GDPR & Data Rights

Last updated: March 2025 — Compliant with UK GDPR and the Data Protection Act 2018

This page sets out your rights under the UK General Data Protection Regulation (UK GDPR) and explains how Margin handles personal data belonging to you, your customers, your suppliers, and your employees.

1. Data Controller vs Data Processor

For data about your business contacts (customers, suppliers, employees), you are the data controller and Margin acts as a data processor. You are responsible for ensuring you have a lawful basis to store and process that data within the system.

For data about your own Margin account (name, email, billing information), Margin is the data controller.

2. Your Individual Rights

Right of Access — Article 15
You may request a copy of the personal data we hold about you at any time. We will respond within 30 calendar days at no charge.

Right to Rectification — Article 16
You may correct inaccurate or incomplete personal data at any time, either directly through your account settings or by contacting us.

Right to Erasure ("Right to be Forgotten") — Article 17
You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected. Note that HMRC requires financial records to be retained for 6 years, so we cannot delete data subject to statutory retention obligations.

Right to Restrict Processing — Article 18
You may ask us to pause processing your personal data while a dispute over its accuracy or lawfulness is being resolved.

Right to Data Portability — Article 20
You may export your data at any time in CSV or JSON format using the built-in export functions. Data is provided in a structured, machine-readable format.

Right to Object — Article 21
You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making — Article 22
Margin does not make solely automated decisions that produce significant legal effects on you without a human reviewing and approving the outcome.

3. Lawful Basis for Processing

| Purpose | Lawful Basis |
| --- | --- |
| Account registration & service delivery | Contract (Art. 6(1)(b)) |
| HMRC submissions (VAT, PAYE, ITSA) | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention & security monitoring | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Payroll & employee data processing | Legal obligation / Contract |
| Improvement of the Service | Legitimate interests (Art. 6(1)(f)) |

4. Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and notify the ICO within 72 hours of becoming aware of the breach, as required under Article 33 UK GDPR.

5. International Transfers

Your data is processed primarily within the UK. Where data is transferred outside the UK (for example, via Stripe or TrueLayer APIs), we ensure adequate safeguards are in place, including UK adequacy regulations or standard contractual clauses approved by the ICO.

6. Data Retention

We retain personal data only for as long as necessary. Key periods include 6 years for financial records (HMRC requirement) and 30 days post-account closure for data retrieval. See our full Privacy Policy for more detail.

7. Your Obligations as a Data Controller

Where you store personal data about your customers, suppliers, or employees within Margin, you are the data controller. You are responsible for:

Margin provides the export and deletion tools to help you meet these obligations.

8. Making a Request

To exercise any of the rights listed above, email us at hello@getmargin.co.uk with the subject line "Data Rights Request". Please include your name, email address, and a description of your request. We will acknowledge within 5 working days and respond in full within 30 calendar days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.