Privacy Policy

Effective date: March 11, 2026 · Last updated: March 12, 2026

maigica ("we", "us", "our") is a conversational AI assistant platform operated by MPFlex. This policy explains what data we collect, how we use it, and your rights.

    Summary: We collect only what's needed to run the service. We don't sell your data. Conversation logs are kept for up to 30 days to improve service quality, then automatically deleted. Voice audio is processed by OpenAI and never saved on our servers.

1. Data We Collect

Category	Data	Purpose
Account	Email address, name	Authentication, email notifications
Password	Bcrypt hash only (never plaintext)	Login authentication
Session	Session ID, login state	Keep you signed in
Device	Randomly generated device ID (UUID)	Pair your device with your assistant
Usage	Minutes used, token counts (per session)	Quota enforcement, billing
Notebook	User-created collections and entries	Smart Notebook feature (your personal data)
Conversation logs	Your messages, assistant responses, tool calls used	Service quality, debugging, session recovery after restarts

2. Data We Do NOT Collect

Voice recordings — Audio is streamed to OpenAI Whisper for transcription and immediately discarded. We do not store audio files.
Location data — We do not collect GPS coordinates or track your location.
Tracking / analytics — We do not use Google Analytics, tracking pixels, or any third-party analytics services.
Advertising profiles — We do not build advertising profiles or sell data to advertisers.

3. Third-Party Services

To provide the AI assistant, we share limited data with the following services:

Service	Data Shared	Purpose	Their Policy
OpenAI	Text prompts, audio (STT)	Language model responses, speech-to-text	openai.com/privacy
ElevenLabs	Response text	Text-to-speech synthesis	elevenlabs.io/privacy
DuckDuckGo	Search queries	Web search results (when you ask to search)	duckduckgo.com/privacy
Open-Meteo	Optional coordinates	Weather forecasts (when you ask about weather)	open-meteo.com/terms

We do not share your data with any other third parties. We do not sell, rent, or trade your personal information.

4. Email Tool

If you connect your email account through the configurator:

Your IMAP/SMTP credentials are stored on our server to access your mailbox on your behalf.
Email content is accessed in real-time and is not stored on our servers.
Connections are short-lived — opened per request, then closed.
You can disconnect your email account at any time through the configurator.

5. Conversation Logs

To maintain service quality and diagnose issues, we store conversation logs on our server. These logs contain:

Your messages and the assistant's responses
Which tools were invoked (e.g. web search, weather) and their results
A short running summary used to maintain context within a session
Session ID and assistant ID (no IP addresses or device fingerprints)

    Retention: Conversation logs are automatically deleted after 30 days. They are stored as server-side files, never exposed to other users, and not used for advertising or profiling.

Legal basis (GDPR Art. 6(1)(f)): Legitimate interest in maintaining and improving the service. You can request deletion of your conversation logs at any time by contacting us.

6. Cookies

We use a single essential cookie:

maigica.sid — Server-side session cookie. HttpOnly, SameSite=Lax. Expires after 7 days. Required for login.

We do not use advertising cookies, tracking cookies, or third-party cookies.

7. Data Retention

Data	Retention
Account information	Until you delete your account
Conversation logs	Automatically deleted after 30 days
Session cookies	7 days (auto-cleanup every 15 minutes)
Verification / reset tokens	24 hours / 1 hour (auto-expire)
Usage / billing records	Retained for accounting purposes
Notebook entries	Until you delete them
TTS audio cache	Cached server-side for performance; contains no personal data

8. Data Security

All connections are encrypted via HTTPS (TLS).
Passwords are hashed with bcrypt (10 salt rounds); we never store or see your plaintext password.
Session tokens are HttpOnly (not accessible to JavaScript).
API keys (OpenAI, ElevenLabs) are stored in server environment variables, never exposed to clients.
Database access is restricted to the server process only.

9. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

Access — Request a copy of data we hold about you.
Rectification — Correct inaccurate personal data.
Erasure — Request deletion of your account and all associated data.
Portability — Export your Notebook data as CSV.
Restriction — Restrict processing of your data.
Objection — Object to processing of your data.

To exercise any of these rights, contact us at privacy@maigica.com.

10. Children's Privacy

maigica is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests:

Email: privacy@maigica.com
Website: maigica.com