Magic Agent — Privacy Policy
Last updated: May 22, 2026
Magic Agent ("we", "our", or "the app") is committed to protecting your privacy. This policy explains what information we collect, how we use it, and your rights.
1. Information We Collect
- Phone number — used as your account identifier.
- Name — displayed in your profile and shared with group members.
- Chat messages — the text you send to the AI agent, used to generate responses.
- Documents — files you upload for analysis and storage within the app.
- Push notification token (optional) — an anonymous device token used to deliver reminder notifications, collected only if you grant notification permission. It is removed when you log out or delete your account.
2. Information We Do Not Collect
- We do not collect your device location.
- We do not use advertising identifiers or tracking pixels.
- We do not engage in cross-app or cross-site tracking.
2a. How We Handle Contacts
Magic Agent accesses your device address book only when you actively use specific features:
- Group invite picker — when you add members to a group, your contacts are loaded on your device so you can pick whom to invite. Your contact list is never uploaded. Only the phone numbers of contacts you explicitly select are sent to our servers, in order to add them to the group or send them an invite.
- Saving the Magic Agent contact — we add the Magic Agent number to your address book so you can forward documents on WhatsApp. This is a local write to your device; no contact data is sent to us.
- Detecting whether the Magic Agent contact is already saved — we read your contacts locally to check this. The result stays on your device.
Contact names are never transmitted to or stored on our servers. You can revoke contacts permission at any time from your device settings.
3. How We Use Your Information
Your chat messages and uploaded documents are sent to AI providers — Google Gemini and DeepSeek (accessed via OpenRouter) — for AI processing. This allows the agent to understand your requests and generate helpful responses.
Your data is not used to train AI models. Both providers process API inputs under terms that prohibit using customer inputs for model training.
4. Document Storage & Security
Documents you upload are stored on Amazon Web Services (AWS) S3 with the following protections:
- All documents are encrypted at rest using AES-256 server-side encryption.
- All data in transit is encrypted via HTTPS/TLS.
- Each document is stored in a user-specific path. Only you (and group members you explicitly share with) can access your documents.
- Documents are accessed only programmatically by the app to display, analyse, or process them on your behalf. No human ever views, reads, or has access to your documents.
- When you ask the AI agent a question about a document, the document content is sent to the Google Gemini API for analysis and is not stored by Google.
5. Notifications, Widgets & Background Activity
If you grant notification permission, Magic Agent uses notifications and home-screen widgets to surface reminders and items due today.
- Push notification token — when you allow notifications, your device generates an anonymous push token (issued by Apple's APNs on iOS or Google's FCM on Android, retrieved via the Expo push service). This token is sent to our servers so we can deliver reminders to your device. The token does not identify you personally and is deleted when you log out or delete your account.
- Reminder content in notifications and widgets — the reminder titles you create in the app may appear in OS notifications and on your home-screen widget. This is the same content you see inside the app, displayed on a different surface. Notification content is rendered on your device only.
- Background refresh — on Android, the app uses two background refresh mechanisms (each running approximately every 30 minutes) to keep notifications and your home-screen widget current even when the app is closed: one fetches items due today for the reminder notification, and the Android widget framework separately fetches widget data. Both use your network connection only. We do not access location, microphone, camera, or any other sensors in the background.
- Widget data caching — for fast widget rendering, your most recent reminders are cached in your device's encrypted local storage. This cache is cleared on logout.
You can revoke notification permission at any time from your device settings. Doing so stops all reminder notifications immediately, and your push token is removed from our servers when you next log out or open the app while signed out.
6. Account Security
- Passwords are cryptographically hashed (PBKDF2-SHA256) and never stored in plain text.
- Authentication uses one-time passwords (OTP) sent to your phone number, with a 5-minute expiry.
- Session tokens are stored securely on your device using platform-level encrypted storage.
7. Data Sharing
We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes.
The third-party services that process your data on our behalf are:
- Google Gemini API (Google LLC) — powers the AI agent's responses. Google does not use API inputs to train their models.
- OpenRouter, used to access the DeepSeek model — powers selected AI agent capabilities. OpenRouter does not retain inputs for model training.
- ElevenLabs — provides the voice agent that places phone calls on your behalf when you ask the agent to make a call. Call audio and transcripts are processed by ElevenLabs to fulfil that request.
- Bright Data — performs web searches when you ask the agent a question that requires looking up information online. Your search queries are sent through this service.
- Amazon Web Services (AWS) — hosts our application servers and stores your uploaded documents on S3, as described in Section 4.
- Amazon SES (AWS) — delivers emails that your agent sends on your behalf, and any service emails we send to you.
- Expo push service (Expo, Inc.) — issues the anonymous push token described in Section 5 and relays reminder push payloads to Apple's APNs and Google's FCM. Expo does not retain the content of delivered notifications.
8. Data Deletion
You can permanently delete your account and all associated data at any time from within the app. Navigate to the Me tab and tap Delete Account. This action is irreversible and removes:
- Your profile and personal information
- All uploaded documents (permanently deleted from cloud storage)
- Group memberships and shared document access
- Chat history and conversation data
If you cannot access the app, email us at [email protected] with your registered phone number and we will process the deletion within 48 hours.
9. Data Retention
We retain your personal data only for as long as necessary to provide the service:
- Account data (name, phone number) — retained while your account is active. Deleted immediately when you delete your account.
- Chat messages — retained while your account is active to provide conversation history. Permanently deleted upon account deletion.
- Uploaded documents — stored until you manually delete them or delete your account. All files are permanently removed from cloud storage upon deletion.
- Server logs — retained for up to 30 days for debugging and security monitoring, then automatically purged.
After account deletion, all your data is permanently removed within 48 hours. We do not retain backups of deleted user data.
10. Children's Privacy (COPPA Compliance)
Magic Agent is not intended for children under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will promptly delete the information.
If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information immediately.
11. GDPR — European Users
If you are located in the European Economic Area (EEA), you have the following additional rights under the General Data Protection Regulation (GDPR):
- Legal basis for processing — we process your data based on your explicit consent (provided during account creation) and as necessary to perform the service you requested.
- Right of access — you can view all your data within the app at any time.
- Right to rectification — you can update your data (except name, phone number, and email) by talking to the AI agent.
- Right to erasure — you can delete your account and all associated data at any time.
- Right to data portability — contact us to request a machine-readable copy of your data.
- Right to withdraw consent — you can stop using the app and delete your account at any time.
- Right to lodge a complaint — you have the right to file a complaint with your local data protection authority.
Data controller: Prasanna Munot, reachable at [email protected].
International transfers: Your data is stored on servers in India (AWS ap-south-1). If you access the service from the EEA, your data is transferred to India. We protect this transfer through encryption and our security measures described above.
12. Your Rights
- Access — you can view all your data within the app at any time.
- Deletion — you can delete your account and all data from the Me tab.
- Withdraw consent — you can stop using the app at any time.
- Export — contact us to request a copy of your data.
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes by displaying a notice within the app. Your continued use of the app after changes are posted constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions or concerns about this privacy policy, please contact us at:
[email protected]