Privacy Policy

1. Google API Services User Data Policy Disclosure

This section specifically addresses how Magnura accesses, uses, stores, and shares Google user data obtained through Google APIs (including YouTube Data API v3), in accordance with the Google API Services User Data Policy, including the Limited Use requirements. The disclosures in this section supplement the general privacy policy below.

Integration overview

Magnura offers an optional integration that allows authorised users to publish video content (including AI-generated avatar videos and motion graphics created within the Magnura platform) directly to their own YouTube channel. Users enable this integration by connecting their Google Account via Google’s OAuth 2.0 consent flow.

Google user data we access

• Basic Google Account profile information (name, email address, Google user ID) to identify the connected account.
• YouTube channel identity and metadata (channel ID, channel name, thumbnail) to confirm the destination channel.
• Aggregated YouTube Analytics reports for the connected channel, including views, watch time, average view duration, audience retention, subscriber changes, and traffic sources, obtained via the YouTube Analytics API using the yt-analytics.readonly scope. We do not access monetary or revenue data.
• OAuth 2.0 access and refresh tokens issued by Google.

How we use Google user data

• To display the connected Google Account and YouTube channel so the user can verify the correct destination before publishing.
• To upload video files, titles, descriptions, tags, thumbnails, and privacy settings (public, unlisted, private) to the user’s own YouTube channel at the user’s explicit instruction.
• To surface upload status and any errors returned by the YouTube Data API back to the user inside Magnura.
• To display performance analytics for videos published through Magnura (views, watch time, engagement, retention, traffic sources, subscriber delta), so the user can evaluate how their content is performing. Analytics data is displayed only to the user who connected the channel and to authorised members of their Magnura organisation.

How we do NOT use Google user data (Limited Use compliance)

Magnura’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Magnura does not and will not:

• Use Google user data to develop, train, fine-tune, or improve any generalised or personalised artificial intelligence or machine learning models.
• Use Google user data for advertising, retargeting, audience building, or any form of ad personalisation.
• Sell, rent, transfer, or otherwise disclose Google user data to data brokers, information resellers, or any third party for advertising or marketing purposes.
• Read, download, analyse, or repurpose any existing content, comments, watch history, or subscriber data on the user’s YouTube channel beyond what is strictly required to confirm channel identity and publish the content the user has explicitly asked us to publish.
• Allow humans to read Google user data, except (a) with the user’s affirmative consent for specific data, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data (including derivations) has been aggregated and anonymised for internal operations.

How we store Google user data

• OAuth access and refresh tokens are stored encrypted at rest in Magnura’s production database (Convex) and transmitted only over TLS.
• Uploaded video files pass through Magnura’s infrastructure during the upload process and are not retained on our servers after successful transfer to YouTube, unless the user has separately chosen to save the source file to their Magnura content library.
• Access to stored tokens is restricted to the specific Magnura services that perform uploads and to authorised Magnura personnel on a least-privilege basis for debugging and security purposes only.

How we share Google user data

Magnura does not share Google user data with third parties except where strictly necessary to deliver the integration: namely Google itself (to perform the upload via the YouTube Data API v3) and Magnura’s infrastructure sub-processors (see Section 4 below) operating under contractual confidentiality and data protection obligations.

Retention and deletion of Google user data

• OAuth tokens and Google profile data are retained only for as long as the user maintains an active Google Account connection to Magnura.
• On disconnection from within Magnura settings, revocation at the user’s Google Account permissions page, or deletion of the user’s Magnura account, Magnura deletes the stored OAuth tokens and associated Google profile data within 30 days.
• Upload event logs containing metadata (but not video content or Google user data beyond the channel ID and upload status) are retained for 90 days for debugging, audit, and dispute resolution, then deleted.
• YouTube Analytics reports are fetched from Google on demand for display in the Magnura dashboard and are cached only transiently to improve performance. Cached analytics data is deleted automatically when the Google Account is disconnected.

User controls

• Users can disconnect their Google Account from Magnura at any time from within Magnura settings, which revokes the stored tokens.
• Users can additionally revoke Magnura’s access at any time via their Google Account at https://myaccount.google.com/permissions.
• Users can request deletion of all associated data by emailing the Data Protection contact in Section 6 below.

YouTube API Services

Magnura’s YouTube publishing feature uses the YouTube API Services. By using this feature, you also agree to the YouTube Terms of Service and acknowledge the Google Privacy Policy.

2. Artificial Intelligence and Automated Processing Disclosures

Magnura is an AI-assisted outreach and content platform. This section describes how personal data is processed in connection with the artificial intelligence, machine learning, and automated systems we operate.

AI sub-processors and model providers

To deliver AI-generated content (including research summaries, personalised email drafts, landing page copy, video scripts, and avatar videos), we transmit prompts and context data to third-party AI providers acting as sub-processors. These currently include:

• Google (Gemini API) — large language model inference for research, personalisation, and content generation. Google acts as a data processor in respect of prompt and completion data and does not use our API inputs or outputs to train its foundation models.
• HeyGen — generation of AI avatar video content on the basis of a likeness, voice sample, and script explicitly provided by the user.
• Anthropic (Claude API) — supplemental large language model inference where configured. Anthropic does not train on API inputs or outputs.

A current list of sub-processors is maintained in Section 4 of these supplemental disclosures.

No training on customer content

We do not train Magnura-proprietary artificial intelligence or machine learning models on identifiable customer content, customer prospect data, Google user data, or inbox content. Where we use aggregated, de-identified statistics (for example, success rates of different email structures) to improve our product, we take reasonable measures to ensure the data cannot be associated with an identifiable individual or customer.

Human review

Humans at Magnura do not routinely read customer prompts, AI-generated outputs, prospect research, or inbox messages. Access by authorised Magnura personnel is restricted to: (a) investigation of a specific support request made by the customer, (b) investigation of suspected abuse, fraud, or security incidents, (c) compliance with legal obligations, or (d) debugging of a specific error that cannot be diagnosed without access to the relevant data. All such access is logged and subject to confidentiality obligations.

AI accuracy and hallucinations

AI-generated content may contain inaccuracies, fabricated facts (“hallucinations”), outdated information, or biased outputs. Magnura provides tools to assist users in verifying outputs, but customers are responsible for reviewing AI-generated content before sending or publishing it. See our Terms of Service for further detail.

Automated decision-making

Magnura does not make decisions that produce legal or similarly significant effects concerning an individual solely by automated means without human involvement. Internal automated classification (for example, scoring a lead against an ideal customer profile, or classifying an email reply as positive or negative) is always available for human review by the customer operating the campaign and does not by itself determine any legal, employment, financial, or similarly significant outcome for the individual.

Browser automation and authenticated research

Where a customer explicitly authorises Magnura to conduct research on their behalf using authenticated sessions on third-party platforms (for example, LinkedIn), Magnura uses a secure browser automation service (OpenClaw) operating under the customer’s own credentials, which the customer has voluntarily provided. Credentials are stored encrypted at rest, are scoped to the customer’s organisation, and are used solely to execute research tasks the customer has configured. Customers are responsible for ensuring their use of such platforms complies with the applicable platform terms of service.

3. Outbound Email and Prospect (Non-Customer) Data

Magnura enables its customers to run business-to-business outbound email campaigns. In doing so, Magnura processes a limited set of personal data relating to business contacts who have not themselves registered with Magnura (“Prospects”). This section is directed to Prospects and explains how their data is processed. It is provided in accordance with Articles 13 and 14 of the UK GDPR and EU GDPR.

Controller and processor roles

In respect of Prospect data used to contact a Prospect on behalf of a Magnura customer, the Magnura customer is the data controller, and Magnura acts as a data processor on the customer’s documented instructions. For certain shared services (for example, Magnura’s central prospect discovery pipeline, global suppression list, bounce management, and abuse monitoring), Magnura may act as an independent controller in respect of the minimum data needed to operate those services.

Sources of Prospect data

Prospect data is obtained from a combination of: (a) publicly available sources such as company websites, press releases, and publicly indexed professional profiles; (b) licensed third-party B2B data providers (including the data brokers and enrichment services listed in Section 4); (c) the customer’s own uploads of contact lists for which the customer has warranted it has a lawful basis; and (d) data returned via research tools operating on publicly accessible web pages.

Categories of Prospect data processed

• Identity and contact data: full name, business email address, business telephone number where available, job title, employer.
• Professional and firmographic data: company name, company size, industry, country, publicly visible role history, public social media handles.
• Content derived from public web pages referring to the Prospect or their employer (for example, a company blog post) used solely to personalise outreach.
• Engagement data relating to email sent to the Prospect: whether the email was delivered, bounced, replied to, or resulted in an unsubscribe request.

Purposes and legal bases

• Business-to-business outreach on behalf of a Magnura customer, based on the customer’s legitimate interest under Article 6(1)(f) UK/EU GDPR in promoting its goods and services to other businesses, balanced against the rights and interests of the Prospect. The customer is responsible for conducting and documenting the legitimate interests assessment.
• Maintenance of a global suppression list of email addresses that have requested not to be contacted, based on Magnura’s legitimate interest in preventing further contact to those individuals across all customers, and in meeting legal obligations under applicable marketing and anti-spam laws.
• Abuse, fraud, and security monitoring, based on legitimate interest and legal obligation.

Sending mechanism

Outbound email is sent from mail servers and mailboxes under the customer’s own sending domain and with the customer identified as the sender. Magnura (and its sub-processor EmailEngine on customer-leased infrastructure) acts as the technical sending service. Each outbound email includes sender identity, a valid postal address for the sender, and a functioning unsubscribe mechanism.

Unsubscribe and objection

Every marketing email sent through Magnura includes a one-click unsubscribe mechanism (in accordance with RFC 8058 “List-Unsubscribe” headers) and a functioning reply address monitored for opt-out requests. A Prospect who unsubscribes or replies requesting to opt out is added to (a) the sending customer’s suppression list, and (b) Magnura’s global suppression list, and will not receive further communications through the Magnura platform.

Prospect rights

Prospects have the rights set out in Section 10 of the general privacy policy below, including the right to request access, to request erasure, and to object to processing. Prospects may exercise these rights at any time by emailing privacy@magnura.com. Where we act as a processor on behalf of a customer, we will forward the request to the relevant customer without undue delay and assist the customer in responding.

Retention of Prospect data

• Prospect records in an active customer campaign are retained for the duration of the campaign and for up to 12 months thereafter to enable reporting and attribution, unless the customer deletes them earlier.
• Suppressed (opted-out) records are retained indefinitely as a minimal suppression entry (hashed email address) to prevent future contact. This is necessary to honour the opt-out request and is consistent with guidance from the UK ICO.
• Research findings (public content collected to personalise outreach) are retained for up to 12 months after the last outreach to the Prospect and then deleted or anonymised.

4. Magnura Sub-Processors (Supplemental)

The table below lists the sub-processors Magnura engages to provide its services, in addition to any sub-processors listed in the general privacy policy below. This list is maintained on a reasonable-efforts basis and may be updated from time to time. For the avoidance of doubt, no sub-processor is granted rights to use customer data or Google user data beyond what is strictly necessary to provide its service to Magnura.

Transfers of personal data outside the UK and EEA are made under Standard Contractual Clauses, the UK International Data Transfer Addendum, or another valid transfer mechanism under Article 46 UK GDPR.

5. Supplemental Retention Periods

In addition to the general retention principles described in the main privacy policy below, the following specific retention periods apply:

• Google OAuth tokens and Google profile data: retained while the Google Account connection is active; deleted within 30 days of disconnection, revocation, or account deletion.
• YouTube upload logs: 90 days.
• Customer account data: retained for the duration of the customer’s use of the service and for up to 12 months after termination, except where a longer period is required by law (for example, accounting records kept for 6 years in the UK).
• Active prospect records: retained while part of an active campaign and up to 12 months thereafter.
• Suppression records: retained indefinitely in hashed form to honour opt-outs.
• Inbound email (customer inbox): retained while the customer maintains a mailbox connection; deleted within 30 days of disconnection or account deletion.
• Application logs and error reports: up to 90 days.
• Backups: encrypted backups are retained for up to 35 days and then overwritten; personal data in backups is purged in the normal rotation.

6. Contact and Data Protection Queries

For any query relating to this privacy policy, the exercise of your rights, or the handling of your personal data, please contact:

MAGNETITE.AI LTD (trading as Magnura)
Attn: Data Protection
11 Mercer Avenue, Ebbsfleet Valley, DA10 1BG, United Kingdom
Email: privacy@magnura.com

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or, if you are in the European Economic Area, with your local data protection supervisory authority.