Privacy Policy

Effective Date: 1 April 2025  ·  Last Updated: 22 April 2026

Magnis Technologies Private Limited ("Magnis App", "we", "us", or "our") is committed to protecting your privacy and handling your personal data responsibly, in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA") and other applicable Indian laws. This Privacy Policy explains what data we collect, how we use it, and your rights with respect to it.

1. Scope

This Policy applies to personal data collected by Magnis App when you visit our website, sign up for our Service, or use any Magnis App product. It does not apply to data processed by you about your own customers ("Customer Data") — you are the Data Fiduciary for that data and we process it only as your Data Processor under your instructions.

2. Data We Collect About You (Account Holders)

Category | Examples | Purpose
Identity | Name, phone number, OTP verification | Account creation, authentication
Organisation | Company name, workspace URL, vertical/industry | Workspace provisioning, product configuration
Billing | Payment details (processed by our payment gateway), plan selection, invoice history | Subscription management, invoicing, fraud prevention
Usage & Log Data | IP address, browser type, pages visited, API calls, error logs | Security, debugging, service improvement
Communications | Support tickets, emails, chat messages with our team | Customer support, legal compliance
Device & Technical | Device type, OS, session tokens, cookies | Authentication, session management, analytics

2A. Mobile App — Data Collected on Device

When you use the Magnis App on iOS or Android, additional data may be collected from your device with your explicit permission. The app requests permissions only when the related feature is used. You may revoke any permission at any time from your device settings.

Permission / Data | Why we need it | Optional?
Camera | Capture photos for site visit reports, lead activity uploads, and document evidence. Photos are uploaded to your workspace storage; we do not access your camera in the background. | Optional
Photo library | Attach existing images from your device to leads, site visits or booking documents. | Optional
Microphone | Record voice notes on leads and inbox conversations. Recordings are uploaded to your workspace storage and never used for advertising or shared with third parties. | Optional
Approximate location | Tag site visits with a coarse location for audit purposes when fine GPS is unavailable. | Optional
Precise location (GPS) | Verify field-agent check-ins at site visits, geo-tag photos, and detect arrivals at scheduled property tours. Location is captured only at the moment of an explicit user action; we do not track your location continuously in the background. | Optional
Files and documents | Upload booking documents (PAN, Aadhaar, payment receipts, allotment letters etc.) to your workspace storage as part of the property booking workflow. | Optional
Push notifications | Receive task reminders, lead alerts, site-visit confirmations, dairy collection alerts, and variance notifications. We use your device's push token (FCM on Android, APNs on iOS) to deliver these messages. Tokens are stored encrypted and rotated when the app is reinstalled. | Optional
Biometric (Face ID / Fingerprint) | Quickly unlock the app after first login. Biometric matching happens entirely on your device — biometric templates never leave your phone and are never sent to our servers. | Optional
Device IDs / Diagnostics | Detect crashes and diagnose device-specific issues. Aggregated and anonymised; no personally identifiable data is shared with third parties. | Required
In-app messages (inbox content) | WhatsApp, email and SMS conversations between you (or your agents) and your customers, processed and stored as part of the shared inbox feature you have subscribed to. | Required (for inbox feature)

What we do not do: We do not collect data for advertising, do not share data with advertising networks, do not use third-party analytics SDKs that track you across apps, and do not access SMS messages, contacts, or calendar.

Encryption in transit: All data sent from the mobile app to our servers is encrypted using TLS 1.2 or higher.

Data deletion: You can request deletion of your account and all associated data at any time by emailing support@magnisai.com or by using the Erasure Request feature in Settings → Data & Privacy. We process erasure requests within 30 days as required under DPDPA.

3. How We Use Your Data

  • Service Delivery: To provision your workspace, manage your subscription, and operate the features you have subscribed to.
  • Authentication & Security: OTP-based login, session management, fraud detection, and account protection.
  • Billing & Payments: Processing payments, issuing invoices, managing renewals and cancellations.
  • Communications: Sending transactional messages (OTP, receipts, alerts), product updates, and — where you have opted in — marketing communications.
  • Product Improvement: Analysing aggregated, anonymised usage patterns to improve features and performance. We do not sell individual usage data.
  • Legal Compliance: Meeting obligations under applicable law, responding to lawful requests from government authorities.

4. Lawful Basis for Processing (DPDPA)

  • Consent: You provide consent at account registration for use of your personal data to provide the Service. You can withdraw consent at any time (subject to consequences for service delivery).
  • Contractual Necessity: Processing required to fulfil our contract with you (e.g., billing, provisioning).
  • Legitimate Interests: Security monitoring, fraud prevention, and product analytics — balanced against your rights.
  • Legal Obligation: Tax compliance, response to lawful government orders.

5. Data Storage & Security

  • Location: All personal data is stored in India (AWS ap-south-1 / Mumbai region). We do not transfer personal data outside India without your explicit consent except where required by law.
  • Encryption: Data at rest is encrypted using AES-256. Data in transit is protected by TLS 1.2 or higher.
  • Access Controls: Access to personal data by our employees is on a need-to-know basis, enforced via role-based access controls and audit logging.
  • Backups: Encrypted backups are retained for up to 60 days for disaster recovery purposes.
  • Penetration Testing: We conduct regular third-party security assessments. Critical vulnerabilities are patched within 7 days of discovery.

6. Data Sharing & Sub-Processors

We do not sell your personal data. We share data only with:

Sub-Processor | Purpose | Data Location
AWS / Supabase (PostgreSQL) | Database hosting | India (ap-south-1)
Cloudflare | CDN, Workers, KV, R2 file storage | India / nearest edge
Evolution API | OTP delivery (WhatsApp) | India
Resend | Transactional email delivery | US (email headers only)
Meta (WhatsApp Business API) | WABA messaging (if enabled) | Meta infrastructure
Sentry | Error monitoring (anonymised) | US (no PII in error logs)

All sub-processors are bound by contractual data protection obligations. We will notify you of any material changes to sub-processors.

7. Cookies & Tracking

  • Essential Cookies: Session tokens and authentication cookies required for the Service to function. Cannot be disabled.
  • Analytics: We use anonymised, aggregated analytics (via Cloudflare Analytics — no third-party tracking pixels, no cross-site tracking). No personally identifiable usage data is shared with advertising networks.
  • We do not use Google Analytics, Facebook Pixel, or similar advertising tracking technologies.

8. Retention

  • Account data is retained for the duration of your subscription plus 30 days after termination.
  • Billing records are retained for 7 years as required under Indian tax laws.
  • Audit logs are retained for 12 months.
  • Backup copies are retained for up to 60 days and then securely destroyed.
  • On verified deletion request, personal data is removed within 30 days except where retention is required by law.

9. Your Rights (DPDPA & General)

As a Data Principal under the DPDPA, you have the right to:

  • Access: Request a summary of personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (subject to legal retention obligations).
  • Withdraw Consent: Withdraw your consent for non-essential processing at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Grievance Redressal: Lodge a complaint with our Data Protection Officer or with the Data Protection Board of India.
  • Nomination: Nominate a person to exercise your rights in the event of death or incapacity.

To exercise any right, contact our Data Protection Officer at support@magnisai.com. We will respond within 30 days.

10. Data Breach Notification

In the event of a personal data breach affecting your rights, we will notify you within 72 hours of becoming aware (as required under DPDPA). Notification will include the nature of the breach, data categories affected, likely consequences, and steps taken to mitigate.

11. Children's Data

The Service is not directed at or intended for use by persons under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us immediately at support@magnisai.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and in-app notification at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance.

Contact & Data Protection Officer