Template — not yet legal advice. This document is drafted to match how Margin actually works, but the bracketed {{VALUES}} must be completed and the whole document reviewed by a qualified professional before publication.

Privacy Policy

Last updated: June 19, 2026

On this page

  1. Who We Are and the Scope of This Policy
  2. Information We Collect
  3. Cookies, Local Storage, and Extension Storage
  4. How and Why We Use Information
  5. Legal Bases for Processing (GDPR / UK GDPR)
  6. How We Share Information and Our Sub-Processors
  7. Payments
  8. International Data Transfers
  9. Data Retention
  10. Security and Telemetry
  11. Data Breach Notification
  12. The Browser Extension Specifically
  13. Your Privacy Rights
  14. Children’s Privacy
  15. Data Protection Officer
  16. Changes to This Policy
  17. How to Contact Us

This Privacy Policy explains how Margin collects, uses, shares, and protects personal information in connection with Margin, a browser-extension service for anchored discussions on web pages (the “Service”). Margin is operated by {{OPERATOR_NAME}}, an individual developer (sole proprietor) based in {{OPERATOR_LOCATION}}, and in this policy “we,” “us,” and “our” refer to that operator. Margin lets a workspace member install a Chromium browser extension and leave inline, anchored comments on the pages they view, @mention teammates or email invitees, track unread items in My Inbox, search workspace history, resolve discussions, and receive notifications.

For the personal data we process for our own purposes (account, billing, security, and operational records), the data controller is {{OPERATOR_NAME}} ({{OPERATOR_LOCATION}}); contact hello@margindoc.dev.

Margin is a business-to-business product sold to organizations (“workspaces”). When you use Margin as part of a workspace, your organization is generally the controller of the personal information processed in that workspace, and we act as its processor or service provider under that organization’s instructions. For our own account, billing, security, and operational records, we act as a controller. This policy describes both roles.

Who We Are and the Scope of This Policy

Margin is operated by {{OPERATOR_NAME}}, an individual developer (sole proprietor) based in {{OPERATOR_LOCATION}}. This policy applies to the Margin browser extension, our REST API and web services, our billing and notification flows, and our marketing and support communications. It does not apply to third-party websites you visit with the extension installed (we do not control or read those sites’ server-side content), or to third-party services your workspace chooses to connect, which are governed by their own privacy terms.

Margin is positioned for the US and English-speaking market. Because a US SaaS commonly serves users in the EU/EEA, the UK, and California, this policy is written to be aware of the GDPR, the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA, in addition to other applicable laws.

Where we act as a processor or service provider for a workspace, that processing is governed by a data processing addendum that forms part of our agreement with the workspace and sets out the Article 28 / CCPA service-provider terms, including security, sub-processing, audit, and deletion obligations. We can enter into a data processing addendum on request — contact hello@margindoc.dev.

Information We Collect

We collect the following categories of information, drawn from how Margin actually works.

Account and identity information. When you sign in, we process your Margin user id, email address, display name, and avatar URL, and we maintain a mapping (auth identities) between your external login identity and your Margin business user id. Ordinary login is handled through Supabase Auth; enterprise workspaces may use single sign-on through Scalekit (SAML/OIDC), a capability we have selected but not yet enabled in the Service. Comments in Margin are attributed to real-name authors, so your display name and identity are visible to other members of the same workspace.

Workspace and membership information. We process workspace id, slug, and name; your membership and role within a workspace (owner, admin, member, or billing admin) and status; and governance and audit events. The active workspace is the only visibility boundary in Margin.

Workspace Content — comments, mentions, and the page text you select. The core of Margin is the content you create. In this policy, “Workspace Content” means the comments, replies, @mentions, pasted image attachments, and other materials that you or your workspace submit to the Service (referred to as “Your Content” in our Terms of Service). Workspace Content includes comment bodies; anchored discussions (including the anchor selectors that locate a comment on a page, and discussion status such as resolved, reopened, or locked); @mentions of teammates or email invitees; and read/unread state used for My Inbox. To anchor a comment to a spot on a page, the extension captures “Page-Derived Text”: the quoted text and anchor selectors you select, plus the page title, domain, and both a normalized and a display version of the page URL, all taken from the page as your browser renders it. Page-Derived Text is captured only when you place a comment; we do not crawl the page. It is distinct from the third-party page content itself (the underlying site), which Margin neither owns nor scrapes. We treat all Page-Derived Text and all comment bodies as untrusted input and HTML-escape them everywhere they are rendered, including in enterprise chat cards.
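
The escaping rule above, as an added JavaScript example rather than Margin's own rendering code. It treats the title, domain, URL, quoted text and comment body as untrusted, escapes each one at the point of rendering, and turns the page URL into a link only when its scheme is http or https, so a `javascript:` or `data:` URL captured from a hostile page is shown as text. The field names and the two sample comments are constructed for the example.

```javascript
// Added example (not Margin's code): render Page-Derived Text and a comment
// body as untrusted input. Every field is HTML-escaped at the point of
// rendering, and the page URL becomes a link only when its scheme is http(s).
// The field names (title, domain, displayUrl, quote, body) are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape for HTML text content and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only http(s) URLs may become clickable; anything else (javascript:, data:,
// unparsable strings) is rendered as plain text.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed.href : null;
  } catch (err) {
    return null;
  }
}

// Render one comment card as HTML. The same escaping applies whether the
// target is the extension overlay or an enterprise chat card that accepts HTML.
function renderCommentCard(comment) {
  const href = safeHref(comment.displayUrl);
  const heading = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(comment.title)}</a>`
    : `<span>${escapeHtml(comment.title)} (${escapeHtml(comment.displayUrl)})</span>`;
  return [
    `<article class="margin-comment">`,
    `<header>${heading} <small>${escapeHtml(comment.domain)}</small></header>`,
    `<blockquote>${escapeHtml(comment.quote)}</blockquote>`,
    `<p>${escapeHtml(comment.body)}</p>`,
    `</article>`,
  ].join("");
}

// Constructed sample: a page whose title and selected text carry markup, and
// a non-http URL that must not become a link.
const hostileComment = {
  title: `Q3 plan <img src=x onerror="alert(1)">`,
  domain: "example.test",
  displayUrl: "javascript:alert(document.cookie)",
  quote: `Revenue "grew" <script>steal()</script> by 12%`,
  body: "Looks wrong to me & needs a source",
};

// Constructed sample: an ordinary page that should render with a working link.
const benignComment = {
  title: "Roadmap",
  domain: "docs.example.test",
  displayUrl: "https://docs.example.test/roadmap?section=q3",
  quote: "Ship the inbox in Q3",
  body: "Agreed",
};

console.log(renderCommentCard(hostileComment));
console.log(renderCommentCard(benignComment));
```

Escaping happens in the renderer, not at storage time, so the same stored string can be emitted safely into HTML, a text-only chat message, or an export without double-encoding. Workspace URL-privacy rules (redaction) would run before the string reaches this function.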

Pasted image attachments. If you paste images (PNG, JPEG, or WebP) into the comment box, we store them as attachments (up to 10 MB each and up to 5 per comment) together with metadata such as object key, content type, and size. Attachments live in a private storage bucket and are served only through short-lived signed URLs to members of the same workspace.

Invites and mentions. When you invite someone by email or @mention an email address, we process the invitee’s email, a hashed (never plaintext) invite token, the invite’s expiry and status, and a limited preview (workspace name, inviter, page title, domain, a redacted URL, and the @mention comment). The plaintext invite token exists only inside the emailed link; we store only its hash.

Notification routing and delivery identities. To deliver notifications, we process Web Push subscription details (endpoint, the p256dh/auth keys, and user agent), your notification rows and preferences (watch, mute, follow), and — only where your workspace enables an enterprise chat channel — a mapping between your Margin user and your channel handle (for example a Slack user id or Feishu open_id), plus the workspace’s channel bindings.

Usage, device, and technical information. We process technical information needed to run and secure the Service, such as request and event identifiers, user-agent strings tied to push subscriptions, and operational telemetry described under Security and Telemetry below.

Search information. We maintain a workspace-scoped search projection (titles, URLs, domains, comment bodies, and participants) so that members can search their own workspace’s history. Search is restricted to workspace members.

Billing information. For paid Team plans, we process workspace billing records (plan, seat limit, status, and the billing provider’s customer and subscription identifiers) and billing events (provider event id, type, and a hash of the payload). Payment card and tax details are handled by our billing provider as described under Payments below; we do not store full payment card numbers.

Operational telemetry. We process errors and exceptions with workspace-safe context (Sentry), reliability metrics and synthetics such as latency and queue lag (Grafana Cloud), and platform logs (Railway and Supabase). This telemetry is configured to exclude raw sensitive URL parameters, comment body plaintext, attachment signed URLs, and plaintext invite tokens.

For California disclosure purposes, the categories of personal information we collect, the sources of that information, the business and commercial purposes for which we collect it, and the categories of recipients to which we disclose it are those described in this “Information We Collect” section and in the “How We Share Information and Our Sub-Processors” section below. We do not collect or process sensitive personal information as defined by the CPRA, so the right to limit its use does not apply.

Cookies, Local Storage, and Extension Storage

We use cookies and similar technologies, together with browser local storage and the extension’s own storage, to keep you signed in, maintain your session and active workspace, store your Web Push subscription, and remember preferences needed for the Service to function. The extension stores data locally in your browser to render the Shadow DOM comment overlay and to power anchoring. We do not use cookies or local storage for cross-context behavioral advertising. Where required by law, we ask for consent for any non-essential cookies; you can also control cookies through your browser settings, though disabling essential cookies may break the Service. For full details, see our Cookie Policy.

How and Why We Use Information

We use the information above to:

  • authenticate users and attribute comments to their real-name authors;
  • provide the core product — anchoring and re-anchoring discussions to page locations, showing page context, unread tracking in My Inbox, and the resolve workflow;
  • enforce the active-workspace visibility boundary and authorization, and to keep governance and audit records;
  • let reviewers attach screenshots as discussion context, stored privately and shared only with workspace members via short-lived signed URLs;
  • create token-scoped workspace invites and resolve @mentions within a workspace, including a limited preview before an invitee accepts;
  • deliver browser Web Push notifications and, where a workspace enables them, optional enterprise chat notifications. Web Push is the always-on channel and relies on push subscriptions rather than email. For enterprise chat channels (such as Slack or Feishu) we resolve a recipient’s channel handle either by looking it up from a verified email or by the member self-binding their handle;
  • provide workspace-scoped search of pages, URLs, comments, and participants;
  • manage paid Team subscriptions and seat counting (a seat is an active workspace member; pending invites are not billed);
  • monitor errors, measure reliability, run synthetics, and debug issues; and
  • comply with legal obligations, prevent abuse and fraud, and protect the rights, safety, and security of users and the Service.

We do not sell your personal information, and we do not use Workspace Content to train generative AI models. We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects about you.

Legal Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract — to provide the Service to you and your workspace, including authentication, comments, notifications, search, and billing.
  • Legitimate interests — to secure the Service, prevent abuse and fraud, maintain audit logs, operate error tracking and reliability metrics, and improve and support the product, balanced against your rights and freedoms.
  • Consent — for non-essential cookies and, where applicable, for browser push notifications you choose to enable. You may withdraw consent at any time.
  • Compliance with legal obligations — to meet tax, accounting, and other legal requirements, including those handled by our Merchant of Record for billing.

Where we act as a processor for your workspace, your organization is responsible for establishing the legal basis for the Workspace Content it processes through Margin.

How We Share Information and Our Sub-Processors

We do not sell personal information. We share information only as needed to run the Service:

  • With other members of your workspace — comments, mentions, attachments, page context, and participant information are visible to members of the same workspace, consistent with the active-workspace visibility boundary.
  • With invitees — an email invite exposes only the limited, token-scoped preview; invitees cannot read full threads, the member directory, attachments, search, or My Inbox before joining.
  • With sub-processors — vendors that process information on our behalf under contract, listed below.
  • For legal and safety reasons — where required by law or to protect rights, safety, and the integrity of the Service.
  • In a business transfer — in connection with a merger, acquisition, or sale of assets, subject to this policy.

Our current and contemplated sub-processors are:

  • Supabase — managed Postgres data plane (server-owned, with FORCE row-level security), Supabase Auth for ordinary login, a private Storage bucket for pasted attachments, and platform logs.
  • Railway — hosts our API service (REST, auth callback, invite preview, event stream, Web Push subscription, and provider webhooks) and the background outbox/jobs worker, and holds server-only secrets.
  • Polar.sh — Merchant of Record for paid Team plans: hosted checkout, subscription management, global sales tax/VAT/GST collection and remittance, and signed billing webhooks.
  • Stripe — a prior billing provider, now dormant (we retain historical billing columns only, with no new writes). Stripe also underlies our Merchant of Record’s payouts to us, which does not involve Stripe processing your personal information on our behalf.
  • Slack — optional, per-workspace enterprise chat notification channel using your workspace’s own credentials.
  • Feishu / Lark — optional, per-workspace enterprise chat notification channel using your workspace’s own credentials; also a possible SSO identity provider.
  • Microsoft Teams — named as a planned enterprise chat notification channel; the adapter is not yet implemented.
  • Scalekit — enterprise self-service SSO (SAML/OIDC) with an admin portal; selected but not yet enabled in the Service.
  • Sentry — error and exception tracking with workspace-safe context (no comment bodies or tokens).
  • Grafana Cloud — metrics and synthetics, such as latency, queue lag, notification delivery, and health probes.
  • Browser push services (such as Google FCM or Mozilla autopush) — transport for Web Push; payloads carry only routing ids and a generic, content-free title, with real content fetched on wake through our access-controlled API.
  • Email delivery provider — sends workspace invite emails carrying the token-scoped preview link; the specific vendor may change.

We will provide workspaces with advance notice of any new or replacing sub-processor (for example via this list, our changelog, or email to the workspace owner) before the sub-processor begins processing Workspace Content, and a reasonable opportunity to object. We can enter into a data processing addendum on request, which sets out the contractual details of our sub-processor commitments — contact hello@margindoc.dev. An up-to-date sub-processor list is also available on request at hello@margindoc.dev.

Payments

Free plans never enter a billing provider. For paid Team plans, checkout and payment are handled by Polar.sh, which acts as the Merchant of Record and seller of record and collects and remits applicable sales tax, VAT, and GST. The Margin client never calls the billing provider’s API: only a workspace owner or billing admin can start checkout, and our server returns only a hosted checkout URL, where you enter payment details directly with the billing provider. We update a workspace’s paid status only from the provider’s signed webhooks, after verifying the signature, and each provider event is applied at most once. We do not receive or store full payment card numbers; the billing provider handles payment instruments under its own privacy terms.

International Data Transfers

We and our sub-processors may process information in countries other than the one where you live, including the United States. No specific data-residency region is guaranteed under the standard Service; data residency or private deployment is available only as an Enterprise capability. Where we transfer personal information out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (with the UK Addendum where required) or other lawful transfer mechanisms. You may request more information about these safeguards at hello@margindoc.dev. Our principal place of activity as an individual operator is {{OPERATOR_LOCATION}}; you can reach us by email at hello@margindoc.dev (a postal address is available on request at {{CONTACT_ADDRESS}}).

Data Retention

We retain Workspace Content for as long as your workspace remains active and until it is deleted, because the data model is workspace-scoped and durable. Plans may carry different history limits (for example, longer history on Team plans and retention/export controls on Enterprise plans). Specific Workspace Content retention follows your plan’s history settings and your deletion instructions, rather than a single global window.

For data we hold as a controller, we typically retain account records for the life of the account plus a short wind-down period; billing and tax records for the period required by applicable tax and accounting law (commonly up to about 7 years); and audit and security logs for a limited period proportionate to security needs.

Deleted comments are soft-deleted and replaced with a placeholder, with an audit record retained. Invite tokens expire (currently after 7 days) and only a token hash is stored. Web Push subscriptions are deleted when you log out, disable notifications, leave a workspace, or when the subscription can no longer be delivered to. Billing webhook events are stored once per provider event id, so redeliveries do not create new records. Operational telemetry retention is managed by our observability providers; logs are not maintained as a long-term analytics store. When you or your workspace deletes data, or when a workspace is closed, we delete or de-identify the associated personal information within a commercially reasonable period, except where we must retain it to meet legal, tax, security, or audit obligations.

Security and Telemetry

We design Margin so that clients never connect directly to the database, realtime services, or third-party providers; all writes and business reads go through our REST API. Key safeguards include:

  • Postgres row-level security keyed by workspace id, with FORCE RLS on high-risk tables, enforced on every business transaction; no service-role bypass for ordinary business queries.
  • Membership and role gates on all workspace data; the only anonymous read path is the limited, token-scoped, expirable, and revocable invite preview, which grants no membership.
  • Treating comment bodies, quotes, page titles, and all Page-Derived Text as untrusted and HTML-escaping them on render everywhere, including enterprise chat cards.
  • Attachments in a private bucket with unguessable object keys, accessible only via short-lived signed URLs; the bucket is never public and invite previews never show image content.
  • Web Push payloads that carry only routing ids and a generic, content-free title, with real content fetched on wake through our access-controlled API.
  • Server-side-only secrets (held in Railway secrets), never placed in clients, the extension, logs, or the database; bring-your-own channel credentials are referenced indirectly and never persisted or logged in raw form.
  • Signed-webhook verification for billing, idempotent writes, per-channel delivery isolation so a failing channel cannot affect comments or billing, recipient re-checks before any enterprise send, and audit logging of sensitive actions.

No method of transmission or storage is completely secure, but we work to protect your information using the controls above.

Data Breach Notification

We maintain incident-response procedures and the audit-logging and security controls described in the Security and Telemetry section above. If we become aware of a personal-data breach affecting your information, we will act without undue delay and consistent with applicable law. Where we act as a processor, we will notify the affected workspace controllers without undue delay after becoming aware of the breach, as Article 33(2) of the GDPR and UK GDPR requires, so that they can meet their own notification deadlines under Articles 33 and 34; we will provide the information reasonably necessary for that purpose and will cooperate in investigating, mitigating, and remediating the incident. Where we act as a controller, we will notify the competent supervisory authority and, where required, affected individuals in accordance with Articles 33 and 34.

The Browser Extension Specifically

The Margin extension is a client-side overlay (rendered in a Shadow DOM) that runs in your own browser. It can access only the pages your own browser renders while you use it, and it does not require any code from the site’s author. To power anchored comments, the extension captures the Page-Derived Text you select on a page — the specific text and anchors, along with the page title, domain, and URL.

Importantly, the extension and our servers do not scrape or fetch the third-party page content (the server-side content of the sites you visit), and they do not read pages beyond what you yourself view and choose to annotate. URLs are stored as opaque strings and run through your workspace’s URL-privacy rules before being saved, returned, linked, exported, or used in notifications. Anchoring and normalization logic is contained in our shared annotator code, and the extension simply calls it.

Your Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, or receive a portable copy of your personal information, to object to or restrict certain processing, and to withdraw consent. Where we act as a processor for a workspace, we will direct requests about Workspace Content to the relevant workspace administrator and assist them in responding; you may also contact your workspace owner or admin directly. To exercise rights regarding data for which we are the controller, contact us at hello@margindoc.dev. We will verify your request and respond within the timeframes required by applicable law. You will not be discriminated against for exercising your rights.

California (CCPA/CPRA). California residents have rights to know, access, correct, and delete personal information, and to limit the use of sensitive personal information. The categories of personal information we collect, the sources, the business and commercial purposes, and the categories of recipients are described in the “Information We Collect” and “How We Share Information and Our Sub-Processors” sections above. We do not collect or process sensitive personal information as defined by the CPRA, we do not sell personal information, and we do not share personal information for cross-context behavioral advertising. Because we do not sell or share in this sense, there is no “Do Not Sell or Share My Personal Information” action to take, but you may still exercise your other rights as described above. You may use an authorized agent to submit requests where permitted by law.

EEA/UK. If you are in the EEA or UK and believe we have not handled your information properly, you may lodge a complaint with your local supervisory authority, though we encourage you to contact us first. Where we are required under Article 27 GDPR/UK GDPR to appoint a representative, their details are: {{EU_UK_REPRESENTATIVE}}.

Children’s Privacy

Margin is a business product that is not directed to children. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us personal information, please contact us at hello@margindoc.dev and we will take appropriate steps to delete it.

Data Protection Officer

As a small, independent operation we are generally not required to appoint a Data Protection Officer; please direct any privacy question to hello@margindoc.dev.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.

How to Contact Us

If you have questions or requests about this policy or your personal information, you can reach us by email at hello@margindoc.dev (a postal address is available on request at {{CONTACT_ADDRESS}}):

  • Margin, operated by {{OPERATOR_NAME}} ({{OPERATOR_LOCATION}})
  • Email: hello@margindoc.dev
  • Postal address: available on request at {{CONTACT_ADDRESS}}
  • Privacy contact: hello@margindoc.dev (as a small, independent operation we are generally not required to appoint a Data Protection Officer)
  • Data processing addendum: we can enter into a data processing addendum on request — contact hello@margindoc.dev
  • EU/UK representative: where we are required under Article 27 GDPR/UK GDPR to appoint a representative, their details are: {{EU_UK_REPRESENTATIVE}}
© 2026 Stet