Privacy Policy

Last updated: 25 February 2026


1. Data Controller

The controller responsible for processing your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP) is:

wirdrei.digital by Milenkovic

Michael Milenkovic
Nellweg 11i
5018 Erlinsbach
Switzerland

Email: support@magus.digital

Authorized representatives: Michael Milenkovic, Daniel Milenkovic

Due to the size of the company, a Data Protection Officer has not been appointed.

Since the offering is currently directed exclusively at users in Switzerland and no personal data of individuals in the EU is systematically processed, there is currently no requirement to appoint an EU representative under Art. 27 GDPR. This assessment will be reviewed immediately, and a representative appointed, should the offering be expanded to EU users.

2. Scope

This privacy policy applies exclusively to the use of the web application Magus (hereinafter "App" or "Platform"), accessible under the domain magus.digital. Magus is available exclusively as a web application; a mobile app does not currently exist.

Minimum age: The App is intended for individuals aged 16 and over. Using Magus requires you to be at least 16 years old. You confirm this during registration via a checkbox ("I confirm that I am at least 16 years old"). We do not collect dates of birth; the age requirement is confirmed under the user's own responsibility (Self-Declaration). Should we discover that data from a person under 16 has been collected, we will delete it immediately.

Reports of violations can be sent to support@magus.digital.

3. Principles of Data Processing

We process personal data exclusively according to the following principles – as defined by the GDPR (Art. 5) and the Swiss nFADP (Art. 6):

| Principle | Explanation |
|---|---|
| Lawfulness, Fairness, Transparency | Data is only processed if there is a legal basis (consent, performance of a contract, legitimate interest). You are always clearly informed. |
| Purpose Limitation | Data is collected exclusively for the purpose for which it was provided. Further processing for incompatible purposes does not take place. |
| Data Minimization & Proportionality | We only collect the data that is actually necessary for the respective purpose – no more. |
| Accuracy | We keep your data up to date and accurate. Incorrect information is immediately corrected or deleted. See Section 15. |
| Storage Limitation | Data is only stored as long as necessary for the respective purpose or as required by statutory retention obligations. Specific periods can be found in Section 4. |
| Integrity and Confidentiality | Technical and organizational measures (encryption, access controls, security updates) protect your data from unauthorized access. |
| Accountability | We maintain internal documentation and can demonstrate compliance with these principles at any time. |

4. Type, Scope, and Purpose of Data Processing

4.1 Registration and User Account

Registration is required to use the App.

  • Processed data: Email address

  • Purpose: Creation and management of the user account, authentication (login via email/password or magic link via email), communication with the user

  • Legal basis: Art. 6 Para. 1 lit. b GDPR (Performance of a contract); nFADP: Art. 6 nFADP, Art. 19 nFADP

  • Storage duration: Until the deletion of the user account or at the user's request. After more than 24 months of inactivity, we reserve the right to delete the account and all associated data, notifying you in advance via email. Backup data is completely removed no later than 30 days after account deletion.

4.2 Use of the Magus App (AI Chat Interface)

Purpose of the App: Magus is a chat interface connected to various AI providers via OpenRouter. Users can select different AI models and interact with them. The App has its own tool calls to improve the user experience.

  • Processed data: User inputs (texts, uploaded files, images, videos), conversation history, selection of the AI model

Disclosure to AI Providers

The inputted data is transmitted via the OpenRouter API to the respective AI providers based on the user's selection. OpenRouter acts as a data processor in accordance with Art. 28 GDPR (Data Processing Agreement concluded).

| Region | Provider |
|---|---|
| EU / Europe | Mistral AI (France), Apertus (Switzerland) |
| USA | OpenAI (GPT, DALL-E, Sora), Anthropic (Claude), Google (Gemini, Veo), xAI (Grok), Perplexity (Sonar), Black Forest Labs (FLUX) |
| Third countries without EU adequacy decision | DeepSeek, Alibaba Cloud / Qwen, Zhipu AI / GLM, Moonshot AI / Kimi, MiniMax, ByteDance / Seedance (Server location Singapore, Company headquarters People's Republic of China) |

Note on China models: These companies are subject to Chinese law, which can grant authorities far-reaching data access rights (National Intelligence Law). If you have concerns, we recommend using EU/USA models via the Auto-Router. The use of these models requires explicit, prior consent (see Section 11).

The currently available models can be found in the current model list within the App.

Note on sensitive data: Please refrain from entering special categories of personal data within the meaning of Art. 9 GDPR (e.g., health data, political opinions, religious beliefs, biometric data) into the chat.

Data Privacy during AI Training

  • All requests via OpenRouter are made using commercial APIs. By default, the providers do not use API conversation data to train their AI models.

  • To prevent abuse, OpenRouter typically stores inputs and responses encrypted for a maximum of 30 days, followed by automatic deletion.

  • Our platform: Servers in the EU (Frankfurt, Germany). We do not view the content of conversation data and do not use your data for training purposes.

  • The Auto-Router exclusively contains models from providers based in the EU or the USA. China models must be deliberately and actively selected – tied to prior consent.

  • Legal basis: Art. 6 Para. 1 lit. b GDPR (Performance of a contract); Art. 6 Para. 1 lit. a GDPR (Consent for China models); nFADP: Art. 6, Art. 17 nFADP

  • Storage duration: Until deleted by the user or upon account closure

4.3 Auto-Routing (Automated Model Assignment)

  • Processed data: Your prompt (text input)

  • Procedure: The prompt is analyzed with an AI model hosted in the EU and automatically assigned to a suitable model based on task type and context. Only models from providers in the EU or the USA are considered.

  • This does not constitute an automated decision with legal effect within the meaning of Art. 22 GDPR.

  • Legal basis: Art. 6 Para. 1 lit. b GDPR; nFADP: Art. 6 nFADP

4.4 Contact Form (Support)

  • Processed data: Name, email address, request/message

  • Service provider: Own infrastructure (Fly.io, Frankfurt) – no external third-party provider

  • Legal basis: Art. 6 Para. 1 lit. b GDPR; if no contract context: Art. 6 Para. 1 lit. a GDPR

  • Storage duration: Until processed; if contract-related up to 3 years (statute of limitations)

4.5 Transactional Emails

  • Service provider: Postmark (ActiveCampaign, LLC), USA

  • Data privacy: https://postmarkapp.com/eu-privacy

  • Legal basis: Art. 6 Para. 1 lit. b GDPR

  • Guarantees: SCCs pursuant to Art. 46 Para. 2 lit. c GDPR; additionally EU-US Data Privacy Framework, if certified

5. Hosting & Technical Infrastructure

  • Hoster: Fly.io (Fly.io, Inc.), USA

  • Server location: Frankfurt, Germany (EU)

  • Data privacy: https://fly.io/legal/privacy-policy/

  • DPA: Art. 28 GDPR incl. SCCs concluded

  • Server log files: Anonymized (no storage of individual IP addresses); storage duration 7 days

  • Legal basis: Art. 6 Para. 1 lit. f GDPR

6. Content Delivery Networks (CDNs)

jsDelivr CDN (Prospectone Sp. z o.o., Poland, EU) – used to deliver static resources (scripts, stylesheets). For technical reasons, the user's IP address and User-Agent are transmitted to jsDelivr. No third-country transfer. DPA in place.

7. Payment Service Providers

  • Provider: Stripe Payments Europe, Ltd., Ireland (EU)

  • Transmitted data: Payment data (card details, billing address) are transmitted directly to Stripe and are not stored by us.

  • Legal basis: Art. 6 Para. 1 lit. b GDPR

  • Storage duration: According to statutory retention obligations (generally 10 years according to Swiss CO/German HGB)

8. Web Analytics

  • Tool: GoatCounter – no cookies, no storage of IP addresses, no cross-site tracking. GoatCounter is operated on our own infrastructure (Fly.io, Frankfurt, EU).

  • Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in anonymous usage statistics)

9. Cookies

Exclusively technically necessary cookies:

  • Session Cookie

  • Remember-Me Cookie (30 days)

No tracking cookies. No cookie banner required.

10. Disclosure of Data to Third Parties

We only pass on personal data insofar as this is technically necessary for the provision of the platform:

  • AI Providers: Inputs and conversations are only transmitted to the model selected by the user via OpenRouter (Data Processor, USA, DPA + SCCs).

  • Technical Service Providers (Data Processors):

| Service Provider | Function | Location | Guarantees |
|---|---|---|---|
| Fly.io | Hosting | USA (Server Frankfurt/EU) | DPA + SCCs |
| OpenRouter | AI API Gateway | USA | DPA + SCCs |
| Postmark | Transactional Emails | USA | DPA + SCCs |
| Stripe | Payment Processing | Ireland/EU | DPA + SCCs |
| jsDelivr | CDN for static resources | Poland/EU | DPA |
| Tigris | File Storage | USA | DPA + SCCs |
| Northflank | Sandbox Environment | UK (Server Zurich/CH) | DPA |

  • Legal obligations: We are obliged to disclose data in the event of official or judicial orders.

We do not sell your data.

11. Data Transfer to Third Countries

Principle: The platform is hosted in the EU (Frankfurt).

| Provider / Region | Legal Basis & Guarantees |
|---|---|
| OpenRouter (USA) | SCCs pursuant to Art. 46 Para. 2 lit. c GDPR (primary); EU-US DPF supplementary. DPA in place. |
| EU Models (Mistral AI, Apertus) | GDPR fully applicable. No third-country transfer. |
| USA Models (OpenAI, Anthropic, Google, xAI, Perplexity, Black Forest Labs) | Primary: SCCs pursuant to Art. 46 Para. 2 lit. c GDPR. Supplementary: EU-US DPF if certified. |
| China Models (DeepSeek, Alibaba/Qwen, Zhipu/GLM, Moonshot/Kimi, MiniMax, ByteDance/Seedance) | No EU adequacy decision. National Intelligence Law may grant authorities data access. SCCs where available. Legal basis: Explicit consent pursuant to Art. 49 Para. 1 lit. a GDPR. |

Consent Process for China Models

Before you select a model from a Chinese provider for the first time, the following notice dialog appears in the App:

"This model is operated by a company based in the People's Republic of China (Server location: Singapore). There is no EU adequacy decision. The Chinese National Intelligence Law may grant authorities access to the transmitted data. Your inputs are not subject to the same standard of protection as with EU or USA models. You can revoke this consent at any time in the account settings."

This consent is required once and is saved in your user account. You can revoke your consent at any time in the Account Settings – the use of these models will then no longer be possible.

12. Data Processing Agreements (Art. 28 GDPR)

DPAs have been concluded with all relevant service providers: Fly.io, OpenRouter, Postmark, Stripe, jsDelivr. Contracts with US providers include SCCs according to Art. 46 Para. 2 lit. c GDPR.

13. Data Security

Technical and Organizational Measures (TOMs):

  • SSL/TLS Encryption during data transmission (encryption in transit)

  • Password Hashing: Passwords are never stored in plain text

  • Access Controls: Only authorized personnel have access to production systems

  • Regular Security Updates of all system components

  • EU Backups: Retention max. 30 days after account deletion

14. Transparency in the Use of AI Systems (EU AI Act)

According to Art. 50 AI Act (EU) 2024/1689:

  • AI Interaction: You are interacting with AI systems (LLMs), not with humans from our company.

  • AI-generated content: Texts, images (DALL-E, FLUX), videos (Sora, Veo, Seedance) are generated by AI.

  • No High-Risk AI System according to Annex III AI Act.

  • Auto-Router: No prohibited AI practice (Art. 5 AI Act), no legal implications for users.

15. Your Rights as a Data Subject

| Right | Legal Basis |
|---|---|
| 15.1 Right of Access: Request information about stored data | Art. 15 GDPR / Art. 25 et seq. nFADP |
| 15.2 Rectification: Have incorrect data corrected | Art. 16 GDPR / Art. 32 Para. 1 nFADP |
| 15.3 Erasure: Request deletion of data (provided no statutory obligations oppose this) | Art. 17 GDPR / Art. 32 Para. 2 a nFADP |
| 15.4 Restriction: Have the processing of your data restricted | Art. 18 GDPR |
| 15.5 Data Portability: Receive data in a structured, machine-readable format | Art. 20 GDPR / Art. 28 nFADP |
| 15.6 Objection: Object to processing based on legitimate interest | Art. 21 GDPR / Art. 32 Para. 2 b nFADP |
| 15.7 Withdrawal: Withdraw granted consents at any time for the future (without affecting prior processing) | Art. 7 Para. 3 GDPR |

15.8 Right to lodge a complaint

  • Switzerland: FDPIC, Feldeggweg 1, 3003 Bern – www.edoeb.admin.ch

  • EU: The data protection authority at your place of residence, workplace, or the place of the violation is responsible. Example Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI) – www.bfdi.bund.de

  • All EU Authorities: www.edpb.europa.eu

16. Exercising Your Rights

  • Contact: support@magus.digital or by post (see Section 1).

  • Response generally within 30 days (Art. 12 Para. 3 GDPR).

17. No Obligation to Provide Data

Providing an email address is technically mandatory for registration.

18. Changes to this Privacy Policy

  • In the event of material changes: Information via email or at the next login.

Contact

wirdrei.digital by Milenkovic

Michael Milenkovic
Nellweg 11i
5018 Erlinsbach
Switzerland

Email: support@magus.digital