Legal

Privacy Policy

Last updated: 8 May 2026 · Magneety EU Ltd.

This Privacy Policy explains how Magneety collects, uses, and protects your personal data when you use the Magneety platform at app.magneety.com and magneety.com. It is written in plain English and structured for users, platform reviewers, and data protection regulators.

1. Who we are

Magneety is operated by Magneety EU Ltd, registered in Bulgaria (UIC 208453175, VAT BG208453175), with offices at 5 Ekzarh Yosif I Str., 2nd floor, Office 1, 9300 Dobrich, Bulgaria. We are the data controller for personal data processed in the Magneety platform. Contact: info@magneety.com.

2. What data we collect

Account data: name, email, password (hashed with bcrypt), organization name, role, last login time and IP.
Brand data: what you tell Magneety about your business (voice, audience, products) plus information we extract from your website when you use the auto-extract feature.
Connected account tokens: OAuth access and refresh tokens for Google Ads, Meta (Facebook + Instagram), LinkedIn, TikTok, X (Twitter), GA4, Klaviyo, and Shopify. Stored encrypted at rest using AES-256-GCM with keys held outside the database.
Marketing performance data: impressions, clicks, spend, conversions, ROAS, follower counts, post engagement, and similar metrics retrieved from your connected accounts to populate dashboards and reports.
Inbox content: messages, comments, and DMs from the social platforms you have connected, retrieved so you can read and reply from a unified inbox.
Content you create: scheduled posts, ad creatives, AI-generated assets (images, captions, carousels), brand kit files.
Billing data: handled by Stripe. We never see or store full card numbers; we receive only billing email, last 4 digits, brand, country, and subscription state.
Usage data: log-in events, feature usage analytics, error reports, audit log entries (for security and product improvement).
Cookies: a session cookie (login token) and an optional analytics cookie (only fires after consent). No third-party advertising cookies.

3. Why we process this data (lawful basis under GDPR)

To deliver the service you signed up for - contractual necessity, GDPR Art. 6(1)(b).
To bill you and meet legal/tax obligations - Art. 6(1)(c).
To secure the service and prevent abuse - legitimate interest, Art. 6(1)(f).
To send transactional emails related to your account (verification, password reset, billing receipts, trial reminders) - contractual necessity.
To send marketing emails or product updates - only with your consent, which you can withdraw any time in Settings → Notifications, Art. 6(1)(a).
To improve the product using anonymized usage analytics and aggregate, non-identifiable performance data - legitimate interest.

We do not sell your data to third parties. We do not use your advertising account data to train AI models or share it with other users.

4. Meta Platform Data (Facebook + Instagram)

When you connect your Facebook Page or Instagram Business account, Magneety receives an OAuth access token granting only the permissions you approved on Meta's consent screen. We use Meta data exclusively to:

Display your Pages and Instagram accounts so you can choose which to manage.
Pull engagement metrics (reactions, comments, shares, reach, impressions) for the dashboard.
Read and reply to DMs and comments via the unified inbox - only within Meta's standard 24-hour messaging window.
Schedule and publish posts, reels, and stories to your selected accounts.
Retrieve ad campaign metrics if you have also connected Meta Ads.

We do not use Meta data for any purpose outside the features you actively use, do not share it with advertising networks, and do not sell it. We do not transfer Meta data to other connected platforms.

You can revoke Magneety's access at any time from your Facebook account: Settings & privacy → Settings → Apps and websites → Magneety → Remove. Meta will then call our data deletion callback at app.magneety.com/api/connections/meta/data-deletion, which immediately deletes all Meta tokens, connected accounts, and synchronized Meta data tied to that user. You can also disconnect from inside Magneety at Settings → Connections → Meta → Disconnect.

5. Google API Services data (Limited Use disclosure)

Magneety's use and transfer of information received from Google APIs (including the adwords and Google Analytics scopes) adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We use Google user data only to provide and improve the user-facing features of Magneety (campaign reporting, campaign management, GA4 dashboards).
We do not sell, transfer, or use Google user data for advertising purposes outside of the Magneety platform.
We do not use Google user data to train generalized AI/ML models. Brand-specific AI features (voice, image generation) only use data within your own organization's scope.
Human access to Google user data is restricted to Magneety personnel for security investigations, legal compliance, or with your explicit consent.

6. TikTok data

Connected TikTok accounts share basic profile information and video-publishing access (user.info.basic, video.upload, video.list, video.publish) used solely to display the connected username, list your videos for reference in the dashboard, and publish videos you upload through Magneety's content calendar. TikTok data is never reused for other platforms or for advertising outside TikTok.

7. Shopify data

When you connect your Shopify store, Magneety receives an OAuth access token granting the scopes you approved on Shopify's consent screen (read_orders, read_products, read_customers, read_analytics). We use Shopify data exclusively to:

Sync your product catalog (title, handle, image, price range, inventory, body description) so AI-generated social posts and ad copy reference your real SKUs and prices instead of inventing them.
Sync order totals on a rolling 30-day window (order ID, timestamp, total_price, currency, line_items) to compute Return-On-Ad-Spend (ROAS) against your paid ad campaigns on Meta Ads, Google Ads, and LinkedIn Ads in the unified dashboard.
Surface store revenue context to the AI weekly summary so it can compare ad spend to actual sales in plain English.

We do not read or store individual customer names, email addresses, phone numbers, billing or shipping addresses. Our requested data classification is Shopify "Level 1" (protected customer data excluding name, address, phone, email). The read_customers scope is requested only to retrieve aggregated customer counts for the dashboard; no per-customer fields are persisted.

You can disconnect at any time from Settings → Integrations → Shopify → Disconnect. On disconnect Magneety automatically (a) revokes the access token at Shopify, (b) deletes every cached product row, and (c) parks any pending scheduled posts that depend on Shopify data. If you instead uninstall Magneety from your Shopify admin, the app/uninstalled webhook produces the same cleanup, and 48 hours later the shop/redact webhook completes a final hard-delete of all data we hold for the store (aggregated revenue history included).

Privacy compliance requests forwarded by Shopify (customers/data_request, customers/redact, shop/redact) are received at app.magneety.com/api/webhooks/shopify and processed as described above.

8. Sub-processors

We share data with the following processors strictly to deliver the service:

Railway (USA / EU regions, Standard Contractual Clauses) - application hosting + managed PostgreSQL database
Cloudflare R2 (EU region) - file storage for uploaded media and generated assets
Cloudflare Pages (EU region) - hosting for the marketing site
Stripe (Ireland, GDPR-compliant) - payments and subscription management
Resend (Ireland, GDPR-compliant) - transactional email delivery
Anthropic (USA, SCCs) - Claude AI for content generation, summaries, and reply suggestions; data is not used to train Anthropic's models per Anthropic's Commercial Terms
Replicate (USA, SCCs) - AI image and video generation
FAL.ai (USA, SCCs) - alternative AI image generation provider when enabled
Sentry (USA, SCCs) - error monitoring and performance tracing

Connected ad and marketing platforms (Meta, Google, LinkedIn, TikTok, X, Klaviyo, GA4, Shopify) act as independent data controllers for the data they hold; you remain bound by their respective privacy policies for that data. We will update this list and notify you of material changes to sub-processors at least 30 days in advance.

9. How we secure your data

HTTPS enforced everywhere; HSTS preload eligible.
Passwords hashed with bcrypt (work factor 12), never stored in plaintext.
OAuth tokens encrypted at rest with AES-256-GCM. Keys are managed outside the database.
JWT-based session cookies with HttpOnly, Secure, SameSite=Lax flags.
HMAC-signed OAuth state parameters prevent CSRF and replay attacks.
Webhook signatures verified for Stripe, Meta, and TikTok callbacks.
Data isolation: every database query is scoped by organization ID; cross-tenant access is impossible by design.
Regular dependency updates and automated security scanning.
Audit log of sensitive actions (account connect/disconnect, role changes, exports) retained for security review.

In the event of a personal data breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, in line with GDPR Art. 33-34.

10. How long we keep data

We retain account and brand data while your subscription is active. After cancellation we keep the data for 30 days to allow you to reactivate without loss, then permanently delete. You can request immediate deletion at any time (see Section 11). Audit log entries are retained for 12 months for security purposes. Billing records are retained for 7 years to comply with EU tax law.

OAuth tokens: deleted within 24 hours of disconnecting a platform, or immediately upon account deletion.
Platform performance data (ad metrics, campaign data): deleted within 30 days of disconnecting the relevant platform, or upon account deletion.
Waitlist data: email addresses are deleted upon request or when the waitlist is no longer active.

11. International transfers

Some sub-processors are based in the USA or other countries outside the EU/EEA. Data transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission, plus additional safeguards where appropriate. A copy of the SCCs is available on request.

12. Your rights (GDPR + UK GDPR)

Access - request a complete export of your data via Settings → Profile → Download my data, or by emailing us.
Correction - edit your data in Settings, or email us.
Erasure - delete your workspace via Settings → Profile → Delete workspace, or email us. Deletion is permanent and includes all OAuth tokens, content, and metrics.
Portability - the export is machine-readable JSON.
Objection / restriction - email us.
Withdraw consent - for marketing emails, in Settings → Notifications. Withdrawal does not affect processing carried out before withdrawal.
Complaint - to your local data protection authority. In Bulgaria: Commission for Personal Data Protection (www.cpdp.bg).

We respond to verified rights requests within 30 days, free of charge unless excessive or repetitive.

13. California residents (CCPA / CPRA)

Magneety does not sell or share personal information for cross-context behavioral advertising. California residents have the rights to know, delete, correct, and limit the use of sensitive personal information, exercisable through the same channels as the GDPR rights above. We do not discriminate against you for exercising these rights.

14. Children's privacy

Magneety is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to Magneety, contact us and we will delete it promptly.

15. Automated decisions and AI

Magneety uses AI to generate suggested content (captions, headlines, image variations), summarize performance, and propose campaign settings. These outputs are recommendations only - no decision that produces legal or similarly significant effects on you is made solely by automated processing. A human (you) reviews and approves every published post and live ad campaign.

16. Cookies

We use a small number of cookies:

Session cookie (essential) - keeps you logged in; expires when you log out or after 7 days of inactivity. No consent required under ePrivacy.
CSRF token (essential) - protects forms from cross-site request forgery.
Cookie consent state - remembers whether you accepted the cookie banner.

We do not use third-party advertising cookies, tracking pixels, or fingerprinting on app.magneety.com.

17. Changes to this policy

Material changes will be announced via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

18. Contact

Questions, complaints, or rights requests: info@magneety.com. We respond within 24 hours on business days.

Magneety EU Ltd. · 5 Ekzarh Yosif I Str., 2nd floor, Office 1, 9300 Dobrich, Bulgaria