MagicApp Privacy Policy
Last updated: August 13, 2025
MagicApp (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the MagicApp mobile applications including all related software, services, and documentation (the “App”). It also explains your rights and choices regarding your information.
By using our App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the App. We encourage you to read this Policy carefully alongside our Terms and Conditions. If you have any questions, feel free to contact us at support@magicapp.co.
We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. If we make material changes, we will notify you (for example, via an in-app notice or email) before the changes take effect. We encourage you to review this Policy periodically. The “Last updated” date above indicates when this Policy was last revised. Your continued use of the App after updates become effective signifies your acceptance of the revised Policy.
Data Controller and Contact Information
APPLYFT LTD is the data controller (the organization responsible for determining how and why personal information is processed) for the App. You can reach us with any privacy-related inquiries at: Parnithos 9, Flat/Office A, Germasogeia, 4040, Limassol, Cyprus, support@magicapp.co
Information We Collect
We collect personal information (“Personal Information”) that you provide to us directly, that is generated through your use of the App, or that we obtain from third-party services integrated into the App. The types of Personal Information we collect include:
- Account and Contact Information: When you create an account, we collect information such as your email address, username or nickname, and avatar. If you contact us for support, we will collect your contact details (like email) and the content of your communications.
- User Content (Including Photos): We collect any content you upload or create within the App. This includes photos you upload for our AI Interior Design feature and any other images (photos), text, or media you submit or generate (collectively, “User Content”). For example, if you use the AI Interior Design tool to redesign a room, the original room photo you provide and the AI-generated redesigned images are considered User Content. Please only upload photos that you have the right to use and share. We also collect certain metadata about the images you process. Specifically, we may record the timestamp of when an image was generated or processed (for instance, to help you keep track of your design history). This metadata is stored alongside the generated images in our cloud storage.
- Device and Technical Information: We automatically collect information about the mobile device and software you use to access the App. This includes data such as your device model, operating system version, unique device identifiers (e.g. IDFA or Android Advertising ID), language and locale, time zone, and device country/region settings. We also collect information about your device’s network (e.g. IP address which may indicate general location) and app version. For example, we may record your device’s model and OS to ensure compatibility and optimize our app’s performance on your device.
- Usage Data: We collect information about how you interact with the App. This includes features you use, content you view or generate, pages or screens you navigate, and the dates/times of your activities. For example, we may log that you used the AI Interior Design feature and how many designs you generated, or track click-stream data within the App. We also collect diagnostic and crash data — such as crash logs, error messages, and stack traces — if the App crashes or malfunctions, in order to debug and improve the App’s stability.
- Analytics and Attribution Data: We use third-party analytics and attribution tools to collect data about how users discover and use the App. This means we collect information about the source of your App installation (e.g. which marketing campaign, advertisement, or deep link led you to install the App). For example, we use AppsFlyer to determine which advertisement or campaign brought you to MagicApp. This may involve collecting device identifiers and campaign tags that indicate whether you installed the App via a specific ad or link. We also receive aggregated metrics such as how many users opened the App from a particular campaign. This information helps us measure the effectiveness of our marketing and tailor the user experience based on acquisition source.
- Transactional Information: If you make any purchases or subscribe to premium features through the App, we will collect information about the subscription or purchase (such as the type of subscription and its duration, or purchase confirmation). Note: We do not collect or process your payment card details ourselves. Purchases in the iOS or Android apps are handled by Apple’s App Store or Google Play Store, respectively, and any sensitive payment information (like credit card numbers) is provided directly to those platforms. We receive only limited information needed to record your transaction, such as an anonymized transaction ID and the fact that payment was completed, as well as the product purchased.
- Cookies and Tracking Technologies: Although cookies (small text files stored on browsers) are not used in the mobile app context as they are on websites, we and our partners use analogous mobile tracking technologies to collect data. For example, we use mobile analytics SDKs and advertising identifiers (like Google Analytics for Firebase and device ad IDs) to recognize your device and understand usage over time. These technologies allow us to remember your preferences, keep you logged in, and gather usage statistics. We also use attribution tools (like AppsFlyer) that utilize device identifiers to track when an install or app launch is attributable to a marketing source. For users who visit our website or web-based content, we use cookies and similar technologies as described in our Privacy Policy on the respective website. You have choices to control tracking technologies, which we describe in Cookies and Tracking Technologies below.
Device Permissions: To provide certain features, the App may request access to your photos (for selecting or saving images) and your camera (to capture new photos). On iOS, the system will display a prompt tied to the relevant permission (e.g., Photo Library add-only, Camera). We use the system photo picker where available (iOS and Android) so you can select specific photos without giving full library access; on devices/versions where the system picker isn’t available, we use the minimum necessary OS mechanism and permissions. You can change these permissions anytime in your device settings. We access these resources only to deliver the features you request.
We limit our collection of Personal Information to what is necessary for the purposes described in this Policy (see How We Use Your Information). We do not knowingly collect sensitive personal information such as government ID numbers, biometric identifiers, or precise geolocation data. We also do not intentionally collect personal information from children under 13 (see Children’s Privacy). If you provide us with personal data of others, you must ensure you have the right to do so.
How We Use Your Information
We use the collected information for the following purposes, in accordance with applicable law. In each case, we process Personal Information only as needed for that purpose and rely on an appropriate legal basis (such as performing our contract with you, pursuing our legitimate interests, obtaining your consent, or complying with legal obligations). The specific ways we use your information include:
- Providing and Improving the Core App Services: We use your information to operate the App and provide its features and functionalities. This includes processing your data to generate content and deliver results as part of the App’s services. For example, to provide the AI Interior Design feature, we use the photos you upload to create redesigned room images using our AI tools. We send your photo to our integrated third-party AI service (as described in Data Sharing) and return the generated image to you. We also use your device and usage data to ensure the App functions correctly on your device (e.g. using device model information for compatibility) and to personalize and improve core features. Legal basis: This processing is generally necessary to perform our contract with you (our Terms and Conditions), i.e. to deliver the services you request. In some respects, we also rely on our legitimate interest in providing an effective, personalized, and innovative service (for example, improving features based on usage patterns), balanced against your rights.
- Account Creation and Management: We use the information you provide at sign-up (such as your email and nickname) to create and maintain your user account, authenticate you when you log in, and allow you to use the App. We may use your email to send account verification messages, and we associate any User Content you create with your account so that you can access it across sessions. Legal basis: Contract (to provide the account-based services you request).
- AI Feature (Image Processing): When you use this feature, we transmit your uploaded User Content to our third-party AI processing partner via a secure API in order to generate the result. We use your User Content strictly to fulfill your request and for no other purposes. The processing happens automatically: the User Content is analyzed by the AI model and transformed User Content is returned to us, which we then show to you and store in your account. We do not save the original User Content after the process completes, only the AI-generated result. Legal considerations: By using this feature and uploading User Content you are explicitly requesting and consenting to this processing of your personal data for the purpose of obtaining the AI-generated result. We rely on this context as the legal basis (contractual necessity to deliver the service you asked for, and/or consent) for handling your User Content. If the images contain personal data of others, you should ensure you have the right to share them. The AI service provider uses User Content for the purpose of providing this feature, and not to retain or use it beyond that scope.
- Analytics and Product Improvement: We analyze usage data, device information, and aggregated user behavior to understand how our App is used and to improve the user experience. This includes using analytics tools to determine which features are most popular, how users navigate the interface, where they encounter errors, etc. We may conduct A/B testing and experiments to evaluate and improve features. We also analyze the effectiveness of marketing campaigns by examining installation sources and user engagement. This helps us make informed decisions about product design and marketing strategies. Wherever possible, we use aggregated, de-identified, or statistical data for analytics to minimize impacts on your privacy. Legal basis: Legitimate interests – we have a legitimate interest in analyzing and improving our services, and we consider this also benefits our users (e.g. by enhancing functionality and fixing issues). In jurisdictions that require consent for certain analytics, we will obtain your consent when required.
- Personalizing User Experience: We may use the information we have about you to tailor and personalize aspects of the App to your interests or to optimize your experience. For instance, if we know you came to the App via a certain ad campaign offering content about living room designs, we might customize your onboarding or in-app suggestions to highlight similar interior design content. We might also use your past interactions (e.g. types of designs you have shown interest in) to recommend other features or content you might enjoy. Personalization helps make the App more relevant to you. Legal basis: Legitimate interests (to provide a more engaging service) or consent, as appropriate under applicable law.
- Advertising and Monetization: MagicApp may deliver advertisements to you within the App to support our services. We work with third-party advertising networks that serve these ads. We share certain device and usage data with these partners to enable ad delivery and targeting (see How We Share Your Information for details). We or our ad partners use data such as your device identifiers and in-app actions to determine what ads may be relevant to you. For instance, AdMob (Google) may use your device’s advertising ID and contextual information about your app usage to show you ads that are likely of interest. Depending on your location and settings, you may receive personalized ads (based on your interests or app activity) or only contextual ads. Legal basis: We rely on legitimate interests to provide an ad-supported service (we have an interest in earning revenue, and you have an interest in free or lower-cost services) or your consent where required by law (for example, on iOS we will ask for permission via App Tracking Transparency for tracking-based ads, and in the EU we ask consent for personalized ads). You can adjust your preferences by using in-app privacy settings (if available), device settings (such as “Limit Ad Tracking”), or as described in Your Privacy Rights and Choices.
- Performance Monitoring and Crash Remediation: We use device and crash data to monitor the technical performance of the App, diagnose bugs, and fix crashes or other issues. For example, if the App crashes on a particular device model, the crash report helps us identify and resolve the cause. We use tools like Firebase Crashlytics to receive crash reports which include details like error codes and stack traces. This information is used solely to maintain and improve the technical quality and reliability of our App. Legal basis: Contract (ensuring the service works as intended for you) and legitimate interests (improving service stability).
- Customer Support: If you contact us for support, we will use your information to assist you. All customer support communications are used only for assisting you and improving our support processes. Legal basis: Contract (we need to process your info to provide support you requested) or legitimate interests (improving user satisfaction).
- Newsletters and Marketing Communications: With your consent, we may use your email address to send you newsletters or promotional communications about MagicApp, such as product updates, new features, or special offers. These communications are optional and you can opt-out at any time. We will only send you marketing emails if you have subscribed or agreed to receive them. Each email will include an unsubscribe mechanism. Legal basis: Consent. (If you do not consent, we will not send you marketing emails. Even if you do consent, you can withdraw your consent at any time as described in Your Privacy Rights and Choices.)
- Security and Fraud Prevention: We may process information as necessary to protect the rights, property, or safety of MagicApp, our users, and the public. This includes using data to detect, investigate, and prevent fraudulent transactions, spam, abuse, security incidents, and other harmful or illegal activities. For example, we might use device identifiers to ensure that free trial offers are not abused, or monitor usage patterns to detect bots or malicious behavior. We also may use your information to enforce our Terms and Conditions or other legal terms and to comply with applicable laws and regulations. Legal basis: Compliance with legal obligations (where we have a duty to prevent illegal activity or protect data) and legitimate interests (to keep our platform safe and secure).
We will not use your Personal Information for purposes that are incompatible with the above, unless we obtain your consent or have a legal obligation or right to do so. If we plan to use your data for a new purpose not described here, we will update this Privacy Policy and, if required, seek your consent. We do not engage in any automated decision-making that produces legal or similarly significant effects on you without human involvement – any profiling we do (e.g. recommending content) is solely to enhance your experience and has no substantial impact on your rights or freedoms.
Cookies and Tracking Technologies
In-App Tracking: Although cookies are typically text files used in web browsers, the mobile App itself does not use cookies. However, we and our service providers use similar tracking technologies within the App environment to collect information automatically. These include software development kits (SDKs) and device identifiers that function analogously to cookies. For example, we use Google’s Firebase Analytics SDK to collect usage analytics, which may automatically gather data like your device’s advertising ID and events within the app (page views, session duration, etc.). We also integrate the AppsFlyer SDK for attribution, which uses device and network identifiers to help us understand through which ad or campaign a user discovered our App. Advertising partners may use their own trackers or unique identifiers to show ads and measure their effectiveness. These technologies are essential to running our App, allowing features such as remembering your login session, delivering content faster, and personalizing your experience and ads.
Website Cookies: If you visit our website, cookies and similar technologies will be used as described in the website’s Privacy Policy.
Your Choices: You have controls over tracking technologies:
- On mobile devices, you can reset or limit the use of your mobile advertising IDs. For example, on iOS devices, you can select “Limit Ad Tracking,” and on Android devices, you can opt out of ads personalization or reset your advertising ID. Our advertising partners will receive and honor these system-level choices (so if you opt out, we will not serve you personalized ads). Also, if Apple’s App Tracking Transparency prompt is presented in the app, you can choose “Ask App Not to Track,” which we and our third-party partners will respect for the limited purposes it covers (e.g. linking data across different apps for advertising).
- Within the App, we may provide settings to disable certain analytics or personalized content features if feasible. If such options are available, you can find them in the App’s settings.
- If you are using a web browser, you can control cookies through your browser settings. Options are available in most browsers to block or delete cookies. (For example, you can typically find cookie settings under sections named "Privacy" or "Security".) You can also use browser extensions to manage trackers. Note that blocking all cookies might affect website functionality.
- To opt out of Google Analytics on websites, Google provides a browser add-on tool. For other analytics or ad partners, check their privacy policies for opt-out mechanisms (see How We Share Your Information for links to these third parties).
Please note that even if you opt out of personalized advertising, you may still see ads in our App – they will just be contextual or generic ads not based on your personal data. Also, our App must still use certain necessary tracking (like device identifiers for login security or basic analytics) to operate properly. We do not sell or share data obtained through cookies or trackers with third parties for their independent use, except as outlined in this Policy.
How We Share Your Information
We do not sell your Personal Information to third parties. We only share your information in the following circumstances and with appropriate safeguards:
- Service Providers and Partners: We share Personal Information with trusted third-party companies that provide services on our behalf or assist us in delivering MagicApp’s functionality. These providers are bound by contractual obligations to process Personal Information only under our instructions and to protect it. Key categories of service providers and partners include:
- Analytics and Attribution Providers: We use analytics platforms to understand app usage and performance. For example, we use Google Analytics for Firebase and Google Analytics to collect usage statistics (Google’s relevant privacy information is here) and AppsFlyer (Privacy Policy is here) for install attribution and analytics (AppsFlyer helps us measure which campaigns lead to installs and in-app events). These platforms receive device identifiers and event data from our App. They act as our processors/service providers and are not permitted to use your data for any purpose other than providing services to us. For more information, you can review their privacy policies.
- Advertising Networks and Partners: We work with third-party advertising networks to show ads in the App. The partners we use include, for example, Google AdMob/AdSense, Meta Audience Network (Facebook/Instagram’s advertising platform), and AppLovin. These ad partners collect device information and usage data (such as app interactions and ad impressions) to serve you ads and to perform ad targeting and analytics. For instance, Google may receive your device identifier and info that our app was used, in order to provide relevant ads in accordance with Google’s policies. Meta Platforms may receive similar data when ads are served from the Facebook network. AppLovin, which powers in-app ad auctions and delivery, will also process device and contextual data to provide ads. Importantly, we do not share any direct identifiers like your name or email with ad networks, only device-level or contextual information needed for ads. These partners may be considered “third-party” recipients or “processors” depending on the jurisdiction. We contractually require them to use any personal data from our users only for serving our App’s ads and not for their own unrelated purposes. You can learn more or find opt-out options in each of their privacy notices (e.g., see Google’s ad privacy guide, Meta’s Privacy Policy, AppLovin’s Privacy Policy).
- Cloud Storage and Infrastructure: We use third-party cloud infrastructure to host and store data. Notably, we use Google Firebase (a platform by Google Cloud) to store user data and media. For example, the images generated by the AI Interior Design feature are stored in Firebase Cloud Storage (part of Google Cloud). Storing data with Firebase means that Google acts as a data processor to hold data on our behalf. Firebase also provides various utilities like databases, authentication, etc., which may process personal data incidentally as part of providing their service. Google’s Firebase maintains industry-standard security and privacy certifications. Our contract with Firebase (Google) includes data protection terms ensuring your data is handled lawfully and securely. Aside from Google, if we use any other cloud providers or hosting services in the future, they would be under similar obligations. See Privacy and Security for Firebase for detailed information.
- Crash Reporting and Diagnostics: As mentioned, we use Firebase Crashlytics (by Google) for crash reporting. Crashlytics collects crash logs and device info when the App encounters an error, helping us debug issues. This information (which may include device identifiers and user IDs in crash stack traces) is transmitted to Google’s servers. Google, as our service provider, holds that data for a limited time (Crashlytics crash data is typically retained for 90 days) and provides it to us in a console for analysis. Crash data is not used by Google for any purpose other than providing the Crashlytics service to us.
- Third-Party AI Processing Services: To deliver AI-driven features, we integrate external AI tools that process user-provided content, such as Replicate, Inc., which is used for the AI Interior Design image generation feature. When you upload a room photo for redesign, we utilize Replicate’s AI platform via API to process the image and return a new design. Notably, according to Replicate’s documentation, any images or data sent to their API are deleted after processing, meaning they do not retain your photos long-term. We store the resulting output image ourselves (in Firebase as noted) but not the original photo. These AI tool providers act at our direction to perform the processing you request. We share with them only the data necessary (e.g., the image or prompt) and receive back the result. They may temporarily store data for processing but are not permitted to use it for other purposes. We ensure such transfers are protected (for example, images are sent securely, and we rely on contractual and technical measures to safeguard your data). Replicate’s privacy policy is available here.
- Other Vendors: We may share limited information with other service providers and vendors as needed for operations. In all cases, they will only get the minimum data necessary and will be bound to use it only for our specified purposes.
- Affiliates: If we have affiliate companies or subsidiaries (entities under common ownership or control), we may share your information with them for business and operational purposes. If our company structure changes (e.g., through reorganization), your information may be transferred to the new operating entity but will remain subject to the protections in this Policy (unless you’re notified otherwise and consent to any new policy).
- Legal Compliance and Protection: We may disclose your Personal Information when we believe in good faith that such disclosure is necessary to comply with a legal obligation or valid legal process. This includes responding to subpoenas, court orders, or lawful requests by government authorities (such as law enforcement) to produce information. We may also disclose your information to establish or exercise our legal rights, or to defend against legal claims. Additionally, we will disclose data if we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our Terms and Conditions or other agreements. For example, if required by law to report unlawful content uploaded by a user, we will share whatever information is legally necessary with the appropriate authorities.
- Business Transfers: In the event that we consider or undertake a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your Personal Information may be disclosed to prospective or actual successors or transferees as part of evaluating or executing the transaction. We will ensure that any such third party is bound to strict confidentiality and data protection obligations. If a new entity assumes ownership of our business or the App, your Personal Information would likely be one of the assets transferred, but it would remain subject to this Privacy Policy (unless you are notified of changes). We will notify you of any ownership change or data transfer as required by law.
- With Your Consent or At Your Direction: We will share your information with third parties outside of the above conditions only with your consent or at your explicit direction. Similarly, if we ever want to use your information in a manner not covered by this Policy, we would seek your consent. You are in control of whether we disclose your information in such ways.
In all cases of sharing, we strive to minimize the amount of Personal Information disclosed to what is necessary for the intended purpose. We also require recipients to safeguard your information and to not use it for purposes other than as we’ve agreed. Where required by law, we will ensure that third-party recipients are subject to data protection agreements (for example, standard contractual clauses for international data transfers – see International Data Transfers below).
Finally, we may share aggregated or de-identified data (information that cannot reasonably identify you) with third parties freely, as this does not constitute Personal Information. For example, we might share statistics like “X% of users use the AI Interior Design feature weekly” without any personal details.
International Data Transfers
Your information may be transferred to and processed in countries other than your own. This means that when we collect your Personal Information, it may be processed outside of your home country. For example, if you are located in the European Economic Area (EEA) or United Kingdom, your information will likely be transferred to countries outside the EEA/UK, such as the United States, because our third-party providers (Google, Replicate, AppsFlyer, etc.) and certain database storage are based there. Likewise, if you’re outside of the EU, your data might be transferred to the EU or U.S. for processing.
We take steps to ensure that international transfers of personal data are protected by appropriate safeguards as required by applicable law. When we transfer Personal Information out of the EEA, UK, or Switzerland to countries not deemed by those jurisdictions to provide an adequate level of data protection, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs). These are contractual commitments between companies transferring personal data, which bind the recipient to protect the data to EU privacy standards. We have SCCs or equivalent agreements in place with our U.S.-based service providers like Google and others, as needed. In some cases, we may rely on other measures, such as an adequacy decision (if the country has been officially deemed to have adequate protections), consent from the individual for the transfer (in limited situations), or other derogations permitted by GDPR (e.g. transfer necessary to perform a contract at your request).
For transfers from the EEA/UK to the U.S., note that Google (Firebase, Analytics) and certain other providers have certifications or commitments under frameworks like the EU-U.S. Data Privacy Framework, which was adopted in 2023. Google has self-certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Frameworks to facilitate lawful and secure data transfers. These frameworks and the SCCs aim to ensure that your data receives a similar level of protection as it would under European law.
If you reside in other regions with data transfer requirements (for example, Brazil or Canada), we similarly ensure that transfers of your data comply with those requirements. By using MagicApp, or by providing us with your information, you understand that your Personal Information may be transferred to our facilities and those third parties with whom we share it as described in this Policy, even if located in other countries. Regardless of where your data is processed, we will protect it in the manner described in this Privacy Policy. We maintain uniform data protection standards across all locations, meaning we afford your data the same level of security and privacy safeguards in every country.
However, different countries have different laws. When your data is in another jurisdiction, it may be accessed by the courts, law enforcement, and national security authorities in accordance with local laws. Specifically, Personal Information stored in the United States may be subject to lawful requests by U.S. authorities. We will, when required, provide or facilitate such access strictly in compliance with legal processes and this Privacy Policy.
If you have questions about our international data transfers or need more information about the specific transfer mechanisms in place, please contact us (see Contact Us below). We can provide additional details, such as copies of relevant contractual clauses, subject to confidentiality considerations.
Data Security and Retention
Security Measures: We implement a variety of technical and organizational measures to protect your personal information. These include industry-standard practices such as encryption of data in transit (SSL/TLS), encryption of sensitive data at rest, firewalls and network security controls, and regular security assessments. We limit access to personal data to authorized employees and contractors who need to know that information in order to process it, and who are subject to strict confidentiality obligations. We also maintain procedures to address suspected security incidents. While we strive to protect your data, no method of transmission over the internet or electronic storage is completely secure. Therefore, we cannot guarantee absolute security. However, we follow best practices and comply with applicable data security regulations to minimize risks. If a data breach ever occurs that compromises your personal information, we will notify you and the appropriate authorities as required by law (for example, we comply with GDPR breach notification rules and relevant U.S. state laws on data breach notification).
Data Retention: We retain Personal Information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. In general:
- Active Account Data: If you have an account with MagicApp, we will keep your Personal Information while your account is active. This allows us to provide the service to you continuously. All the data associated with your account (profile info, content, preferences, etc.) is maintained so that you can use the App over time.
- Account Deletion or Inactivity: If you choose to delete your account, or if you request that we delete specific Personal Information, we will promptly delete or anonymize the data in question (except as noted below for legal requirements or limited exceptions). If you stop using the App without formally deleting your account, we will not retain your Personal Information indefinitely. Our policy is to retain account data for no longer than 3 years from your last activity/login, after which we will take steps to delete or anonymize the data if the account appears inactive. We chose 3 years as a reasonable period in case you return to the App, but not so long as to retain data unnecessarily. We may attempt to notify you before deletion of an inactive account to give you an opportunity to keep it active. Legal basis for EU users: our legitimate interest in not storing data longer than needed, and compliance with data minimization principles.
- Subscription/Purchase Records: If you made purchases, we may retain transactional records (excluding payment details we never had) for a longer period as required for financial reporting and audits, or as required by applicable law (e.g., tax regulations might require keeping transaction logs for a number of years). These records would typically include minimal info like date of purchase, product, and price, but not your card number.
- Support Communications: Communications you have with us (support emails, chat logs) may be retained for a period of time after your inquiry is resolved, primarily for training and quality assurance purposes, or to establish a record in case of later disputes. We will typically retain support records for up to 2 years, unless a longer period is necessary (e.g. if the correspondence is relevant to an ongoing issue or legal matter).
- Backup and Archived Data: Please note that deletion from our live systems may not be immediately reflected in backups. We maintain backups of our databases for reliability and disaster recovery purposes. It is impractical to remove individual data from backups, but backups have retention limits and rotate out. Thus, even after you delete data, it may remain in secured backups for a certain time (commonly up to 90 days) until those backups are cycled out or destroyed. We will not restore deleted Personal Information back into active service except if needed for security or legal reasons (e.g., investigating fraud), and even then, only if justified.
- Legal Obligations and Disputes: Sometimes we may need to retain certain Personal Information for longer than our standard retention period due to legal reasons. For example, if we receive a legal hold or request from law enforcement, or if we are involved in a legal dispute with you or a third party, we will retain relevant information until that matter is resolved. We also might keep data if necessary to enforce our Terms or to comply with record-keeping laws. In all such cases, we will only retain what is necessary and for the duration required by the obligation.
- AI Feature Data: As noted, original photos you upload are not stored by us after processing. They are sent to the AI service and then discarded from our side once the result is obtained. The generated images that result from the AI processing are saved in your account. We treat those like other User Content you create – meaning they will remain accessible to you in the App until you delete them or delete your account. If you delete a generated image from within the App (assuming we provide that functionality), it will be removed from our storage. If you delete your account, all generated images associated with your account will be deleted as well (subject to the backup caveat above).
- Third-Party Data Retention: Personal Information that has been shared with third-party service providers will be retained by them only as long as necessary for their functions. We have provisions in our contracts to ensure they do not keep your data indefinitely. For example, Astria (AI provider) may retain the content you sent for up to 30 days in accordance with its terms, after which it should be deleted from Astria’s systems. Replicate (as mentioned) deletes API prediction data within hours. AppsFlyer and Analytics data: We configure our analytics retention settings to only keep raw analytics logs for a reasonable period (often 13 months for Google Analytics by default, unless we specify otherwise) and/or to receive only aggregated data. Crashlytics retains crash reports for 90 days then purges them. Advertising networks typically do not keep device logs longer than necessary to serve and reconcile ads. While we cannot enumerate the exact retention policy of every partner here, we ensure via agreements that they follow applicable laws and do not hold onto personal data longer than needed to provide the service to us.
After the applicable retention period has elapsed, or upon your valid deletion request, we will either securely delete or irreversibly anonymize your Personal Information. “Deletion” means removing the data from our active databases, and making reasonable efforts to also remove or scramble it in archival systems. “Anonymization” means transforming the data such that it can no longer be linked to you (for example, aggregating it or replacing identifying fields with random values). Once anonymized, the information is no longer associated with you and may be retained for analytical or statistical purposes indefinitely without further notice to you.
In summary, we keep your data only as long as we have a valid reason to keep it. When we no longer need it, we remove it from our systems. If you have any specific questions about our data retention practices (for example, if you want to know if we still have certain information about you), you can contact us for more information.
Your Privacy Rights and Choices
Depending on your jurisdiction and the applicable privacy laws, you have certain rights regarding your Personal Information. MagicApp is committed to honoring your rights and providing you with control over your data. The following outlines your rights and how you can exercise them:
Rights for Users in the European Economic Area (EEA), United Kingdom, and Equivalent Jurisdictions (GDPR Rights)
If you are located in the EEA, UK, or a country with similar laws, you have the following rights under the General Data Protection Regulation (GDPR) and applicable local legislation:
- Right of Access: You have the right to request a copy of the Personal Information we hold about you, as well as to obtain information about how we process it. This includes why we have your data, what categories of data we have, who we disclose it to, how long we keep it, and the safeguards for data transfers. Our commitment: Upon request and verification of your identity, we will provide you with a summary or copy of your personal data. For additional copies, we may charge a reasonable fee as permitted by law. If you make the request electronically (e.g., via email), and unless you request otherwise, we will provide the information in a commonly used electronic form.
- Right to Rectification: You have the right to ask us to correct or update any Personal Information that is inaccurate or incomplete. Our commitment: If you identify that we have incorrect information about you (for example, an outdated email or an incorrect profile detail), you can either correct it through your account settings (if applicable) or ask us to correct it. We will rectify inaccuracies promptly after verification. We may need to verify the new information you provide, but will then update our records accordingly.
- Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your Personal Information in certain circumstances. This right is not absolute, but applies, for example, if the data is no longer needed for the purposes it was collected, or if you withdraw consent and we have no other legal basis, or if we unlawfully processed your data. Our commitment: Upon your request, we will erase your Personal Information from our records and instruct any service providers to do the same, provided that (a) the data is no longer necessary, (b) you have withdrawn consent (where applicable), or (c) erasure is required to comply with legal obligations. We will confirm once deletion is completed. If we must retain certain data (e.g., for legal compliance), we will inform you of that and will isolate and protect that data from further use.
- Right to Restrict Processing: You have the right to ask us to restrict (pause) the processing of your Personal Information under certain conditions. For example, you can request restriction if you contest the accuracy of your data (until we verify or correct it), or if you object to our processing based on legitimate interests (while we consider your objection). You can also request restriction instead of deletion if you need us to keep the data (e.g., for a legal claim) even if we would otherwise delete it. Our commitment: When processing is restricted, we will continue to store your Personal Information but will not use or share it except for limited purposes such as with your consent, for legal claims, or to protect others’ rights. We will lift the restriction once the reason for the restriction is resolved (and inform you).
- Right to Data Portability: You have the right to receive certain Personal Information in a structured, commonly used, and machine-readable format, and to have that information transmitted to another controller, where technically feasible. This right applies to Personal Information you provided to us, that we process by automated means, and which we process based on your consent or to fulfill a contract (e.g., account data). Our commitment: Upon request, for qualifying data, we will provide you with a file of your data in a format like CSV or JSON, which you can then import to other services. If you request a direct transfer to another service and it’s technically feasible through some integration or API, we will attempt to do so.
- Right to Object: You have the right to object to our processing of your Personal Information when that processing is based on our legitimate interests (or those of a third party). You may also object separately to processing for direct marketing purposes. Our commitment: If you object to processing based on legitimate interest, we will evaluate your objection. We will stop processing your data for the contested purpose unless we can demonstrate compelling legitimate grounds that override your rights and interests, or the processing is necessary for legal claims. If your objection is to direct marketing, we will stop using your data for that purpose immediately (and this is an absolute right – no override test). For example, if you object to receiving personalized recommendations, we will cease profiling your data for that purpose.
- Right to Withdraw Consent: Where we rely on your consent to process Personal Information (for instance, for sending marketing emails or for using certain cookies/trackers), you have the right to withdraw that consent at any time. Our commitment: If you withdraw consent, we will stop the processing that was based on consent. For example, if you withdraw consent for our newsletter, we will stop sending you emails. Withdrawing consent does not affect the lawfulness of processing we conducted prior to withdrawal, and if we have another legal basis for the processing (e.g., we still need your data to perform a contract with you), we may proceed on that basis. But generally, if consent was the only basis, we will cease processing. We make it as easy to withdraw consent as it was to give it – for instance, by providing unsubscribe links and in-app settings.
- Right to Lodge a Complaint: If you believe that we have infringed your data protection rights or processed your information unlawfully, you have the right to file a complaint with a supervisory authority (data protection regulator) in the EU/EEA or with the UK Information Commissioner’s Office (ICO) in the UK. You can do this in the EU country where you live, where you work, or where the alleged infringement occurred. Our request: We kindly ask that you consider raising any issue with us first, so we can try to resolve it directly. But you are free to go to a regulator at any time. We will cooperate fully with any official inquiries and follow the guidance of regulators.
To exercise any of the above rights, please contact us (see Contact Us at the end of this Policy). For security and identity verification, we may ask you to provide certain information or follow a verification procedure (especially for sensitive requests like access or deletion) to confirm that you are the account holder or data subject in question. This is to ensure we do not provide or delete data improperly at someone else’s request.
Response Time: We will respond to your valid GDPR-related requests without undue delay, and at the latest within one month of receiving the request. If your request is complex or if we have received many requests, we are allowed to extend this period by an additional two months. If we need such an extension, we will notify you within the first month and explain the reason for the delay. Rest assured, we take your rights seriously and will work to address your concerns as quickly as possible.
Some restrictions apply to these rights. For example, if fulfilling your request would adversely affect the rights and freedoms of others (such as privacy or intellectual property rights of others), we may not be able to fully comply. Also, certain data may be exempt from access, correction, or deletion requests under local law (e.g., if it was processed solely for journalistic or research purposes, or if retention is required by law). We will inform you if we cannot fulfill a request due to an exemption.
Rights for California Residents (CCPA/CPRA)
If you are a resident of California, you have specific privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These rights are designed to give California consumers greater visibility into and control over their personal information. The rights include:
- Right to Know: You have the right to request that we disclose the personal information we have collected about you in the 12-month period preceding your request. This includes the categories of personal information, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom we shared the information, and specific pieces of personal information we have collected. Essentially, you can ask for a report of “what personal data do you have about me and how have you used/shared it.” Our commitment: Upon receiving and verifying a verifiable consumer request from you, we will provide the required information covering the prior 12 months, free of charge (twice per 12-month period as allowed by law). We will typically provide this in an electronic format that is portable and, if feasible, in a readily usable format that you can transmit to another entity (this overlaps with the concept of data portability).
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions. For example, we may not delete information that we need to complete a transaction you requested, detect security incidents, comply with legal obligations, or for certain other internal uses that are lawful under CCPA. Our commitment: Upon receiving a verified deletion request, we will delete (and instruct our service providers to delete) your personal information from our records, unless an exception applies. If we deny your deletion request due to an exception, we will inform you of the basis for the denial. Note that if you have an account with us, deletion may be accomplished by closing your account, after which we will delete the associated info (except for retained data as allowed by law).
- Right to Correct: Under CPRA, you have the right to request correction of inaccurate personal information that we maintain about you. Our commitment: If you submit a verifiable request pointing out that some of your personal data is incorrect or outdated, we will use commercially reasonable efforts to correct the information, taking into account the nature of the personal information and the purposes of processing. In many cases, you can also make changes yourself via your account settings.
- Right to Opt-Out of Sale or Sharing of Personal Information: CCPA grants you the right to opt out of the “sale” of your personal information to third parties. The CPRA expanded this to include the right to opt out of “sharing” your personal information for cross-context behavioral advertising. Important: MagicApp does not sell personal information to third parties for money. We also do not share personal information for cross-context behavioral advertising in the sense of disclosing it to unaffiliated companies for their targeted advertising. The only “sharing” that occurs is with our service providers and partners as described in How We Share Your Information, and that is for our own App’s purposes, not for others to market to you. Our commitment: Because we do not sell personal info or share it for others’ advertising, we do not provide a “Do Not Sell or Share My Personal Information” link (as it’s not applicable). If in the future our practices change, we will update this Policy and provide appropriate opt-out mechanisms. If you still wish to inquire or ensure no sale/sharing, you can contact us and we will confirm our practice.
- Right to Limit Use of Sensitive Personal Information: CPRA gives consumers the right to limit the use or disclosure of “sensitive personal information” if a business uses it for purposes other than those authorized. Sensitive data includes things like precise geolocation, race/ethnicity, health data, etc. Our stance: MagicApp does not collect or process sensitive personal information like Social Security numbers, driver’s license numbers, financial account info, precise geolocation, biometric identifiers, or racial/ethnic origin – at least not in a manner that is subject to the CPRA’s special provisions. Therefore, there is no sensitive personal data use that you would need to limit with us. We simply don’t use such data.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA/CPRA rights. This means we will not deny you services, charge you a different price, or provide a lower quality of service just because you exercised your privacy rights. Our commitment: MagicApp treats all users equally, regardless of choices made concerning personal information. If you opt out of certain processing (like personalized ads) or exercise your deletion rights, we will not retaliate or impose unjustified penalties. However, note that if a certain piece of data is necessary for providing a feature, deleting that data might result in that feature not working – but that is a logical consequence, not discrimination. For example, if you ask us to delete your account data, you will no longer be able to use the App because the service cannot function without an account – this is not discrimination, but a result of your request.
Exercising California Rights: If you are a California resident and want to exercise your Right to Know, Delete, or Correct, you (or your authorized agent) can submit a verifiable consumer request to us by contacting our support (see Contact Us). Please indicate that you are a California consumer making a CCPA/CPRA request, and specify which right you seek to exercise. We will need to verify your identity to a reasonable degree of certainty before fulfilling the request. This might involve matching information you provide in the request with information we have on file. For sensitive requests (like obtaining specific pieces of info or deletion), we may require additional verification such as a signed declaration under penalty of perjury that you are the consumer whose personal info is the subject of the request.
If you have an authorized agent (such as someone with power of attorney or a company you have formally authorized) submit a request on your behalf, we will require proof of the agent’s identity and authorization. For example, the agent should provide a signed permission from you or proof of legal authority, and we may still ask you to verify your identity directly with us or confirm that you provided the agent permission. This is to prevent fraud.
We aim to respond to California consumer requests within 45 days of receipt. If necessary, we can take an extension of another 45 days (for a total of 90 days), but if so we will inform you of the reason and extension in writing within the initial 45-day period. If we cannot comply with a request, we will explain the reasons (e.g., we could not verify your identity, or the data falls under an exemption).
For the Right to Know, our response will either provide the requested information or refer you to the sections of this Policy that contain that information (as permitted by CCPA). For requests for specific pieces of information, we will provide that data via a secure method. For deletion requests, we will confirm once the data is deleted (or, if an exception applies, we’ll let you know what was kept and why). For correction requests, we will confirm that the data has been corrected or explain why we cannot fulfill the request.
We do not charge a fee for processing your verifiable consumer requests, unless they are excessive, repetitive, or manifestly unfounded (in which case we may decline or charge as allowed by law, but we have no intention to do so under normal circumstances).
Additionally, California’s “Shine the Light” law (Civil Code §1798.83) allows residents to ask companies once a year what personal information they have shared with third parties for those third parties’ direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing without your consent. Therefore, we believe we are in compliance with this requirement. If you still wish to make a Shine the Light inquiry, you can contact us and we will respond as required.
Other US State Privacy Rights
Several other U.S. states (such as Virginia, Colorado, Connecticut, and Utah) have passed privacy laws that confer rights similar to, and in some cases extending beyond, the CCPA. If you are a resident of these states (effective from their respective dates), you may have the following rights (which largely overlap with what we’ve described above):
- Right to confirm whether we process your personal data and to access such personal data.
- Right to correct inaccuracies in your personal data.
- Right to delete personal data provided or obtained about you.
- Right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format (for data you provided).
- Right to opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
MagicApp’s practices are generally aligned with these rights. We do not sell personal data. We do use personal data for targeted advertising in our App, but we provide opt-outs (via device settings or in-app prompts) similar to those laws’ requirements. If you wish to exercise any of these state-specific rights, please contact us with your request, specifying your state of residence. We will verify and respond consistent with the applicable law’s requirements. Notably, Virginia and some other states allow an appeal if you are dissatisfied with our decision regarding your request – if that happens, we will inform you of how to appeal.
We treat privacy seriously for all users. Even if you are not in a jurisdiction with specific privacy laws, we strive to provide you with control over your data wherever feasible. For instance, any user can contact us to request deletion of their account or data, and we will honor it in line with our retention policy and legal obligations. We also allow anyone to unsubscribe from marketing and to control certain tracking.
Data Security and Breach Response
We take the security of your Personal Information very seriously. We have implemented a combination of administrative, technical, and physical safeguards designed to protect your data from unauthorized access, disclosure, loss, misuse, or alteration. These measures are in line with industry standards and are regularly reviewed and updated to address new threats.
Security Measures: Some of the key security practices we follow include:
- Encryption: We use encryption to protect data in transit and at rest. For example, our App uses HTTPS/TLS protocols for all communication, which means that data transmitted between your device and our servers (or our service providers) is encrypted. If we store sensitive personal data, we also encrypt it at rest on our servers or in the cloud database.
- Access Controls: We limit access to Personal Information strictly to personnel and service providers who have a need to know it for the purposes described in this Policy. We employ role-based access controls, ensuring that employees only access the data necessary for their role. All staff with such access are bound by confidentiality obligations.
- Authentication and Account Security: If our App uses authentication (email/password or other), we store passwords in hashed form (never in plaintext) and follow best practices for credential security. We encourage you to use a strong unique password and enable any additional security features we may offer (such as two-factor authentication, if available).
- Network and System Security: Our servers and databases are protected by firewalls, intrusion detection systems, and monitoring solutions to guard against external attacks. We keep our software and infrastructure updated with security patches. We also use anti-virus and anti-malware tools as appropriate. Regular security audits and penetration testing are conducted (either internally or with the help of external experts) to identify and address potential vulnerabilities.
- Employee Training: We train our team about the importance of data privacy and security. Employees are trained to handle Personal Information properly and are instructed to report any potential security issues immediately.
- Vendor Due Diligence: When we engage third-party service providers (as discussed in How We Share Your Information), we evaluate their security practices. Our major partners, such as Google Firebase and AppsFlyer, maintain robust security certifications (for example, Firebase is certified under ISO 27001, SOC 2, and others). We also ensure through contracts that they commit to appropriate security measures.
- Data Minimization: As a security principle, we try to minimize the personal data we collect and store. If we don’t have it, it can’t be stolen or misused. For instance, we do not store original photos after processing in the AI feature, and we avoid collecting highly sensitive data in the first place.
Despite all these measures, it’s important to note that no system is 100% secure. The transmission of information via the internet is not completely without risk; there is always a possibility of a security breach or some unauthorized access. We strive to protect your Personal Information, but we cannot guarantee its absolute security. You should also play a part in protecting your data by keeping your account credentials confidential and notifying us if you suspect any unauthorized use of your account.
Breach Response: In the unlikely event of a data breach that affects your Personal Information, we have a breach response plan in place. This plan includes:
- Investigating the incident promptly and identifying the scope of the breach and the users affected.
- Taking immediate steps to contain and remediate the breach (for example, shutting down intrusions, patching vulnerabilities, restoring integrity of systems).
- Notifying affected users and relevant authorities as required by law. If you are in a jurisdiction with breach notification laws (like the EU or many US states), we will comply with those obligations. For instance, GDPR mandates that we notify the supervisory authority within 72 hours of becoming aware of a notifiable personal data breach, and also notify individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Likewise, many jurisdictions require notifying individuals if certain sensitive info is compromised.
- Our notification to you (if required) would include the nature of the breach, what data was involved (generally), steps we have taken to secure it, and any steps we recommend you take to protect yourself (such as changing passwords if credentials were leaked, watching out for fraud if certain info was exposed, etc.). We may notify you via email, in-app notification, or other direct communication.
- We will also engage, as needed, law enforcement and cybersecurity experts to assist in the investigation and response.
- After containment, we will perform a post-mortem analysis to learn from the incident and further strengthen our security measures to prevent future breaches.
We also comply with any industry-specific or region-specific regulations concerning data security. For example, if MagicApp is subject to California’s requirements, we implement reasonable security measures appropriate to the nature of the information (California law requires businesses to use reasonable security for personal data). Similarly, we adhere to standards under Canada’s PIPEDA or Australia’s Notifiable Data Breaches scheme if applicable.
In summary, we employ strong safeguards to protect your data and have policies and procedures to deal with any security incident in an effective and transparent manner.
Children’s Privacy
MagicApp is not intended for children under the age of 13. We do not knowingly collect personal information from anyone under 13 years old. If you are under 13, please do not use the App or provide any information about yourself (such as your name, address, or email). If we discover that we have inadvertently collected personal information from a child under 13 without proper consent, we will delete that information as quickly as possible.
For residents in the European Union or other countries with stricter age limits: our App is generally not intended for anyone under the age at which consent for data processing is required in your jurisdiction. In most EU countries, that age is 16 (unless a member state has set a lower age, which can be no lower than 13). We do not knowingly collect data from children under 16 in the EU without parental consent. For example, if we become aware that a 14-year-old from an EU country has signed up without a parent’s consent, we will take steps to remove their data.
If you are a parent or legal guardian and you believe that your child under the applicable age has provided us with personal information, please contact us immediately. We will take steps to verify your identity as the parent/guardian and then will help you to exercise any rights on behalf of your child. This may include deleting the child’s personal information from our records (unless an exemption applies) and terminating the child’s account.
Changes to This Policy
We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make changes, we will post the updated Policy on this page with a new “Last updated” date. We encourage you to periodically review this Privacy Policy to stay informed about our data practices and any updates. It’s important that you understand how your information is handled.
If you continue to use MagicApp after a revised Privacy Policy has been posted and has become effective, that means you accept the revisions. Of course, if you do not agree with any changes, you should stop using the App and may request that we delete your data.
In summary: your use of the App following the posting of an updated Privacy Policy constitutes your acceptance of those changes, to the extent permitted by law. If required by law (for example, if any change requires fresh consent), we will obtain your consent.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your Personal Information, please feel free to reach out to us:
Applyft Ltd
Parnithos 9, Flat/Office A
Germasogeia, 4040, Limassol, Cyprus
Email: support@magicapp.co
We will do our best to respond promptly to your inquiry. For privacy-specific requests (exercise of rights, etc.), it may be helpful to put “Privacy Request” in the subject line of your email and indicate the nature of your request (e.g., “Access Request” or “CCPA Deletion Request”).
If you prefer to contact us by mail, please address your correspondence to the mailing address above. Keep in mind that postal communications may take longer than email.
Thank you for reading our Privacy Policy. We value your trust and are dedicated to protecting your personal information while providing a useful and enjoyable app experience.