Privacy Policy

1. Introduction

MagicAuth ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our passwordless authentication service.

We operate as a data processor for developers (our customers) and handle end user data on their behalf.

2. Information We Collect

2.1 Developer Account Information

When you create a developer account, we collect:

• Email address: For account access and notifications
• Company name: Optional, for billing and invoicing
• Payment information: Processed by Stripe (for paid plans)
• OAuth data: If you sign in with Google (email, name, profile picture)
• API usage metrics: Request counts, endpoint usage, error rates

2.2 End User Authentication Data

When your end users authenticate via MagicAuth, we collect:

• Email addresses: To send magic links
• IP addresses: Hashed with SHA-256 for rate limiting (never stored plain)
• User agent: For security and fraud detection
• Timestamps: When magic links are sent and verified
• Click tracking: Whether magic link emails were opened/clicked

2.3 Automatically Collected Information

• Browser information: Browser type, version, language
• Device information: Operating system, screen resolution
• Usage data: Pages viewed, features used, time spent
• Cookies: Session cookies for dashboard access (see Section 5)

3. How We Use Your Information

3.1 For Developers

• Provide and maintain the authentication service
• Process API requests and deliver magic links
• Generate analytics and usage reports
• Send account notifications and security alerts
• Process payments (via Stripe)
• Provide customer support
• Detect and prevent fraud or abuse

3.2 For End Users

• Send magic link authentication emails
• Verify authentication tokens
• Rate limit requests to prevent abuse
• Detect suspicious login attempts

4. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

• Service providers: Mailgun/SendGrid (email delivery), Cloudflare (CDN), Supabase (database)
• Payment processors: Stripe (for paid plans)
• Analytics providers: Aggregated, anonymized usage statistics
• Law enforcement: When required by law or court order
• Business transfers: In the event of a merger, acquisition, or sale

5. Cookies and Tracking

5.1 Developer Dashboard Cookies

We use the following cookies:

• Session cookies: Keep you logged in (expires after 7 days)
• Preferences cookies: Remember your dashboard settings
• Analytics cookies: Understand how you use the dashboard (Google Analytics)

5.2 End User Cookies

Magic link emails: No cookies are used. End users who click magic links receive a token in the URL that is exchanged for a session on your application (not ours).

5.3 Ad Network Cookies (Free Tier Only)

If you're on the free tier, magic link emails include advertisements from:

• A-Ads: Anonymous Bitcoin ads (no tracking cookies)
• Coinzilla: Cryptocurrency ads (may use cookies for targeting)

6. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in transit: All data transmitted via HTTPS/TLS 1.3
• Encryption at rest: Database encryption with AES-256
• IP hashing: End user IPs hashed with SHA-256 (irreversible)
• Access controls: Role-based access to production systems
• Rate limiting: Prevents brute force attacks
• HMAC verification: All API requests cryptographically signed
• Token expiration: Magic links expire after 15 minutes
• Regular audits: Quarterly security audits and penetration testing

7. Data Retention

• Developer accounts: Retained until you delete your account
• Authentication logs (free tier): 90 days
• Authentication logs (paid): Custom retention (default 1 year)
• Deleted accounts: Purged within 30 days
• Email tracking data: 30 days
• Billing records: 7 years (tax compliance)

8. Your Rights (GDPR & CCPA)

You have the following rights regarding your personal data:

• Right to access: Request a copy of your personal data
• Right to rectification: Correct inaccurate data
• Right to erasure ("right to be forgotten"): Delete your data
• Right to data portability: Export your data in JSON format
• Right to object: Object to processing of your data
• Right to restrict processing: Limit how we use your data
• Right to withdraw consent: Opt out of marketing emails

To exercise these rights, email privacy@magicauth.app. We will respond within 30 days.

Note for developers: You are the data controller for your end users' data. We process it on your behalf. End users should contact you (not us) to exercise their rights.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your residence:

• Primary servers: United States (AWS us-east-1)
• CDN: Cloudflare global network (200+ data centers)
• Email delivery: Mailgun (United States) / SendGrid (United States)
• GDPR compliance: EU users' data stored in EU regions when possible

10. Children's Privacy

MagicAuth is not intended for children under 13. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately at privacy@magicauth.app.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be announced via:

• Email notification to developers
• Dashboard banner notification
• Updated "Last updated" date at the top of this page

Continued use of the Service after changes take effect constitutes acceptance of the new Privacy Policy.

12. Contact Us

For privacy-related questions or concerns:

• Privacy Officer: privacy@magicauth.app
• Data Protection Officer (EU): dpo@rewarders.app
• General Support: support@magicauth.app
• Website: https://magicauth.app

13. Third-Party Services

MagicAuth integrates with the following third-party services. Please review their privacy policies:

• Supabase: Privacy Policy
• Cloudflare: Privacy Policy
• Mailgun: Privacy Policy
• Stripe: Privacy Policy
• Google OAuth: Privacy Policy