PlateMargin ("we", "our", "the Service") is operated by SteadyDeveloper LLC.
This policy explains what data we collect, why we collect it, and how we
handle it.
What we collect
Account data. Your name, email address, organization name, and the password hash for your sign-in credentials.
Operational data. Recipes, ingredients, vendors, purchase orders, menu items, and operating costs that you enter into the Service.
Connected POS data. When you connect a Square account, we read sales orders, line items, payments, locations, devices, and catalog items so we can match them against your recipes. We never write back to Square.
Usage data. Standard server logs (IP address, request paths, error traces) for security and debugging.
Billing data. Subscription state, plan, and Stripe customer / subscription identifiers. We do not store payment cards — Stripe holds those directly.
What we don't collect
We do not sell your data.
We do not use your operational data to train AI models.
We do not share your operational data with other PlateMargin customers.
Where your data lives
Your data is stored in Microsoft Azure (United States region) using
industry-standard encryption at rest. Sensitive credentials (Square access
tokens, Stripe keys, JWT signing keys) are stored in Azure Key Vault with
field-level encryption. Backups are retained for the period Azure SQL's
point-in-time-recovery window allows (currently 7 days).
Subprocessors
We rely on the following third parties to deliver the Service:
Microsoft Azure — cloud hosting, database, secrets.
Stripe — payment processing.
Square — POS integration (when you connect it).
Mailgun — transactional email delivery.
Anthropic — optional AI recipe / purchase-order assistance (only when you enable it).
Your rights
Export. Request a copy of your organization's data via support@platemargin.com. We respond within 30 days.
Correction. Most data is editable directly in the app.
Deletion. Cancel your subscription and email support@platemargin.com to request full deletion. Backups containing your data age out within 7 days of the deletion.
Opt out of AI features. Disable in Settings → AI Recipe Suggestions; we'll stop sending data to Anthropic.
Security
Passwords use PBKDF2-HMAC-SHA256 with per-user salts. Sensitive fields
are encrypted at the application layer with keys held in Azure Key Vault,
so a database snapshot leak alone is not enough to read the protected
data. We use HSTS, CSP, and HTTP-only secure cookies.
If we discover a breach affecting your data, we'll notify the email on
your account within 72 hours and post a notice at the URL above.
Cookies
We use a small number of strictly-necessary cookies for session login
and CSRF protection. We do not run ad trackers, third-party analytics,
or marketing pixels.
Children
The Service is not directed at children under 13, and we do not knowingly collect their data.
Changes
We'll update this page when our practices change and update the "Last
updated" date. Material changes will also be emailed to active accounts.