Back to Home

Privacy Policy

Last updated: March 22, 2026

At Magnetly, operated by Cydonia Technologies Ltd, registered in England and Wales at Companies House ("we," "us," or "our"), we respect your privacy and are committed to protecting your personal data in accordance with the UK GDPR, the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

1. Data Controller & Processor Roles

Depending on your interaction with Magnetly, we act in different capacities:

  • Data Controller: We are the controller for information relating to your Creator account — including your login credentials, profile data, and billing information.
  • Data Processor: When you use Magnetly to capture leads from your audience, you (the Creator) are the Data Controller of that lead data. We act as your Data Processor and process that data only on your behalf and according to your instructions.

2. Information We Collect

We collect and process the following categories of personal data:

  • Identity & Contact: Name, professional email address, and profile images provided during registration or profile setup.
  • Financial Information: Payment method details processed exclusively via Stripe. We do not store credit card numbers or full payment credentials.
  • Technical Data: IP addresses, browser type, device information, and session tokens used to secure and operate the Platform.
  • Usage Data: Interactions with Platform features, including magnet views, AI tool usage, and store configuration activity.
  • Lead Data: Names and email addresses submitted by your audience through your lead magnets. Collected on your behalf as your Data Processor.
  • Booking Data: Availability preferences, booking confirmations, and session details for Creators using the booking feature (Scale Plan).
  • Google Calendar Data: Calendar event metadata (availability slots, booking events) accessed only with your explicit consent when you connect Google Calendar. See Section 7 for details.
  • Content Submitted for Moderation: Text, images, and files submitted to the Platform are processed by automated moderation systems. Personal data is anonymised before submission to third-party AI moderation services.

3. How We Use Your Data

We process your data on the following legal bases: performance of a contract, compliance with legal obligations, your explicit consent, and our legitimate business interests. Specific uses include:

  • Creating and managing your Creator account and authenticating your sessions securely.
  • Operating, maintaining, and improving the Platform and its features.
  • Processing subscription payments and detecting and preventing fraud.
  • Sending service-related notifications, technical alerts, and billing communications.
  • Delivering lead magnets and digital products to your audience on your behalf.
  • Managing bookings and calendar availability for Scale Plan users.
  • Moderating uploaded content to detect policy violations and protect the integrity of the Platform.

4. Cookies and Tracking

We use essential session cookies to maintain your login state and ensure the security of your account. We may use analytics cookies to understand aggregate usage patterns and improve the Platform. You can manage cookie preferences through your browser settings. Disabling essential cookies will impair Platform functionality and may prevent you from logging in.

5. Third-Party Sub-Processors

We work with trusted third-party service providers who may process your data on our behalf. These sub-processors are bound by data protection agreements:

  • Google Cloud & Firebase: Core data storage, authentication, and infrastructure. Data processed within Google Cloud's infrastructure in accordance with their DPA.
  • Amazon Web Services (AWS): Secure file storage for digital lead magnets and platform assets, hosted in the Stockholm (eu-north-1) region.
  • Stripe: All payment processing and subscription billing. Stripe is independently PCI-DSS compliant.
  • OpenAI: Automated content moderation and AI-powered suggestions. Personal data is anonymised prior to submission. We do not submit identifiable personal data to OpenAI.
  • Resend: Transactional email delivery (booking confirmations, lead notifications, reminders). A signed Data Processing Agreement is in place. Data is processed in accordance with Resend's privacy and security policies.
  • Vercel: Platform hosting and serverless compute infrastructure.

6. Content Moderation & AI

To maintain a safe platform, content you submit (including text, images, and files) may be processed by automated AI moderation systems. Any personal data included in submitted content is anonymised before being sent to third-party moderation services. Moderation results are used solely to enforce our Acceptable Use Policy and are not used for advertising or profiling.

7. Google API Services & Calendar Data

Magnetly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We access your Google Calendar exclusively to:

  • Read your calendar events to determine your availability for bookings.
  • Create and manage booking events on your behalf when a Customer books a session.

We do not sell your Google user data to third parties, use it for advertising purposes, or share it with any party other than those required to operate the booking feature. You may disconnect your Google Calendar at any time from your account settings, which immediately revokes our access and initiates the deletion of any stored calendar tokens.

Data Protection Mechanisms for Google Calendar Data

We apply the following technical and organisational security measures to protect sensitive Google Calendar data:

  • Encryption in transit: All data exchanged between Magnetly and Google APIs is transmitted exclusively over HTTPS/TLS. No calendar data is ever transmitted over unencrypted connections.
  • Encryption at rest: Google OAuth tokens (access tokens and refresh tokens) are stored in Google Cloud Firestore, which encrypts all data at rest by default using AES-256.
  • Server-side only access: OAuth tokens are never exposed to the client side or stored in the browser. All Google API calls are made server-side only, and tokens are never included in API responses sent to end users.
  • Minimal scope: We request only the minimum Google Calendar scopes required to provide the booking feature (calendar.events). We do not request access to email, contacts, Drive, or any other Google services.
  • Access controls: Access to Google Calendar data is strictly restricted using authentication and role-based access controls. Only the authenticated Creator can access their calendar data via the Platform. Internal access by authorised personnel is limited, logged, and only permitted where necessary for security, maintenance, or legal compliance.
  • Token lifecycle management: OAuth tokens are immediately and permanently deleted from our systems when you disconnect your Google Calendar. Refresh tokens are rotated and revoked via the Google OAuth API upon disconnection.
  • Data minimisation: We read only the event metadata required to compute availability (start/end times and busy/free status). We do not read, store, or process event titles, descriptions, attendees, or other calendar event content.
  • Audit logging: Access to calendar integration functionality is logged for security monitoring and incident response purposes.
  • No human access to calendar content: Magnetly does not allow human access to Google Calendar data content. Calendar data is processed automatically by our systems and is not viewed or accessed by employees except where strictly necessary for security or legal compliance.
  • No advertising or profiling: We do not use Google user data for advertising, profiling, or training machine learning models. Google data is used solely to provide and improve the booking feature you have explicitly enabled.

8. Data Retention & Deletion

We retain your personal data only for as long as necessary to provide the service and comply with legal obligations. Specifically:

  • Account data is retained for the duration of your account and for up to 90 days after deletion to allow for recovery in case of accidental deletion, after which it is permanently erased.
  • Lead data you have collected is retained until you delete it or close your account.
  • Billing records are retained for up to 7 years to comply with financial and tax regulations.
  • Google Calendar tokens are deleted immediately upon disconnecting your Google Calendar.

9. Your Rights (GDPR / UK GDPR)

If you are located in the EEA or the United Kingdom, you have the following rights under applicable data protection law:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to Portability: Receive your data in a structured, machine-readable format and transfer it to another service.
  • Right to Restriction: Request that we limit the processing of your data in specific circumstances.
  • Right to Object: Object to processing based on our legitimate interests, including for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at hello@magnetly.store. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office — ico.org.uk).

10. International Data Transfers

While we prioritise storing data within Europe, some processing may occur in countries outside the EEA (for example, via Vercel's global infrastructure or Stripe's payment systems). In such cases, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or reliance on adequacy decisions, to ensure your data receives equivalent protection.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Platform. The date at the top of this page reflects when the policy was last revised.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Magnetly / Cydonia Technologies Ltd
Registered in England and Wales at Companies House
124 City Road, London, England, EC1V 2NX
Email: hello@magnetly.store