Privacy Policy
Margifi is a B2B profit analytics platform. We connect to your Meta, Shopify, and delivery accounts to show you your real delivered ROAS and net margin — and we take how we handle that data seriously. This policy tells you exactly what we collect, why, who we share it with, and how you can control it.
Margifi ("we", "us", or "our") operates a D2C profit analytics platform for Indian direct-to-consumer brands. This Privacy Policy applies to Clients (business entities subscribing to the Service) and their Users (individuals accessing the Service on the Client's behalf). It is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Margifi is operated by Margifi Limited, registered at Ground Floor, WeWork Forum, DLF Cyber City, DLF Phase 3, Sector 24, Gurugram, Haryana 122002, India.
1. What data we collect
1.1 Account data
When a Client registers for Margifi, we collect:
- Full name of the account holder
- Business email address
- Company or brand name
- Subscription and billing information — payment processing is handled by Razorpay; Margifi does not store raw card numbers or UPI credentials
1.2 Integration data
When the Client connects their third-party platforms to Margifi, we collect:
- Meta Ads data: advertising spend, impressions, reach, clicks, conversions, ROAS, campaign and ad set names, and other performance metrics accessible via the Meta Marketing API
- Google Ads data: advertising spend, impressions, clicks, campaign and ad group performance metrics, ROAS, and related analytics accessible via the Google Ads API
- Shopify data: order IDs, order amounts, product details, fulfilment status, order source, and sales channel data accessible via the Shopify Partner API
- Payment gateway data (Razorpay / Cashfree): payment settlement amounts, transaction IDs, payment status, and payout timing data
- Shipping and logistics data (Delhivery / Shiprocket): shipment IDs, delivery status, return and RTO outcomes, and NDR (non-delivery report) data
1.3 Usage data
When you use the Margifi dashboard, we automatically collect:
- Pages and features accessed within the dashboard
- Button clicks, navigation patterns, and session duration
- Dashboard configuration preferences
- Timestamps of feature interactions
1.4 Technical data
- IP address at the time of login and during active sessions
- Browser type and version
- Operating system and device type
- Session identifiers managed via Clerk
- Error logs and diagnostic data collected via Sentry
1.5 Communications data
- Email correspondence with Margifi support
- Any information the Client provides when submitting support tickets or feedback
2. What we do not collect
Margifi is designed for B2B analytics. We take deliberate steps to limit the collection of personal data relating to the Client's end-customers:
- Margifi does not collect or store the full names, email addresses, phone numbers, home addresses, payment card numbers, or other directly identifying personal data of the Client's end-customers beyond what is strictly necessary for attribution matching — for example, anonymised or hashed identifiers used to match conversions to ad campaigns.
- Margifi does not build individual consumer profiles of the Client's end-customers for Margifi's own commercial purposes.
- Margifi does not use Integration Data for advertising targeting, re-targeting, or audience building on any advertising platform.
- Margifi does not sell, rent, or trade any Client Data or personal data to data brokers or third parties for commercial gain.
3. Why we collect it — purposes and legal bases
The table below sets out every purpose for which we process personal data, the data category used, and the legal basis under the DPDP Act 2023.
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the Service — ingesting platform data and generating analytics | Integration Data, Account Data | Contract performance (Data Processor acting under Client instruction) |
| Account authentication and security | Account Data, Technical Data | Contractual necessity; legitimate interest (security) |
| Billing and subscription management | Account Data (payment via Razorpay) | Contractual necessity |
| Product improvement and bug resolution | Usage Data, Technical Data (Sentry, PostHog) | Legitimate interest |
| Customer support | Communications Data, Account Data | Contractual necessity; legitimate interest |
| Legal compliance and fraud prevention | All categories as required | Legal obligation; legitimate interest |
| Sending transactional emails (onboarding, invoices, alerts) | Account Data (email address) | Contractual necessity |
In relation to data received through Integrated Platforms that may include identifiers relating to the Client's end-consumers, Margifi processes such data as a Data Processor acting under the instructions of the Client as Data Fiduciary, as described in our Data Processing Agreement.
4. Third-party sub-processors
Margifi uses the following third-party service providers. Each receives only the data necessary for their specific function. Margifi requires all sub-processors to maintain appropriate data protection and security standards.
| Service | Function | Data received |
|---|---|---|
| Clerk | Authentication and user session management | Name, email address, session tokens |
| Supabase (PostgreSQL) | Primary database and data storage | All Client Data, Integration Data, Account Data |
| DigitalOcean | Cloud hosting infrastructure | All data hosted on platform servers |
| Cloudflare | CDN, DDoS protection, TLS termination | IP addresses, request metadata |
| Razorpay | Subscription billing and payment processing | Client name, email, payment method details (PCI-DSS compliant) |
| Meta (Meta Marketing API) | Read-only access to Client's ad account data | API credentials; Margifi reads ad performance data on the Client's behalf |
| Google (Google Ads API) | Read-only access to Client's Google Ads data | API credentials; Margifi reads campaign performance data on the Client's behalf |
| Shopify (Shopify Partner API) | Read-only access to Client's Shopify store data | API credentials; Margifi reads order and product data on the Client's behalf |
| Sentry | Error monitoring and crash reporting | Error stack traces, IP addresses, session metadata — no Client business data is intentionally transmitted |
| PostHog | Product analytics and session recording | User interaction data within the dashboard (anonymised user IDs, feature usage, page views) |
| Resend | Transactional email delivery | Client email address; email content for onboarding, invoices, and alerts |
| Delhivery / Shiprocket | Shipping data ingestion via APIs | API credentials; Margifi reads shipment and delivery status data |
5. Data storage, security and retention
Storage
Client Data is stored in Supabase (PostgreSQL) databases hosted on cloud infrastructure. All data in transit between the Client's browser and the Margifi Platform is encrypted using TLS 1.2 or higher. Data stored in the database is encrypted at rest.
Personal data is stored and processed primarily on infrastructure located in India (Mumbai / Bangalore regions).
Security measures
- Encryption in transit: TLS 1.2 or higher, enforced via Cloudflare
- Encryption at rest: Supabase (PostgreSQL) database data is encrypted at rest
- Access controls: access to production data and infrastructure is restricted to authorised Margifi personnel on a need-to-know basis, with role-based access controls enforced
- Authentication security: all Margifi employee and User authentication is managed via Clerk with support for multi-factor authentication
- Error monitoring: Sentry is used to detect and alert on application errors to enable rapid incident response
- Dependency and vulnerability monitoring: Margifi performs periodic reviews of software dependencies and applies security patches in a timely manner
No system is completely secure. Margifi cannot guarantee absolute security of data transmitted over the internet.
Retention periods
| Data category | Retention period |
|---|---|
| Account Data | Duration of active subscription + 30 days post-cancellation |
| Integration Data (ad, order, delivery, payment) | Duration of active subscription + 30 days post-cancellation |
| Usage and Technical Data | Up to 12 months for product improvement and debugging |
| Billing records | 7 years as required under applicable Indian tax and accounting law |
| Support correspondence | 3 years from the date of the last correspondence |
At the expiry of the applicable retention period, data is either permanently deleted or anonymised such that it can no longer be attributed to the Client or any individual.
Clients may request early deletion of their data by contacting admin@margifi.com. Margifi will respond within 7 business days, subject to any legal retention obligations.
Data breach notification
In the event that Margifi becomes aware of a personal data breach likely to result in risk to the rights of individuals, Margifi will:
- Notify affected Clients at their registered email address within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, the categories of data affected, and the steps being taken to address it
- Report the breach to the Data Protection Board of India, as and when required under applicable regulations
Clients who become aware of any suspected data breach or security vulnerability in connection with Margifi must promptly notify Margifi at admin@margifi.com.
6. Your rights under the DPDP Act 2023
Margifi processes personal data of individual Users on the following legal bases under the DPDP Act 2023: consent (obtained at account registration for service-related communications), contractual necessity (processing necessary to provide the subscribed Service), and legitimate interest (improving the platform, maintaining security, and preventing fraud).
As a data principal, you have the following rights:
Request confirmation of whether your personal data is being processed and receive a summary of it.
7 business daysRequest correction of inaccurate or incomplete personal data held by Margifi.
7 business daysRequest deletion of personal data where there is no legitimate basis for continued processing.
7 business daysRaise complaints about data processing and receive a substantive response. Acknowledgement within 48 hours.
7 business daysNominate another person to exercise rights on your behalf in the event of death or incapacity.
As required by the ActHow to exercise your rights: submit a written request to admin@margifi.com from your registered account email address. Margifi reserves the right to decline requests that are manifestly unfounded, repetitive, or that would require retention of data under a legal obligation.
If you are not satisfied with Margifi's response, you may raise a complaint with the Data Protection Board of India once such Board is constituted and operational under the DPDP Act.
7. International data transfers
Margifi acknowledges that some third-party sub-processors — including Supabase, Clerk, Sentry, PostHog, Cloudflare, and DigitalOcean — operate infrastructure outside India. By using the Service, the Client acknowledges and consents to such international data transfers to the extent necessary for the delivery of the Service. Margifi ensures that such transfers are made under appropriate contractual protections as required under applicable law.
Margifi transfers personal data only to countries that are not restricted by the Central Government under Section 16 of the DPDP Act, 2023, under contractual data-protection safeguards.
8. No advertising use
Your data is never used for ad targeting
Margifi does not use Client Data, Integration Data, or any personal data accessed through the Service for the purpose of serving targeted advertising to the Client's customers or for building advertising audiences. Client Data will not be shared with Meta, Google, or any other advertising platform for advertising targeting purposes — except as strictly necessary to execute the read-only API calls that fetch the Client's own advertising data from those platforms.
9. Cookies, children, policy changes and contact
Cookies
Margifi uses cookies and similar tracking technologies on the platform. Full details — including which cookies we set, their purpose, and how to manage them — are set out in our Cookie Policy.
Children's data
The Service is not directed at individuals under the age of 18. Margifi does not knowingly collect personal data from minors. If Margifi becomes aware that personal data of a minor has been inadvertently collected, it will be deleted promptly.
Changes to this policy
Margifi may update this Privacy Policy from time to time. When material changes are made, Margifi will notify Clients via email and/or dashboard notice at least 14 days before the changes take effect. Continued use of the Service following the effective date constitutes acceptance of the revised policy. The most current version of this policy will always be available at margifi.com/privacy-policy.
Contact and Grievance Officer
Get in touch
To exercise any right or raise a data-related complaint, email us from your registered account email address. We will acknowledge your request within 48 hours and respond substantively within 7 business days.