✦ NOW LIVE FOR FOUNDERS  ·  get mag working →
magig
  • How it works
  • What Mag does
  • Mag learns
  • How Mag thinks
  • Pricing
  • FAQ
  • Get started →
↘ how we handle your data

Privacy policy.

LAST UPDATED · May 19, 2026 (Google Ads handling section added)

Short version: your data is yours. We collect what we need to run your campaigns and send you a useful dispatch — nothing more — and we don’t train shared models on it or sell it. The long version is below. Questions: hi@magig.app.

01What we collect

We collect only what we need to deliver the service:

  • Account info — your name, email, password hash, billing details, and basic business context (company, role, what you sell).
  • Ad platform tokens — OAuth credentials you give us so Mag can act inside your Meta, Google, and other ad accounts. Stored encrypted; we never log raw tokens.
  • Campaign & performance data — the creative, audiences, budgets, and metrics returned by the platforms for the campaigns Mag runs.
  • Funnel data — Stripe and analytics signals you connect, used to optimise for paying customers rather than vanity metrics.
  • Customer lists you upload — used solely to build lookalike audiences inside your own ad accounts.
  • Support communications — emails and in-app messages you send us.
  • Usage / product analytics — pages visited, features used, errors hit, all tied to your account so we can debug and improve the product.

02What we don’t collect

  • We don’t buy data about you from third-party brokers.
  • We don’t track you across other websites.
  • We don’t collect special categories (health, biometric, etc.) — if you upload a customer list that contains any, please scrub it first.

03How we use your data

We use what we collect to operate the service: running and optimising your campaigns, sending the daily dispatch, supporting you, processing billing, and keeping the platform secure. We also use aggregated, anonymised patterns (e.g. “creative variants on saturated keywords tend to underperform”) to improve how Mag thinks — never tied back to an individual or business.

04What we don’t do

  • We don’t train shared AI models on your data. Your ad performance, creative, customer list, and brief stay yours and are only used to optimise your own campaigns.
  • We don’t sell your data. Not to advertisers, not to brokers, not to anyone.
  • We don’t share your data with other magig customers.

05Who we share data with (sub-processors)

To run the service, we share data with a small, vetted set of providers:

  • Ad platforms (Meta, Google, others as we add them) — to read your account state and execute campaign actions you authorise.
  • Stripe — to process payments and (if you connect it) to read funnel signals.
  • Anthropic — Mag uses large language models to generate creative and reason about your data. We send the minimum context needed for each task and don’t opt into training-data use.
  • Infrastructure providers (hosting, database, queue, email delivery) — to host the application and send transactional email.
  • Product analytics — privacy-respecting analytics for understanding usage, with PII scrubbed.

Each provider is bound by a data-processing agreement consistent with this policy.

06Google Ads data

When you connect a Google Ads account to magig, we use the Google Ads API to read and (with your explicit approval) modify campaigns in your account. This section spells out exactly what that means.

  • OAuth scope. We request only https://www.googleapis.com/auth/adwords. Nothing else.
  • What we read. Campaign metadata, ad groups, ads (with headlines, descriptions, and ad strength), keyword counts, and aggregated last-30-day performance metrics (impressions, clicks, conversions, cost, CTR, conversion rate). Only for campaigns you explicitly select for import — never bulk-scraped across your account.
  • What we write. Today: nothing. The current read-only flow only generates a written analysis. Once we ship write-back support, every mutation (pause, budget change, headline swap) requires an explicit per-change approval click in the magig dashboard. Nothing autonomous.
  • How we store tokens. Your OAuth refresh token is encrypted with AES-256-GCM before it touches our database. The encryption key lives in a managed-secrets store, not in source. Access tokens are decrypted in memory just before each API call and discarded after — never persisted to disk or written to logs.
  • How to revoke. Two ways, both immediate: disconnect from Settings → Connected ad accounts in the magig dashboard, or revoke at myaccount.google.com/permissions. On disconnect, we delete the encrypted tokens immediately.
  • What we don’t do. We don’t resell Google Ads data, we don’t aggregate it across customers, and we don’t use it to train any model. Your campaign data is visible only to you (and to the magig staff members triaging support tickets you file, with the same restrictions).
  • Sub-processor for analysis. When you import a campaign, we send the snapshot to Anthropic (our LLM provider) to generate the written analysis. Customer-identifying fields (your name, your email, your Google customer ID) are not sent — only the campaign data and your workspace ID for cost attribution. Anthropic’s API has zero data retention for paid customers.

magig’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

07Cookies

We use a small number of first-party cookies to keep you signed in and to remember your preferences. We use a privacy-respecting analytics tool that doesn’t set third-party tracking cookies. We don’t run advertising cookies on this site.

08Where your data lives

Data is stored on infrastructure operated by our hosting and database providers, primarily in the United States and the European Union. By using magig you consent to this storage and processing. We apply industry-standard security (encryption in transit and at rest, principle-of-least-privilege access, audit logging).

09How long we keep your data

  • While your account is active — for as long as you use magig, plus the time we need it for billing, audit, and legal reasons.
  • After cancellation — you can export your data for 30 days, then we delete it from production systems on a regular schedule. Anonymised, aggregated data may be retained longer for product analytics.
  • Tokens to ad platforms — deleted immediately when you disconnect a platform or cancel.

10Your rights

You can, at any time:

  • Access the personal data we hold about you.
  • Correct anything that’s wrong.
  • Export your data in a portable format.
  • Delete your account and the data associated with it.
  • Withdraw consent for any optional processing.
  • Object to processing, or request restriction, where you have grounds under applicable law (e.g. GDPR, CCPA).

Most of these you can do from your account settings. For anything you can’t, email hi@magig.app and we’ll handle it within 30 days.

11Children

magig is built for founders running businesses. We don’t knowingly collect data from anyone under 18 — if you believe we have, write to us and we’ll delete it.

12Security incidents

If we ever discover a breach that affects your data, we’ll notify you without undue delay — typically within 72 hours of confirmation — with what happened, what data was affected, and what we’re doing about it.

13Changes to this policy

We may update this policy as the product or the law evolves. We’ll post the new version here, update the “last updated” date, and email active users when a change is material.

14Contact

Anything privacy-related — questions, requests, complaints — goes to hi@magig.app. We read everything and we respond.

✦MAGIGmade by humans + Mag
hi@magig.appTermsPrivacy© 2026