Your Privacy Matters. Marginal AI (Quantimental Technologies Ltd.) is committed to protecting your privacy and being transparent about how we collect, use, and share your personal information. This Privacy Policy describes what data we collect from users of the Marginal AI platform (“Service”), how we use and protect that data, and your rights regarding your information. This policy applies to all users globally, including in the European Economic Area (EEA), United Kingdom, United States, Canada, and any other region. We endeavor to comply with all relevant data protection laws, including the EU General Data Protection Regulation (GDPR), UK Data Protection Act, California Consumer Privacy Act (CCPA) (as amended by the CPRA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), among others.
Data Controller. For the purposes of applicable data protection laws (including EU/UK GDPR), the Data Controller of your personal data is Quantimental Technologies Ltd. (trading as Marginal AI). Our contact details are set out in the Contact Us section below. Where we are required to appoint an EU/UK representative under Article 27 GDPR (or equivalent UK GDPR requirements), we will update this Privacy Policy with the representative’s contact details.
By using Marginal AI, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use the Service. We may update this policy from time to time (see “Changes to This Policy” below). We encourage you to review this policy periodically. If you have any questions, our contact information is provided at the end.
Information We Collect
We collect or receive several types of information from or about you when you use the Service. The categories of data we collect include:
- Account Information: When you register for Marginal AI, we collect personal information such as your name, email address, username, organization (if provided), region, age range, and password (which is stored in hashed form). This is used to create and secure your account. We may also assign a unique user ID to your account.
- Billing Information: For paid subscriptions, our third-party payment processor (e.g., Stripe) collects your payment card details or other payment credentials. We do not store your full credit card number on our systems; however, we may store limited billing details such as the last four digits of your card, card type, expiration, and billing address, as well as records of your transactions (dates, amounts, and the services subscribed). This information is used for charging subscription fees and complying with financial record-keeping requirements.
- Prompts and AI Interaction Data: When you use Marginal AI’s core features, you may input various queries, prompts, or data (“Prompts”), and the Service generates AI outputs (“Responses”). We collect and store these Prompts and Responses associated with your account. This allows you to access your chat history and ensures continuity in multi-turn conversations. It also helps us to improve the Service (for example, reviewing interactions for quality or debugging). Important: Any personal or sensitive information you include in a prompt will be part of this collected data, so please use caution in what you input. By default, we treat all Prompt/Response content as confidential to you.
- Usage Data: We automatically collect information about how you use the Service. This includes:
  - Log Data: When you interact with Marginal AI, our servers record technical details about your usage. This log data may include timestamps of logins and queries, the pages or features used, your IP address, browser type, and operating system. For API usage, logs will include API endpoint calls, request metadata, and Compute Units (CUs) consumed per request. We generate and keep CU usage logs in line with the Data Retention section (generally up to 36 months, with de-identification after 12 months where feasible) for billing, analytics, capacity planning, and security auditing. These logs show how many CUs you used, when, and for what operations, but they do not necessarily contain the full text of your prompts unless needed for debugging.
  - Device and Analytics Data: We may collect device identifiers or IDs, approximate location information (based on IP, to infer city or country level location), language preference, and other device-level information. We use first-party and third-party analytics tools to gather information about user actions (such as button clicks, features used, performance metrics, and errors). This helps us understand engagement and improve the user experience. Wherever possible, we aggregate or de-identify analytics data.
- Cookies and Similar Technologies: Our website uses cookies or similar tracking technologies to remember your preferences (e.g., staying logged in, or UI settings) and to collect analytics about our site traffic. These cookies may collect information like your IP, browser type, and pages visited. (Note: We do not use cookies for third-party advertising or tracking outside our own site.)
- Support and Communications: If you contact us for support or communicate with us via email, chat, or our support portal, we will collect the information you choose to share. This might include your contact information, details about your issue or question, screenshots, or other helpful context. We keep records of our correspondence and any attachments to resolve your request and improve our support services. Similarly, if you fill out any feedback forms, surveys, or participate in beta testing, we collect any data you provide about your experience or suggestions.
- Crash and Diagnostic Data: In the event of a software error or crash, we might automatically collect a crash report. This diagnostic data can include technical information about the state of the application when it crashed (device type, OS, stack traces, memory state, etc.), and possibly user IDs or session IDs to correlate the event. These reports help us debug issues and improve stability. We use third-party error monitoring services to manage crash reports in compliance with this policy.
- Sensitive Personal Data: We do not actively collect any special categories of personal data about you (such as race, ethnicity, health information, biometric data, etc.) unless you voluntarily provide it in a prompt or communication. We do not ask for or want any data from children under 17, or any information not relevant to providing our service. Please refrain from providing sensitive personal data via the Service. If you submit sensitive personal data in prompts, we will use reasonable efforts to minimise and restrict processing of that data, limit access to authorised personnel, and not use it for service improvement beyond what is necessary to provide support, ensure safety, and comply with legal obligations. If you have submitted sensitive personal data and wish to have it removed, contact us for assistance.
We may combine information that you provide us with information from other sources (for example, if you use multiple features, or we supplement data with publicly available information for verification).
How We Use Your Information
We use personal data for the following purposes, relying on the legal bases noted (for users in jurisdictions like the EU where a legal basis is required):
- To Provide and Operate the Service: We process your data to authenticate you, deliver the features of the Marginal AI platform, and respond to your requests. For example, we use your prompts to generate AI results, use your account data to log you in and maintain your settings, and use CUs to meter your usage. This processing is necessary to perform our contract with you to provide the Service.
- To Maintain and Improve the Service: We analyze usage data, prompts, and feedback to understand performance and improve our AI models and features. This includes debugging and troubleshooting, conducting research and development, and refining algorithms. For instance, our team might review de-identified or pseudonymized snippets (where feasible) of user interactions to ensure the AI is functioning correctly and to make updates (unless you opt out in Settings, where available, of your prompts being used for service improvement activities beyond providing the requested response). We apply access controls and data minimisation, and we do not allow service providers to use your prompts for their own model training. We may also use aggregated usage patterns to guide user interface improvements or new feature development. Our legitimate interests in innovating and enhancing our services form the legal basis for this, and we implement measures to minimize privacy impact (like anonymization and opt-out options).
- Billing and Account Management: We use billing information to process your subscription payments, send invoices or receipts, and keep records of your purchases. If you upgrade/downgrade plans, we use your information to adjust access accordingly. We may also send you service and billing-related communications (e.g., payment confirmations, trial expiration warnings). This is necessary for the performance of our contract and compliance with legal obligations (financial regulations and tax laws requiring record-keeping).
- Customer Support: Information you provide in support requests (like your email and description of a problem) is used to assist you. Support may involve accessing your account information, usage logs, or relevant prompts (with your consent or as necessary) to diagnose issues. We also use support communications to improve future support processes and train our support staff. The legal basis here is performance of contract (if it’s about helping you use the service) and our legitimate interest in maintaining customer satisfaction.
- Communications and Updates: We may send you important service-related announcements or administrative emails, such as welcome emails, password reset notifications, security alerts, or notices of changes to terms or policies. We may also send occasional product updates, newsletters, surveys, or promotional communications about new features or offers. If required by law, we will obtain your consent for marketing communications. You can unsubscribe from marketing emails at any time by clicking the “unsubscribe” link or contacting us. Note, however, that you cannot opt out of essential service emails (e.g., security, billing, legal notices) and account-critical push notifications. Surveys and product research communications are optional, and you may opt out through Settings (where available) or by contacting us.
- Security and Abuse Prevention: We use data (especially usage logs, IP addresses, device info, and patterns of activity) to monitor for fraudulent, suspicious, or malicious activity. This helps us detect and prevent misuse of the Service, security breaches, and attacks. For example, if our systems detect a single user account making an abnormal number of requests or requests that match a prohibited behavior pattern, we may investigate or take action. We also may use your account data to verify your identity if you contact us with a sensitive request (such as accessing personal data). Our legitimate interests in protecting our platform and users, as well as compliance with legal obligations (like GDPR’s requirement for data security), form the basis for this processing.
- Legal Compliance: We may process personal information as required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. For example, we keep transaction records to meet financial regulations and may retain data to comply with data retention laws. If we are involved in litigation or receive a lawful subpoena or order, we may process and disclose data as necessary to respond (after verifying the request’s validity). We also use your information to enforce our Terms of Service and other agreements, or to investigate potential violations thereof. The legal bases for this are compliance with legal obligations and our legitimate interest in enforcing our rights and ensuring lawful use of our Service.
- Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction. In such cases, we will ensure the recipient agrees to handle your personal data in accordance with this Privacy Policy and we will provide notice where required by law. Where legally required and reasonably practicable, we will provide choices (such as opt-out options or deletion requests) in connection with the transfer.
We do not use personal data for automated decision-making or profiling in a way that produces legal or similarly significant effects for you, except for the automated processing intrinsic to providing AI responses at your request. We simply respond to your prompts automatically. Any content filtering (to block prohibited content) is automated for efficiency and security, but if something is flagged that you believe is an error, you can contact support for a manual review.
How We Share Your Information
We understand that your personal information is important, and we are not in the business of selling it to others. We do not sell your personal data to third parties for their own marketing or commercial purposes. We only share information in the following circumstances:
- With Service Providers (“Subprocessors”): We use trusted third-party companies to help us operate and improve Marginal AI. These providers perform services on our behalf, such as:
  - Cloud Hosting and Infrastructure: We host our application and data on reputable cloud platforms (for example, Amazon Web Services, Google Cloud Platform, or Microsoft Azure). Personal data (including account info, prompts, outputs, and logs) is stored and processed on their secure servers.
  - Payment Processors: As mentioned, we use third-party payment gateways (like Stripe) to process subscription payments. They handle your credit card information securely and are PCI-DSS compliant. We share with them the necessary billing details to charge you (name, email, maybe address and amount to charge).
  - AI Model Providers: Marginal AI may use third-party service providers (including, where applicable, model providers) to generate certain responses. In such cases, relevant prompt text may be transmitted to those providers solely to perform the requested processing. These providers act as our processors/sub-processors under written agreements that restrict them to processing personal data only on our instructions and prohibit use of that data for their independent purposes. We send only the minimum necessary content, use encryption in transit, and apply appropriate safeguards for international transfers as described in International Data Transfers.
  - Analytics and Crash Reporting: We may use analytics services to collect Usage Data (as described above) and crash reporting services to get automated crash logs. These providers might receive device identifiers, error details, and usage info.
  - Email and Communications: We utilize email service providers to send verification emails, alerts, and newsletters. Your name and email address and the content of the email will pass through those systems to reach you. We also may use customer support platforms to manage support tickets or in-app messages, meaning if you contact us, your communications are stored on their platform.
  - Other Vendors: This can include security services (for firewalling, DDoS protection - which entails processing IP addresses), content moderation tools (to check prompts for policy violations automatically), or marketing and survey tools if we ever run surveys or campaigns.
Each of our service providers is vetted for security and privacy practices. We have Data Processing Agreements (DPAs) in place with subprocessors as required by GDPR, obligating them to only use the data to provide services to us and to implement adequate safeguards. They are not permitted to use your data for their own purposes. We provide our subprocessors only the minimum information necessary for them to perform their functions.
- Within Our Corporate Group: If Marginal AI/Quantimental Technologies has affiliates or subsidiaries (e.g., an EU-based branch), we may share data with them as necessary to operate the Service (for example, if certain engineering or support functions are performed by our affiliate). Any such entity will follow practices at least as protective as those described here. For example, if we have a UK subsidiary helping with UK customer support, they will access user data strictly under this policy’s terms.
- For Legal Reasons: We may disclose your information if required to do so by law or in response to valid legal process (such as a subpoena, warrant, or court order). We will strive to notify you of requests for your data before disclosing, unless legally prohibited. Additionally, we may disclose data if we believe in good faith that such disclosure is necessary to (a) investigate, prevent, or take action regarding suspected illegal activities or to assist government enforcement agencies; (b) enforce our Terms of Service or investigate and defend ourselves against any third-party claims or allegations; (c) protect the security or integrity of our Service (e.g., for fraud protection or credit risk reduction); or (d) exercise or protect the rights and safety of Marginal AI, our users, or others. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.
- Business Transfer: As noted earlier, if we engage in a merger, acquisition, bankruptcy, or sale of all or part of our assets, your data may be transferred to the successor or purchaser as part of that transaction. The new entity would then handle the data in accordance with this policy (unless you’re notified of changes and given a chance to opt out).
- With Your Consent: We will share your personal information with third parties if (and only if) you have given us explicit consent to do so. For instance, if in the future we offer an integration where you ask us to send data to a third-party service (like exporting a report to a different app), we will do so only with your authorization.
No Selling of Data: We reiterate that we do not sell personal data. We do not provide your personal information to advertisers or other companies for their independent marketing or commercial uses. Any data we share is solely for the legitimate, outlined purposes of running our Service. In particular, your prompts and AI outputs are not used to train other companies’ models, nor are they published or shared with other users. By default, your interactions with the AI are private to your account. (The only exception is if you choose to share an output with others via a share/link function or publish it, which is entirely your choice and outside the Service’s default behavior.)
Aggregated or De-Identified Information: We may also share information that has been aggregated (combined with other data so it no longer identifies you personally) or de-identified (stripped of personal identifiers) in a way that cannot reasonably be used to identify you. For example, we might publish reports or insights about general usage trends (e.g., “X% of users asked about topic Y this month”) or performance statistics. This information will not contain any personal data and is not subject to restrictions.
International Data Transfers: Marginal AI may process personal data in the United States and other jurisdictions where we or our service providers operate, including for hosting, support, and security purposes. Where required by law, we rely on approved transfer safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and, for UK transfers, the UK Addendum to the SCCs or the UK International Data Transfer Agreement (IDTA), together with supplementary measures where appropriate. In certain countries (including parts of the Middle East), cross-border transfers may be subject to additional conditions; where applicable we will implement the required safeguards and/or obtain any necessary consents. We understand that the EEA, UK, and some other jurisdictions have strict rules on transferring personal data outside their borders. When we transfer personal data from the EEA/UK/Switzerland to the U.S. or any other country, we take steps to ensure your data is afforded equivalent protection as under your local laws. However, please note that when data is in another jurisdiction, it may be accessible to foreign courts, law enforcement, and national security authorities under that jurisdiction’s laws (for instance, U.S. authorities under U.S. law). In such cases, we will assess any government data requests carefully and push back or minimize disclosure where appropriate and legally possible to do so. We have not, as of the effective date, received any government request for bulk or indiscriminate access to user data, and if we ever do, we will seek to inform affected users unless prohibited.
By using Marginal AI, you understand that your personal information may be transferred to our facilities and those third parties with whom we share it as described in this policy, including to the United States. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. If you would like more information about our international transfer practices or to obtain a copy of relevant contractual agreements (like SCCs), you can contact us using the information at the end of this policy.
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This means:
- Account Data: We keep your account information (like your name, email, and registration details) for as long as your account is active. If you delete your account or if it’s terminated, we will delete or anonymize this information within a reasonable period after account closure, unless we are required to retain it for longer to comply with legal obligations or resolve disputes. For example, if you cancel a paid subscription, we may retain some identifying and billing information for a certain number of years to comply with tax and financial regulations. Typically, basic account records are kept for up to 7 years post-termination if needed for legal compliance (e.g., tax audit requirements), then deleted or anonymized.
- Prompts & AI Outputs: By default, we retain the content of your prompts and the AI-generated responses in your account history so you can review past answers and to enable ongoing conversations. These are kept until you delete them or delete your account. You have the ability to delete your conversation history (either individual questions or all at once via your account settings). If you delete specific prompts or chats, they will be permanently removed from our production systems (though backups may persist for a short period until rotated out). If you want all your content removed, deleting your account will accomplish that, subject to the caveat that we may retain logs or derived data as noted below. If you have opted out of data use for model training, your prompts may still be stored for your access and for moderation/compliance logs, but not used in our improvement processes.
- Usage Logs: We maintain detailed CU usage logs for up to 36 months to analyze usage trends, handle billing disputes, and perform security audits. After 12 months, we take steps to de-identify or pseudonymize these logs where feasible (for example by removing direct identifiers and reducing precision of certain fields), while retaining enough detail to support auditability, fraud prevention, and billing verification. Summary usage statistics (which are aggregated and not personally identifiable) may be kept longer for business analytics. Other application logs that contain personal data (like IP addresses in server logs) are typically rotated and deleted within 90 days, unless needed longer for security analysis.
- Support Communications: If you contact support, we may retain those communications and any attachments for up to 3 years after the issue is resolved, in case you have follow-up issues or for training our support team. In some cases, we may keep them longer if needed to establish a record of how an issue was handled (especially if it resulted in a significant change to our terms or systems). If you want us to delete support emails that contain personal data, you can request it, and we will do so unless we need to keep a record for legal reasons.
- Backups: We maintain backup copies of our databases for reliability and disaster recovery. These backups are encrypted and rotate on a fixed schedule (e.g., incremental backups daily, full backups weekly). Backup data typically expires and is overwritten after a retention period (commonly 30-90 days). Therefore, even after you delete data from our live systems, that data may remain in backups for a short time until those backups cycle out, at which point it will be deleted. We do not use backup data for any active purpose except if needed for restoration due to an incident.
- Legal Holds: Notwithstanding the stated retention periods, if we are required by law or court order to retain specific data, or if we anticipate a legal claim might arise, we may preserve relevant data until that issue is resolved. For instance, if we receive a preservation request in connection with litigation, we will retain the data as instructed.
Once the retention period expires, or the data is no longer needed, we will securely delete or anonymize your personal information. When we anonymize data, we strip it of identifiers so it can no longer be linked back to an individual. We may use anonymized data (which is not personal information) indefinitely for analysis, research, and product development.
In summary, we do not keep personal data longer than necessary for the purposes described in this policy or as required by law. If you have specific questions about our data retention for a certain type of data, you can contact us for more detail.
Your Rights and Choices
Depending on your jurisdiction and the applicable data protection laws, you have a number of rights regarding the personal data we hold about you. We are committed to honoring these rights. These may include:
- Right of Access: You have the right to request a copy of the personal data we hold about you. We can confirm whether we’re processing your data and provide you with a copy of that data, as well as information on how we use it. (For EU users, this is Article 15 GDPR – Right of access; for California users, the right to know categories and specific pieces of information).
- Right of Rectification: If any of your personal information is inaccurate or incomplete, you have the right to ask us to correct it. You can update most basic account information by logging into your account settings. For any other corrections, contact us and we will rectify inaccuracies without undue delay.
- Right to Deletion: You have the right to request deletion of your personal data (the “right to be forgotten”), subject to certain exceptions. You can delete your account via the settings or by contacting support, and we will remove your personal data as described in the Data Retention section. If you request deletion of specific data (like a particular prompt history), we will accommodate it. Note that we may retain some data as required by law or for legitimate business purposes (e.g., we cannot delete payment records immediately if required for audit, and your email might be kept to honor an opt-out list). If we have shared your data with processors, we will pass the deletion request along to them as needed.
- Right to Restrict Processing: In certain circumstances (for example, if you contest the accuracy of your data or object to our processing), you have the right to request that we restrict processing of your data. This means we would store it but not actively use it until the issue is resolved. For instance, if you believe our data about you is wrong, you can ask us to stop processing it (aside from storing it) until we verify and correct it.
- Right to Data Portability: You have the right to obtain your personal data in a structured, commonly used, machine-readable format, and to request that we transfer it to another controller where technically feasible. For Marginal AI, this could include things like your prompt/response history or account details. We can provide exports (likely in JSON or CSV format) upon request for data you provided.
- Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests (including profiling on those grounds) or when done for direct marketing purposes. If you object to direct marketing, we will stop sending you marketing communications. If you object to processing based on legitimate interests, we will evaluate your objection and will stop or limit processing unless we have compelling legitimate grounds to continue or the processing is needed for legal claims. For example, you can object to any use of your data for analytics/improvement - if you do, we will consider if our interest in improving the service is overridden by your rights and freedoms, and if appropriate we will cease that processing for your data (likely by opting you out of any data collection beyond what’s necessary for service provision).
- Right to Withdraw Consent: In cases where we rely on your consent to process data (e.g., for optional uses like sending marketing emails or using certain cookies), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. For instance, if you gave consent for us to use your data in a beta program, you can revoke it and we will stop that use for the future.
- Right to Non-Discrimination (CCPA/CPRA): If you exercise any privacy rights as a California consumer, you have the right not to receive discriminatory treatment from us. We will not deny you services, charge you different prices, or provide a lesser quality of service because you exercised your rights. (However, note that deletion of certain data might affect our ability to provide the Service in some cases, for example if you ask us to delete your account entirely, you will no longer be able to use the Service - which is a consequence of deletion, not discrimination).
- Rights Related to Automated Decision-Making: Marginal AI does not engage in solely automated decision-making that produces legal or similarly significant effects. If that were to change, you would have rights to human review of automated decisions under certain laws.
To exercise any of these rights, please contact us (see Contact Information below) with your request. We may need to verify your identity before fulfilling the request, to ensure that we do not disclose data to the wrong person or delete data at an improper request. Verification might involve confirming ownership of the email associated with your account or other identification. For certain requests, we may ask for additional information. For example, a request for access or deletion is best made from the email on file for your Marginal AI account; if someone else (like an authorized agent or next of kin) makes the request, we’ll need proof of authorization.
We will respond to your request within the timeframes required by applicable law. Under GDPR, that’s generally one month (extendable by two months for complex requests with notice), and under CCPA/CPRA it’s 45 days (extendable by another 45 days if necessary). Our goal is to handle requests as quickly and smoothly as possible. If we need an extension, we’ll inform you of the reason.
Keep in mind, some rights are subject to exceptions. For example, we can refuse a deletion request if the data is needed to comply with a legal obligation or if the data is necessary to establish or defend legal claims. If we refuse any part of your request, we will inform you of the reason, and you may have the right to appeal or complain to a regulator as described below.
Your Choices in Practice: In addition to formal rights, here are some simple ways you can manage your information:
- You can review and update your basic profile and account settings at any time by logging into Marginal AI and going to your account/settings section.
- You can opt out of marketing emails by using the “unsubscribe” link at the bottom of those emails. (We will still send essential service emails.)
- You can delete conversation histories or specific content by using the delete functions in the interface (if available) or by contacting support.
- If you do not want your prompts to be used for service improvement activities beyond providing the requested response (for example, evaluation, quality assurance, or internal model improvement where applicable), you can indicate that in Settings > Support by messaging our team. By default, we do not permit third-party providers to use your prompts for their own model training. If you opt out, we will not use your prompts for internal improvement beyond what is strictly necessary to deliver, secure, and maintain the Service.
- You can disable cookies via your browser settings and use browser privacy modes if you wish to limit passive data collection. Note that doing so may affect functionality (like staying logged in). For essential cookies necessary for login, we might not have an opt-out other than not using the Service. For non-essential analytics cookies, we will honor “Do Not Track” signals or cookie preference choices if applicable.
We will not retaliate or deny service if you exercise your rights, but please understand some data is needed to provide the Service. For example, if you request deletion of all your account data, we will do so, but that means you can no longer use Marginal AI unless you re-register with new data.
Data Security
We take the security of your personal information seriously and use a combination of administrative, technical, and physical safeguards to protect it. However, no method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security. We continually work to protect your information from unauthorized access, alteration, disclosure, or destruction. Our security measures include:
- Encryption: All communications with the Marginal AI Service are encrypted in transit. This means any data you send us (your prompts, login credentials, etc.) is protected from eavesdropping while it travels over the internet. Additionally, sensitive data at rest (such as passwords, which are stored as salted hashes, or payment tokens) is encrypted using strong encryption algorithms. We also encrypt stored personal data where appropriate (for instance, any personal fields in our databases may be encrypted at rest).
- Access Controls: We limit access to personal data to authorized personnel who have a legitimate need to know in order to perform their job duties (for example, customer support or engineering troubleshooting). Our staff access to user data is controlled by authentication, role-based access controls, and administrative oversight. We require two-factor authentication for our internal systems that handle sensitive data. Where feasible, we anonymize or pseudonymize data in testing and development environments.
- Network & Application Security: Our platform is hosted in secure data centers with firewall protection and intrusion detection systems. We regularly update our software and dependencies to address security vulnerabilities. We use secure coding practices and undergo code reviews. We also employ automated security scanning and occasional third-party penetration testing to identify and patch potential weaknesses in our app and APIs.
- Monitoring and Auditing: We log administrative access and actions on production systems to maintain an audit trail. Our systems monitor for unusual activities, and we have alerting for certain events (like multiple failed login attempts, suspicious API usage patterns, etc.). We also utilize anti-DDoS and rate-limiting measures to prevent abuse and ensure service availability.
- Subprocessor Security: We choose our subprocessors carefully, ensuring they have robust security policies. For example, our cloud providers maintain industry-standard certifications (such as ISO 27001, SOC 2) and data encryption. We include security requirements in our Data Processing Agreements with them. We also try to minimize the data shared: for instance, when using an AI model API, we only send the content needed for the AI operation, nothing more.
- Organizational Policies: Our team is trained on privacy and security best practices. We have an internal security policy that covers proper data handling, incident response, and use of tools. We restrict usage of production data to defined purposes. In the event of any subcontractors or contractors working with us, they sign confidentiality agreements and adhere to our data protection standards.
- Data Backups and Recovery: We perform regular backups as mentioned, and those backups are stored securely (with encryption) and tested for restoration. This protects against accidental data loss or ransomware scenarios.
- Testing: New features undergo testing in a staging environment before production, including security considerations. We use sandboxing for executing certain untrusted code (e.g., if a user uploads a plugin or code, it runs in a sandbox).
Despite all measures, no system is foolproof. In the unlikely event of a data breach that affects your personal information, we will follow applicable laws in notifying you and the relevant authorities. This means if a security incident occurs that poses a high risk to your rights (such as an unauthorized person accessing our stored personal data), we will inform you without undue delay (via email or conspicuous posting) and will provide information on what happened and what actions we are taking. We have an incident response plan in place for such situations.
As a user, you also play a role in keeping your data secure. Please maintain a strong, unique password for your Marginal AI account and do not share it. Use two-factor authentication if we offer it. Be cautious about phishing attempts – Marginal AI will never ask you for your password via email, and any URL to our service should be a marginal-ai.com domain. If you suspect any unauthorized access to your account, notify us immediately.
Children’s Privacy
Marginal AI is not intended for use by individuals under the age of 17. We do not knowingly collect personal information from children under 17 (or the applicable age of digital consent in your jurisdiction, which might be lower, e.g., 16 in some EU countries, 13 in the US, etc.). If you are under 17, please do not use our Service or provide any information about yourself. If we learn that we have inadvertently collected personal data from a child under 17 without appropriate consent, we will delete that information as quickly as possible.
Parents or guardians: if you become aware that your minor child has provided us with personal information, please contact us and we will take steps to delete such information from our systems. We reserve the right to ask for proof of relationship to the child before taking action, for security reasons.
Note: Because Marginal AI deals with complex information and potentially financial data, it is oriented toward adult professional use. We explicitly restrict account registration to adults in our Terms of Service. We do not use the Service to target minors in any way.
Third-Party Links and Services
Our Service may, from time to time, contain links to websites or services that are not operated by us. For example, within an AI-generated answer, there might be a citation or link to an external news article or source (as part of providing context). Or our website may have blog posts with reference links, or a community forum hosted on another platform. Additionally, you might integrate Marginal AI with third-party services through APIs or plugins.
This Privacy Policy does not apply to information collected by third-party websites or services that you may access through our Service. We are not responsible for the privacy practices of those external sites. If you click a link to a third-party site, or use a third-party service (like a payment provider’s hosted checkout page or an OAuth identity provider), that third party may collect data about you subject to their own privacy policies. We encourage you to review the privacy policy of any site or service you interact with.
For example:
- If we send you to Stripe’s checkout page for payment, the information you provide to Stripe is governed by Stripe’s privacy policy, not ours.
- If an AI output provides a link to a government filing or a news website, and you follow that link, any data that site collects (through cookies or forms you fill there) is under their policy.
- If in the future we allow logging in via Google or Microsoft, any data those companies get from you (like confirmation of your identity) falls under their policies.
We aim to integrate only with reputable third parties and to minimize unnecessary data sharing. But once you leave our Service or interact with a separate service, our responsibility for your data in that context ends. We do not control how third parties operate.
If you have questions about what is third-party on our Service, feel free to reach out. One guiding principle: if you are asked to provide personal info outside our domain or if you see a different brand, be mindful it’s likely a third-party service. We will try to signal when you’re being redirected (like saying “You will be redirected to the payment provider” or similar).
App Store Privacy Disclosures (for Mobile App Users)
If you are using a Marginal AI mobile application (iOS/Apple App Store or Android/Google Play), this section provides a summary of the data practices in a format aligning with app store requirements.
Data Categories Collected: The Marginal AI app collects the following categories of data, which may be linked to your identity for the purposes described in this Policy:
| Data Category | Examples of Data | Collected? | Purpose of Collection |
| --- | --- | --- | --- |
| Contact Information | Name, Email Address, Account Username | Yes | Account creation and login; Customer support communication. |
| Authentication Info | Password (hashed), Authentication tokens | Yes | Account login security; Maintain session. |
| Financial Info | Payment card details, Billing address | Yes (via third-party processor) | Process subscription payments; Fraud prevention. (Stored by payment provider, not on device). |
| User Content | Prompts you enter; AI chat outputs; Files you upload (if any) | Yes | Provide Service functionality (answer queries); Maintain chat history for user; Improve responses and reports. |
| Usage Data | Interaction events (menu clicks, feature usage); Session duration; Referral source | Yes | Analytics to improve UI/UX and features; Debugging issues; Personalizing user experience. |
| Device Identifiers | Device ID, Advertising ID (if applicable) | No | N/A – we do not collect advertising identifiers. |
| Internet/Network | IP Address; Network type (WiFi/Cell); App version; OS version | Yes | Provide network connectivity; Optimize service delivery (e.g., load balancing); Security monitoring (identify unusual access). |
| Location Data | Approximate location (city, country inferred from IP) | Yes | Security (identify anomalous logins); Language/region customization; Analytics by region. (No precise GPS location collected.) |
| Contacts | Phone contacts, address book | No | We do not access your contacts. |
| Sensitive Info | Special categories (health, biometrics, etc.) | No | Not actively collected. If provided by user in prompts, treated as User Content. |
| Browsing History | Web pages viewed in app’s internal browser | N/A | The app does not have an internal web browser for general browsing. |
| Search History | In-app search queries (if any search function) | N/A | (Search queries are analogous to prompts, collected as User Content above.) |
| Diagnostics | Crash logs, Performance metrics (CPU, memory usage) | Yes | Improve app stability and performance; Debug errors (via crash reporting SDK). |
| Marketing Data | User’s marketing preferences; engagement with marketing push notifications | Yes | Respect user’s choice for promotional communications; (opt-outs available in emails and via sending an opt-out message using the support section within the app). |
Data Uses: We use the collected data for purposes of App Functionality (e.g., delivering AI responses, authenticating user, preventing fraud), Analytics (understanding user behavior to improve the app), Account Management (maintaining your profile, saving settings), Customer Support, and Legal Compliance (monitoring misuse, meeting regulatory obligations). We do not use your data for Third-Party Advertising or tracking across apps/websites for advertising. We may use contact info for our own marketing to you (e.g., email newsletter) if you haven’t opted out, but we do not share it with ad networks. The app does not share data with brokers or advertisers.
Data Sharing: Some data (as described in “How We Share Your Information”) is shared with our service providers under strict contracts – for example, analytics data to analytics provider, crash data to crash analytics service, and payment info to payment processor. All such sharing is for App Functionality or Analytics. We do not allow those partners to use it for their marketing. The data is linked to you in the sense that it’s associated with your account or device for syncing your experience across devices (if applicable) and personalizing responses. However, we do not link any data for third-party advertising purposes.
Tracking: The Marginal AI app does not engage in “tracking” as defined by Apple (we do not link user or device data collected from our app with third-party data for targeted advertising, nor do we share it with data brokers). We do not use third-party SDKs for advertising tracking, and we do not share data with data brokers. If we use analytics or crash reporting tools, they are configured for product performance and reliability, not to track users across other companies’ apps or websites for advertising. Any analytics or crash data collected is for our internal use to improve our product and is not used to follow users across apps/websites. In summary, we do not track users in a way that requires the App Tracking Transparency prompt.
This table and information are provided to give you an overview in line with app store disclosure requirements. For full details, please refer to the rest of our Privacy Policy above. If anything in this section conflicts with earlier parts of the Privacy Policy, the more privacy-protective interpretation should govern.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy with a new “Effective Date” at the top. If the changes are material, we will also provide a more prominent notice, such as an email notification or an in-app alert, prior to the change becoming effective (at least where feasible and required by law). Material changes might include, for example, using personal data for a new purpose not originally collected for, or sharing data with new categories of recipients in a way that you might not expect under the current policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use Marginal AI after the updated policy takes effect, it signifies your acceptance of the changes. If you do not agree to any updated terms, you should stop using the Service and may request deletion of your data.
For historical reference, we will keep prior versions of this policy or a change log accessible (e.g., on our website or upon request) so you can see how our practices have evolved.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: support@marginal-ai.com
Postal Mail: Privacy Officer – Marginal AI (Quantimental Technologies Ltd.). 1111B S. Governors Ave STE 25426, Dover, DE 19904, USA
We will do our best to promptly respond and address your inquiry. If you contact us to exercise a privacy right, please detail your request clearly, and we may need to verify your identity (as described above).
If you are in the European Economic Area, United Kingdom, or Switzerland, you also have the right to lodge a complaint with a Supervisory Authority (Data Protection Authority) in your country if you believe we have infringed your data protection rights. For example, in the UK you would contact the Information Commissioner’s Office (ICO); in the EU, you can find the list of Data Protection Authorities here. In Canada, you can contact the Office of the Privacy Commissioner. In California, if you have concerns that we did not address, you can contact the California Attorney General’s Office. We kindly ask that you attempt to resolve any issues with us first, as we are committed to protecting your privacy and would appreciate the chance to address your concerns directly.
Thank you for trusting Marginal AI with your data. We value your privacy and work hard to keep your personal information secure and handled with care.