Privacy Policy
Effective date: 24 May 2026 · Last updated: 24 May 2026
Who we are
CheckMargin is published by Sico Software Ltd, a company registered in Scotland. CheckMargin helps solo fitness coaches track profit clarity, connect Stripe and PayPal income, estimate taxes, and manage client subscriptions. We are registered with the UK Information Commissioner's Office (ICO). Privacy questions: privacy@sico.software.
Data we collect
Account data. When you register, we store your email address via our authentication provider (SuperTokens).
Stripe read-only key. When you link Stripe, we store the read-only restricted key you create in your own Stripe dashboard, encrypted at rest. We use it only to read your charges and invoices to import income automatically. It can never move money, issue refunds, or change anything in your Stripe account.
PayPal OAuth token. When you connect PayPal, we store an OAuth access token to read your PayPal transaction history.
Income records. Payment records imported from Stripe and PayPal, including amount, date, and client label.
Expense records. Expenses you add manually, including amount, date, category, and description.
Offer configurations. Coaching offer types and pricing you configure (e.g. 1:1 sessions, group programmes, subscriptions).
Subscription records. Client subscription data managed through CheckMargin's billing feature, including client name, offer, and status.
Usage events. Anonymised usage events (page views, feature interactions) used to improve the product. No personal income data is included.
We do not store payment card details. Any subscription billing is handled directly by Stripe.
How we use your data
- To auto-import income from Stripe and PayPal
- To calculate net take-home and tax estimates
- To track offer margin and leakage across expense categories
- To send billing emails for client subscriptions
Data sharing
We do not sell your data. We share data only with sub-processors required to operate the service:
- SuperTokens Inc. — Authentication provider. Your email address is stored in SuperTokens for login and session management.
- Stripe, Inc. — Income import and CheckMargin subscription billing. We read your income using a read-only restricted key you create in your own Stripe dashboard (Charges and Invoices read access only), and we use Stripe to charge your CheckMargin Pro subscription. CheckMargin can never move money or change anything in your Stripe account, and does not process or hold payments from your clients.
- PayPal, Inc. — Income import. We use PayPal's OAuth API to read your transaction history on your behalf.
- Resend, Inc. — Transactional email. Billing notifications and account emails are sent via Resend.
- Hetzner Online GmbH — Hosting provider. All data is stored on servers operated by Hetzner in the EU.
- Hetzner Online GmbH — our VPS provider (Germany, EU). All personal data is stored on this server.
- Resend Inc. — transactional email (account and billing notifications).
- PostHog Inc. — product analytics (page views, feature usage; no personal data).
- Sentry Inc. — error monitoring (stack traces; personal data scrubbed before transmission).
Data retention
We retain your personal data for as long as you hold an active account. You can delete your account at any time from your billing page — all personal data is erased immediately. To request deletion by email instead, contact privacy@sico.software with the subject line "Delete my data" and we will action it within 30 days.
Financial records. Payment transaction records (amount, date, product, and Stripe reference) may be retained for up to 6 years after the end of the tax year in which the transaction occurred. This is required by UK law (HMRC record-keeping obligations) and is exempt from the right to erasure under UK GDPR Article 17(3)(b). These records do not contain your CV, career data, or any application-level personal data.
Deletion audit log. When an account is deleted we record a timestamped entry containing a masked email address (e.g. "s*****n@example.com"), your anonymised account reference, and the deletion timestamp. This log has no expiry — it is the evidence we would produce to the ICO if asked to demonstrate that we honoured your erasure request.
Your rights under UK GDPR
As a UK resident you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Objection — object to processing based on legitimate interests
To exercise any right, email privacy@sico.software. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.
Security
All data is transmitted over TLS. Our server (Hetzner, Germany) is access-controlled via SSH key and Tailscale VPN. Integration credentials and API keys are encrypted at rest using pgcrypto symmetric encryption.
Cookies
We use one strictly necessary session cookie to keep you logged in. We do not use advertising or tracking cookies. PostHog analytics uses a first-party cookie; it does not track you across other sites.
Changes to this policy
Material changes will be communicated by email and by updating the effective date above. Continued use of the service after notification constitutes acceptance.
Contact
Sico Software Ltd · privacy@sico.software