Privacy policy
What we know about you.
We know your email, the Google account you sign in with, your plan, your devices and the settings you give them, and your Todoist token, which we keep encrypted. Not your assignments. Below is the long version, in plain language.
Last updated · 17 June 2026
Everything on our side, by design.
The data pipeline is deliberately tiny. No Margin server ever handles your academic data. Your assignments move from your school's class portal, to your browser plugin, to your Todoist, to your device, using your own credentials at every step. We do run a small control plane for sign-in and device sync. It holds your account and plan, your devices and their settings, your encrypted Todoist token, and the record of any license key you've redeemed — never your assignments. Here's the full accounting:
What we collect
- Your email address, when you join the waitlist. Stored only until pre-orders ship and we email you about ordering. Never marketing.
- Three optional fields on the same waitlist form, only if you choose to fill them in: your school's name, whether you're buying for yourself or someone in your family, and an open note. Each is blank by default. Used to prioritize which class portals we test first and to understand what objections to address. Never marketing, never shared.
- When you sign in to sync, your Google account email and the account ID Google gives us, plus your plan status. Sign-in is Google OAuth, so we never see your Google password, and we never receive anything else from your Google account: no name, photo, contacts, Gmail, or Drive.
- If you redeem a license key or buy a Margin Pass, the record linking that purchase to your account and your plan's status (which tier, and when a non-renewing pass lapses), so it can be honored across sign-ins. Paid checkout will run through a merchant-of-record, which handles the payment and passes us your name, email, and an opaque reference that links the purchase to your account — we never see or store a card number, and no academic data is part of a purchase.
- For each device you set up: the device's number and its registry timestamps (when it was set up, claimed, and last checked in), the settings you give it (theme, timezone, and the city you pick for weather, with the map coordinates that city resolves to — an approximate location), and any remote command you've queued from the extension (sync now, reboot) until the device picks it up.
- Your Todoist access token and refresh token, kept encrypted (AES-GCM at rest). We decrypt the access token to hand your device a copy so it can read your Todoist, and the server also uses these tokens to identify your Todoist account and to refresh access when it expires, so your sync keeps working. We never use them to read your assignments — the tokens round-trip through us, the task titles never do — but since we decrypt them, that restraint is our policy, not something the architecture enforces.
That's the full list of what lives on a server we control. There's no academic data on our infrastructure: no assignment titles, no due dates, no grades. Your account, your plan, your device records and settings, and your encrypted Todoist token are there only to sign you in and keep your device in sync.
What we don't collect
- Assignment titles or due dates (extension → Todoist → device; we're not in the path)
- Course names or codes (same)
- Calendar events (your device reads iCal URLs directly)
- Your LMS password. Ever.
- Your Google password, or anything else from your Google account (name, photo, contacts, Gmail, Drive)
- Grades, scores, or feedback on assignments
- Submission contents, files, or attachments
- Browsing history
- Your location, beyond the city you typed for weather (typed once, never tracked)
- Contacts, or anything from other apps
- Analytics, telemetry, or usage tracking on the device or in the extension
The browser plugin reads your already-authenticated session with your school's LMS, the same way you read it. We never see your university password and we never log you in. The plugin then writes those assignments to your Todoist using your Todoist OAuth token. The device reads from Todoist using the same token. To save you from re-typing it on the device, our control plane relays that token, encrypted at rest, and only to a device you've claimed under your account. Your assignments never pass through us.
Two sign-ins are involved, and we handle them differently. Your Google sign-in just proves who you are: we verify the one-time token Google sends, store your email and the account ID Google provides, and throw the token away. Your Todoist token is the one we keep a copy of, encrypted, for the single purpose of handing it to a device you own so you don't have to type it in. Your LMS login is never a token we touch at all; the plugin just uses the session already open in your browser.
One purpose, and that's the device.
What little data passes through anything we run is used for one thing: running your device and keeping it showing what's due. Your account signs you in and tracks your plan; your device settings and Todoist token get your dashboard set up and synced. That's the whole purpose. We don't use any of it for advertising, recommendations, training models, market research, or any other secondary purpose.
Specifically, we never:
- Sell your data to anyone, for any reason.
- Share your data with advertisers, brokers, or affiliates.
- Use your assignment titles to train AI models.
- Profile you, your study habits, or your academic performance.
These aren't aspirations. They're commitments. If we ever wanted to do any of these things, we'd have to update this policy and notify you first. We won't.
Where each piece of data lives.
Your academic data lives in five places. None of them is a server we operate:
- Your school's LMS (Canvas, Blackboard, D2L, or Moodle), where your assignments already live. We don't have an account there. The browser plugin reads your existing session, the way a tab in your browser would.
- Todoist, where your LMS assignments are mirrored. The browser plugin writes them using your own Todoist OAuth token. The device reads them the same way. Doist (the company behind Todoist) is the data processor for every assignment that passes through this pipeline. Their privacy practices: doist.com/privacy. Doist is headquartered in the EU; data may be stored there.
- Your browser, where the extension keeps its configuration: the LMS URL, your course-to-Todoist-project mapping, your Todoist OAuth token, and your sync preferences. Chrome's encrypted local storage. We can't read any of this remotely.
- Your Margin device, in your room. Holds the Todoist OAuth token, Wi-Fi credentials, the iCal URLs you subscribed to, and a cached copy of the most recent assignment list for offline display. A factory reset wipes all of it.
- Whatever calendar service you point at the device (Apple, Google, Outlook, Proton, Notion, your school's academic calendar). The device reads the public iCal feed URL you gave it during setup. No account is created on either side.
And on servers we do run:
- The waitlist record, until pre-orders open. That's your email plus whichever of the three optional fields (school, who you're buying for, an open note) you chose to fill in. Stored in a Supabase database with strict access controls so no one outside our team can read it. Supabase is a managed Postgres provider; we use them as a data processor only. Their privacy practices: supabase.com/privacy. No academic data passes through this database. Only the waitlist record.
- The control plane, once you sign in and set up a device. It holds your account (the email and account ID from your Google sign-in, plus your plan status and any license key you've redeemed), your device records and settings (registry timestamps; theme, timezone, and the city you chose for weather with its coordinates; any queued remote command), and your Todoist token, encrypted at rest. Its job is to sign you in, let you manage your device from the extension, and hand the device its Todoist token so you don't type a key. No assignment titles, due dates, or grades ever pass through it.
Three outside services each handle one narrow thing:
- Google, who you sign in with. Google tells us your account email and a stable account ID, and nothing more; your password stays with Google. Their privacy practices: policies.google.com/privacy.
- The merchant-of-record, who handles any payment (a Margin Pass or a license key). They take the card, the tax, and the refund, and pass us your name, email, and an opaque reference that links the purchase to your account. We never see or store card numbers, and no academic data is part of a checkout. There is no payment processor on the free Preview tier at all.
- Open-Meteo, a free public weather API. The first time the device comes online it sends the city or region name you entered during onboarding to Open-Meteo's geocoding service once, to look up coordinates; it then caches those coordinates and afterward sends only a fixed latitude and longitude to fetch the local forecast. No account, name, email, or other personal information is sent.
That's the complete list. There are no other third parties. No marketing pixels, no analytics scripts, no chat widgets, no data brokers.
The same accounting, integration by integration. The column that matters is the last one: where the data lives. Only one row points at a server we run, and that row holds a license check and a billing identity, never your coursework.
| Integration | What it touches | Where the data lives |
|---|---|---|
| Canvas (LMS) | Your assignment list, read from the session already open in your browser. The plugin writes those items into your Todoist. We never see your LMS password. | Your browser → your Todoist. Never a Margin server. |
| Todoist | The assignments the plugin wrote, one project per course. The device reads them on every refresh using your own token. | Doist (EU). The encrypted token round-trips through us; the task titles never do. |
| iCal calendars | The events in any iCal feed URL you add (Apple, Google, Outlook, your school's academic calendar). The device fetches them directly. | Device ↔ the calendar provider. We're not in the path. |
| Syllabus parsing & change-tracking | The syllabus you paste or upload, and the diffs between captures over time. Parsed and stored on your own machine. | Your machine, client-side. Never sent to us. |
| License & billing server | A license check (is your plan current) plus, through the merchant-of-record at checkout, a name, email, and an opaque reference linking the purchase to your account. No syllabi, assignments, due dates, or grades. | Our control plane (US), and the merchant-of-record. The only server row. |
Plain durations. The numbers got smaller.
Real numbers:
- Assignment data is never on our servers, so there's no retention window to publish. It moves from your LMS into your Todoist and onto your device. Doist's retention rules cover the Todoist copy. Check theirs.
- Your waitlist record is kept until pre-orders ship. That record is your email plus whichever of the three optional fields you chose to fill in. When we email you about ordering, the record transitions to either "ordered" or "didn't order" and we stop sending anything to that address. You can ask us to delete it sooner, at any time. Never marketing.
- Your account, device settings, and encrypted Todoist token stay on our control plane while your account is active. "Delete server data" in the extension's settings removes all of it in one action, immediately; disconnecting Todoist deletes just the token, and revoking a device drops that device's settings and stops it from receiving the token. We don't keep backups beyond thirty days.
- Calendar feed contents pass through, they don't sit. The device fetches iCal URLs fresh on every refresh and discards the previous copy. We don't keep a history. We also can't, because we don't see them.
- Local device and extension data (assignment cache, Wi-Fi credentials, your Todoist OAuth token, course-to-project mapping) lives where it lives until you remove the extension or reset the device. A factory reset wipes the device clean. If you sell or give away your device, run the reset first.
What you can ask us to do.
You can:
- See everything we have on you. Email us and we'll send you a complete export within seven days. In practice that's your waitlist email (if you joined), your account email and plan, any key you've redeemed, your device list, settings, and check-in timestamps, and your encrypted Todoist tokens, which we decrypt to provision your device and to keep your sync working — identifying your Todoist account and refreshing access, never reading your coursework. There's no profile, no behavioral data, no academic record on our side.
- Delete everything we hold, in one action. "Delete server data" in the extension's settings removes your account (the email and Google account ID), your encrypted Todoist tokens, every device's settings and queued commands, and the records linking your purchase to your identity — immediately, no email required. Your devices return to their claim screens. The license key itself survives and can be redeemed again: the purchase outlives the account. Two smaller levers exist too: disconnecting Todoist in the extension deletes the token, and revoking a device clears its claim. For the waitlist email, write to us and we'll remove it within seven days. No "backup" copies are kept after thirty days. For the data in Todoist, in your browser, and on your device, you delete it directly: revoke Margin's access from Todoist's settings page, uninstall the browser plugin, and factory-reset the device.
- Correct anything that's wrong. We rarely have anything to correct, but if something on our end looks off, tell us.
- Stop the sync without deleting anything. Just uninstall the browser plugin. The device will show its last cached state and stop receiving new assignments. Your Todoist stays as it was.
These rights apply to everyone, regardless of where you live. Not just people in California or the EU. We don't think basic data rights should depend on jurisdiction.
Practical measures, not promises.
The actual safeguards in place today:
- All data is encrypted in transit (HTTPS / TLS 1.2 or newer).
- Your stored Todoist token is encrypted at rest (AES-GCM), so a stolen copy of our database doesn't expose it.
- The database is configured so one person's data can't be read by another, even if a query is malformed or compromised.
- Passwords for university LMS accounts are never sent to us. The browser plugin uses your existing session.
- Local device files containing API tokens are stored in a non-world-readable location on the device's SD card.
What we don't claim: that we're impervious to breach. No company can honestly claim that. If a security incident affects your data, we'll tell you what happened, what we know, and what we're doing about it. Within seventy-two hours of confirming the breach. Not "as soon as practicable." Not "in due course." Within seventy-two hours.
Margin is for readers 13 and older.
We don't knowingly collect data from anyone under 13. If you're a parent or guardian and you believe your child has registered for Margin, email us and we'll delete the account and all associated data, no questions asked.
This policy aligns with COPPA (the U.S. Children's Online Privacy Protection Act). Schools and districts that wish to provide Margin to students under 13 should contact us first. We don't currently support that use case.
The world is bigger than the U.S.
Margin is operated from the United States. The waitlist database is hosted on Supabase (U.S.-region servers), and the control plane that holds your account, device settings, and encrypted Todoist token also runs in the United States. If you use Margin from outside the U.S., joining the waitlist or signing in means that data is transferred to and stored in the United States. By doing so, you consent to this transfer.
Your academic data is a different story. It flows from your browser to your Todoist to your device, and Doist is headquartered in the European Union. None of that data passes through any U.S. server we run.
For readers in the European Economic Area, the United Kingdom, or Switzerland: we process your waitlist email to perform the pre-order contract you entered into (you asked to be told when we ship), and we process your account and device data to provide the device you signed up for. Both rest on the legal basis of performing a contract with you. You have the rights described in section 05, plus the right to lodge a complaint with your local data protection authority.
For California residents: the rights in section 05 satisfy the requirements of the CCPA and CPRA (California's consumer privacy laws). We don't sell your data and we don't "share" it for cross-context behavioral advertising. There is no advertising on Margin.
How you'll know we changed something.
If we update this policy in any meaningful way (adding a new third party, changing what we collect, changing how long we keep it), we'll email every active reader at least thirty days before the change takes effect. The email will say what changed, in plain language, and link to a diff of the old and new policies.
Cosmetic edits (typos, clarifications, link fixes) don't count and won't trigger an email. The "last updated" date at the top of this page reflects every change, cosmetic or otherwise.
Questions, requests, or concerns? Email us.
Privacy questions, data export requests, deletion requests, or "I think something's wrong." All go to the same address:
We aim to respond within three business days and to complete data export or deletion requests within seven days. A real human reads every email.
Marginalia LLC.
This policy is governed by the laws of the State of Illinois, United States.