Margin

Privacy Policy

Last updated: 1 May 2026

This Privacy Policy explains how [YOUR COMPANY NAME] ("we", "us", "our"), registered at [YOUR REGISTERED ADDRESS] (company number [YOUR COMPANY NUMBER]), collects, uses, and protects your personal data when you use Margin ("the Service"). We are the data controller for your account data.

If you have questions, contact us at [YOUR CONTACT EMAIL].

1. What data we collect

We collect the following categories of personal data:

  • Account data: your name and email address, provided when you register.
  • Profile and settings: your currency preference, monthly revenue target, weekly capacity, and payment terms. These are provided by you within the Service.
  • Business data you enter: client names and email addresses, project names, project values, invoicing information (including invoice numbers and dates), and time entries. You are the data controller for any personal data belonging to your own clients that you enter into the Service; we process this data on your behalf as a data processor.
  • Authentication data: a hashed password and session tokens, managed by our authentication provider (Supabase).
  • Technical data: IP address, browser type, and access logs, collected automatically by our hosting infrastructure for security and operational purposes.

We do not collect payment card data. We do not use advertising trackers or sell your data to third parties.

2. How we use your data

We process your personal data for the following purposes and on the following legal bases:

| Purpose | Legal basis |
| --- | --- |
| Providing and operating the Service | Performance of contract (Article 6(1)(b) GDPR) |
| Authenticating your account and maintaining security | Performance of contract; legitimate interests |
| Processing business data you enter (clients, projects, time) | Performance of contract; we act as your data processor for third-party data |
| Responding to support requests | Legitimate interests (Article 6(1)(f) GDPR) |
| Complying with legal obligations | Legal obligation (Article 6(1)(c) GDPR) |

3. Data processors and third parties

We share your data with the following sub-processors to operate the Service. All are bound by data processing agreements and appropriate safeguards for international transfers:

  • Supabase Inc. (San Francisco, USA) — database hosting and authentication. Data is stored in the EU (eu-west-2) region. Supabase is certified under the EU–US Data Privacy Framework and maintains standard contractual clauses. Privacy policy: supabase.com/privacy.
  • Vercel Inc. (San Francisco, USA) — application hosting and edge network. Vercel maintains standard contractual clauses for EU data transfers. Privacy policy: vercel.com/legal/privacy-policy.

We do not share your data with any other third parties, advertisers, or analytics platforms.

4. International data transfers

Both Supabase and Vercel are US-based companies. Transfers of personal data to them are protected by standard contractual clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR, and in the case of Supabase, additionally by their participation in the EU–US Data Privacy Framework. Your database data is stored in the EU region (eu-west-2) by Supabase and does not leave the EU at rest.

5. Data retention

We retain your personal data for as long as your account is active. Specifically:

  • Account and profile data: retained until you delete your account.
  • Business data (clients, projects, time entries): retained until you delete the individual records or delete your account.
  • Authentication logs and technical data: retained for up to 90 days for security purposes.

When you delete your account, all your personal data and business data is permanently deleted from our database within 30 days. Supabase and Vercel may retain anonymised infrastructure logs for up to 90 days per their own policies.

6. Cookies

Margin uses only strictly necessary cookies — specifically, a session cookie set by Supabase to maintain your authenticated session. This cookie is essential for the Service to function and does not require consent under the UK PECR / EU ePrivacy Directive. We do not use any analytics, advertising, or tracking cookies.

7. Your rights

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can correct inaccurate data directly within the Service (Settings page) or by contacting us.
  • Right to erasure: you can delete your account and all associated data at any time via Settings → Delete account. We will complete deletion within 30 days.
  • Right to data portability: you can export all your data in JSON format at any time via Settings → Export data.
  • Right to restriction: you can request that we restrict processing of your data in certain circumstances.
  • Right to object: you can object to processing based on legitimate interests.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [YOUR CONTACT EMAIL]. We will respond within 30 days.

8. Your clients' data — you as data controller

When you enter personal data about your clients (such as their name and email address) into Margin, you are the data controller for that data and we are your data processor. You are responsible for ensuring you have a lawful basis to store your clients' personal data with us (for example, as part of your contractual relationship with them). You should reference Margin in your own privacy notices to your clients if required.

We process your clients' data solely on your documented instructions (i.e. whatever you enter and store in the Service). We do not use it for any other purpose.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (TLS), hashed passwords (managed by Supabase Auth), row-level security policies ensuring users can only access their own data, and access controls. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service at least 14 days before the change takes effect. The "last updated" date at the top of this page will always reflect the current version.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. If you are based in the EU, you may also contact your local supervisory authority.