Privacy Policy
This Privacy Policy describes how Margint ("we", "us", "our") collects, uses, and discloses information when you use our website, dashboard, and software development kits (collectively, the "Service"). By using the Service, you agree to the terms of this Policy.
1. Information we collect
1.1 Account information
When you sign up using GitHub OAuth, we receive your email address, GitHub username, profile name, and avatar URL. We also store a hashed copy of any API key you generate (we never store the plain-text key after creation).
1.2 Workspace information
We collect information you provide when configuring your workspace, such as workspace name, billing address (collected by our payment processor), and the customer-identifier scheme you use in your own product.
1.3 Usage metadata sent by our SDKs
Our SDKs send a defined set of metadata fields for each LLM call you instrument: customer ID (which you control), feature label, provider, model name, input and output token counts, calculated cost, latency, and an optional metadata object you provide. We do not receive, store, or log the contents of your prompts, completions, system messages, tool calls, or any other message payload. This is a deliberate architectural choice and a core differentiator of the Service.
1.4 Data from connected third-party services
If you connect your Stripe account via Stripe Connect, we receive read-only access to invoice, subscription, and customer metadata from your Stripe account so we can compute revenue per customer. We do not receive cardholder data, and we do not perform write operations on your Stripe account.
1.5 Cookies and technical data
We use a session cookie to keep you signed in. We may also collect IP address, browser type, device information, and request timing data for security, abuse prevention, and basic operational analytics.
1.6 Billing information
Subscription fees for the Service are processed by our payment provider, Polar (Polar Software Inc.). We receive billing status, plan, and invoice metadata from Polar. We do not store full credit-card details on our infrastructure.
2. How we use information
We use the information described above to:
- Provide, operate, and improve the Service.
- Calculate per-customer AI costs and margins, generate dashboards, and run budget enforcement features.
- Authenticate you, secure your account, and prevent abuse.
- Send transactional and account-related emails (e.g., login notifications, budget alerts, billing receipts).
- Diagnose issues, monitor performance, and investigate suspected violations of our Terms of Service.
- Comply with legal obligations.
Our legal bases for processing personal data under the GDPR are: (i) performance of a contract with you (operating the Service); (ii) our legitimate interests in maintaining and securing the Service; (iii) your consent, where required; and (iv) compliance with legal obligations.
3. How we share information
We do not sell personal data. We share information only as necessary with the following categories of recipients:
- Subprocessors who provide infrastructure or operational services to us, listed below.
- Other users of your workspace, if you invite them. They will see workspace-level data including your cost events.
- Legal authorities, where we have a good-faith belief that disclosure is required by law, regulation, or valid legal process.
- Successors in the event of a merger, acquisition, or sale of all or substantially all of our assets, subject to standard confidentiality obligations.
3.1 Current subprocessors
- Railway — application hosting and Postgres database (United States).
- Cloudflare — DNS, CDN, and DDoS protection (Global).
- GitHub — authentication via OAuth (United States).
- Stripe — read-only access to your connected Stripe account, when you authorize it (United States, Ireland).
- Polar — subscription billing for our paid plans (United States).
- Resend — transactional email delivery (United States).
We will update this list as we add or change service providers. Material changes will be communicated via the Service or by email.
4. International data transfers
Our infrastructure and several of our subprocessors are located in the United States. If you access the Service from the European Economic Area, the United Kingdom, or other jurisdictions with data-protection laws, your data will be transferred to and processed in countries that may not offer the same level of protection as your home jurisdiction. Where required, we rely on standard contractual clauses or other approved transfer mechanisms.
5. Data retention
We retain account and workspace data for as long as your account is active. Cost events are retained for the lifetime of your account, plus up to 30 days after account deletion to allow for restoration in the event of an accidental cancellation. Aggregated and anonymized data may be retained longer for operational analytics. Backups are retained on a rolling 30-day window.
6. Security
We use industry-standard measures to protect your data, including TLS encryption in transit, encrypted storage of secrets and access tokens, role-based access controls within our infrastructure, hashed API keys, and audit logging of administrative actions. No system can be guaranteed perfectly secure; you should use a strong, unique password on your GitHub account and rotate API keys if you suspect compromise.
7. Your rights
Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; request correction or deletion; object to or restrict certain processing; receive a portable copy of your data; and lodge a complaint with a data-protection supervisory authority. To exercise any of these rights, email hi@margint.dev.
California residents have specific rights under the California Consumer Privacy Act (CCPA), including the right to know, the right to delete, and the right to non-discrimination for exercising these rights. We do not sell personal information.
8. Children
The Service is intended for use by businesses and is not directed to individuals under 16. We do not knowingly collect data from children. If you believe a child has provided data to us, contact us and we will delete it.
9. Changes to this policy
We may update this Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated by email to active workspace owners or via a notice in the Service.
10. Contact
For privacy-related questions or requests, email hi@margint.dev.