Last updated: November 2025
Privacy Policy
This Privacy Policy explains how Marginstone ("we", "us", or "our") collects, uses, and protects personal data when you:
- visit our websites, including https://marginstone.com and any subdomains (the "Site"),
- contact us or sign up for content, events, or demos, or
- use our products and services (including the Marginstone Core workflow runtime, web console, and related integrations) (together, the "Services").
We are committed to protecting your privacy and handling personal data in a transparent and compliant way.
If you have questions, contact us at:
Data Protection Contact
Aura Sphere Inc.
23 Valentine House, 2 Sands End Lane, SW6 2QH
tim@marginstone.com
If you are in the EU/EEA or UK, we process your personal data in accordance with the GDPR/UK GDPR.
1. Roles, hosting, and scope
1.1 Our Azure tenant vs. your Azure tenant
We use Microsoft Azure as our primary infrastructure provider.
- Our website, control plane, and business systems (CRM, support tools, etc.) run in Marginstone's own Azure tenant, typically located in UK South.
- Marginstone Core for enterprises is designed to run inside your Azure tenant:
- The workflow runtime, tools, and data connections are deployed to your Azure subscription and resource groups.
- Your business data (e.g., Fabric data, files) stays in your Azure tenant unless you deliberately share content with us for support.
1.2 Controller vs. processor
Depending on context, we may act as:
- Data Controller for:
- data collected via marginstone.com and related marketing sites,
- prospects and customer contacts (sales, marketing, support),
- user accounts and usage metadata for our web console and Teams app.
- Data Processor (or sub‑processor) for:
- limited support and telemetry data we process on behalf of a customer under a services agreement, if that data includes personal data.
This Policy focuses on:
- personal data we control (website, accounts, communications), and
- limited personal data we may process as a processor during support or co‑build work.
2. Data we collect
2.1 Visitors to marginstone.com
When you visit the Site, we may collect:
- Technical data
- IP address and approximate location (city/region),
- browser and device type,
- pages visited, time on page, referring URL,
- error and performance logs.
- Cookie / analytics data
- essential cookies for basic site and security functions,
- optional analytics events (e.g., page views, button clicks) if enabled.
We generally use pseudonymous identifiers and do not attempt to link this data to named individuals unless you submit a form.
2.2 Contact forms, demos, pilots, and newsletters
If you submit a form on marginstone.com, book a call, or sign up for updates, we may collect:
- name, job title, company, email address, phone number (optional),
- the content of your message or request,
- information about your organisation (industry, country, approximate company size),
- records of our communications and meeting notes.
2.3 Product accounts and usage metadata
When your organisation uses our Services (e.g., Marginstone console, Teams app), we may process:
- Account and identity data
- name, email address, username,
- organisation and role,
- identity provider identifiers (e.g., Azure AD object ID),
- permissions and roles.
- Usage metadata
- which parts of the product are used and when,
- workflow IDs, run IDs, and high‑level status (success/failure),
- configuration events (e.g., "workflow created", "policy approved").
This metadata is primarily stored in our Azure tenant. It does not require access to the underlying business data you process in your own Azure tenant.
2.4 Data processed in your Azure tenant (customer runtime)
When Marginstone Core is deployed in your Azure tenant:
- Your organisation controls:
- which datasets (Fabric tables, SharePoint sites, etc.) are connected,
- where they are stored and backed up,
- who can access them.
- Marginstone does not automatically receive or copy that data into our own systems.
We may access or receive samples, logs, or configuration files only when you explicitly share them with us for:
- support and troubleshooting,
- implementation and co‑build work,
- performance tuning or testing.
Where this includes personal data, we process it strictly under your instructions and contracts.
2.5 Support and co‑build engagements
In support or co‑build projects, you may share:
- sample datasets, screenshots, or logs,
- workflow definitions (e.g., YAML files),
- meeting recordings or notes.
We use this information only to deliver the requested services and delete or anonymise it according to your instructions and our retention policies.
3. Why we process personal data (purposes and legal bases)
Where GDPR applies, our main legal bases are:
- Contract (Art. 6(1)(b)) – to provide and support the Services you or your organisation request.
- Legitimate interests (Art. 6(1)(f)) – to secure, improve, and promote our Services to business users.
- Consent (Art. 6(1)(a)) – where required for non‑essential cookies or marketing emails.
We use personal data to:
- Provide and operate the Services
- set up and manage accounts,
- authenticate users (e.g., via Azure AD),
- configure and monitor Marginstone Core deployments,
- deliver support, training, and implementation work.
- Secure and maintain our systems
- log access and changes for audit and security,
- detect and prevent unauthorised or abusive activity,
- monitor performance and availability.
- Improve our products
- analyse aggregate usage patterns,
- prioritise features and fixes,
- test and optimise our Site and interfaces.
- Communicate with you
- respond to enquiries and demo requests,
- send information about updates, features, events, and research (where permitted),
- manage contracts, billing, and renewals.
- Meet legal and compliance obligations
- maintain business records,
- handle disputes and legal claims,
- comply with applicable laws and regulations.
You can object to processing based on legitimate interests (see Section 8).
4. Cookies and similar technologies
We use cookies on marginstone.com to:
- keep sessions secure,
- remember basic preferences,
- measure aggregate usage.
Categories:
- Essential cookies – required for the Site and security; cannot be disabled via our cookie banner.
- Analytics cookies – used to understand how visitors use the Site; where required by law, we obtain your consent before setting these.
You can manage cookies via your browser settings. Blocking some cookies may affect Site functionality.
5. How we share personal data
We do not sell your personal data.
We may share limited personal data with:
- Service providers (processors)
Companies that help us operate our Site and Services, such as:
- cloud hosting (Microsoft Azure, in our tenant),
- customer relationship management tools,
- analytics and error‑tracking services,
- email and communications platforms,
- customer support tools.
- Your organisation
If you use Marginstone through your employer or another organisation:
- administrators and authorised contacts at that organisation may see your account details, configuration changes, and activity logs,
- we may share usage summaries and support cases with them.
- Authorities and legal requests
Where required by law or valid legal process, or to protect our rights or others' safety, we may disclose data to public authorities or legal advisers.
- Business transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of the transaction, subject to appropriate safeguards.
We do not intentionally access or disclose the business data running inside your Azure tenant except as explicitly agreed for support or implementation work.
6. International transfers
Our own Azure tenant and core systems are hosted in UK South. We may process and store personal data in that region and, where necessary, in other countries.
When personal data is transferred from the EU/EEA or UK to a country that does not provide an adequate level of protection, we use appropriate safeguards, such as Standard Contractual Clauses (SCCs), along with technical and organisational measures.
Your organisation controls the region(s) used for Marginstone Core deployments in its own Azure tenant and is responsible for its own data residency decisions.
7. Retention
We retain personal data only as long as needed for the purposes described in this Policy, including:
- Website and analytics logs: typically for up to 12 months, unless we need them longer for security or legal reasons.
- Customer and prospect records: for the duration of our relationship and a reasonable period afterwards, in line with legal limitation periods.
- Product account and usage data: for the duration of the customer contract and a limited period afterwards for audit, security, and product improvement (or as otherwise specified in a data processing agreement).
- Support/co‑build materials: as long as a ticket or project is active and for a defined archival period thereafter, unless you request earlier deletion.
We may retain some records longer where required by law (e.g., tax and accounting regulations).
8. Your rights
Where GDPR, UK GDPR, or similar laws apply, you may have the following rights in relation to personal data we control:
- Access – request a copy of your personal data.
- Rectification – request correction of inaccurate or incomplete data.
- Erasure – request deletion in certain circumstances.
- Restriction – request that we limit processing in certain situations.
- Portability – receive data you provided to us in a structured, machine‑readable format and, where feasible, have it transmitted to another controller.
- Objection – object to processing based on legitimate interests, including direct marketing.
- Withdraw consent – withdraw consent for processing where we rely on consent (e.g., certain marketing or non‑essential cookies).
To exercise these rights, email tim@marginstone.com and specify your request. We may need to verify your identity.
If your account is managed by your employer or another organisation, we may need to refer you to them for certain requests.
You also have the right to lodge a complaint with your local data protection authority if you believe our processing violates applicable law.
9. Security
We take security seriously and use appropriate technical and organisational measures to protect personal data, including:
- hosting in Microsoft Azure with industry‑standard security controls,
- encryption in transit and at rest for our core systems,
- role‑based access control and least‑privilege principles,
- logging and auditing of administrative access,
- regular updates and vulnerability management.
For Marginstone Core deployed in your Azure tenant, your organisation controls many aspects of security (network, identity, data classification). We provide configuration guidance but do not control your tenant.
No system can be fully secure; we work continuously to reduce risk and respond quickly to issues.
10. Children's data
Our Site and Services are intended for business users. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.
11. Changes to this Policy
We may update this Privacy Policy periodically. When we do, we will:
- update the "Last updated" date at the top, and
- where appropriate, notify you through the Site, by email, or through our Services.
Your continued use of the Site or Services after an update means you accept the revised Policy.
12. Contact
For any questions or concerns about this Privacy Policy or our data practices, contact:
Privacy / Data Protection Contact
Aura Sphere Inc.
23 Valentine House, 2 Sands End Lane, SW6 2QH
tim@marginstone.com