Privacy Policy

1. Information We Collect

We collect information you provide directly, information generated through your use of the Service, and information from third-party services integrated into the platform.

1.1 Account Information

When you register for the Service, we collect your full name, email address, and password. Your password is cryptographically hashed by our authentication provider (Supabase Auth) and is never stored in plaintext. We also collect your company name and professional role during onboarding.

1.2 Profile and Professional Information

To tailor the Service to your needs, we collect additional profile data including, but not limited to: your primary Original Equipment Manufacturer (“OEM”) relationships, average deal size range, years of experience in the IT channel, company size category, and VAR type classification. You may update this information at any time through the Settings page.

1.3 Deal Data

The core functionality of the Service requires you to submit detailed deal information. This includes, without limitation: deal names, customer names, customer segment classifications, OEM and product category identifiers, list prices, cost prices, margin percentages, deal registration status, services attachment information, competitive pressure indicators, competitor names, anticipated close dates, deal value, and any notes or commentary you provide. All deal data you submit is stored in our database and associated with your account.

1.4 Uploaded Documents

The Service allows you to upload vendor quote documents in PDF format. Uploaded files are stored in Supabase Storage and processed using artificial intelligence (the Anthropic Claude API) to extract deal-relevant data. We retain both the original uploaded file and any data extracted from it. You should not upload documents containing information you do not wish MarginArc to process and retain.

1.5 Scoring and Analytics Data

When you score a deal, we store all scoring outputs including margin recommendations (conservative, recommended, and aggressive bands), confidence levels, win probability estimates, score driver breakdowns, and the complete input parameters used to generate each score. This data is permanently associated with your account and contributes to our aggregate analytics.

1.6 Feedback and Communications

If you submit feedback through the in-app feedback widget, contact us via email, or otherwise communicate with us, we collect and retain the content of those communications, including any personal information contained therein.

1.7 Usage and Analytics Data

We automatically collect usage data through Vercel Analytics, including but not limited to: pages viewed, features used, session duration, referral sources, browser type, device type, operating system, screen resolution, and general geographic location derived from IP address. This data is collected in aggregate and is used to improve the Service.

1.8 Error and Diagnostic Data

We use Sentry for error monitoring and performance tracking. When errors occur, Sentry may capture stack traces, browser information, device information, and contextual data about the state of the application at the time of the error. This data is used solely for debugging and improving the reliability of the Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: To operate, maintain, and deliver the features and functionality of the Service, including generating margin scores, pricing recommendations, win probability estimates, and deal analytics for your individual use.
• Building Market Intelligence: To aggregate, de-identify, and analyze deal data submitted by you and other users in order to create market benchmarks, pricing intelligence, competitive landscape analyses, industry trend reports, and other aggregated data products. This is a fundamental and material purpose of the Service.
• Improving Our Algorithms: To train, refine, test, and improve our proprietary scoring models, recommendation engines, machine learning systems, and analytical methodologies using the deal data, scoring outputs, and usage patterns collected through the Service.
• Developing New Products: To inform the development, design, and improvement of current and future MarginArc products and services, including but not limited to enterprise-grade solutions, Salesforce integrations, API products, and data analytics offerings.
• Communications: To send you transactional emails (via AWS SES) related to your account, including account verification, password resets, scoring notifications, and service updates. If you opt in, we may also send you newsletters, product announcements, and marketing communications.
• Security and Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities, and to protect the rights and safety of MarginArc, our users, and the public.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
• Research and Analytics: To conduct internal research and analysis, generate statistical reports, and produce whitepapers, publications, or presentations using aggregated and anonymized data derived from the Service.

3. Data Aggregation, Anonymization, and Market Intelligence

This section describes a core aspect of how MarginArc operates. Please read it carefully.

When you submit deal data to the Service, that data—along with deal data submitted by other users—is aggregated and anonymized to create market intelligence products, pricing benchmarks, competitive analyses, and industry trend data (collectively, “Aggregated Data”). This Aggregated Data is a key output of the Service and is central to MarginArc’s business model.

Anonymization Process: When we create Aggregated Data, we remove or transform personally identifiable information so that the resulting data cannot reasonably be used to identify any individual user, specific deal, or specific company. Aggregated Data reflects market trends, category-level pricing patterns, and statistical benchmarks—not individual transactions.

Ownership of Aggregated Data: You acknowledge and agree that all Aggregated Data derived from your submissions, in combination with submissions from other users, is the sole and exclusive property of MarginArc. MarginArc may use, license, sublicense, sell, publish, distribute, and otherwise commercially exploit Aggregated Data without restriction, compensation to you, or further notice.

Underlying Data: While published outputs are always anonymized, MarginArc retains the right to use, process, analyze, and derive insights from the underlying non-anonymized deal data you submit for the internal purposes described in Section 2, including algorithm training, product development, and service improvement. This underlying data is not shared externally in individually identifiable form except as described in Section 4.

No Opt-Out for Aggregation: Because data aggregation and anonymization are integral to the functioning of the Service and the value proposition offered to all users, there is no mechanism to opt out of data aggregation while continuing to use the Service. If you do not wish your deal data to be aggregated, you must discontinue use of the Service.

4. How We Share Your Information

4.1 Aggregated and Anonymized Data

MarginArc may share, sell, license, or otherwise distribute Aggregated Data (as defined in Section 3) to third parties for commercial or non-commercial purposes. This data does not identify individual users or specific deals.

4.2 Service Providers

We share your information with third-party service providers who perform services on our behalf, subject to contractual obligations of confidentiality and data protection. These providers include:

• Supabase: Database hosting, user authentication, and file storage (Supabase, Inc.)
• Vercel: Application hosting, deployment, and analytics (Vercel, Inc.)
• Amazon Web Services (AWS): Email delivery via Amazon Simple Email Service (SES) (Amazon Web Services, Inc.)
• Anthropic: Artificial intelligence processing for PDF document parsing and data extraction via the Claude API (Anthropic, PBC)
• Sentry: Error monitoring and performance tracking (Functional Software, Inc.)

Each service provider processes data only as necessary to provide their respective services and is bound by their own privacy policies and data processing agreements.

4.3 Legal Requirements

We may disclose your information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or other agreements; (c) detect, prevent, or address fraud, security issues, or technical problems; or (d) protect the rights, property, or safety of MarginArc, our users, or the public as required or permitted by law.

4.4 Business Transfers

In the event MarginArc is involved in a merger, acquisition, asset sale, financing, reorganization, bankruptcy, receivership, dissolution, or similar transaction, your information (including all deal data, account data, and Aggregated Data) may be transferred, sold, or assigned as part of such transaction. You acknowledge and agree that such transfers may occur and that any acquirer or successor may continue to use your information as set forth in this Policy.

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Retention

MarginArc retains your information for as long as your account is active and thereafter as described below.

5.1 Account and Deal Data

Your account information, profile data, deal submissions, uploaded documents, scoring results, and associated metadata are retained indefinitely unless you request deletion as described in Section 5.3. Indefinite retention enables us to maintain the integrity of our scoring models, provide you with historical analytics, and contribute to the ongoing improvement of the Service.

5.2 Aggregated and Anonymized Data

Aggregated Data and any anonymized derivatives of your submissions are retained permanently and irrevocably. Because Aggregated Data is anonymized and combined with data from other users, it cannot be attributed to, or disaggregated for, any individual user. Aggregated Data survives any deletion of your account and is not subject to deletion requests.

5.3 Account Deletion

You may request deletion of your account and personally identifiable information by contacting us at [email protected]. Upon receipt of a verified deletion request, we will delete or de-identify your personal information within 45 days, subject to the following exceptions:

• Aggregated Data derived from your submissions, which is anonymized and cannot be removed.
• Information we are required to retain for legal, regulatory, or compliance purposes.
• Information contained in backups, which will be purged in accordance with our standard backup rotation schedule.
• De-identified data that has been rendered permanently non-identifiable and contributes to scoring models or market intelligence.

6. AI and Machine Learning

MarginArc uses artificial intelligence and machine learning technologies in two primary capacities:

• Document Processing: Uploaded PDF vendor quotes are processed using the Anthropic Claude API to extract structured deal data. Document content is transmitted to Anthropic’s servers for processing and is subject to Anthropic’s Privacy Policy. MarginArc uses Anthropic’s API under terms that prohibit Anthropic from using your data to train its models.
• Proprietary Scoring Models: Your deal data, scoring results, and usage patterns may be used to train, refine, validate, and improve MarginArc’s proprietary scoring algorithms, pricing models, and analytical systems. These are internal MarginArc models—not third-party AI systems. By using the Service, you consent to the use of your data for this purpose.

7. Security

We implement commercially reasonable technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of all data in transit using TLS/SSL (HTTPS).
• Encryption of data at rest within our database and storage providers.
• Row-Level Security (RLS) policies in our database ensuring that users can only access their own data through the application.
• Cryptographic hashing of passwords (bcrypt via Supabase Auth).
• Access controls and authentication requirements for all API endpoints.
• Regular security updates and dependency management.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security, and you acknowledge and accept this inherent risk when using the Service.

8. Cookies and Tracking Technologies

The Service uses the following cookies and similar technologies:

• Authentication Cookies: Supabase Auth stores session tokens in your browser’s local storage and cookies to maintain your authenticated session. These are strictly necessary for the Service to function and cannot be disabled.
• Analytics: Vercel Analytics collects anonymized usage data including page views, session information, and performance metrics. Vercel Analytics is privacy-focused and does not use cookies for cross-site tracking.
• Error Monitoring: Sentry may set cookies or use local storage to track error sessions for debugging purposes.

We do not use third-party advertising cookies or tracking pixels. We do not sell data to advertisers or participate in ad networks.

9. Third-Party Services

The Service integrates with the following third-party services, each of which has its own privacy policy governing its processing of your data:

• Supabase (database, auth, storage): supabase.com/privacy
• Vercel (hosting, analytics): vercel.com/legal/privacy-policy
• Amazon Web Services (email via SES): aws.amazon.com/privacy
• Anthropic (AI document processing): anthropic.com/privacy
• Sentry (error monitoring): sentry.io/privacy

We encourage you to review the privacy policies of these third-party services. MarginArc is not responsible for the privacy practices of third-party service providers.

10. International Data Transfers

The Service is operated from and data is stored in the United States. Our primary infrastructure is located in the following U.S. regions:

• Supabase: U.S. region
• Vercel: U.S. edge network
• AWS SES: us-east-1 (N. Virginia)
• Sentry: U.S. data center

If you access the Service from outside the United States, you acknowledge and consent to the transfer, processing, and storage of your information in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you expressly consent to such transfers.

11. Your Rights and Choices

11.1 Account Information

You may review and update your account and profile information at any time through the Settings page within the Service.

11.2 Data Export

You may export your deal data in CSV format through the Settings page. This provides a portable copy of your individual deal submissions.

11.3 Communications

You may opt out of non-essential marketing communications by updating your notification preferences in Settings or by clicking the unsubscribe link in any marketing email. You cannot opt out of transactional emails necessary for the operation of the Service (e.g., password resets, security alerts).

11.4 Deletion

You may request deletion of your account as described in Section 5.3. Please note the limitations on deletion described therein, particularly with respect to Aggregated Data.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with certain rights regarding your personal information. These include:

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of your personal information, subject to the exceptions described in Section 5.3.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Sale of Personal Information: MarginArc does not sell personal information as defined under the CCPA. The creation and commercial distribution of Aggregated Data (which is anonymized and does not constitute “personal information” under the CCPA) is not a “sale” of personal information.

To exercise your California privacy rights, contact us at [email protected]. We will verify your identity before processing your request. You may be asked to provide information that matches our records to confirm your identity.

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable local data protection laws provide you with additional rights. Our legal bases for processing your personal data include:

• Performance of Contract: Processing necessary to provide the Service you have requested (account management, deal scoring, analytics).
• Legitimate Interests: Processing necessary for our legitimate business interests, including data aggregation for market intelligence, algorithm improvement, product development, and security, where those interests are not overridden by your rights and freedoms.
• Consent: Where required by applicable law (e.g., marketing communications).
• Legal Obligation: Where processing is necessary to comply with a legal obligation.

Your rights under GDPR include the right to access, rectify, erase, restrict processing, data portability, and object to processing. To exercise these rights, contact [email protected]. Please note that certain rights may be limited where we have a compelling legitimate interest or legal obligation to continue processing, and that the right to erasure does not extend to Aggregated Data as described in Section 5.2.

14. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided personal information to us, please contact us at [email protected].

15. Changes to This Policy

We reserve the right to modify this Policy at any time at our sole discretion. When we make changes, we will update the “Effective Date” at the top of this page and post the revised Policy on the Service. We may, but are not obligated to, notify you of material changes via email or through an in-app notification.

Your continued use of the Service after any changes to this Policy constitutes your acceptance of the revised Policy. If you do not agree with the updated Policy, you must stop using the Service and may request account deletion as described in Section 5.3. It is your responsibility to review this Policy periodically for any updates.

16. Governing Law and Dispute Resolution

This Policy shall be governed by and construed in accordance with the laws of the State of New York, without regard to its conflict of law principles. Any disputes arising from or relating to this Policy or your use of the Service shall be resolved exclusively in the state or federal courts located in New York County, New York, and you consent to the personal jurisdiction of such courts.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: