Privacy Policy

Effective date: 22 May 2025

Magic Engine (“we”, “us”, or “our”) is an AI-powered SEO, social-media, advertising, and GEO execution platform operated by Magic Lab. This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data when you use our platform at https://magicengine.com.au.

1. Information We Collect

1.1 Account Information

When you sign up, we collect your name, email address, and password (stored as a salted hash). We also record your organisation name and any client workspaces you create.

1.2 Google Account Data (OAuth 2.0)

If you or your clients choose to connect a Google account, we request the following OAuth 2.0 scopes via Google’s secure authorisation flow:

  • email — to identify which Google account has been connected.
  • webmasters.readonly — read-only access to Google Search Console data (impressions, clicks, rankings) for websites you manage.

We store only the OAuth access token, refresh token, and the connected Google email address. We never read, store, or share the contents of your Gmail, Google Drive, Google Calendar, or any other Google product beyond the scopes listed above.

1.3 Website & Usage Data

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security monitoring and performance optimisation. This data is retained for 90 days and is not linked to individual user profiles.

1.4 Client Data You Upload

When you use Magic Engine on behalf of your clients, you may upload or input data such as website URLs, keywords, advertising performance figures, and content briefs. This data is processed to generate reports and recommendations and is not used for any other purpose.

2. How We Use Your Information

  • Service delivery — to generate SEO reports, keyword analysis, content recommendations, and advertising insights on your behalf.
  • Google Search Console data — used solely to display organic performance metrics within your Magic Engine dashboard. We do not sell, share, or use this data to train AI models.
  • Account management — to authenticate you, send essential service emails (password reset, usage alerts), and manage your subscription.
  • Security & fraud prevention — to detect and prevent unauthorised access to accounts.
  • Product improvement — aggregated, de-identified usage patterns help us improve platform features. Individual user data is never used for this purpose.

Magic Engine’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3. Data Sharing

We do not sell your personal data. We share data only in the following limited circumstances:

  • Service providers — we use Supabase (database), Render (hosting), and OpenAI / Anthropic (AI processing). These providers are contractually bound to process data only as directed by us.
  • Legal obligations — if required by law or court order, we may disclose information to appropriate authorities.
  • Business transfer — in the event of a merger or acquisition, data may transfer to the successor entity under equivalent privacy protections.

4. Data Retention

  • Account data — retained for the duration of your account plus 30 days after deletion to allow recovery.
  • Google OAuth tokens — retained while the connection is active. Tokens are deleted within 7 days of you revoking access or deleting your account.
  • Client workspace data — retained until you delete the workspace.
  • Server logs — retained for 90 days, then automatically purged.

5. Revoking Google Access

You can disconnect your Google account at any time in two ways:

  1. Within Magic Engine — navigate to the client workspace › Connectors › Google Search Console and click “Disconnect”.
  2. Via Google — visit myaccount.google.com/permissions, find “Magic Engine”, and click “Remove access”.

Upon disconnection, all stored tokens are deleted within 7 days.

6. Your Rights

Under the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your account and associated personal data.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or the New Zealand Privacy Commissioner at privacy.org.nz.

To exercise any of these rights, email us at raydeng@magicengine.com.au. We will respond within 30 days.

7. Security

We protect your data using industry-standard measures: TLS encryption in transit, AES-256 encryption at rest, HMAC-signed session tokens, and role-based access controls. OAuth tokens are stored encrypted and are never exposed to client-side code. Despite these measures, no system is perfectly secure; we encourage you to use a strong, unique password and to report any suspected security issues to raydeng@magicengine.com.au.

8. Cookies

We use a single session cookie to keep you signed in. We do not use advertising cookies, third-party tracking pixels, or fingerprinting technologies. You can disable cookies in your browser settings, but this will prevent you from staying signed in.

9. Children's Privacy

Magic Engine is intended for business use and is not directed at persons under the age of 18. We do not knowingly collect personal information from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or by a prominent banner on the platform at least 14 days before taking effect. Continued use of Magic Engine after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions, data access requests, or to report a concern, contact us at:

Magic Lab
98 Beatrice Terrace, Ascot, Brisbane, Queensland, Australia
Email: raydeng@magicengine.com.au