Privacy Policy

Last updated: 6 May 2026

Marginalia (the "Service") is operated by Jacques Bartoli, a registered auto-entrepreneur based in France ("we", "us"). This page explains what we collect, why, and what your rights are. We aim to keep this short and honest.

1. What we collect

• Email address — used to authenticate you (magic link sign-in) and send transactional notices (subscription receipts, expiry warnings, password-less login links).
• Stripe customer ID — issued by Stripe when you start a paid subscription. We do not see or store your card number.
• reMarkable cloud device token — generated when you pair your reMarkable. This token is stored locally on your device (desktop or mobile app). We do not store it on our servers.
• Highlights cache — extracted highlights and handwritten notes are temporarily cached server-side, encrypted at rest, to allow background sync to your destinations (Obsidian, Notion, Readwise). Cache entries are deleted automatically after sync completes, or within 30 days, whichever comes first.
• Server logs — IP address, timestamp, and request path are kept for 14 days for security and abuse prevention, then deleted.

2. Service providers we use

• Stripe (payment processing, Merchant of Record) — stripe.com/privacy
• Resend (transactional email delivery) — resend.com/legal/privacy-policy
• Cloudflare (hosting, CDN, DDoS protection) — cloudflare.com/privacypolicy

These are the only third parties that ever touch your data. They act as data processors under our instructions.

3. What we do not do

• No advertising, no advertising trackers, no third-party analytics.
• No selling, renting, or sharing your data with anyone.
• No reading your highlights for any purpose other than syncing them to the destination you chose.
• No training of AI models on your content.

4. Legal basis (GDPR)

We process your data on the basis of contract (delivering the Service you signed up for) and, where applicable, legitimate interest (security, fraud prevention). We do not rely on consent for marketing because we do not do marketing emails.

5. International transfers

Our infrastructure is hosted on Cloudflare's global network. Data may be processed in the EU, UK, or United States. Where data leaves the EEA, transfers are covered by the EU Standard Contractual Clauses adopted by our processors.

6. Your rights

Under GDPR (EU/UK), CCPA (California), and similar laws, you have the right to:

• Access a copy of the data we hold about you
• Request correction of inaccurate data
• Request deletion of your data ("right to be forgotten")
• Export your data in a portable format
• Object to processing or withdraw consent
• Lodge a complaint with your local supervisory authority (in France, the CNIL)

To exercise any of these rights, email hello@marginalia.pro. We respond within 30 days, usually within 72 hours.

7. Data retention

Account data is kept while your subscription is active, plus 90 days after cancellation for accounting and dispute resolution. Invoices are kept 10 years as required by French law.

8. Security

All traffic is encrypted in transit (TLS 1.3). The highlights cache and any token material at rest is encrypted with AES-256. Passwords are not stored — we use email-based magic links exclusively.

9. Children

Marginalia is not directed at children under 16. We do not knowingly collect data from minors.

10. Changes to this policy

If we make material changes, we'll email active subscribers and update the "Last updated" date above. Continued use after notice constitutes acceptance.

11. Contact

Data controller: Jacques Bartoli, auto-entrepreneur, France.
Email: hello@marginalia.pro