Privacy Policy

Effective Date: February 17, 2026
Last Updated: February 17, 2026
Contact: legal@magicassist.co

Introduction

MagicAssist is a personal AI assistant built on OpenClaw, designed to help individuals, teams, and businesses automate workflows, manage tasks, and streamline operations. This Privacy Policy explains how we collect, use, store, and protect your information.

We believe in transparency. We won't bury important information in dense legalese. If something in this policy is unclear, email us at legal@magicassist.co and we'll explain it in plain language.

Who We Are

MagicAssist is operated by [Your Legal Entity Name]. We provide AI automation services through three delivery models:

Self-hosted installations — you run MagicAssist on your own infrastructure ($149/year license)
Done-for-you setups — we configure and deploy on your infrastructure, then step back ($499 one-time)
Cloud service — coming soon; we host and manage everything for you

Data handling differs significantly between these models. We'll explain each.

Technology Partners

MagicAssist is built on OpenClaw, an open-source AI agent framework that powers core automation capabilities. We also rely on:

OpenClaw

The underlying platform for agent execution, tool use, scheduling, and workflow automation. MagicAssist is a layer built on top of OpenClaw — we're proud to build on open-source infrastructure.

Convex

Real-time database and backend infrastructure. Task data, project metadata, agent activity logs, and business data are stored in Convex for cloud deployments. See Convex's Privacy Policy.

Anthropic (Claude)

AI language model used for natural language processing and agent intelligence. Your prompts and inputs are sent to Anthropic for processing. See Anthropic's Privacy Policy. Anthropic does not train on your data under enterprise agreements.

Other AI Providers

Depending on your configuration, agents may also use models from OpenAI, Google (Gemini), and others as configured by your installation. Each provider has their own data handling terms you should review.

Stripe (Payments)

Payment processing is handled by Stripe. We never store full credit card numbers. Stripe is PCI-DSS compliant. See Stripe's Privacy Policy.

Vercel

Website hosting and edge functions. The magicassist.co website is hosted on Vercel.

What Data We Collect

Self-Hosted Installations

When you run MagicAssist on your own infrastructure, we do not collect your operational data. Your tasks, messages, files, AI conversations, and business information stay on your servers.

We collect only:

License validation data: Email address, license key, installation ID (to verify your active subscription)
Crash reports (optional, can be disabled): Anonymized error logs and stack traces
Analytics (optional, can be disabled): Anonymized feature usage and performance metrics

Done-for-You Setup

During setup, our team temporarily accesses your infrastructure to configure MagicAssist. We don't retain access after delivery. All data collected follows the self-hosted model above.

Cloud Service (When Available)

When we host MagicAssist for you, we collect:

Account data: Name, email, company name, billing information
Operational data: Tasks, projects, files, messages, AI conversations, calendar events, integration data — everything you put into MagicAssist
Usage data: Feature usage, session logs, performance metrics
Device data: IP address, browser type, operating system

Website Visitors (magicassist.co)

Analytics: Page views, referrers, session duration (privacy-respecting, no fingerprinting)
Forms: Email address and name if you submit a contact or waitlist form
Cookies: See the Cookies section below

How We Use Your Data

We use collected information to:

Provide the service: Run AI workflows, manage tasks, sync integrations, display your dashboard
Improve the product: Identify bugs, optimize performance, develop new features based on usage patterns
Communicate with you: Send product updates, respond to support requests, notify you of security issues
Process payments: Charge for subscriptions, issue invoices, handle refunds
Comply with legal obligations: Respond to lawful requests, prevent fraud, protect user safety

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties for their own marketing.

AI Processing

When you interact with MagicAssist, your inputs are sent to AI model providers (primarily Anthropic Claude) for processing. Key facts:

Prompts and responses are processed to generate AI outputs in real time
Under enterprise agreements, providers like Anthropic don't train models on your data
All data is transmitted over encrypted connections (TLS 1.3)
You should review each provider's privacy policy for complete details

Data Storage & Security

Self-Hosted

Your infrastructure, your control. Data stays on your servers. We're responsible for the security of license validation servers and your subscription data — nothing more.

Cloud Service

Storage location: United States (Convex infrastructure)
Encryption in transit: TLS 1.3 for all data transmission
Encryption at rest: AES-256 for all stored data
Access controls: Role-based access, multi-factor authentication for admin accounts
Backups: Daily automated backups retained for 30 days
Monitoring: 24/7 security monitoring and anomaly detection

Security Practices

Encrypted data transmission (HTTPS/TLS)
Secure authentication (OAuth 2.0, API keys, JWT tokens)
Employee access controls (least privilege principle)
Regular security audits and vulnerability assessments
Incident response plan for data breaches

No system is 100% secure. If you discover a vulnerability, report it to security@magicassist.co.

Data Retention

Self-Hosted

You control retention completely. Delete data anytime via the MagicAssist interface or by deleting your database.

Cloud Service

Active accounts: Data retained while your account is active
Canceled accounts: Data deleted 30 days after cancellation (unless you request earlier deletion)
Backup copies: Deleted 60 days after account cancellation
Legal holds: Data retained longer if required by law (tax records, litigation holds, regulatory requirements)

License & Billing Records

We retain billing and transaction records for 7 years as required by applicable tax and accounting regulations, regardless of account status.

Your Rights

Depending on your location, you have specific rights over your personal data. We honor these regardless of whether you're legally in a jurisdiction that mandates them — because it's the right thing to do.

GDPR (European Union & UK)

If you're in the EU or UK, you have the right to:

Access: Request a copy of your personal data in a portable format (JSON or CSV)
Rectification: Correct inaccurate or incomplete data
Erasure ("Right to Be Forgotten"): Request deletion of your data (subject to legal obligations)
Restriction: Ask us to limit how we process your data
Portability: Export your data to another service
Objection: Object to processing based on legitimate interests or direct marketing
Withdraw Consent: Withdraw consent where processing is based on consent
Automated Decision-Making: Not be subject to solely automated decisions that significantly affect you

You also have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France).

CCPA (California Residents)

If you're a California resident, you have the right to:

Know: What personal information we collect, use, disclose, and sell (we don't sell)
Delete: Request deletion of your personal information
Opt-Out: Opt out of sale of personal information (we don't sell data)
Non-Discrimination: Not be discriminated against for exercising your rights
Correct: Request correction of inaccurate personal information
Limit Use: Limit use and disclosure of sensitive personal information

How to Exercise Your Rights

Email legal@magicassist.co with your request. Include:

Your full name and email address associated with your account
The specific right you're exercising
Any relevant details to help us locate your data

We'll respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before processing the request.

Cookies & Tracking

Essential Cookies

Required for the service to function. You can't opt out of these without breaking functionality:

Authentication: Keep you logged in across sessions
Session management: Maintain your session state
Security: Prevent CSRF attacks and unauthorized requests

Analytics Cookies

Optional — you can opt out:

Usage analytics: Track feature usage to identify bugs and improve the product
Performance monitoring: Measure load times and optimize speed

What We Don't Use

We don't use third-party advertising cookies, cross-site tracking, or behavioral profiling. Our analytics are first-party or use privacy-respecting tools that don't track you across the web.

Managing Cookies

You can block or delete cookies in your browser settings. Note that blocking essential cookies may prevent login and core functionality from working.

Data Sharing

We do not sell your data. Full stop.

We share data only in these circumstances:

Service Providers

Third parties who help us operate MagicAssist:

Convex — database hosting (cloud deployments)
Anthropic — AI processing (all deployments using Claude)
Stripe — payment processing
Vercel — website hosting

These providers are contractually bound to protect your data and use it only for services on our behalf.

Legal Requirements

We may disclose data when required by law:

Court orders, subpoenas, or other valid legal process
To investigate fraud, security threats, or violations of our policies
To protect the rights, property, or safety of MagicAssist, our users, or the public

We'll attempt to notify you of legal requests unless prohibited by law or doing so would interfere with an investigation.

Business Transfers

If MagicAssist is acquired, merged, or sold, your data may be transferred to the new owner. We'll provide 30 days advance notice and the option to delete your account before the transfer.

International Data Transfers

MagicAssist operates globally. If you're outside the United States, your data may be transferred to and processed in the US (where Convex and Anthropic operate).

For EU/UK users:

We use Standard Contractual Clauses (SCCs) for transfers to non-EU countries
Our providers (Anthropic, Convex) maintain GDPR-compliant data transfer mechanisms
We conduct transfer impact assessments as required

Children's Privacy

MagicAssist is not intended for users under 13 years of age (or 16 in the EU). We don't knowingly collect personal information from children. If you believe a child has provided us data, contact legal@magicassist.co and we'll delete it promptly.

Changes to This Policy

We may update this policy as we add features or comply with new regulations. Changes will be posted at magicassist.co/privacy with a new effective date.

Minor changes: Updated with the new date on this page
Material changes: Email notification and/or in-app notification with 30 days advance notice

Continued use of MagicAssist after changes take effect means you accept the updated policy.

Contact & Data Protection

For privacy-related questions and requests:

General inquiries: legal@magicassist.co
Security issues: security@magicassist.co
Data protection (GDPR/DPO): dpo@magicassist.co

Response time: We aim to respond within 48 business hours.

[Your Legal Entity Name]
[Street Address]
[City, State, ZIP]
[Country]

Acknowledgments

MagicAssist is built on OpenClaw, an open-source AI agent framework. We're grateful to the OpenClaw team and community for building the foundation that powers our product.