This Policy explains what data we collect when you use Magnets, why we collect it, and what we don't do with it. It applies to both Magnets account holders and the subscribers who sign up on a Magnets page.
1. The short version
- We collect only what we need to run the Service.
- We never sell your data, never share it with advertisers, never use it to train AI models.
- Subscriber data belongs to the account holder who built the page, not to us.
- Integration API keys you connect are encrypted at rest with AES-256-GCM.
- You can delete your account and the data we hold for it at any time.
2. Data we collect — account holders
When you create a Magnets account we store:
- Your name, email address, and a hashed password (never the plaintext password).
- Account configuration: brand, sending domain, subdomain, logo, color choices.
- Integration credentials you choose to connect (Resend API key, Beehiiv API key + publication ID, Substack publication). API keys are encrypted at rest.
- The pages and email copy you create.
- Standard operational metadata: timestamps, IP addresses for rate limiting, error logs.
3. Data we collect — subscribers
When someone signs up on a Magnets-hosted page, we collect the name and email address they submit, the lead-magnet page they signed up on, and the timestamp. We store this against the account that owns the page, deduplicated by email address.
We act as a data processor for the subscriber data on behalf of the account holder. The account holder is the data controller and is responsible for having a lawful basis to collect that data and for any further communication with the subscriber.
4. How we use the data
We use the data we collect to:
- Operate, maintain, and secure the Service.
- Send the lead-magnet email to the subscriber (via the account holder's connected Resend key).
- Forward the subscriber to the newsletter the account holder has chosen (Beehiiv or Substack), if any.
- Authenticate account holders and prevent abuse (rate limiting, anti-spam).
- Respond to support requests.
5. What we don't do
- We don't sell or rent your data, or your subscribers' data, to anyone.
- We don't use your content or subscriber data to train AI models.
- We don't place advertising in the Service or in the emails we send on your behalf.
- We don't email your subscribers ourselves — only via the account holder's sender setup.
6. Sub-processors
To run the Service, we rely on the following sub-processors. They have their own privacy policies and process data on our behalf under data-processing agreements:
- Vercel — application hosting and CDN.
- Neon — managed Postgres database.
- Resend — email delivery (using each account holder's own key).
- Beehiiv — newsletter forwarding (optional, account holder's own key).
- Substack — newsletter forwarding (optional, account holder's own publication).
7. Retention
We retain account data while the account is active. If you delete your account we delete your account record, lead-magnet pages, and subscriber list within thirty (30) days, except where we need to keep specific records to comply with a legal obligation, resolve a dispute, or enforce our agreements. Backups roll off automatically within a further thirty (30) days.
8. Security
We use industry-standard measures to protect data in transit (HTTPS) and at rest (AES-256-GCM encryption for stored integration secrets; passwords stored only as hashes). No system is perfectly secure; if we ever experience a breach that affects you, we will notify you without undue delay.
9. Your rights
Depending on where you live, you may have rights under privacy laws such as the GDPR or the UK GDPR, including the right to access, correct, port, or delete your personal data. To exercise these rights, email hello@magnets.so. If you are a subscriber, please first contact the account holder whose page you signed up on — they are the controller of your data.
10. International transfers
Our sub-processors operate in various countries, including the United States and the European Union. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.
11. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have, contact us and we will delete it.
12. Changes
We may update this Policy from time to time. If the changes are material we will give reasonable notice before they take effect.
13. Contact
Email hello@magnets.so with any privacy questions.