Privacy Policy
Last updated: March 26, 2026
Marginalia is a reading and social annotation service operated by Digitalheads (digitalheads.pl). This policy explains what data we collect, why, how we protect it, and your rights under the EU General Data Protection Regulation (GDPR).
Data we collect
- Account data: Email address, username, display name, bio, and avatar URL. Collected when you register.
- Library data: EPUB files you upload and their metadata (title, author, ISBN, cover image). Stored so you can read and manage your books.
- Reading activity: Current reading position (EPUB CFI), progress percentage, and reading sessions. Used to sync your position across devices.
- Highlights and annotations: Highlighted text passages, their locations in the book (EPUB CFI anchors), optional notes, visibility setting (private or public), and highlight color.
- Social data: Who you follow and who follows you, and your public profile information.
- Technical data: IP addresses in server logs (retained for security and debugging) and session cookies required to keep you logged in.
How we use your data
- To provide the reading, highlighting, and social annotation service
- To sync your reading progress across devices
- To display your public highlights to your followers (only when you explicitly set a highlight's visibility to public)
- To maintain the security and reliability of the service
We do not sell your data. We do not use your data for advertising. We do not train machine learning models on your data.
Privacy by default
- All highlights default to private
- Reading activity defaults to private
- Nothing is shared publicly unless you explicitly opt in
Data storage and security
- Application and database hosted on DigitalOcean infrastructure
- EPUB files stored in DigitalOcean Spaces (object storage)
- Database: managed PostgreSQL with automated backups
- All connections encrypted via TLS
- Passwords are hashed using bcrypt and never stored in plain text
Cookies
Marginalia uses only strictly necessary cookies:
- Session cookie — keeps you logged in
- CSRF token — protects against cross-site request forgery
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.
Third-party services
The following services may process data on our behalf:
- DigitalOcean — cloud infrastructure (servers, database, file storage)
- Postmark — transactional email delivery (account confirmation, password reset)
- Google Fonts — typefaces loaded in the browser (Google may log requests; no cookies are set)
- jsDelivr — open-source CDN used to load the EPUB reader library (may log requests; no cookies are set)
Your rights under GDPR
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Access — You can view all your data directly in the app (profile, library, highlights, reading activity).
- Rectification — You can edit your profile, annotations, and highlights at any time.
- Erasure — You can delete your account and all associated data from the Settings page. Deletion is permanent and immediate.
- Data portability — You can request a copy of your data by contacting us. We are working on built-in export features.
- Withdraw consent — You can make all your data private at any time by changing your privacy settings.
- Restriction and objection — Contact us to request restricted processing or to object to specific uses of your data.
Contact
Data controller: Digitalheads (digitalheads.pl)
For privacy inquiries, data requests, or complaints: privacy@digitalheads.pl
If you believe your data protection rights have not been addressed, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence.
Changes to this policy
We may update this privacy policy from time to time. When we make significant changes, we will notify you through the app or by email. The "last updated" date at the top of this page reflects the most recent revision.