DRAFT — NOT LEGAL ADVICE — counsel must review before go-live

Magic Sites Privacy Policy

Last updated: 2026-04-23 Jurisdiction / governing law: [STATE TBD BY COUNSEL] Data controller: Magic Life LLC (“AMS”)

Counsel TODO:

• Confirm controller vs processor roles for each data flow (we are processor for Customer Content; controller for account/billing/telemetry).
• Confirm EU/UK representative appointment under GDPR Art. 27 (and UK GDPR) — required if we offer the Service to EU/UK residents without an EU establishment.
• Confirm AU Privacy Act APP 5/APP 8 notice language for cross-border disclosures and whether we meet the small-business exemption threshold (assume no, draft to full APP compliance).
• Confirm cookie banner / consent mechanism (GDPR + ePrivacy; CCPA “Do Not Sell or Share” link).
• Confirm retention schedule (30-day grace drafted; counsel should validate against accounting/tax retention obligations — likely 7 years for invoices).
• Confirm “sensitive personal information” (CPRA) — we should not collect any by default.
• Confirm children’s privacy — COPPA (<13 US), plus GDPR Art. 8 (varies 13–16 by Member State), plus AU Privacy Act capacity considerations.

1. Introduction

This Privacy Policy explains how Magic Life LLC (“AMS”, “we”) collects, uses, and shares personal information when you use Magic Sites (the “Service”). It applies to visitors, account holders, and end users of sites hosted on the Service, subject to the roles described below.

2. Our role

• Controller: for account data, billing data, and product telemetry we collect from you as a Magic Sites customer.
• Processor: for Customer Content and end-user data that our customers process through sites built on Magic Sites. The customer is the controller of that data; our processing is governed by the DPA (dpa.md).

3. Information we collect

Account data: name, email, organization, role, hashed authentication credentials (via WorkOS), locale. Billing data: billing address, tax ID where applicable, and payment-method metadata (PAN stored by Stripe; we store only card brand and last four). Site content: pages, media, configuration, and plugin data you create on your Magic Sites tenant. Stored in Cloudflare (R2, D1, KV, Workers). Usage analytics: product events, page views, feature interactions, and performance telemetry via PostHog. IP address is truncated where feasible. Communications: support messages and email you send to support@ or legal@. Transactional email metadata: delivery, bounce, and complaint events via Resend. Device/log data: IP, user agent, timestamps, request paths, and error traces.

4. How we use information

• Provide, operate, and improve the Service.
• Authenticate users and prevent abuse (via WorkOS and internal controls).
• Process payments and billing (via Stripe).
• Send transactional email and service notices (via Resend).
• Analyze usage and improve UX (via PostHog).
• Respond to support requests.
• Comply with legal obligations.
• Establish, exercise, or defend legal claims.

GDPR legal bases: contract performance (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)) for security, fraud prevention, and analytics, consent (Art. 6(1)(a)) for optional cookies and marketing, and legal obligation (Art. 6(1)(c)) for tax/accounting.

5. How we share information

We share personal information only with the sub-processors listed in sub-processors.md and with:

• Professional advisors (counsel, accountants) under confidentiality.
• Authorities when legally required or to protect rights, safety, or the Service.
• A successor in a merger, acquisition, or asset sale, subject to equivalent privacy protections.

We do not sell personal information. We do not “share” personal information for cross-context behavioral advertising as defined by the CPRA.

6. International transfers

The Service is operated primarily from the United States. We rely on Standard Contractual Clauses (EU 2021/914), the UK International Data Transfer Addendum, and equivalent safeguards for transfers originating in the EU/EEA, UK, and Switzerland. For AU data subjects, transfers are governed by APP 8 and reasonable-steps assurances with each sub-processor.

7. Data subject rights

GDPR (EU/EEA/UK/Switzerland)

Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Right to lodge a complaint with a supervisory authority.

CCPA / CPRA (California)

Right to know, delete, correct, limit use of sensitive PI, and opt out of sale/sharing. We do not sell or share as defined by CPRA. Non-discrimination for exercising rights. Submit requests via privacy@auramediastudios.com.

AU Privacy Act / Australian Privacy Principles

Access and correction (APP 12–13), notification of collection (APP 5), use/disclosure limits (APP 6), cross-border safeguards (APP 8), and complaints to the OAIC.

To exercise any right, contact privacy@auramediastudios.com. We will verify your identity before fulfilling requests.

8. Retention

• Account data: for the life of the account plus 30 days (reactivation grace), then deleted or anonymized, subject to legal-hold and accounting-retention exceptions.
• Billing records: retained for the period required by tax and accounting law ([COUNSEL TO CONFIRM — likely 7 years]).
• Customer Content: per customer instruction; default 30 days after cancellation, then deleted.
• Logs and telemetry: 90 days by default; aggregated metrics may be retained longer.

9. Security

We use encryption in transit (TLS 1.2+) and at rest, least-privilege access, audit logging, SSO/MFA for internal systems, and regular reviews. No system is perfectly secure. Breach notifications follow the DPA timeline (72 hours to affected customers).

10. Children’s privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13 (or the applicable age under GDPR Art. 8 / local law). If you believe a child has provided us information, contact privacy@auramediastudios.com and we will delete it.

11. Cookies and similar technologies

We use strictly-necessary cookies for authentication and session integrity, and optional analytics cookies (PostHog) subject to your consent where required. You can manage preferences via our cookie banner or browser settings. Details: [LINK TO COOKIE NOTICE — TBD].

12. Changes

We will post updates here with a new “Last updated” date. Material changes will be announced by email or in-product notice.

13. Contact

• Privacy requests: privacy@auramediastudios.com
• Data Protection Officer / EU representative: [TBD BY COUNSEL]
• Mailing address: [ADDRESS TBD BY COUNSEL]