Margin ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share information when you use Margin (the "Service").
1. Who We Are
Margin is a financial operating system for small and medium-sized businesses, registered in England & Wales. The data controller is the business operator deploying this software. Where we process data as a data processor on your behalf, we act under your instructions.
2. What Data We Collect
- Account data: your name, email address, company name, and password (hashed and salted — never stored in plain text).
- Financial data: transactions, invoices, expenses, payroll figures, VAT returns, and bank imports you enter into the system.
- Contact data: customer and supplier names, addresses, phone numbers, and email addresses.
- Usage data: log files, feature usage, and audit trail entries generated during normal use.
- Device data: browser type, operating system, and IP address for security and authentication purposes.
3. How We Use Your Data
- To provide, maintain, and improve the Service.
- To process transactions, generate reports, and submit returns to HMRC on your behalf.
- To send transactional emails (invoices, reminders, receipts) that you configure.
- To detect and prevent fraud, unauthorised access, and security incidents.
- To comply with legal obligations, including HMRC requirements and Companies House filings.
4. Legal Basis for Processing
We process personal data under the following lawful bases:
- Contract (Art. 6(1)(b)): to deliver the Service you have subscribed to.
- Legal obligation (Art. 6(1)(c)): to meet HMRC, RTI, and other statutory requirements.
- Legitimate interests (Art. 6(1)(f)): to secure and improve the Service.
- Consent (Art. 6(1)(a)): where you have given explicit consent for a specific purpose such as marketing.
5. Data Sharing
We do not sell your data. We may share data with:
- HMRC — via MTD APIs with your authorisation.
- Stripe — for payment processing (governed by Stripe's Privacy Policy).
- TrueLayer — for open banking data feeds (governed by TrueLayer's Privacy Policy).
- Infrastructure providers — under strict data processing agreements.
All third parties are required to handle data in accordance with UK GDPR.
6. Data Security
Your data is stored locally on your own infrastructure by default. We use industry-standard encryption for passwords and API credentials. You are responsible for the security of the server or device on which Margin is installed. We strongly recommend enabling 2FA and taking regular encrypted backups.
7. Your Rights
Under UK GDPR you have the right to access, rectify, erase, restrict, or port your data. See our GDPR & Data Rights page for full details on exercising these rights.
8. Cookies
We use strictly necessary and functional cookies. We do not use advertising or analytics cookies. See our Cookie Policy for full details.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via an in-app notice. Continued use of the Service after changes constitutes acceptance.
10. Contact
For privacy queries, contact us at hello@getmargin.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.