy, application server, worker, and PostgreSQL database) used to run the service itself. User data held on that infrastructure is not transferred to third parties beyond those listed here.

marly.studio does not transfer or disclose Google user data to third parties for purposes other than providing the requested service, protecting the service, or using the infrastructure and processing providers described on this page.

marly.studio does not sell personal information or Google API data for advertising.

Where marly.studio runs

marly.studio's primary application infrastructure (web, worker, PostgreSQL database) is hosted on a single server in Germany.
Object storage (Cloudflare R2) is distributed across Cloudflare's global edge; no specific region is pinned.
Third-party processors named above (Google, Stripe, OpenRouter, Soniox, Discord, Sentry, Cloudflare) are primarily based in the United States or operate on global infrastructure.
marly.studio is operated from New Zealand. New Zealand residents may contact us to exercise access, correction, or deletion rights under the Privacy Act 2020; residents of other jurisdictions with applicable privacy rights (for example, the EU/UK GDPR or California's CCPA) may also contact us to exercise those rights.

Using the service

You must have the rights, permissions, and legal authority to upload, process, publish, and distribute the videos and other content you submit.
You may not use the service to violate copyright, privacy, publicity, platform rules, or applicable law.
If you use Google or YouTube features, you remain responsible for complying with Google's policies, the YouTube Terms of Service, and YouTube Community Guidelines.
marly.studio may rate-limit, suspend, or refuse service for abuse, fraud, excessive automated activity, or other harmful behavior.
Paid plans, if enabled, are processed through Stripe. Payment terms, renewals, and billing disputes are also subject to Stripe's checkout and billing surfaces.
The product may change, be interrupted, or be removed at any time. The service is provided on an as-is and as-available basis without uptime, moderation, or publication guarantees.

This site uses YouTube API Services. If you use the YouTube connection or publishing features, your use is also subject to the YouTube Terms of Service.

marly.studio is an independent service and is not affiliated with, endorsed by, or sponsored by YouTube, Google, or any other third-party platform. YouTube, Google, and the logos of any other third-party services referenced on this page are trademarks of their respective owners.

Questions or complaints about this page or marly.studio's privacy practices can be sent to support@marly.studio.

Cookies and similar technologies

__Host-ysf_guest_session — a signed cookie that keeps you attached to your workspace. HttpOnly, Secure in production, SameSite=Lax, path=/, 7-day lifetime. Minted on your first visit so guests can be identified to their own workspace.
__Host-ysf_account_remember — issued after you sign in with Google so you stay signed in across visits. HttpOnly, Secure in production, SameSite=Lax, path=/, 30-day lifetime, rotates after 7 days of use.
cf_dfp — a SHA-256 hash of browser signals (canvas rendering, WebGL renderer, screen, timezone, language) used only as an anti-abuse signal. Readable by browser scripts, SameSite=Lax, 30-day browser lifetime; the server-side abuse record is swept after 90 days.
Cloudflare edge cookies such as __cf_bm or cf_clearance may additionally be set by Cloudflare's bot-management and challenge layer when traffic is proxied through Cloudflare.

What marly.studio collects

Cookies and similar identifiers (listed above) used to keep you signed in, persist login across sessions, and surface abuse signals. marly.studio does not use any advertising or cross-site tracking cookies.
If you connect Google, account identifiers such as your Google subject ID, email address, email verification state, and basic profile fields returned during sign-in.
If you authorize YouTube publishing, an encrypted Google refresh token, the granted Google scope list, and the YouTube channel IDs and channel names returned for your account.
When YouTube comment timestamp signals are enabled, public comments on a submitted YouTube source video may be fetched to detect viewer-entered timestamp references. marly.studio stores only aggregate timestamp peaks, mention counts, and a hashed video ID for this feature; it does not persist raw comment text, commenter names, author IDs, or raw YouTube video IDs.
Uploaded videos, generated clips, clip titles and descriptions, scheduling metadata, and related processing records needed to run the service.
Billing records such as Stripe customer, checkout, and subscription references when paid plans are enabled.
Operational and security data such as rate-limit keys, hashed IP and browser fingerprint signals, audit events, and feedback submissions.

How marly.studio uses that information

Authenticate users and persist a workspace across devices.
Generate clips, queue jobs, play outputs back in the app, and support optional direct publishing to YouTube.
Fetch the user's own YouTube channel list after explicit authorization so the app can target the correct channel.
Use aggregate viewer timestamp peaks as optional engagement hints when selecting clip-worthy moments.
Process billing and subscription changes through Stripe when billing is enabled.
Prevent abuse, investigate incidents, monitor system health, and troubleshoot failures.

How marly.studio protects sensitive data

Stored Google refresh tokens are encrypted at rest before they are written to marly.studio's database.
In production, marly.studio is served over HTTPS and uses secure, HttpOnly, SameSite session cookies to protect authenticated sessions.
Access to connected-channel records, jobs, source media, and generated clips is restricted to the authenticated workspace that owns them.
Account-changing requests are protected with trusted-origin checks, CSRF validation, signed session cookies, and rate limits.
Operational abuse and sign-in monitoring uses hashed IP and browser-fingerprint signals instead of storing those values in raw form for those controls.
Authorized media access links are signed, short-lived, and served with private no-store cache controls.
Disconnecting Google or deleting an account removes stored Google OAuth credentials and connected-channel records used for YouTube features, and marly.studio attempts to revoke the Google token with Google.

Data retention and deletion

Google account identity data, granted scopes, and connected-channel records are kept while the workspace and the Google or YouTube connection remain active.
YouTube-derived metadata used for channel automation is retained only while the related connection remains active.
Raw YouTube comments used for timestamp detection are processed in memory and discarded after the job. Stored comment timestamp payloads are aggregate-only.
Generated clip media and related processing artifacts are retained for a limited rolling period, currently no more than seven days, before expired artifacts are swept from object storage.
Session, rate-limit, and similar operational security records expire automatically based on their operational purpose.
You can permanently delete your marly.studio account and associated data yourself from the Danger Zone at the bottom of Settings. If your account is flagged or suspended (so the in-app button is disabled), email support@marly.studio and we will remove it manually.

Google and YouTube data

Google login is separate from YouTube publishing. Basic sign-in requests identity scopes. The broader YouTube scopes are only requested when the user explicitly authorizes channel publishing.

marly.studio requests the following Google and YouTube OAuth scopes:

openid, email, profile — to identify you at sign-in and keep your workspace attached to your Google account.
https://www.googleapis.com/auth/youtube.readonly — requested only when you authorize YouTube, to list the channels on your Google account so marly.studio can target the right channel.
https://www.googleapis.com/auth/youtube.upload — requested only when you authorize YouTube, and used only when you explicitly choose to publish a clip.

marly.studio's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

For more information about how Google handles data, see the Google Privacy Policy.

Google and YouTube APIs — for sign-in, for listing your YouTube channels when you authorize YouTube access, and for uploading clips you explicitly choose to publish.
Stripe — for checkout, billing, and subscription management. Stripe handles payment details directly on its own surfaces; marly.studio never stores card numbers.
Cloudflare — for DNS and content delivery, for object storage (Cloudflare R2) of uploaded videos and generated clips, and for an outbound egress proxy (Cloudflare Warp) that the worker uses when fetching imported videos. Cloudflare Web Analytics may also be enabled at the Cloudflare edge.
OpenRouter (and, through it, the OpenAI-compatible inference providers it routes to) — used to run the AI analysis step that finds interesting moments. Receives the transcript text, video title, and engagement-signal summaries for each chunk analyzed. Comment-derived engagement signals, when included, are aggregate timestamp peaks and mention counts only; raw comment text is not sent to AI inference providers. Does not receive your email, account ID, or IP address. We may change or add OpenAI-compatible inference providers over time.
Soniox — used as a fallback transcription provider when local transcription is overloaded or unsuitable for a given job. When invoked, receives only the extracted audio track of your upload or imported video, identified by an internal job UUID; marly.studio asks Soniox to delete both the audio and the transcription record after use. Soniox is off by default and is only invoked when configured for your tier.
Discord — the in-app Feedback widget posts the text you write (and any contact string you voluntarily add) to a private Discord channel. A separate ops Discord channel receives automatic job alerts (internal identifiers, the source video title, failure reason, and — on successful YouTube publishes — the resulting YouTube watch URL), but never receives your email.
Sentry — error monitoring and short session-replay recordings to help diagnose bugs. When Sentry is enabled, it may receive IP addresses, request metadata, and screenshots of the visible page at the time of an error; typed text and form inputs are masked by default and media is blocked. Sentry is DSN-gated and is not enabled at the time of this writing.
Self-hosted infrastructure (our reverse proxy, application server, worker, and PostgreSQL database) used to run the service itself. User data held on that infrastructure is not transferred to third parties beyond those listed here.

marly.studio does not sell personal information or Google API data for advertising.

Where marly.studio runs

marly.studio's primary application infrastructure (web, worker, PostgreSQL database) is hosted on a single server in Germany.
Object storage (Cloudflare R2) is distributed across Cloudflare's global edge; no specific region is pinned.
Third-party processors named above (Google, Stripe, OpenRouter, Soniox, Discord, Sentry, Cloudflare) are primarily based in the United States or operate on global infrastructure.
marly.studio is operated from New Zealand. New Zealand residents may contact us to exercise access, correction, or deletion rights under the Privacy Act 2020; residents of other jurisdictions with applicable privacy rights (for example, the EU/UK GDPR or California's CCPA) may also contact us to exercise those rights.

Using the service

You must have the rights, permissions, and legal authority to upload, process, publish, and distribute the videos and other content you submit.
You may not use the service to violate copyright, privacy, publicity, platform rules, or applicable law.
If you use Google or YouTube features, you remain responsible for complying with Google's policies, the YouTube Terms of Service, and YouTube Community Guidelines.
marly.studio may rate-limit, suspend, or refuse service for abuse, fraud, excessive automated activity, or other harmful behavior.
Paid plans, if enabled, are processed through Stripe. Payment terms, renewals, and billing disputes are also subject to Stripe's checkout and billing surfaces.
The product may change, be interrupted, or be removed at any time. The service is provided on an as-is and as-available basis without uptime, moderation, or publication guarantees.

This site uses YouTube API Services. If you use the YouTube connection or publishing features, your use is also subject to the YouTube Terms of Service.

Questions or complaints about this page or marly.studio's privacy practices can be sent to support@marly.studio.

Privacy Policy & Terms of Service

Cookies and similar technologies

What marly.studio collects

How marly.studio uses that information

How marly.studio protects sensitive data

Data retention and deletion

Google and YouTube data

Where marly.studio runs

Using the service

Privacy Policy & Terms of Service

Cookies and similar technologies

What marly.studio collects

How marly.studio uses that information

How marly.studio protects sensitive data

Data retention and deletion

Google and YouTube data

Where marly.studio runs

Using the service

Cookies and similar technologies

What marly.studio collects

How marly.studio uses that information

How marly.studio protects sensitive data

Data retention and deletion

Google and YouTube data

How information is shared

Where marly.studio runs

Using the service

Cookies and similar technologies

What marly.studio collects

How marly.studio uses that information

How marly.studio protects sensitive data

Data retention and deletion

Google and YouTube data

How information is shared

Where marly.studio runs

Using the service