MagicDay

Privacy Policy

Last updated: March 7, 2026

1. Introduction and Data Controller

This Privacy Policy describes how MagicDay ("we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you use our platform. We are committed to protecting your privacy in accordance with the Brazilian General Data Protection Law (LGPD - Lei 13.709/2018).

As the data controller, MagicDay is responsible for decisions regarding the processing of your personal data. In accordance with ANPD Resolution CD/ANPD No. 2/2022 (simplified treatment for small businesses), we designate the following communication channel for data subjects to exercise their rights:

Communication channel: [email protected] or WhatsApp +55 61 99514-0579

2. Definitions

In accordance with Article 5 of the LGPD, the following terms are used in this policy:

  • "Personal Data" - any information relating to an identified or identifiable natural person.
  • "Sensitive Personal Data" - personal data concerning racial or ethnic origin, religious beliefs, political opinions, trade union or religious, philosophical or political organization membership, health or sex life data, genetic or biometric data.
  • "Data Controller" - the natural or legal person who makes decisions regarding the processing of personal data (MagicDay).
  • "Data Processor" - the natural or legal person who processes personal data on behalf of the controller.
  • "Data Subject" - the natural person to whom the personal data relates (you, the user).
  • "ANPD" - Autoridade Nacional de Proteção de Dados, Brazil's National Data Protection Authority.
  • "Consent" - a free, informed, and unambiguous manifestation by which the data subject agrees to the processing of their personal data for a specific purpose.
  • "Processing" - any operation performed on personal data, including collection, storage, use, sharing, and deletion.

3. Data We Collect

We collect the following categories of personal data:

Account Data

Name, email address, phone number (WhatsApp), and locale/language preference. Collected during the purchase and account creation process.

Payment Data

Payments are processed by Stripe, AbacatePay, and/or Pagar.me. We store the transaction ID, amount, currency, payment method, and payment status. We do NOT store full credit card numbers or bank account details. For payments in Brazil, your CPF (tax ID), phone number, and billing address may be shared with the selected processor to satisfy antifraud, tokenization, and settlement requirements.

Trip Planning Data

Trip dates, duration, number of travelers, and any information you enter into the Platform's planning tools (itinerary entries, checklist progress, packing lists, shopping lists, and optional shopping value estimates).

Technical Data

IP address, browser type and version, device type, operating system, geolocation country (used for payment routing and locale detection), and access timestamps.

Communication Data

Messages exchanged via WhatsApp for support and onboarding purposes, and emails sent to or received from our support channels.

Analytics Data

Page views, click and navigation events, session replay data, and authenticated account usage linked to an internal user ID, all collected through PostHog to understand how the Platform is used and to diagnose issues.

4. Legal Bases for Processing (Art. 7 LGPD)

We process your personal data based on the following legal bases as established by Article 7 of the LGPD:

Contract Execution (Art. 7, V)

Account data, payment processing, service delivery, and trip planning data - necessary to provide the Service you purchased.

Consent (Art. 7, I)

Marketing communications via WhatsApp - only processed with your explicit, freely given consent, which can be revoked at any time.

Legal Obligation (Art. 7, II)

Tax records and fiscal documentation - retained for 5 years as required by Brazilian tax law.

Legitimate Interest (Art. 7, IX)

Security measures, fraud prevention, product analytics, session replay used to diagnose issues, and understanding authenticated usage through an internal user ID.

5. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain the Platform and its features.
  • To process your payment and grant access to the Platform.
  • To send transactional communications (welcome messages, password delivery, password reset links).
  • To provide customer support via email and WhatsApp.
  • To improve the Platform through product analytics and session replay used to understand usage patterns and diagnose issues.
  • To comply with legal and regulatory obligations.
  • To prevent fraud and ensure platform security.

6. Data Sharing and Third-Party Processors

We share your personal data with the following third-party processors, solely for the purposes described below:

Supabase (United States) - Database hosting and user authentication. Data shared: account data, trip planning data. Privacy: https://supabase.com/privacy

Stripe (United States) - Payment processing. Data shared: name, email, payment details. Privacy: https://stripe.com/privacy

AbacatePay (Brazil) - Hosted checkout for payments in Brazil. Data shared: name, email, CPF, payment details. Privacy: https://abacatepay.com/politica-de-privacidade

Pagar.me (Brazil) - Payment processing in Brazil via PIX and credit card. Data shared: name, email, phone number, CPF, billing address, and payment data transmitted for authorization. Privacy: https://pagar.me/privacy-policy/

Twilio (United States) - WhatsApp notifications. Data shared: phone number, message content. Privacy: https://www.twilio.com/legal/privacy

Resend (United States) - Email delivery. Data shared: email address, email content. Privacy: https://resend.com/legal/privacy-policy

PostHog (United States) - Product analytics and session replay. Data shared: usage data, page views, click and navigation events, session replay data, browser and device metadata, and internal user ID for authenticated sessions. Privacy: https://posthog.com/privacy

Vercel (United States) - Website hosting and CDN. Data shared: technical request data (IP, headers). Privacy: https://vercel.com/legal/privacy-policy

We do not sell your personal data to any third party. Data is shared with processors only to the extent necessary for the purposes described above.

7. International Data Transfers (Arts. 33-36 LGPD)

Your personal data may be transferred to and processed in the United States by our third-party processors (Supabase, Stripe, Twilio, Resend, PostHog, and Vercel). These transfers are conducted in compliance with Articles 33-36 of the LGPD and are safeguarded by Standard Contractual Clauses (SCCs) as established by ANPD Resolution CD/ANPD No. 19/2024, as well as the Data Processing Agreements (DPAs) maintained with each processor.

8. Cookies and Tracking Technologies

We use the following categories of cookies and tracking technologies:

Essential Cookies: Supabase authentication session cookies, necessary for the Platform to function. These do not require consent as they are strictly necessary for contract execution.

Analytics Cookies: PostHog cookies are loaded when analytics is enabled on the Platform. They are used for product analytics, session replay, and distinguishing anonymous and authenticated sessions.

We do NOT use advertising, marketing, or third-party tracking cookies.

9. Data Retention Periods

We retain your personal data for the following periods:

  • Account data: Duration of your active account + 6 months after account deletion request.
  • Payment and transaction records: 5 years (required by Brazilian tax law).
  • Trip planning data: Duration of your active account. Deleted upon account deletion request.
  • Analytics data: 24 months, after which it is anonymized.
  • Communication logs (emails, WhatsApp): 5 years (CDC statute of limitations for consumer disputes).
  • Technical logs (IP, access logs): 6 months.

After the applicable retention period, data is securely deleted or irreversibly anonymized.

10. Your Rights (Art. 18 LGPD)

Under Article 18 of the LGPD, you have the following rights regarding your personal data:

  1. Confirmation of the existence of processing of your data.
  2. Access to your personal data.
  3. Correction of incomplete, inaccurate, or outdated data.
  4. Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
  5. Portability of your data to another service or product provider.
  6. Deletion of personal data processed based on your consent.
  7. Information about public and private entities with which we have shared your data.
  8. Information about the possibility of denying consent and the consequences of such denial.
  9. Revocation of consent at any time.
  10. Review of decisions made solely based on automated processing of your data.
  11. Right to oppose processing that does not comply with the LGPD.

To exercise any of these rights, contact us at [email protected] or WhatsApp +55 61 99514-0579. We will respond to your request within 15 (fifteen) days for simplified requests and within 30 (thirty) days for complete requests, in accordance with ANPD guidelines.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • HTTPS encryption for all data in transit.
  • Row-Level Security (RLS) in our database to ensure users can only access their own data.
  • Separation of API keys: server-only keys (Stripe, Supabase service role) are never exposed to client-side code.
  • Secure password hashing via Supabase Auth (bcrypt).
  • Regular security reviews and dependency updates.

12. Children's Privacy

The Platform is not intended for children under 18 years of age, as purchasing the Service requires legal capacity under Brazilian law. In accordance with Article 14 of the LGPD, processing of personal data of children under 16 requires specific and prominent consent from at least one parent or legal guardian. If you believe a minor has provided us with personal data without appropriate consent, please contact us at [email protected] so we can take the necessary measures.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. Changes will be reflected in the "Last updated" date at the top of this page. For material changes, we will notify you via email. We encourage you to review this policy periodically.

14. ANPD Complaint

If you believe that your personal data has been processed in violation of the LGPD, you have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD), Brazil's National Data Protection Authority. You can reach the ANPD through their official website at https://www.gov.br/anpd.

15. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

Email: [email protected]

WhatsApp: +55 61 99514-0579