Legal

Privacy Policy

Last updated: January 28, 2026

The Margin (“we,” “us,” or “our”) operates the web application at themarginapp.com (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address and, if you sign in with Google, your name and profile photo as provided by Google OAuth. We do not store your Google password.

1.2 User Content

We store the content you create within the Service, including boards, cards, notes, checklists, habits, expenses, focus sessions, and any comments or file attachments. This data is necessary to provide the Service.

1.3 Usage Data

We collect minimal usage data to maintain and improve the Service, including device type, browser type, and pages visited. We do not use third-party analytics trackers. We do not sell or share analytics data with advertisers.

1.4 Local Data

The Service uses local storage (IndexedDB / SQLite via WASM) in your browser for offline functionality. This data resides entirely on your device and is not transmitted to our servers except during sync operations.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account
  • Sync your data across devices in real time
  • Process AI features (Margin Chat) when you explicitly invoke them
  • Connect to third-party integrations you authorize (Google Sheets, Google Calendar)
  • Send transactional emails (e.g., magic link sign-in, password reset)
  • Respond to support requests
  • Detect, prevent, and address technical issues and abuse

3. AI Features & Data Processing

Margin Chat and other AI features are powered by our proprietary AI system. When you use these features:

  • Only the content you explicitly reference or query is processed to fulfil your request
  • We use semantic embeddings stored in our own database for context retrieval
  • Your data is not used to train any models
  • AI features are optional and can be disabled

4. Third-Party Integrations

When you connect third-party services (Google Sheets, Google Calendar), we access only the scopes you explicitly authorize via OAuth. Sign-in requests only your basic profile and email; the Google Sheets and Calendar scopes are requested separately, on demand, only when you choose to connect that specific feature. We store OAuth refresh tokens encrypted at rest. You can revoke access at any time from your Google account settings or from The Margin's settings page.

Google API Services — Limited Use

The Margin's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google Sheets and Calendar data only to provide and improve the sync features you explicitly enable (two-way board ↔ spreadsheet sync; pushing and pulling calendar events).
  • We do not transfer this data to others except as needed to provide those features, for security, or to comply with law.
  • We do not use Google user data for advertising, and no humans read it except with your explicit consent, for security, or where required by law.

Webhook and Zapier integrations send event data only to endpoints you configure. Webhook payloads are signed with HMAC-SHA256 so you can verify authenticity.

5. Data Storage & Security

  • Data is stored in PostgreSQL on infrastructure we control (Hetzner, Germany/US)
  • All connections are encrypted in transit via TLS 1.2+
  • Database backups are encrypted at rest
  • OAuth tokens and secrets are encrypted at rest
  • We use Cloudflare for DDoS protection and CDN

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

  • With your consent: When you share a board or workspace with other users
  • Service providers: Infrastructure providers (Hetzner, Cloudflare) that process data on our behalf under strict agreements
  • Legal requirements: When required by law, regulation, or legal process
  • Safety: To protect the rights, property, or safety of our users or the public

7. Data Retention

We retain your data for as long as your account is active. If you delete your account:

  • Your account information is deleted within 30 days
  • Your user content is deleted within 30 days
  • Encrypted backups containing your data expire within 90 days
  • Local data on your device remains until you clear your browser storage

8. Your Rights

Depending on your jurisdiction (including GDPR and CCPA), you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to or restrict processing of your data
  • Withdraw consent for optional processing (e.g., AI features)

To exercise these rights, email us at [email protected].

9. Cookies & Local Storage

We use essential cookies and local storage only:

  • Session cookie: Authenticates your login session (httpOnly, secure, SameSite=Lax)
  • Theme preference: Stored in localStorage to prevent flash of unstyled content
  • Offline database: IndexedDB stores your synced data for offline access

We do not use advertising cookies, tracking pixels, or fingerprinting.

10. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. International Transfers

Your data may be processed in the United States and Germany (where our servers are located). If you are located outside these regions, your data will be transferred subject to appropriate safeguards as required by applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice within the Service or sending an email. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy, contact us at:

The Margin

Email: [email protected]