Privacy policy
MAGIC Privacy Policy — United States
This Privacy Policy explains how MAGIC TECH LTD ("we", "us", "our") collects, uses, shares and protects your personal information when you use the MAGIC mirror, the MAGIC mobile app and our website at magic.fit (together, the "Services").
U.S. customer contact: team@magic.fit
111b South Governors Avenue Dover, Delaware 19904
1. Information We Collect
1.1 Information you provide directly
Name, email address, password, billing address, payment details (processed by Stripe — full card numbers are not stored by us), date of birth, gender, height, weight, fitness goals, sub-account information.
1.2 Information generated by your use of the Services
Workout history, body-scan images and derived measurements, pose-tracking data, in-app browsing and interaction data, subscription status, device identifiers.
1.3 Information collected automatically
IP address, approximate location, device type and operating system, crash logs, telemetry, cookies and similar technologies.
2. Categories of Personal Information — CCPA / CPRA Notice
In the past twelve (12) months we have collected the following categories of personal information from California residents. The same categories are collected from users in other US states.
| Category | Examples | Collected? |
|---|---|---|
| A. Identifiers | Real name, postal address, telephone or mobile number, unique personal identifier, online identifier, IP address, email address, account name, device identifiers | YES |
| B. Personal information as defined in the California Customer Records statute | Name, contact information, financial information (payment details processed via our payment processor) | YES |
| C. Protected classification characteristics under state or federal law | Gender and date of birth | YES |
| D. Commercial information | Transaction information, purchase history, subscription history, payment information | YES |
| E. Biometric information | Body-scan images and derived body measurements (see Image and Body-Scan Data section). Whether this constitutes “biometric information” under applicable state law depends on how the data is processed; we treat it as sensitive personal information regardless. | YES — see note |
| F. Internet or other similar network activity | Browsing history within the Services, in-app interactions, search history, interactions with features, application analytics | YES |
| G. Geolocation data | Approximate location derived from IP address. We do not collect precise geolocation. | YES (approximate only) |
| H. Audio, electronic, visual, thermal, olfactory, or similar information | Images and video associated with body-scan and pose-tracking features | YES |
| I. Professional or employment-related information | Not collected | NO |
| J. Education Information | Not collected | NO |
| K. Inferences drawn from collected personal information | Inferences drawn from the above to personalise workouts, recommendations and content | YES |
| L. Sensitive personal information | Account login credentials, health and fitness data, body-scan images and derived measurements | YES |
Sources of personal information: directly from you, automatically from your use of the Services, and from our service providers and sub-processors.
Purposes of collection: providing the Services, personalising workouts, processing payments and subscriptions, communications, analytics and improvement, security and fraud prevention, legal compliance.
We do not sell or share personal information for cross-context behavioural advertising. We do not use sensitive personal information for purposes that would require a right-to-limit under California law.
3. Consumer Health Data — Washington MHMDA and Nevada SB 370
If you are a resident of Washington or Nevada, this section describes how we collect and process "consumer health data" as defined by the Washington My Health My Data Act (RCW 19.373) and Nevada SB 370 (NRS 603A.400-920).
3.1 Categories of consumer health data
We collect and process: workout history and performance data, body-scan images and derived body measurements, pose and movement data, fitness goals and self-reported health information you provide.
3.2 Sources, purposes and sharing
Sources: directly from you and from your use of the Services. Purposes: to provide the Services, generate personalised workouts and recommendations, and improve the Services. We share consumer health data with our processors as described in this Policy. We do not sell consumer health data, and we will not share or sell consumer health data without your separate authorisation as required by applicable law.
3.3 Your rights
You have the right to: confirm whether we are collecting your consumer health data, access it, withdraw consent to its collection, request its deletion, and authorise the sharing or sale of consumer health data (which we will not do absent your authorisation). To exercise these rights, contact us using the contact details above.
3.4 No geofencing
We do not use geofences around healthcare facilities to collect, identify, track or send notifications to consumers based on their proximity to such facilities.
4. Biometric Information
If you use the body-scan feature on your MAGIC mirror, we collect images of you and derive body measurements and pose data from those images. Depending on how this data is processed, it may constitute a "biometric identifier" under the laws of certain US states, including the Illinois Biometric Information Privacy Act (740 ILCS 14).
You authorise this collection and processing when you choose to use the body-scan feature. You may stop using the feature at any time. To delete body-scan data already collected, contact us using the details below; we will action the deletion within the time required by applicable law.
We do not sell biometric information. We do not disclose biometric information to third parties except (a) to our processors strictly to provide the body-scan feature, (b) with your separate consent, or (c) as required by law.
5. State Privacy Rights
This section sets out additional rights for residents of US states with comprehensive consumer privacy laws.
5.1 California (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, the right to opt out of sale or sharing (we do not sell or share), the right to limit use of sensitive personal information, and the right to non-discrimination.
To exercise these rights, contact us using the contact details above.
5.2 Colorado, Connecticut, Utah, Virginia
Residents of Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) and Virginia (VCDPA) have rights to access, deletion, correction (where applicable), portability, and opt-out of targeted advertising, sale and certain profiling.
5.3 Texas, Oregon, Florida, Montana
Residents of Texas (TDPSA, effective July 2024), Oregon (OCPA, effective July 2024), Florida (FDBR, effective July 2024) and Montana (MCDPA, effective October 2024) have substantially similar rights. Oregon residents have the right to receive a list of specific third parties to which their personal data has been disclosed. Texas residents are notified that we may sell sensitive personal data (we do not) and that we may engage in targeted advertising (we do not).
5.4 2025 and 2026 state laws
Residents of Iowa (ICDPA), Delaware (DPDPA), New Hampshire, New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MN), Maryland (MODPA), Indiana, Kentucky, Rhode Island and Nebraska have rights under their respective state laws as those laws come into effect. Maryland residents are notified that we do not sell sensitive personal data, which is prohibited under MODPA.
6. Global Privacy Control and Universal Opt-Out
Some browsers and browser extensions send a Global Privacy Control (GPC) signal, which is treated under certain US state privacy laws as a request to opt out of the sale or sharing of personal information. We do not sell personal information, and we do not share personal information for cross-context behavioural advertising or targeted advertising. Because we do not engage in these activities, no opt-out signal is required to give effect to your privacy preferences with respect to sale or sharing. If you have other privacy preferences or questions, you can contact us using the details in this Policy.
7. Children's Privacy — COPPA
The Services are not directed to children under 13 and we do not knowingly collect personal information from children under 13. Account holders must be 18 or older. Sub-accounts may not be created for children under 13.
If you believe we have inadvertently collected information from a child under 13, contact us at team@magic.fit and we will delete the information promptly.
8. Health & Fitness Data and Third-Party Integrations
When you use the MAGIC mobile app alongside your MAGIC mirror, the mobile app can share health and fitness information with platforms you choose to connect: Apple Health (Apple HealthKit), Google Health Connect, and the calendar app on your device.
Information we process through these integrations: completed workout sessions (type of exercise, duration, active calories burned); on iOS, where you grant permission, activity data read from Apple Health to personalise your experience; workout schedule entries you create or accept.
This information is sensitive personal information under applicable data-protection laws. For UK and EU users, we process it on the basis of your explicit consent under Article 9(2)(a) of the UK GDPR / EU GDPR. You provide this consent when you connect an integration and may withdraw it at any time.
Apple HealthKit (iOS)
Where you connect Apple Health, the MAGIC app may write completed workouts to Apple Health and, with your permission, read activity data from Apple Health to personalise your experience. Permissions are requested through the standard iOS Health prompts. Data written to Apple Health is then governed by Apple's terms and your Apple Health settings.
Google Health Connect (Android)
Where you connect Google Health Connect, the MAGIC app may write completed workout sessions and active calories burned to Health Connect. We do not read data back from Health Connect. Permissions are requested through the standard Health Connect flow. Data written to Health Connect is then governed by Google's Health Connect terms and your Health Connect settings.
Device Calendar
Where you connect your device calendar, the MAGIC app may read and write calendar events relating to your weekly workout schedule. Calendar data stays on your device unless your calendar app itself syncs with a cloud service (such as iCloud, Google Calendar or Microsoft 365), in which case events the MAGIC app writes will sync the same way. We do not directly access any cloud calendar service.
Disconnecting integrations
You can disconnect any of these integrations at any time from within the MAGIC app or from your device's system settings. When you disconnect, the MAGIC app will stop syncing further data, but data that has already been written to Apple Health, Health Connect or your calendar will not be removed automatically. To remove that data, use the Apple Health app, Health Connect app or your calendar app directly.
9. Sale, Sharing and Targeted Advertising
We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioural advertising. We do not engage in targeted advertising. We do not process personal information for profiling in furtherance of decisions that produce legal or similarly significant effects.
10. Service Providers
We use service providers to host data, process payments (Stripe Payments UK, Ltd.), deliver customer communications, analyse product usage, and operate the body-scan feature. We require all service providers to handle your information in accordance with this Policy.
International transfers. Where we use Stripe Payments UK, Ltd. to process payment information from US customers, your payment information is transferred to the United Kingdom for processing. We rely on appropriate safeguards for these transfers, including UK adequacy mechanisms and Stripe's own contractual protections.
11. Data Security and Breach Notification
We use organisational and technical measures to protect your information. If a security incident results in the unauthorised acquisition of unsecured "PHR identifiable health information" (as defined by the FTC Health Breach Notification Rule, 16 CFR Part 318), we will notify affected individuals, the Federal Trade Commission, and (for breaches affecting more than 500 residents of a state) prominent media outlets in that state, within the timeframes required by the Rule and applicable state breach-notification laws.
12. Retention
We retain personal information for as long as your account is active. Some categories (transaction records, biometric data, consumer health data) are subject to specific retention rules described elsewhere in this Policy.
13. HIPAA Note
MAGIC is not a HIPAA covered entity. The health and fitness data we process is not subject to HIPAA. It is, however, subject to consumer health data laws including the Washington My Health My Data Act, Nevada SB 370, and the FTC Health Breach Notification Rule, as described in this Policy.
14. Cookies and Tracking
We use cookies and similar technologies as described in our Cookie Notice. Where required by applicable law, we obtain your consent through our cookie banner.
15. AI and Automated Decision-Making
We use AI-driven processing to count and score workout repetitions, generate personalised workout recommendations, and analyse body-scan data to derive measurements. We do not use these processes to make decisions that produce legal or similarly significant effects on you. The outputs are not medical or diagnostic and must not be relied on for any medical purpose.
16. Changes to this Policy
We may update this Policy from time to time. We will notify you of material changes by email or through the Services. The "Last updated" date reflects the most recent revision.
17. Contact
MAGIC TECH LTD. US privacy contact: see the contact details listed at the top of this Policy.