Privacy Policy

Privacy Policy

Last updated: 13 July 2026

What This Means for You

  • Minimal data collection: Only your email address is required to register.

  • Your conversations are private: We do not read or train on your chat data. AI providers may retain inputs via OpenRouter for up to 30 days for abuse prevention, independently of any deletion you perform on Magus.

  • You are in control: You can delete your account and all associated data at any time via account settings.

  • No tracking, no ads: We use no tracking cookies and do not sell your data.

  • AI providers outside Switzerland and the EU are considered third-country providers: For data protection purposes we make no tiering between third countries (e.g., USA, China). Where no recognized safeguards are in place for a third-country provider, you are clearly informed and must actively consent before use.


This Privacy Policy informs you about how we process your personal data when you use Magus. We process personal data in accordance with Swiss data protection law (Federal Act on Data Protection, FADP) and we commit to complying with its principles: we process your data lawfully, in good faith, and proportionately, only for the purposes we communicate to you, we keep it accurate, and we protect it through adequate data security (Art. 6 and 8 FADP).


1. Controller

Responsible for the processing of your personal data within the meaning of the Swiss Federal Act on Data Protection (FADP) is:

wirdrei.digital by Milenkovic Michael Milenkovic Nellweg 11i 5018 Erlinsbach Switzerland

Email: support@magus.digital Authorized representatives: Michael Milenkovic, Daniel Milenkovic

Our offering is directed exclusively at users in Switzerland.


2. Scope

This privacy policy applies exclusively to the use of the web application Magus (hereinafter "App" or "Platform"), accessible under the domain magus.digital. Magus is available exclusively as a web application; a mobile app does not currently exist.

Minimum age: The App is intended for individuals aged 16 and over. Using Magus requires you to be at least 16 years old. This confirmation is made by completing the registration via a checkbox ("I confirm that I am at least 16 years old"). We do not collect dates of birth; the age requirement is confirmed under the user's own responsibility (self-declaration). Should we discover that data from a person under 16 has been collected, we will delete it immediately. Reports of violations can be sent to support@magus.digital.


3. Processing Activities in Detail

Below, we inform you for each processing activity which personal data we process, for what purpose, which service providers we involve, and how long the data is retained.

We only pass on personal data insofar as necessary for the operation of the platform. We do not sell your data. We are obliged to disclose data in the event of official or judicial orders.

Data processing agreements are in place with all service providers involved (processors within the meaning of Art. 9 FADP). Where personal data is disclosed to countries without an adequate level of data protection (notably the USA), the disclosure is safeguarded by standard data protection clauses (Art. 16(2)(d) FADP) or — for providers certified under the Swiss-US Data Privacy Framework — by a level of protection recognized as adequate by the Swiss Federal Council.

3.1 Registration and User Account

Registration is required to use the App.

  • Processed data: Email address

  • Purpose: Creation and management of the user account; authentication (login via email/password or magic link); communication with the user

  • Retention: Until deletion of the user account or at the user's request. After more than 24 months of inactivity, we reserve the right to delete the account and all associated data, with 30 days' advance email notice. Backup data is completely removed no later than 30 days after account deletion.

  • Account deletion: Upon deletion, your personal data is permanently removed. Anonymized usage statistics with no personal reference may be retained for billing and analysis purposes. If you are the sole administrator of a shared workspace, account deletion is only possible after you have transferred or dissolved that workspace.

3.2 Google Workspace Integration (OAuth)

You may optionally connect your Google account to access Google Drive files and Google Calendar data directly within Magus. This connection serves solely to access your Google content; there is no sign-in to Magus via Google ("Google login").

  • Processed data: OAuth access token; and, only when the integration is actively used: Google Drive file names and contents, Google Calendar events (titles, times, participants)

  • Purpose: Enabling you to access and use your Google Drive files and Calendar events within the Magus interface

  • Service provider: Google LLC / Google Ireland Limited, USA / Ireland

  • Consent: The integration is only active if you explicitly authorize it. You can disconnect it at any time in your account settings.

  • Disclosure abroad: Google LLC is based in the USA. The disclosure is safeguarded by standard data protection clauses (Art. 16(2)(d) FADP) and, where certified, the Swiss-US Data Privacy Framework. A data processing agreement is in place.

  • Retention: OAuth tokens are stored until you disconnect the integration or delete your account. Google's own privacy policy governs data processed within Google's systems: policies.google.com/privacy

This integration is entirely optional and has no effect on core platform functionality.

3.3 Optional Third-Party Integrations

You may optionally connect Magus to further third-party services (e.g., Telegram, Notion, Nextcloud, AFFiNE, RSS feeds, as well as inbound webhooks or custom interfaces).

  • Processed data: The content and access credentials required for the respective integration (e.g., messages, documents, calendar or feed content)

  • Purpose: Provision of the integration you actively set up

  • Consent: These integrations are only active if you set them up yourself. When used, the relevant data is transmitted to the respective third-party provider and is subject to that provider's own privacy terms. Your access credentials are stored by us in encrypted form.

  • Retention: Until you disconnect the integration or delete your account. You can disconnect any integration at any time in the settings.

3.4 Use of the Magus App (AI Chat Interface)

Magus is a chat interface connected to various AI models via OpenRouter. You can select different AI models and interact with them.

  • Processed data: Your text inputs, uploaded files (images, documents, videos), conversation history, selected AI model

Platform-side tools: To improve response quality, the platform may invoke the following tools on your behalf when relevant to your query:

Tool

Provider

Purpose

Data Transmitted

Web Search

Exa.ai (USA; standard data protection clauses, data processing agreement in place)

Retrieve current information from the web

Your search query

These tools are only invoked when contextually relevant. Only the minimum data necessary is transmitted.

Disclosure to AI Providers

Your inputs are transmitted via the OpenRouter API to the AI provider corresponding to your selected model. OpenRouter acts as a data processor (Art. 9 FADP; data processing agreement and standard data protection clauses in place; based in the USA).

We distinguish between two categories of AI providers:

  • Providers in Switzerland and the EU/EEA: An adequate level of data protection applies.

  • Third-country providers: All other providers — regardless of the country concerned (e.g., the USA or the People's Republic of China); we make no data-protection tiering between third countries. Personal data may only be disclosed to third-country providers if suitable safeguards are in place (standard data protection clauses, Art. 16(2)(d) FADP, or a framework recognized as adequate by the Swiss Federal Council, such as the Swiss-US Data Privacy Framework) or if you expressly consent (Art. 17(1)(a) FADP).

Category

Provider

Switzerland/EU

Mistral AI (France), Apertus (Switzerland)

Third countries — with safeguards (standard data protection clauses / Swiss-US DPF)

OpenAI (GPT, Sora), Anthropic (Claude), Google (Gemini, Veo), xAI (Grok), Perplexity (Sonar) — all USA

Third countries — without safeguards (consent required)

Alibaba Cloud / Qwen, Zhipu AI / GLM, MiniMax, ByteDance / Seedance (server location: Singapore; company headquarters: People's Republic of China)

The specific range of models offered may change; the classification above is updated accordingly.

Note on third-country providers without safeguards: The listed companies are subject to Chinese law, which may grant authorities far-reaching data access rights (National Intelligence Law). If you have concerns, we recommend using models via the Auto-Router.

Consent for models from third-country providers without safeguards: The use of these models requires your explicit consent (Art. 17(1)(a) FADP). Before you select such a model for the first time, the following notice appears in the App:

"This model is operated by a company based in the People's Republic of China (server location: Singapore). Switzerland has not recognized this country as providing an adequate level of data protection. The Chinese National Intelligence Law may grant authorities access to the transmitted data. Your inputs are not subject to the same standard of protection as with providers in Switzerland/the EU or third-country providers with recognized safeguards. You can revoke this consent at any time in the account settings."

This consent is required once and saved in your user account. You can revoke it at any time in Account Settings — use of these models will then no longer be possible. The Auto-Router exclusively routes to models from providers in Switzerland/the EU or from third-country providers with recognized safeguards; models requiring consent must be deliberately and actively selected.

Image and video generation: For the generation of images and videos, specialized infrastructure providers are used in addition to the providers named above (including Fal, USA; AIML API). Your inputs (prompts) are transmitted to the respective provider for this purpose. Standard data protection clauses apply; data processing agreements are in place.

Semantic search (embeddings): For search and retrieval functions, excerpts of your content may be transmitted to OpenAI (USA) in order to generate vector representations (embeddings). Standard data protection clauses apply; a data processing agreement is in place.

Shared use and share links: If you use a conversation in a shared workspace, other members can view the shared content. If you create a public share link, the relevant conversation becomes accessible without login to anyone who has the link. You can revoke shares at any time.

Sensitive personal data: Entering sensitive personal data of third parties within the meaning of Art. 5(c) FADP (e.g., data concerning health, the intimate sphere, or racial or ethnic origin; religious, philosophical, political, or trade-union views or activities; genetic and biometric data; data on administrative or criminal proceedings and sanctions; and data on social assistance measures) without their explicit consent (Art. 6(7)(a) FADP) or another justification (Art. 31 FADP) is prohibited (Section 6.1 of our Terms of Service). We also recommend not entering your own sensitive personal data into the chat.

Data retention by AI providers: All requests via OpenRouter use commercial APIs. By default, providers do not use API conversation data to train their AI models. To prevent abuse, OpenRouter typically stores inputs and responses in encrypted form for up to 30 days, followed by automatic deletion. This retention occurs on OpenRouter's infrastructure independently of any deletion action you take within Magus.

Our platform: Servers in the EU (Frankfurt, Germany). We do not access the content of your conversations and do not use your data for training purposes.

  • Retention: Conversation history is stored until deleted by the user or upon account closure.

3.5 Auto-Routing (Automated Model Assignment)

  • Processed data: Your prompt (text input)

  • Procedure: The prompt is analyzed by an AI model hosted in the EU and automatically assigned to a suitable model based on task type and context. Only models from providers in Switzerland/the EU or from third-country providers with recognized safeguards are considered; models requiring consent are never selected.

  • This does not constitute an automated individual decision within the meaning of Art. 21 FADP.

3.6 File Uploads and File Storage

  • Processed data: Files uploaded by you (images, documents, videos)

  • Purpose: Storage and provision of your files within your conversations

  • Service provider: Tigris (USA)

  • Disclosure abroad: USA — standard data protection clauses (Art. 16(2)(d) FADP); data processing agreement in place

  • Retention: Until deleted by you or upon account closure

3.7 Code Sandbox

  • Processed data: Code as well as files and data processed during code execution

  • Purpose: Isolated execution of AI-generated code

  • Service provider: Daytona (UK; servers Zurich/Switzerland)

  • Disclosure abroad: The United Kingdom provides an adequate level of data protection; data processing agreement in place

  • Retention: Results are stored as part of the conversation history (see Section 3.4)

3.8 Contact Form (Support)

  • Processed data: Name, email address, selected topic, request/message

  • Purpose: Handling your support request

  • Infrastructure: Own infrastructure (Fly.io, Frankfurt) — no external CRM

  • Retention: Until processed; if contract-related, up to 3 years (statute of limitations)

3.9 Transactional Emails

  • Processed data: Email address, content of the respective system email (e.g., magic link, payment and renewal notifications)

  • Purpose: Delivery of system- and contract-related emails

  • Service provider: Postmark (ActiveCampaign, LLC), USA — privacy information: postmarkapp.com/eu-privacy

  • Disclosure abroad: USA — standard data protection clauses (Art. 16(2)(d) FADP); supplementary: Swiss-US Data Privacy Framework, if certified; data processing agreement in place

3.10 Hosting & Technical Infrastructure

  • Hoster: Fly.io (Fly.io, Inc.), USA — server location: Frankfurt, Germany (EU)

  • Database: Neon (Neon, Inc., US company) — server location: Frankfurt, Germany (EU)

  • Purpose: Operating and securing the platform

  • Server log files: IP addresses are anonymized prior to storage (individual IP addresses are not retained in identifiable form); log retention: 7 days

  • Disclosure abroad: Fly.io and Neon are US companies; the disclosure is safeguarded by standard data protection clauses. Data processing agreements are in place with both providers.

  • Backups: Backup data is retained in EU infrastructure and completely removed no later than 30 days after account deletion.

3.11 Content Delivery Network (CDN)

jsDelivr CDN (Prospectone Sp. z o.o., Poland, EU) is used to deliver static resources (scripts, stylesheets). For technical reasons, the user's IP address and User-Agent are transmitted to jsDelivr. No disclosure to countries without an adequate level of data protection. Data processing agreement in place.

3.12 Payment Service Providers

  • Processed data: Payment data (card details, billing address) — transmitted directly to Stripe and not stored by us

  • Purpose: Processing payments for paid usage

  • Service provider: Stripe Payments Europe, Ltd., Ireland (EU); data processing agreement in place

  • Retention: According to statutory retention obligations under Swiss law (Art. 958f Swiss Code of Obligations / Art. 70 VAT Act — generally 10 years)

3.13 Web Analytics

We do not currently use a web analytics tool. No visitor data is collected for statistical purposes. This section will be updated before any analytics tool is deployed.

3.14 Cookies

We use exclusively technically necessary cookies. No cookie banner is required.

Cookie

Purpose

Duration

Session Cookie

Maintains your active login session

Session (deleted on browser close)

Remember-Me Cookie

Keeps you logged in across sessions if you opt in

30 days

No tracking cookies.


4. Data Security

We protect your personal data through adequate technical and organizational measures (Art. 8 FADP):

  • Encryption in transit: All data transmission is protected by SSL/TLS encryption.

  • Encryption at rest: Stored data is encrypted at the database and file-storage level.

  • Password hashing: Passwords are never stored in plain text.

  • Access controls: Only authorized personnel have access to production systems.

  • Regular security updates: All system components receive timely security patches.

  • EU backups: Backup data is retained in EU infrastructure and completely removed no later than 30 days after account deletion.


5. Your Rights

You have the following rights regarding your personal data:

Right

Description

Legal Basis

Access

Request information about whether and which personal data we process about you

Art. 25 FADP

Rectification

Have incorrect personal data corrected

Art. 32(1) FADP

Deletion or Destruction

Request deletion or destruction of your personal data (subject to statutory retention obligations)

Art. 32(2) FADP

Data Release and Portability

Receive your data in a commonly used electronic format or have it transferred to a third party

Art. 28 FADP

Objection

Object to the processing of your personal data

Art. 30(2)(b) FADP

Withdrawal of Consent

Withdraw granted consents at any time with future effect (without affecting prior processing)

Exercising your rights: Contact us at support@magus.digital or by post (see Section 1). We will respond within 30 days of receipt of your request (Art. 25(7) FADP). If, exceptionally, this deadline cannot be met, we will inform you of the extension within those 30 days.

Supervisory authority: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — www.edoeb.admin.ch


6. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our services, legal requirements, or data processing practices.

  • Material changes — such as new categories of personal data processed, new processing purposes, new third-party providers, or changes to your rights — will be communicated by email or a prominent notice at your next login, with at least 30 days' advance notice before the change takes effect.

  • Non-material changes (clarifications, corrections, formatting) may be made without prior notice.

  • If you object to a material change, you may delete your account before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated Privacy Policy.

  • The current version is always available at magus.digital/privacy.