Security &
Data Protection
margin/ is built for enterprise-grade security. We process payment metadata—never sensitive cardholder data—with full GDPR compliance and zero PCI scope.
Zero PCI Scope
No cardholder data stored or transmitted
GDPR Compliant
Full compliance with EU data protection
EU Data Residency
Data processed and stored in EU regions
Encrypted at Rest
AES-256 encryption for all stored data
01 / Zero PCI Scope
We never see your
customers' card numbers.
margin/ operates on Bank Identification Numbers (BINs)—the first 6-8 digits of a payment card. BINs identify the issuing bank, card type, and country, but are not considered cardholder data under PCI DSS standards.
What we receive
6-digit BIN, transaction amount, currency, country code. No PAN, CVV, or expiry.
What we store
Anonymized event logs with BIN prefix, amounts, and timestamps for savings calculation.
Your PCI burden
Unchanged. margin/ integration does not affect your PCI scope or compliance posture.
02 / Data We Collect
Minimal data.
Maximum insight.
We follow the principle of data minimization. We only collect what's necessary to detect payment optimization opportunities and calculate your savings.
| Data Type | Purpose | PII? |
|---|---|---|
| BIN (6 digits) | Card type detection | No |
| Amount & Currency | Savings calculation | No |
| Country Code | SEPA eligibility | No |
| Timestamp | Event logging | No |
| Merchant Email | Account & billing | Yes |
Your Rights Under GDPR
→ Right of Access
Request a copy of all data we hold about you or your organization. We'll provide it within 30 days in a machine-readable format.
→ Right to Erasure
Request deletion of your data. We'll remove all personal data and anonymize transaction logs, retaining only aggregated statistics.
→ Right to Rectification
Request correction of inaccurate data. Update your account information at any time through your dashboard or by contacting us.
→ Right to Portability
Export your data in JSON or CSV format. Download your transaction events, savings reports, and configuration at any time.
Data Processing Basis
We process data under the following legal bases:
- •Contract performance: Processing transaction data to deliver the margin/ service.
- •Legitimate interest: Improving our service, fraud prevention, and security.
- •Legal obligation: Financial record-keeping and regulatory compliance.
Retention Policy
Transaction Events
BIN detections, interventions, savings records
Then aggregated & anonymized
Billing Records
Invoices, payment history, usage summaries
Legal requirement (tax/accounting)
Audit Logs
API access, configuration changes, security events
Rolling window
Account Data
Email, company name, API keys
Deleted on account closure + 30 days
Subprocessors
We carefully select infrastructure partners that meet our security and compliance standards.
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Cloudflare | Edge compute, CDN, D1 database | EU (configurable) | All service data |
| Resend | Transactional email | US (EU available) | Email addresses only |
| Stripe / Polar | Payment processing | EU | Billing data only |
Last updated: January 2025. We notify customers of subprocessor changes with 30 days notice.
Data Processing Agreement
Enterprise customers can request a signed Data Processing Agreement (DPA) that includes Standard Contractual Clauses (SCCs) for any non-EU data transfers.
Request DPAData Protection Officer
For GDPR-related inquiries, data subject requests, or privacy concerns:
privacy@margin.soSecurity Team
To report security vulnerabilities or request security documentation:
security@margin.so