What we know about you.

Almost nothing on our side, by design.

The data pipeline is deliberately tiny. Margin runs no server that handles your academic data. Your assignments move from your school's class portal, to your browser plugin, to your Todoist, to your device, using your own credentials at every step. We're never in the middle. Here's the full accounting:

The browser plugin reads your already-authenticated session with your school's LMS, the same way you read it. We never see your university password and we never log you in. The plugin then writes those assignments to your Todoist using your Todoist OAuth token, stored locally in the extension. The device reads from Todoist using the same token, cached on the device.

Those OAuth tokens are yours, not ours. They live in your browser's encrypted local storage and on your device's flash storage. We don't hold copies, and we couldn't act on them if we wanted to.

One purpose, and that's the device.

What little data passes through anything we run is used for one thing: making the device show you what's due. That's the whole purpose. We don't use any of it for advertising, recommendations, training models, market research, or any other secondary purpose. With the new pipeline, there's barely anything to misuse even if we wanted to.

Specifically, we never:

• Sell your data to anyone, for any reason.
• Share your data with advertisers, brokers, or affiliates.
• Use your assignment titles to train AI models.
• Profile you, your study habits, or your academic performance.

These aren't aspirations. They're commitments. If we ever wanted to do any of these things, we would need to update this policy and notify you first, and we never will.

Five places, none of them a Margin server.

Your academic data lives in five places. None of them is a server we operate:

• Your school's LMS (Canvas, Blackboard, D2L, or Moodle), where your assignments already live. We don't have an account there. The browser plugin reads your existing session, the way a tab in your browser would.
• Todoist, where your LMS assignments are mirrored. The browser plugin writes them using your own Todoist OAuth token. The device reads them the same way. Doist (the company behind Todoist) is the data processor for every assignment that passes through this pipeline. Their privacy practices: doist.com/privacy. Doist is headquartered in the EU; data may be stored there.
• Your browser, where the extension keeps its configuration: the LMS URL, your course-to-Todoist-project mapping, your Todoist OAuth token, and your sync preferences. Chrome's encrypted local storage. We can't read any of this remotely.
• Your Margin device, in your room. Holds the Todoist OAuth token, Wi-Fi credentials, the iCal URLs you subscribed to, and a cached copy of the most recent assignment list for offline display. A factory reset wipes all of it.
• Whatever calendar service you point at the device (Apple, Google, Outlook, Proton, Notion, your school's academic calendar). The device reads the public iCal feed URL you gave it during setup. No account is created on either side.

And one small thing on a server we do run:

• The waitlist record, until pre-orders open. That's your email plus whichever of the three optional fields (school, who you're buying for, an open note) you chose to fill in. Stored in a Supabase database with strict access controls so no one outside our team can read it. Supabase is a managed Postgres provider; we use them as a data processor only. Their privacy practices: supabase.com/privacy. No academic data passes through this database. Only the waitlist record.

The device also reaches one more public service for the weather widget:

• Open-Meteo, a free public weather API. The first time the device comes online it sends the city or region name you entered during onboarding to Open-Meteo's geocoding service once, to look up coordinates; it then caches those coordinates and afterward sends only a fixed latitude and longitude to fetch the local forecast. No account, name, email, or other personal information is sent.

That's the complete list. There are no other third parties. No marketing pixels, no analytics scripts, no chat widgets, no data brokers.

Plain durations. The numbers got smaller.

Real numbers:

• Assignment data is never on our servers, so there's no retention window to publish. It moves from your LMS into your Todoist and onto your device. Doist's retention rules cover the Todoist copy. Check theirs.
• Your waitlist record is kept until pre-orders ship. That record is your email plus whichever of the three optional fields you chose to fill in. When we email you about ordering, the record transitions to either "ordered" or "didn't order" and we stop sending anything to that address. You can ask us to delete it sooner, at any time. Never marketing.
• Calendar feed contents pass through, they don't sit. The device fetches iCal URLs fresh on every refresh and discards the previous copy. We don't keep a history. We also can't, because we don't see them.
• Local device and extension data (assignment cache, Wi-Fi credentials, your Todoist OAuth token, course-to-project mapping) lives where it lives until you remove the extension or reset the device. A factory reset wipes the device clean. If you sell or give away your device, run the reset first.

What you can ask us to do.

You can:

• See everything we have on you. Email us and we'll send you a complete export within seven days. In practice, under the new pipeline, that's "your waitlist email and the date you joined." There's no profile, no behavioral data, no academic record on our side.
• Delete everything we hold. Email the same address and we'll respond within seven days. We remove your waitlist email from our database and don't keep "backup" copies after thirty days. For the data in Todoist, in your browser, and on your device, you delete it directly: revoke Margin's access from Todoist's settings page, uninstall the browser plugin, and factory-reset the device.
• Correct anything that's wrong. We rarely have anything to correct, but if something on our end looks off, tell us.
• Stop the sync without deleting anything. Just uninstall the browser plugin. The device will show its last cached state and stop receiving new assignments. Your Todoist stays as it was.

These rights apply to everyone, regardless of where you live. Not just users in California or the EU. We don't think basic data rights should depend on jurisdiction.

Practical measures, not promises.

The actual safeguards in place today:

• All data is encrypted in transit (HTTPS / TLS 1.2 or newer).
• The database is configured so one person's data can't be read by another, even if a query is misformed or compromised.
• Passwords for university LMS accounts are never sent to us. The browser plugin uses your existing session.
• Local device files containing API tokens are stored in a non-world-readable location on the device's SD card.

What we don't claim: that we're impervious to breach. No company can honestly claim that. If a security incident affects your data, we'll tell you what happened, what we know, and what we're doing about it. Within seventy-two hours of confirming the breach. Not "as soon as practicable." Not "in due course." Within seventy-two hours.

Margin is for users 13 and older.

We don't knowingly collect data from anyone under 13. If you're a parent or guardian and you believe your child has registered for Margin, email us and we'll delete the account and all associated data, no questions asked.

This policy aligns with COPPA (the U.S. Children's Online Privacy Protection Act). Schools and districts that wish to provide Margin to students under 13 should contact us first. We don't currently support that use case.

The world is bigger than the U.S.

Margin is operated from the United States. The waitlist database is hosted on Supabase, which stores it on U.S.-region servers. If you use Margin from outside the U.S., joining the waitlist means your email and any optional fields you fill in are transferred to and stored in the United States. By joining, you consent to this transfer.

Your academic data is a different story. It flows from your browser to your Todoist to your device, and Doist is headquartered in the European Union. None of that data passes through any U.S. server we run.

For users in the European Economic Area, the United Kingdom, or Switzerland: we process your waitlist email on the legal basis of performing the pre-order contract you've entered into with us (you asked to be told when we ship). You have the rights described in section 05, plus the right to lodge a complaint with your local data protection authority.

For California residents: the rights in section 05 satisfy the requirements of the CCPA and CPRA (California's consumer privacy laws). We don't sell your data and we don't "share" it for cross-context behavioral advertising. There is no advertising on Margin.

How you'll know we changed something.

If we update this policy in any meaningful way (adding a new third party, changing what we collect, changing how long we keep it), we'll email every active user at least thirty days before the change takes effect. The email will say what changed, in plain language, and link to a diff of the old and new policies.

Cosmetic edits (typos, clarifications, link fixes) don't count and won't trigger an email. The "last updated" date at the top of this page reflects every change, cosmetic or otherwise.