Privacy Policy

Last updated: March 2026

Margin Health, Inc. (“Margin,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services. Please read this policy carefully. By using Margin, you agree to the practices described here.

1. Information We Collect

We collect information you provide directly to us and information generated through your use of our services.

Information You Provide

When you create an account, connect your insurance, or contact us, we may collect:

  • Full name and email address
  • Insurance plan details, member ID, and group number
  • Health plan deductible and benefits data
  • Medical bills and Explanation of Benefits (EOB) documents you upload
  • Prescription information
  • Access codes and referral data

Information We Collect Automatically

When you use Margin, we automatically collect:

  • Log data (IP address, browser type, pages visited, time stamps)
  • Device information (device type, operating system)
  • Usage data (features used, actions taken in the app)

Information from Third Parties

When you connect your insurance account or EHR via OAuth, we receive:

  • Deductible accumulator data
  • Benefits and coverage information
  • Claims and EOB data
  • Prescription history (if EHR connected)

We only request data necessary to provide our services. We never receive or store your insurance portal password.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve our services
  • Power Margin HI — your personal Health Intelligence agent
  • Analyze your insurance benefits and identify potential savings
  • Detect billing errors and generate dispute letters
  • Send alerts about FSA/HSA deadlines, procedure timing, and free benefits
  • Respond to your questions and support requests
  • Send transactional emails (account confirmation, alerts)
  • Comply with legal obligations

We never use your health or financial data for advertising purposes. We do not sell your data to third parties. Ever.

3. How We Share Your Information

We do not sell, trade, or rent your personal information. We may share information only in these limited cases:

Service Providers

We work with trusted service providers who help us operate our platform:

  • Supabase (database and authentication)
  • Resend (transactional email delivery)
  • Vercel (hosting and infrastructure)
  • Anthropic Claude API (AI processing)

All service providers are bound by data processing agreements and may only use your data to provide services to us.

Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect the rights, property, or safety of Margin, our users, or the public.

Business Transfers

If Margin is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information is subject to a different privacy policy.

4. Data Security and HIPAA Compliance

HIPAA Notice: To the extent Margin processes Protected Health Information (PHI), we do so as a Business Associate under HIPAA. We maintain administrative, physical, and technical safeguards required by the HIPAA Security Rule.

We take data security seriously and implement industry-standard protections:

  • AES-256 encryption for data at rest
  • TLS 1.3 for all data in transit
  • OAuth 2.0 / SMART on FHIR for secure third-party connections
  • No storage of insurance portal passwords
  • Audit logging for all data access
  • Minimum necessary data collection
  • SOC 2 Type II attestation in progress

While we implement these safeguards, no security system is impenetrable. We encourage you to use a strong password and notify us immediately at hello@marginhealth.org if you suspect unauthorized access.

5. Your Rights and Choices

You have the following rights regarding your personal information:

Access and Portability

You can request a copy of all personal data we hold about you at any time by emailing hello@marginhealth.org.

Correction

You can update your account information directly in the app under Settings, or contact us to correct inaccurate data.

Deletion

You can request deletion of your account and all associated data at any time. We will delete your data within 30 days, except where retention is required by law.

Disconnect Integrations

You can disconnect your insurance account, EHR connection, or any third-party integration at any time from your dashboard settings.

Email Communications

You can opt out of non-transactional emails by clicking unsubscribe in any marketing email. You cannot opt out of transactional emails related to your account security.

California Residents (CCPA)

If you are a California resident, you have additional rights under the CCPA including the right to know what personal information is collected, the right to delete, and the right to non-discrimination for exercising your rights.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Specifically:

  • Account data: retained until you delete your account
  • Insurance and health data: retained for the duration of your subscription plus 90 days after cancellation
  • Uploaded documents (EOBs, bills): retained until you delete them or your account is closed
  • Log data: retained for 90 days
  • Anonymized, aggregated data: may be retained indefinitely for product improvement

7. Children’s Privacy

Margin is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will delete it immediately. If you believe we have inadvertently collected such information, please contact us at hello@marginhealth.org.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Sending an email to your registered address
  • Displaying a notice in the app
  • Updating the ‘Last updated’ date at the top of this page

Your continued use of Margin after changes become effective constitutes your acceptance of the updated policy.

9. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Margin Health, Inc.

Email: hello@marginhealth.org

For HIPAA-related inquiries, contact our Privacy Officer at the same address.