Privacy Policy — Magical Image

1. Introduction

Magical Image ("we", "our", or "us") operates the Magical Image website and AI-powered visual content tools (collectively, the "Service"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, why we collect it, how we use it, and what rights you have in relation to it.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

2. Who We Are

Magical Image is an AI-powered visual content platform currently offering tools such as AI infographic generation and image card generation. We serve both registered users and unregistered guest users globally.

For purposes of applicable data protection laws, Magical Image is the "data controller" of the personal information described in this policy.

3. Information We Collect

3.1 Information You Provide Directly

Account Information: When you register, we collect your email address and, if using OAuth (Google / GitHub), your public profile name and avatar URL provided by those services.
Payment Information: When you purchase credit packs, our payment processors (Stripe, PayPal) collect your payment card details or PayPal account information. We do not store full card numbers on our servers — only transaction metadata such as order ID, amount, currency, and payment status.
Communications: If you contact us by email or support form, we retain the content of your message and your contact information to respond and track resolution.
AI Inputs and Generation Records: Prompts you submit, images you upload or reference, editing instructions, generated outputs, internal content identifiers, model routing, and necessary request records needed to handle compliance, complaints, payment disputes, or safety incidents.

3.2 Information We Collect Automatically

Usage Data: Pages visited, features used, timestamps, tool execution results (image dimensions, generation type), and error events.
Device & Browser Data: Browser type and version, operating system, screen resolution, language preferences, and time zone. This is used to ensure compatibility and improve the user experience.
IP Address: Used to determine approximate country/region for localization, enforce per-IP rate limits on free credits, and detect abuse.
Cookies and Similar Technologies: We use HttpOnly session cookies (guest_id) to maintain your anonymous guest session across page loads. These are essential cookies necessary for the Service to function and do not require consent. See Section 7 (Cookies) for details.
Browser Fingerprint: We use FingerprintJS (open-source) to compute a probabilistic browser identifier derived from your browser configuration — including browser type, rendering engine, installed fonts, Canvas and WebGL rendering output, audio context characteristics, screen properties, and time zone. This fingerprint:
- Does not involve tracking across third-party websites.
- Is used solely to prevent abuse of free credits — specifically to allow the same browser to reuse a single guest identity rather than creating unlimited new accounts via incognito mode or cookie deletion.
- Is not shared with advertising networks or data brokers.
- Is stored as a hashed identifier and is not linked to your real-world identity.
Our legal basis for this processing is our legitimate interest in preventing fraudulent consumption of computational resources (GDPR Art. 6(1)(f)).

3.3 Information from Third-Party Services

OAuth Providers (Google, GitHub): When you choose to sign in via OAuth, we receive your name, email address, and profile picture from the provider. We do not receive your password or other account data.
Payment Processors: Stripe, PayPal, and WeChat Pay may share transaction details, billing addresses, and fraud signals with us as part of payment processing.
AI and Image Processing Providers: We may send your inputs, reference images, and generation requests to AI model or image processing providers to provide generation, editing, and file processing capabilities.

4. How We Use Your Information

Service Delivery: To generate visual content, deduct credits, maintain your account balance, and fulfill your orders.
Account Management: To create and manage your account, send authentication emails (magic link), and handle password/session management.
Guest Session Management: To maintain a consistent free-tier experience for unregistered users through session cookies and browser fingerprinting.
Billing & Payments: To process payments, issue receipts, handle refunds, and maintain financial records required by law.
Abuse Prevention: To enforce rate limits on free credits, identify automated abuse, and protect the integrity of our credit system.
Service Improvement: To analyze aggregate usage patterns, diagnose errors, and improve features. We do not use individual user data for AI model training without explicit consent.
Legal Compliance: To comply with applicable laws, respond to lawful government requests, and enforce our Terms of Service.
Customer Support: To respond to inquiries, resolve disputes, and troubleshoot issues.
Content Policy and Traceability: To handle reports, investigate abuse, and trace generated images through internal content identifiers.

5. Credit Migration

If you use our Service as a guest (unregistered) user and subsequently create an account or sign in, we will automatically migrate your guest credits, order history, and usage logs to your new account. During this migration, your guest record is marked as "merged" and your guest session cookie is deleted. The original guest access link will no longer provide access to the credits, as they have been transferred to your registered account.

6. How We Share Your Information

We do not sell your personal information. We may share it in the following limited circumstances:

Service Providers: We share information with trusted vendors who help us operate the Service, including:
- Supabase (database and authentication hosting)
- Vercel (application hosting and edge delivery)
- Stripe and PayPal (payment processing)
- Cloudflare (CDN and DDoS protection)
These vendors are contractually obligated to protect your information and may only use it to provide services on our behalf.
Legal Requirements: We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Magical Image, our users, or the public.
Business Transfers: If Magical Image is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.
With Your Consent: We may share your information for any other purpose with your explicit consent.

7. Cookies and Tracking Technologies

Essential Cookies

We use a single essential cookie: guest_id (HttpOnly, Secure, SameSite=Lax). This cookie stores your anonymous guest session identifier and is required for the Service to function. It expires after 90 days. This cookie cannot be disabled without preventing the Service from working for unauthenticated users.

Authentication Cookies

When you sign in, Supabase sets session cookies to maintain your authenticated state. These are essential for account access and expire when you sign out or after your session expires.

No Advertising Cookies

We do not use advertising cookies, third-party tracking pixels, or behavioral retargeting technologies. We do not participate in cross-site tracking.

Browser Fingerprinting (Anti-Abuse)

As described in Section 3.2, we compute a browser fingerprint for abuse prevention purposes only. This is not a cookie and cannot be deleted by clearing browser cookies. If you wish to opt out, please contact us and we will remove your fingerprint record from our database.

8. Data Retention

Guest records: Retained for 90 days of inactivity, then deleted or anonymized.
Merged guest records: Retained for 1 year for audit purposes, then deleted.
Account data: Retained for the lifetime of your account. Upon account deletion, personal data is deleted within 30 days, except where we are required to retain it by law (e.g., financial records retained for 7 years).
Usage logs: Retained for 12 months for abuse detection and debugging, then aggregated or deleted.
Payment records: Retained for 7 years as required by applicable financial regulations.
Generation request records: Necessary request records, internal content identifiers, and model request records linked to generated content are retained for as long as needed to handle compliance, complaints, disputes, regulatory requests, or safety incidents, with access limited to authorized personnel.

9. Data Security

We implement industry-standard security measures including:

TLS encryption for all data in transit
AES-256 encryption for data at rest (via Supabase)
Row-Level Security (RLS) policies ensuring users can only access their own data
HttpOnly, Secure, SameSite cookies to prevent XSS-based session theft
Separate service role keys for server-side operations, never exposed to the client
Regular security audits and dependency updates

No method of electronic storage or transmission is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.

10. International Data Transfers

Magical Image is operated from servers located in the United States and/or European Union (depending on your region). If you access our Service from outside these regions, your information may be transferred to and processed in a country with different data protection laws.

For transfers from the European Economic Area (EEA) or United Kingdom to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transfer. Our infrastructure providers (Supabase, Vercel) maintain appropriate transfer mechanisms.

11. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

For All Users

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information (subject to legal retention requirements).
Portability: Request your data in a machine-readable format.
Opt-out of fingerprinting: Request removal of your browser fingerprint from our database.

For EEA / UK Residents (GDPR)

Right to Restriction: Request we restrict processing of your data in certain circumstances.
Right to Object: Object to processing based on legitimate interests (including fingerprinting for abuse prevention).
Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (e.g., ICO in the UK, your national DPA in the EU).

For California Residents (CCPA / CPRA)

Right to Know: Know what personal information we collect, use, and disclose.
Right to Delete: Delete personal information we have collected.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
We do not sell personal information as defined under CCPA.

To exercise any of these rights, please contact us. We will respond within 30 days (or as required by applicable law).

12. Children's Privacy

Our Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.

13. Third-Party Links and Services

Our Service may contain links to third-party websites or services (e.g., payment processors, OAuth providers). This Privacy Policy applies only to our Service. We encourage you to read the privacy policies of any third-party services you access through our Service.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Effective Date" at the top of this page and, where required by law, by sending an email notification or displaying a prominent notice on the Service. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:

Email: [email protected]
Website: https://magicalimg.modbuskit.com

For EEA/UK residents with unresolved concerns, you have the right to contact your local data protection authority.