Privacy Policy
Last updated: May 11, 2026
Effective date: May 11, 2026
This Privacy Policy (“Policy”) explains how Margin Technologies, LLC (d/b/a “Margin,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information in connection with the Margin pricing and project management platform at marginpricing.com, app.marginpricing.com, and related services (collectively, the “Service”).
This Policy is incorporated into and forms part of our Terms of Service. Capitalized terms used but not defined here have the meanings given in the Terms.
Plain-English summary (not a substitute for the rest of this Policy): Margin is a business-to-business service. We collect the information you give us, the information you generate by using the Service, and standard device/usage information. We use it to run, secure, and improve the Service, communicate with you, comply with the law, and develop new products. We do not sell your account credentials or your raw business data. We may use de-identified, aggregated, and anonymized data for any lawful purpose, including training AI models and commercial benchmarking products. Where required (e.g., California, Colorado, Connecticut, Utah, Virginia, and similar states), you have the right to opt out of sale or sharing for cross-context behavioral advertising — see Section 9.
1. Who We Are; Contact
Margin Technologies, LLC (a Tennessee limited liability company) is the entity responsible for the personal information processed through the Service (“controller” in EEA/UK parlance; “business” in California parlance).
- General privacy questions: [email protected]
- Data-subject / consumer-rights requests: [email protected]
- EU/UK representative: Not applicable — Margin does not target users in the EEA or UK.
2. Scope
This Policy applies to personal information we process when you:
- visit our websites or marketing pages;
- sign up for, log in to, configure, or use the Service;
- communicate with us by email, chat, or other channels;
- interact with our advertising, events, or social media; or
- otherwise provide information to us.
This Policy does not apply to (a) third-party services that we link to or that integrate with the Service (Stripe, Clerk, etc. — their policies apply); (b) any product or website that does not link to this Policy; or (c) information about you that we receive in your capacity as an employee of a current or prospective business partner.
Customer responsibilities. If you are using the Service on behalf of an organization, the organization is the controller of the personal information in its account, and we act as a processor / service provider with respect to information that the organization’s users submit to the Service. The organization’s own privacy notices govern its handling of that information; our role is limited to providing the Service.
3. Information We Collect
3.1 Information You Provide
- Account information: name, email, password (managed by Clerk), organization name, billing address, and profile details.
- Payment information: processed by Stripe; we receive only limited metadata (last 4 digits, card brand, expiration). We do not store full card numbers.
- Customer Content: project names, client names, rates, hours, expenses, templates, role/billing configurations, comments, attachments, and any text or files you submit. Customer Content may incidentally contain personal information about your employees, contractors, or clients (e.g., a contractor’s name and billing rate).
- AI inputs: the prompts you submit to AI features and the contextual account data the AI features access to respond.
- Support communications: the contents of any messages or files you send to support, including any personal information you choose to include.
3.2 Information We Collect Automatically
- Device & usage data: IP address, browser type and version, operating system, device identifiers, referring URL, pages viewed, features used, clicks, session duration, time zone, and language.
- Cookies and similar technologies: see Section 8.
- Log data: server logs of requests, errors, and security events (including failed login attempts).
- Telemetry: error events and basic performance traces captured via Sentry; product analytics events captured via PostHog (e.g., signed_up, onboarding_completed, first_project_created, subscription_activated).
3.3 Information from Third Parties
- Identity provider (Clerk): user identifiers, email addresses, authentication factors, sign-in events.
- Payment processor (Stripe): subscription status, invoice history, card metadata, refund and dispute records.
- AI providers (OpenAI, Anthropic): AI usage metadata (token counts, model versions, latency).
- Marketing partners: if you click a tracked ad or referral link, the source/medium/campaign parameters of that link.
- Public sources: we may enrich business contact information using publicly available sources (e.g., company website, public LinkedIn page) for sales and account-management purposes.
3.4 Sensitive Categories — Don’t Submit Them
The Service is not designed or warranted to receive Sensitive Personal Information, including without limitation Social Security numbers, government IDs, financial account numbers, payment card data (outside the Stripe-hosted checkout), protected health information, precise geolocation, biometric data, or information of children under 13. You are responsible for not submitting such information. If we discover that you have, we may delete it without notice.
4. How We Use Information
We use personal information for the following purposes:
- Provide the Service — create accounts, authenticate users, host Customer Content, deliver features (including AI features), personalize the interface.
- Billing — process payments, generate invoices, prevent fraud, manage subscriptions.
- Communications — send service messages (welcome, payment failed, security alerts, product changes), respond to support requests, send product news and marketing (where lawful — see Section 6).
- Improve & develop the Service — measure feature usage, debug errors, conduct A/B tests, build new features.
- AI features — process prompts and relevant account data via OpenAI and Anthropic to generate output; cache and log outputs for troubleshooting and abuse prevention.
- Security & abuse prevention — detect, investigate, and prevent fraud, attacks, abuse, violations of the Terms, and other harmful activity; maintain audit logs (including the AI tool audit log).
- Comply with law — respond to legal process, enforce our Terms, protect our and our users’ rights.
- Corporate transactions — evaluate and conduct mergers, acquisitions, financings, reorganizations, asset sales, or other business transactions.
- De-identified and aggregated analytics — produce statistics, benchmarks, machine-learning training data, and product or industry reports (see Section 5).
- Other purposes — for which we provide notice or obtain consent.
Legal bases (EEA/UK only)
Where the EU/UK GDPR applies, we rely on these legal bases:
- Performance of a contract — to provide the Service and process payments (Art. 6(1)(b)).
- Legitimate interests — to secure the Service, prevent fraud, improve the product, send certain B2B marketing, and develop de-identified analytics (Art. 6(1)(f)).
- Compliance with a legal obligation — to meet tax, accounting, and similar duties (Art. 6(1)(c)).
- Consent — for optional cookies, certain marketing emails, and any processing where we ask for it (Art. 6(1)(a)). You may withdraw consent at any time.
5. De-Identified, Aggregated & Anonymized Data; AI Training; Commercialization
This is important: please read it.
We may derive, generate, and create De-Identified Data from any information processed through the Service. “De-Identified Data” means data that has been aggregated, anonymized, or otherwise modified so that it cannot reasonably be used to identify any individual or any specific organization. Once data has been de-identified, it is no longer personal information under applicable privacy laws, and we treat it accordingly.
We may use, retain, disclose, license, sell, and otherwise commercialize De-Identified Data without restriction, including, without limitation, for the following purposes:
- operating, analyzing, securing, and improving the Service;
- training, fine-tuning, evaluating, and improving machine-learning and artificial-intelligence models, whether developed by us or by our partners;
- creating, publishing, distributing, selling, and licensing benchmarks, industry reports, market insights, and aggregate statistics (for example, “the median agency billable rate for senior designers in the U.S. Northeast”); and
- any other lawful commercial purpose.
We commit publicly to the following limits on this use:
- We will not attempt to re-identify De-Identified Data.
- We will not publish or sell statistics that we reasonably believe could identify an individual user, an individual organization, or an individual client of an organization.
- We will not include free-text Customer Content (e.g., your project descriptions or comments) verbatim in any commercial publication.
- We do not sell or share your raw Customer Content, raw personal information about you, or your account credentials.
You consent to this processing by accepting the Terms. If you do not consent, do not use the Service.
AI providers and training on your inputs
When you use AI features, we transmit your prompt and the contextual account data the feature needs to OpenAI or Anthropic (“AI Providers”) to generate a response. We have configured our AI Provider accounts so that prompts and outputs are not used by the AI Providers to train their foundation models (under their commercial API “zero-retention” or “do-not-train” terms, as available). We do not directly train foundation models on identified Customer Content; we may train internal models, fine tunes, evaluations, or analytical models on De-Identified Data as described above.
If an AI Provider changes its terms in a way that affects this commitment, we will update this Policy.
6. Marketing Communications
We may send you product news, tips, case studies, and promotional offers about the Service and related products. You may unsubscribe from marketing emails at any time by clicking “unsubscribe” in the email or emailing [email protected]. You will continue to receive transactional and service messages (billing, security, terms changes) even after unsubscribing.
For users in jurisdictions requiring opt-in consent (e.g., the EEA, UK, Canada under CASL), we will obtain such consent before sending marketing where required.
7. How We Share Information
We do not sell personal information for money. We may share information in the following circumstances:
7.1 Subprocessors / Service Providers
We share information with vendors that help us run the Service (“subprocessors”). They are contractually bound to use the information only for the services they provide to us. Our current subprocessors are:
| Subprocessor | Purpose | Data handled | Location |
|---|---|---|---|
| Clerk, Inc. | User authentication and identity | Account credentials, email, profile, sign-in events | United States |
| Stripe, Inc. | Payment processing and subscriptions | Billing name and address, card metadata, invoices | United States |
| PlanetScale, Inc. | Primary database hosting (Postgres) | All application data, encrypted at rest | United States |
| Railway Corp. | Application hosting and deployment | Server-side application data, runtime logs | United States |
| OpenAI, L.L.C. | AI features — commercial API with zero-retention configuration where available | Prompts and contextual data submitted to AI features | United States |
| Anthropic, PBC | AI features (alternative provider) — commercial API with zero-retention configuration where available | Prompts and contextual data submitted to AI features | United States |
| Resend, Inc. | Transactional email | Recipient email address, message content | United States |
| PostHog, Inc. | Product analytics and feature flags | Pseudonymous usage events, device metadata | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and performance traces | Error events, browser metadata, IP address | United States |
We may add, remove, or change subprocessors at any time. This Policy is the authoritative current list. If you would like to receive notice when we add a new subprocessor, email [email protected] with the subject line “Subprocessor Updates” and we will add you to the notification list.
7.2 Your Organization
If you use the Service through an organization, your activity, profile, and Customer Content are visible to other authorized users of that organization in accordance with role-based permissions. The Owner of an organization can view, edit, export, and delete account data.
7.3 Legal & Safety
We may disclose information when we reasonably believe disclosure is necessary to (a) comply with applicable law, legal process, or governmental request; (b) enforce the Terms; (c) detect, prevent, or respond to fraud, security, or technical issues; or (d) protect the rights, property, or safety of Margin, our users, or the public.
7.4 Corporate Transactions
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will give notice (e.g., by email or in-app notification) before your information becomes subject to a different privacy policy.
7.5 With Your Consent
We share information for any other purpose disclosed to you at the time or to which you consent.
7.6 De-Identified Data
As described in Section 5, we may share De-Identified Data without restriction.
8. Cookies & Tracking
We and our service providers use cookies, local storage, pixels, and similar technologies to:
- keep you signed in (essential),
- remember preferences (functional),
- measure usage and conversion (analytics, e.g., PostHog), and
- attribute marketing campaigns (e.g., UTM parameters).
You can control non-essential cookies through your browser settings or any cookie banner we display. Disabling essential cookies will break the Service.
We do not currently respond to browser “Do Not Track” signals. We honor Global Privacy Control (GPC) signals as an opt-out of sale/sharing where required by California and similar laws (see Section 9.2).
9. Your Privacy Rights
Depending on where you reside, you may have certain rights regarding your personal information. Where multiple laws apply, the more protective right controls.
9.1 Rights Available to Many U.S. Residents
If you are a resident of California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, or another state with a comprehensive privacy law, you may have the right to:
- Know / Access what personal information we collect, use, disclose, and (where applicable) sell or share.
- Delete personal information we hold about you (subject to legal exceptions, including billing records we must keep for paying customers).
- Correct inaccurate personal information.
- Portability — receive a copy of your personal information in a structured, machine-readable format.
- Opt out of sale / sharing for cross-context behavioral advertising (see Section 9.2).
- Limit use of sensitive personal information (we do not collect sensitive personal information for purposes that would require this option — see Section 3.4).
- Non-discrimination for exercising any of these rights.
To exercise any right, email [email protected] from the email address on your account, or use the in-app deletion control under Settings → Danger Zone. We will respond within the timeframes required by law (generally 45 days). We may need to verify your identity before fulfilling a request. You may also designate an authorized agent to submit a request on your behalf.
9.2 “Do Not Sell or Share My Personal Information” (CCPA/CPRA)
We do not sell personal information for money. However, certain disclosures of pseudonymous identifiers to advertising and analytics partners may be considered “sharing” or a “sale” under the CCPA/CPRA. You may opt out by:
- emailing [email protected] with the subject line “Do Not Sell or Share”; or
- enabling Global Privacy Control (GPC) in your browser, which we will honor as a valid opt-out signal.
A link to this control is also maintained at marginpricing.com/do-not-sell/.
9.3 Rights Under EU/UK GDPR
If you are in the EEA or UK, you may have additional rights to access, rectify, erase, restrict, port, and object to our processing, as well as the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner’s Office). You may also withdraw any consent at any time without affecting prior lawful processing.
9.4 Right to Appeal
If we deny a request, you may appeal by replying to our denial email. We will respond to the appeal within the time required by applicable law.
10. Data Retention
We retain personal information for as long as we have an ongoing legitimate business need to do so — typically:
- Account & Customer Content: for the life of your account, plus a short tail (generally up to 90 days) after deletion to allow for recovery and backup expiration.
- Billing records: at least seven (7) years from the close of the applicable tax year, as required by tax and accounting laws.
- Security and audit logs: up to two (2) years.
- AI tool audit log: up to two (2) years.
- De-Identified Data: indefinitely.
Account deletion is available in Settings → Danger Zone, as described in the Terms.
11. International Data Transfers
We are based in the United States, and the Service is hosted in the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to, stored, and processed in the U.S. and other countries, which may have different data-protection laws than your country.
Where we transfer personal information out of the EEA or UK to a country not deemed to provide an adequate level of protection, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. A copy is available on request.
12. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS), encryption at rest, access controls, audit logging, and regular review of our security posture.
However, no system is perfectly secure. We cannot guarantee that unauthorized access, disclosure, alteration, or destruction will never occur. To the maximum extent permitted by law, we disclaim liability for unauthorized access to or disclosure of your information, except where caused by our gross negligence or willful misconduct and as required by applicable data-breach laws.
In the event of a security incident that compromises your personal information, we will notify you and any required regulators in accordance with applicable law.
13. Children’s Privacy
The Service is not directed to children and is intended only for adults using the Service for business purposes. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, contact us at [email protected] and we will delete it.
14. Third-Party Sites & Links
The Service may link to third-party websites, products, or services. We are not responsible for the privacy practices of those third parties. Their privacy policies, not this one, govern their handling of your information.
15. Changes to This Policy
We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent change. Material changes will be communicated by email or in-app notice. Continued use of the Service after the effective date of the change constitutes acceptance.
16. Contact Us
Margin Technologies, LLC
Email: [email protected]
17. California-Specific Disclosures (CCPA/CPRA)
This section supplements the rest of this Policy and applies to California residents.
Categories of personal information collected in the last 12 months
| Statutory category (Cal. Civ. Code § 1798.140) | Examples we collect | Source | Disclosed to |
|---|---|---|---|
| Identifiers | Name, email, account ID, IP address | You, Clerk, automatic | Subprocessors |
| Customer records (§ 1798.80(e)) | Billing name, billing address | You, Stripe | Stripe, tax authorities |
| Commercial information | Subscription, billing history | You, Stripe | Stripe |
| Internet / network activity | Usage events, pages viewed, device data | Automatic, PostHog, Sentry | Subprocessors |
| Geolocation (approximate) | Country / region from IP | Automatic | Subprocessors |
| Inferences | Engagement scores, segment | Derived | Subprocessors |
| Professional / employment | Role / title (if entered) | You | Subprocessors |
We do not collect sensitive personal information for purposes that would trigger the “Right to Limit” under § 1798.121.
Sale and sharing
We do not sell personal information for monetary consideration. We may “share” identifiers and internet/network activity with analytics and advertising partners as defined under § 1798.140(ah). You may opt out of sharing as described in Section 9.2.
Retention
See Section 10.
Notice of financial incentive
We do not currently offer financial incentives in exchange for personal information.
Shine-the-Light (California Civil Code § 1798.83)
We do not disclose personal information to third parties for their own direct marketing purposes.
Questions? Email [email protected].