// privacy notice

Privacy Notice

Last updated: April 1, 2026

Placeholder document. Final terms will be drafted with counsel before public launch. This notice is an illustrative template describing how we intend the Service to operate.

// 01 · overview

Overview

Magistry B.V. (“Magistry,” “we,” or “us”) takes the protection of personal data seriously. This Privacy Notice describes the personal data we collect, how we use it, with whom we share it, the rights you have in relation to your personal data, and how to contact us about privacy matters.

This notice covers the marketing site at magistry.io, the Magistry application at https://app.magistry.io, and any related software, APIs, and documentation (collectively, the “Service”). Where Magistry processes personal data on behalf of a Customer using the Service, Magistry acts as a processor and the Customer remains the controller. The terms of that processing are described in the Data Processing Addendum.

// 02 · information we collect

Information we collect

Account data. When you sign up we collect a work email address, name, role, the company you represent, and the password or single-sign-on token you authenticate with.

Connected-service tokens. When you authorise the Service to read from or write to a third-party platform, we receive OAuth tokens or API credentials needed to perform those actions on your behalf. We store these in a Vault-encrypted secrets table and limit decryption to the runtime agents that need them for a specific job.

Customer Data flowing through the Service. Catalog records, performance metrics, advertising spend, inbox messages, and customer records may be ingested from your Connected Services to support agent decisions. Magistry processes this data as a processor and only for purposes you instruct.

Usage and device data. When you use the Service we collect log data describing pages visited, features used, timestamps, IP address, browser type, operating system, and a hashed session identifier to help us secure your account.

Communications. When you contact us via support@magistry.io, sales@magistry.io, or any in-product messaging, we keep a record of the messages, contact details, and any attachments.

Billing data. When you pay for the Service, our payment processor collects card details or bank information. We receive only billing metadata (issuer country, last four digits, expiry) — full card details are not stored on Magistry infrastructure.

// 03 · how we use information

How we use information

  • To provide and operate the Service, including running the autonomous agents you have authorised.
  • To authenticate users and detect, prevent, and investigate fraud, abuse, or security events affecting the Service.
  • To bill you for the Service, including issuing invoices and recovering past-due amounts.
  • To improve the Service, including analysing aggregated usage patterns and debugging errors via Sentry.
  • To send transactional and service-related communications such as receipts, security alerts, and notices required by these terms.
  • To send marketing communications where we are permitted to do so, with a clear opt-out in every message.
  • To comply with legal obligations and to enforce our Terms of Service.

Magistry does not sell personal data. We do not train foundation models on Customer Data, and the LLM providers we use process Customer Data under zero-retention commitments.

// 05 · sharing + sub-processors

Sharing and sub-processors

We engage a limited number of sub-processors to deliver the Service. Each sub-processor is bound by a written agreement that imposes data-protection obligations no less protective than this Privacy Notice and the Data Processing Addendum. The current list of sub-processors is:

Provider | Purpose | Region
Vercel | Hosting of the marketing website and edge delivery. | EU (Frankfurt) with global edge
Railway | Compute for backend agents and scheduled workers. | EU-West
Supabase | Primary Postgres database, auth, and Vault-encrypted secrets. | EU-West (Ireland)
OpenAI | LLM inference for copy generation and classification. | United States (zero-retention API)
Anthropic | LLM inference for reasoning and tool-use chains. | United States (zero-retention API)
AWS | Object storage for exports, attachments, and backups. | EU-West (Ireland)
Stripe | Billing, invoicing, and payment processing. | EU (Ireland) and United States
Cloudflare | DNS, DDoS protection, and edge caching. | Global edge
Sentry | Error monitoring and crash reporting. | EU (Frankfurt)
Twilio | Transactional SMS for second-factor authentication. | EU (Ireland)

We may also share personal data with our professional advisers (lawyers, auditors, insurers), with parties to a merger, acquisition, or financing transaction subject to confidentiality, and where required by law or court order.

// 06 · retention

Data retention

We keep personal data only as long as needed for the purposes described in this notice, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Indicative retention periods are:

  • Account profile data — for the life of your Account plus thirty (30) days.
  • Connected-service tokens — for as long as the integration is authorised, then deleted on revocation.
  • Customer Data ingested into the Service — per the retention rules you configure in your workspace, with a default of twenty-four (24) months.
  • Decision-log entries — retained for the life of the workspace and then thirty (30) days post-termination, as an immutable audit trail.
  • Billing records — for seven (7) years to comply with tax-and-accounting law.
  • Support correspondence — for two (2) years from the last interaction.
  • Web-analytics events — for fourteen (14) months, then aggregated.

// 07 · international transfers

International transfers and SCCs

Our primary data residency for Customer Data is the European Union (EU-West). Some of our sub-processors are based outside the European Economic Area, including providers of LLM inference and payment processing. Where personal data is transferred outside the EEA or the UK to a country without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (Module 2, controller-to-processor, or Module 3 where applicable) supplemented by additional technical and organisational measures such as encryption in transit and at rest, access controls, and contractual restrictions on government-access requests.

We have completed transfer-impact assessments for each non-EEA sub-processor and keep these records available for review under the Data Processing Addendum. A copy of the SCCs in force can be requested from privacy@magistry.io.

// 08 · your rights

Your rights

Where the GDPR or a similar regime applies, you have the following rights in relation to your personal data:

  • Access. Confirm whether we process personal data about you and obtain a copy of that data.
  • Rectification. Have inaccurate personal data corrected and incomplete data completed.
  • Erasure. Have personal data deleted where there is no longer a legal basis for processing it.
  • Restriction. Restrict processing in defined situations, for example while the accuracy of personal data is being verified.
  • Portability. Receive personal data you provided in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Objection. Object to processing based on legitimate interests, including direct marketing.
  • Withdraw consent. Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Complain. Lodge a complaint with a supervisory authority. The lead authority for Magistry is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Where Magistry processes personal data as a processor on behalf of a Customer, you should direct your request to that Customer, who is the controller. We will assist the Customer in responding within the timeframes required by law.

// 09 · cookies

Cookies and tracking

We use a small number of cookies to operate the Service and to understand how it is used. We use a privacy-respecting analytics provider for aggregate usage statistics and do not deploy advertising or cross-site tracking cookies on our marketing site.

Full details of the cookies we set, how long they last, and how to manage your preferences are in our Cookie Notice.

// 10 · security

Security

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorised access, use, disclosure, alteration, and destruction. Highlights include TLS-1.3 transport encryption, AES-256 encryption at rest for primary data stores, Vault-encrypted secrets, role-based access controls, mandatory two-factor authentication for staff, separation of production and development environments, and continuous logging via Sentry.

SOC 2 Type II certification is in progress. The Type II report will be published in the Trust Center on completion. No information system is perfectly secure; we encourage you to report any suspected vulnerability to security@magistry.io.

// 11 · children

Children's privacy

The Service is intended for use by businesses and is not directed to children. We do not knowingly collect personal data from children under the age of sixteen (16). If you believe a child has provided us with personal data, please contact privacy@magistry.io and we will take appropriate steps to delete it.

// 12 · changes

Changes to this notice

We may update this Privacy Notice from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this notice and, where appropriate, notify you by email or via an in-product banner. Continued use of the Service after the effective date of an updated notice constitutes acceptance of the updated notice.

// 13 · contact

Contact and EU DPO

For questions about this Privacy Notice or to exercise your rights, write to privacy@magistry.io.

Magistry has appointed an external Data Protection Officer to oversee privacy compliance and act as the point of contact for supervisory authorities. The EU DPO can be reached at dpo@magistry.io or by post at the registered office below.

Magistry B.V. · Registered office: Amsterdam, the Netherlands.

Questions? Talk to legal.

Email legal@magistry.io for clarifications.