Our primary goals in collecting personally identifiable information are to provide you with the products and services made available through the Site, including, but not limited to, provision of Services, communicating with you, and managing your user account, if you have one. In general, amagical.net collects Personal Data when you use amagical.net services and when you visit amagical.net pages. That information is used to fulfill your requests for products and services, to conduct research, to contact you and to improve amagical.net services generally.
Categories of Information We May Process
We may Process your personal details, demographic data and your contact details. We may also Process information about you from your use of our Services (such as the type of device you are using, the internet service provider, your IP address, etc.), including your interactions with content on the Services.
We may Process the following categories of Personal Information about you:
- Personal details, including but not limited to the following: your name; your username or login details and your password.
- Demographic information, including but not limited to the following: age; date of birth; and language preferences.
- Your contact details, including but not limited to the following: postal address; telephone and/or mobile number; email address; and your public social media handles or profile(s).
- Consent records, including but not limited to the following: records of any consents you may have given, together with the date and time, means of consent and any related information (such as the subject matter of the consent).
- Purchase and payment details, including but not limited to the following: records of purchases and prices, subscription details, invoice records, payment records, billing address, payment method, cardholder or accountholder name, payment amount, and payment date.
We may also collect other kinds of information from you or other sources, which we refer to as “Other Information” in this Policy, which may include but is not limited to:
- Information about your use of the Services, such as usage data and statistical information, which may be aggregated.
- Browsing history including the websites or other services you visited before and after interacting with the Services.
- Non-precise information about the approximate physical location (for example, at the city or zip code level) of a user’s computer or device derived from the IP address of such computer or device (“GeoIP Data”).
- Internet Protocol (“IP”) address, which is a unique string of numbers automatically assigned to your device whenever you access the Internet.
- Device type, settings and software used.
- Log files, which may include IP addresses, browser type, ISP, referring/exit pages, operating system, date/time stamps and/or clickstream data, including any clicks on customized links.
- Local Shared Objects, and Local Storage, such as HTML5.
- Embedded Scripts which are programming codes designed to collect information about your interactions with the Service by temporarily downloading onto your device from our web server or a third party with whom we work. Embedded scripts are only active while you are connected to the Service and are deleted or deactivated thereafter.
- Mobile analytics to understand the functionality of our mobile applications on your phone.
Under certain circumstances and depending on applicable law, some of this Other Information may constitute Personal Information. Personal Information together with Other Information is hereinafter referred to as “User Information”.
We do not seek to collect or otherwise Process your Sensitive Personal Information.
Purposes for Which We May Process Your Information
We may Process User Information for the following purposes: providing the Services to you; communicating with you; analyzing engagement with our audience; marketing our services and offerings to current and prospective customers; managing our IT systems; financial management; conducting surveys; ensuring the security of our systems; conducting investigations where necessary; compliance with applicable law; and improving our Services.
- Offering and Improving the Services: operating and managing the Services for you; providing personalized content to you; communicating and interacting with you via the Services; identifying issues with the Services and planning improvements to or creating new Services; and notifying you of changes to any of our Services.
- Surveys: engaging with you for the purposes of obtaining your views on our Services.
- Communications: communicating with you via any means (including via email or social media) regarding information in which you may be interested, subject to ensuring that such communications are provided to you in compliance with applicable law; maintaining and updating your contact information where appropriate.
- Marketing to Customers: We may market to current and prospective customers and their employees who have indicated an interest in doing business with, or have previously conducted business with, amagical.net in order to further generate and promote our business. Such efforts include sending marketing emails to drive the use of services offered by amagical.net.
- IT Administration: administration of amagical.net information technology systems; network and device administration; network and device security; implementing data security and information systems policies; compliance audits in relation to internal policies; identification and mitigation of fraudulent activity; and compliance with legal requirements.
- Security: electronic security measures (including monitoring of login records and access details) to help mitigate the risk of and provide the ability to identify and rectify a security incident.
- Financial Management: general business and financial management purposes, including: economic, financial and administrative management; planning and reporting; personnel development; sales; accounting; finance; corporate audit; and compliance with legal requirements.
- Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.
- Legal Proceedings: establishing, exercising and defending legal rights.
- Legal Compliance: Subject to applicable law, we reserve the right to release information concerning any user of Services when we have grounds to believe that the user is in violation of our Terms and Conditions or other published guidelines or has engaged in (or we have grounds to believe is engaging in) any illegal activity, and to release information in response to court and governmental orders, other requests from government entities, civil subpoenas, discovery requests and otherwise as required by law or regulatory obligations. We also may release information about users when we believe in good faith that such release is in the interest of protecting the rights, property, safety or security of amagical.net, any of our users or the public, or to respond to an emergency.
What Information We Disclose to Third Parties
We may disclose your User Information to: legal and regulatory authorities; our external advisors; parties who Process User Information on our behalf (“Processors”); any party as necessary in connection with legal proceedings; any party as necessary for investigating, detecting or preventing criminal offences; any purchaser of our business; and any third party providers of plugins or content used on the Services.
In addition, we may disclose your User Information to:
- Legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation.
- Third party Processors (such as analytic providers, data centers, etc.), located anywhere in the world.
- Any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defense of legal rights.
Certain functionalities on the Service may permit interactions that you initiate between the Service and certain third party services (“Third Party Features”). Examples of Third Party Features include “liking” or “sharing” content over social media platforms through our Service.
If we engage a third-party Processor to Process your User Information, the Processor will be subject to binding contractual obligations to: only Process the User Information in accordance with our prior written instructions; and use measures to protect the confidentiality and security of the User Information; together with any additional requirements under applicable law.
Security of the Services
We implement appropriate technical and organizational security measures to protect your User Information. Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement reasonable measures to protect your information, we cannot guarantee the security of your data transmitted to us using the internet. Any such transmission is at your own risk and you are responsible for ensuring that any Personal Information that you send to us is sent securely.
amagical.net operates infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle.
Data in Transit
To protect data in transit between your computer and servers, amagical.net uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. File data in transit is always encrypted via SSL/TLS. Several services also now offer more advanced cipher suites that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol. ECDHE allows SSL/TLS clients to provide Perfect Forward Secrecy. This helps prevent the decoding of captured data by unauthorized third parties, even if the secret long-term key itself is compromised.
Data at Rest
Data at rest are encrypted using 256-bit Advanced Encryption Standard (AES). Files are primarily stored on multiple servers in discrete file blocks. Each block is fragmented and encrypted using a strong cipher.
You can connect to Services access points via HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. For services which require additional layers of network security, Virtual Private Network (VPN) technology is deployed.
amagical.net utilizes a wide variety of automated monitoring systems to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts.
The central infrastructure is located inside a secured data center located in Prague, Czech Republic. All servers are locked in a private rack cabinet with limited and monitored physical access. When a storage device has reached the end of its life, amagical.net procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
Data Backup & Archiving
Data backups are stored on amagical.net owned servers located within EU borders (as of May 2018). Backups and snapshots are done on a daily basis. All backups are also encrypted at rest.
We take every reasonable step to ensure that your User Information is only Processed for the minimum period necessary for the purposes set out in this Policy. Unless there is a specific legal requirement for us to keep the information, we plan to retain it for no longer than is necessary to fulfill a legitimate business need.
Controlling User Information
You may decline to share certain information with us, in which case we may not be able to provide some of the features and functionality of the Services. These rights include, in accordance with applicable law, the right to object to or request the restriction of processing of your information, and to request access to, rectification, erasure and portability of your own information. Where we process your information on the basis of your consent, you have the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Information in reliance upon any other available legal bases). If you are an EU resident and have any unresolved privacy concern that we have not addressed satisfactorily after contacting us, you have the right to contact the appropriate EU Supervisory Authority and lodge a complaint.
Data Processing Amendment
In order to comply with obligations laid out by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), the Contracting Parties (the Orderer in the position of the personal data administrator and the Supplier in the position of the personal data processor) have agreed on the following obligations for Personal Data Processing in the framework of performances according to the Agreement.
For the purposes of this article, in accordance with Art 4(7) of the GDPR, the Orderer shall be designated as the “Controller”, and in accordance with Art 4(8) of the GDPR, the Supplier shall be designated as the “Processor”.
The purpose of processing according to the Agreement is processing all personal data of third parties (Data Subjects) handed over by the Orderer to the Supplier directly or indirectly (by maintaining for the Orderer or its authorised persons into the Software) (“Personal Data”), and performance of the Controller’s obligations towards Interested Parties.
The Processor processes Personal Data based on the Controller’s instructions, especially by automatic processes in the framework of functions of the Software or possibly manually (e.g. in the framework of direct modifications or repairs of the Software at the Controller’s explicit request), in such a way that the Software could be correctly used including all its functions (the “Nature of Processing”).
The subject of processing is Personal Data in the scope handed over by the Controller (esp. identification data, photographs, other data ordinarily stated in one’s curriculum vitae, etc.).
The subject of processing is not sensitive Personal Data (except for cases when the Data Subject himself hands over such Personal Data).
The scope of Personal Data Processing is limited by the framework of mutual performance according to the Agreement (automatically in the framework of Software functions or according to the Controller’s instructions and the consent of Data Subjects).
Obligations and declarations of the Controller
The Controller declares and confirms that it obtained all Personal Data in accordance with generally binding laws, mainly in accordance with the GDPR, and for their processing (in the required scope, for the required purposes and for the essential period), a justifiable reason exists (consent, agreement, etc.);
The Controller declares that it is aware of the fact that the Processor takes over Personal Data in the condition in which it receives it from the Controller, and that it has no option in any way of assessing their content, accuracy of the method or the right to obtain them, and therefore undertakes to hand over to the Processor only accurate Personal Data corresponding only to the determined purpose, and in a scope necessary for fulfillment of the given purpose, not to associate Personal Data, which would be gained for varying purposes or maintain Personal Data at the Processor or in the Software for a longer time than that necessary for the purpose of its processing.
Obligations and declarations of the Processor
The Processor undertakes to process Personal Data handed over to it by the Controller on behalf of the Controller and in accordance with applicable laws, the Agreement or the Controller’s instructions issued in accordance with applicable laws. If the Processor shall not be able for whatever reason to ensure compliance with obligations determined by the GDPR or by other applicable laws, the Agreement or the Controller’s instructions, it undertakes to inform the Controller of this without undue delay, which in such case is entitled to suspend the handover of data;
The Processor upholds conditions for engaging another processor; the Controller generally authorizes the engagement as Subprocessors of any other third parties (information about Subprocessors is available at this page and may be updated from time to time);
Controller may object to any new Subprocessor by terminating the applicable Agreement immediately upon written notice, on condition that Controller provides such notice within 3 months of being informed of the engagement of the Subprocessor. This termination right is Controller’s sole and exclusive remedy if Controller objects to any new Subprocessor.
The Processor takes into account the nature of Personal Data Processing;
The Processor shall assist the Controller through appropriate technical and organizational measures according to the Art. 32 of the GDPR;
The Processor shall provide co-operation at the Controller’s appeal for performing the Controller’s obligations based on requests for exercising the rights of Data Subjects;
The Processor shall assist the Controller and provide it with co-operation upon ensuring compliance with obligations according to Articles 32 to 36 GDPR, while taking into account the Nature of Processing and information, which the Processor has available;
In accordance with the Controller’s decision, the Processor either erases all Personal Data or returns it to the Controller upon termination of the provision of services affiliated with processing, and erases existing copies if laws of the European Union or Member State do not require maintenance of the given Personal Data;
The Processor provides to the Controller all information necessary to prove the fact that all obligations determined by this article have been fulfilled, and it enables audits, including inspections performed by the Controller or other auditor whom the Controller has mandated, and contributes to these audits.
The Processor informs the Controller without undue delay in case that in its opinion, a certain instruction breaches this regulation or other regulations of the European Union or Member State concerning data protection;
- The Processor further takes into account its obligations determined by the GDPR, according to which it is obliged, inter alia,
- to process only accurate Personal Data corresponding only to the determined purpose and in the scope necessary for fulfillment of this determined purpose,
- not to associate Personal Data obtained for varying purposes or
- it is authorized to maintain Personal Data handed over by the Controller only for a period necessary to fulfill the purpose of their processing.
Upon fulfilment of its aforementioned obligations however, it is dependent on fulfillment of the same obligations by the Controller, and is responsible for breach of its obligations in relation to Data Subjects in the scope stated hereunder;
During Personal Data Processing, the Processor is obliged to see to it that Data Subjects do not have their rights infringed upon, especially the right to preserve human dignity, but it is further obliged to care for protection from unauthorized interference into the private and personal life of Data Subjects;
The Processor further declares that prior to Personal Data Processing, it adopted the stated appropriate organizational measures and stated technical security measures. Personal Data Processing shall be performed by the Processor’s authorized persons in the Processor’s areas (or automatically by the Software in Data Centres located in EU Member States), all in automated form by means of computer technology, or by mechanical means in paper form;
The Processor further declares that all its employees and other possible representatives who elaborate Personal Data or come into contact with Personal Data at the Processor of their obligations (lasting even after termination of employment or completion of relevant works), have committed to maintain confidentiality over Personal Data, and of security measures whose disclosure could threaten the security of Personal Data;
In the framework of Personal Data Processing according to the Agreement, the Processor may not make data accessible in any manner to other persons for any processing (with the exception of persons stated in the previous paragraph), and is especially not entitled to hand over Personal Data to other persons, make it accessible, disclose or otherwise disseminate if not mandated to do so in writing by the Controller. This obligation does not apply further to relevant state authorities or other entities according to special laws, if such special laws do so determine;
The Processor is obliged to enable, based on written justification of the Controller’s request, examination of activities affiliated with processing data according to the Agreement. Control shall be performed by the Controller in a reasonable manner in the presence of the Processor’s representative;
The Processor declares that it knows of no barrier preventing fulfillment of the Controller’s instructions according to the Agreement or fulfillment of obligations determined by applicable laws;
The Processor also undertakes to notify the Controller without undue delay of all cases of obtaining random or unauthorized access to Personal Data handed over by the Controller;
The Processor undertakes to hand over the results of Personal Data Processing back to the Controller in accordance with the Agreement and according to its instructions, in a manner corresponding to the purpose of processing;
- The Controller undertakes to pay the Processor all costs and remuneration (hourly rate according to the Price Offer if not stated otherwise) relating to its aforementioned cooperation or activities essential mainly based on requests of Data Subjects (issue of records, etc.), state authorities (control, etc.), in the framework of audits, etc.
Guarantees of the Processor on security of Personal Data Protection
- Based on the GDPR, the Processor is obliged to take such measures that prevent unauthorized or random access to Personal Data, their change, destruction or loss, unauthorized transmissions, other unauthorized data processing, or any other abuse of Personal Data. This obligation applies even after termination of Personal Data Processing based on the Agreement. The Processor declares that in the framework of Personal Data Processing according to the Agreement, it has adopted measures according to Art. 32 of the GDPR, i.e. especially the following technical and organizational measures:
- Areas, in which Personal Data shall be processed shall be mechanically and electronically secured by alarm;
- Access rights to the automated system of Personal Data Processing shall only be made available to the Processor’s employees, or persons in similar position towards the Processor (further statutory bodies or partners), who shall be trained in handling Personal Data and shall directly handle Personal Data. Employees (and other stated persons) shall only have access to Personal Data corresponding to the authorisation of such persons. The Processor ensures an anti-virus protection system of equipment used for processing data, and furthermore a secure data backup system.
- The Processor shall maintain all of the aforementioned measures throughout the duration of the Agreement.
Pursuant to Art. 82(2) of the GDPR, the Processor is liable for the damage caused by Personal Data Processing only in case that it failed to fulfill obligations determined by the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller. In other cases, the Controller is liable towards Data Subjects for damage caused by processing which breaches the GDPR. If the Processor finds that the Controller is in violation of responsibilities prescribed by law, it is required to immediately notify the Controller of this and terminate Personal Data Processing.
- Personal Data shall be processed over the duration of the Agreement or over the duration of the provided license, if this period is longer. To the date of termination of the Agreement, the Processor is obliged to return to the Controller all processed Personal Data.
Third Party Subprocessors
If you have an Agreement, the Subprocessors are as follows:
| Entity Name | Entity Role | Corporate Location |
| --- | --- | --- |
| Google LLC | G Suite Service Provider | United States |
| Plausible Insights OÜ | Web analytics tool | Estonia |