Privacy Policy — MagicBlocks

1. Introduction & Scope

This Privacy Notice describes how MagicBlocks, Inc. (“MagicBlocks,” “we,” “us,” or “our”) accesses, collects, stores, uses, and shares (collectively, “processes”) personal information in connection with our Autonomous Relationship Sales Platform and related products, features, websites, APIs, and tools (the “Services”). It should be read alongside our Terms and Conditions and our Acceptable Use Policy, which together with this Notice form the full agreement governing your use of the Services. It applies when you:

Visit our website at https://magicblocks.ai, or any other website of ours that links to this Privacy Notice;
Sign up for or use the Services as a customer (an “Account Holder”) or as an authorized user of an Account Holder;
Interact with an AI agent powered by MagicBlocks that has been deployed by one of our customers — by chat, email, SMS, voice/telephony, or social messaging;
Engage with us through sales, marketing, support, or events; or
Otherwise contact us about our Services.

Two roles, one notice. MagicBlocks plays two different privacy roles, and this Notice explains both:

As a controller, we make decisions about how we process first-party data — for example, information about visitors to our website, prospects we engage with directly, applicants for jobs, and our paying customers and their authorized users.
As a processor, we handle end-user data on behalf of our customers (each, a “Customer”). When a Customer deploys a MagicBlocks AI agent to engage their leads and customers, the Customer decides why and how that end-user data is processed. We process it on their instructions, governed by our Terms and Conditions and, where applicable, a Data Processing Addendum.

If you are an end user interacting with a MagicBlocks-powered agent deployed by one of our Customers, the Customer’s own privacy notice governs that relationship and is the primary source for your privacy rights. This Notice describes what we do as the Customer’s processor. To exercise rights against the Customer-controller, you should contact the Customer directly.

Sub-processors. Our current list of sub-processors — the third parties we engage to help deliver the Services, including AI Service Providers, cloud infrastructure, payment, and telephony — is published and kept current at https://trust.magicblocks.ai. We commit to advance notice of new sub-processors, as described in Section 6.1.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].

2. Summary of Key Points

This summary captures the headline points. Each one links conceptually to a fuller section below.

What we do. MagicBlocks operates an AI-powered relationship sales platform. Our AI agents engage, qualify, and nurture leads on behalf of our Customers across web chat, email, SMS and direct messages, and voice / telephony.

What personal information do we process? Depending on how you interact with us, we process identifiers (names, emails, phone numbers), account and billing data, communication content (chat, email, SMS, DMs), voice and call data (recordings and transcripts), AI conversation inputs and outputs, inferences derived from interactions (such as lead qualification scores), and technical and device data. See Section 3.

Do we process sensitive personal information? No. We do not knowingly collect or use special-category or sensitive personal information (such as racial or ethnic origin, religion, sexual orientation, precise health data, government identifiers, or biometric data). See Sections 3.6 and 12.

Do we use your information to train AI models? No — your personal information is not used to train AI Service Providers’ models. We maintain contractual commitments with Anthropic, OpenAI, Google Cloud AI, Microsoft Azure AI, and Amazon Web Services (AWS) AI that your information is not used to train their foundation models. We may use aggregated and de-identified telemetry to maintain and improve our own Services. See Section 8.3.

Who do we share information with? With sub-processors (AI Service Providers, cloud infrastructure, payment, telephony, analytics, and support) that help us deliver the Services. A current list is available at https://trust.magicblocks.ai. See Section 6.

Do we make automated decisions about people? Our AI agents perform lead qualification, scoring, and routing on behalf of our Customers. In some regulated industries (mortgage, finance, insurance), those outputs may inform decisions that significantly affect an end user. You have the right to request human review of any solely-automated decision that produces legal or similarly significant effects. See Section 11.

How long do we keep your information? We retain personal information only for as long as needed for the purposes set out in this Notice. On account termination, we offer a 30-day export window followed by a 60-day deletion timeline. See Section 13.

What rights do you have? Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to our processing of your personal information, and to opt out of certain practices. You also have the right not to be subject to a solely-automated decision with legal or similar effect without a human review path. See Section 16.

How do you exercise your rights? Submit a data request through our trust centre at https://magicblocks.eu.trust.site/your-data. If you interacted with an AI agent deployed by one of our Customers, you should contact that Customer first — they are the controller of your data. See Section 16.8.

How do you reach us for other questions? Email [email protected], call (401) 206-0436, or write to MagicBlocks, Inc., 188 Valley St, Suite 225, Providence, RI 02909, USA. See Section 20.

3. Information We Collect

3.1 Personal Information You Disclose to Us

In Short: We collect personal information that you voluntarily provide to us.

We collect personal information that you voluntarily provide when you register for the Services, request information about us or our products, participate in activities on the Services, communicate with our team, or otherwise contact us. The categories include:

Identifiers — name, email address, phone number, username, mailing or billing address
Account credentials — passwords, multi-factor authentication tokens, API keys
Contact preferences — preferred channels, language, time zone, and marketing preferences
Billing and payment data — billing contact, billing address, payment instrument data (collected and stored by our payment processor; see below)
Authentication data — information used to verify your identity (for example, when you contact support or request a data export)
Social media login data — limited profile information from third-party identity providers if you choose to sign up using one (see Section 9)

Payment data. We use Stripe to process payments. Payment instrument numbers and security codes are handled and stored by Stripe, not by MagicBlocks. You can review Stripe’s privacy notice at https://stripe.com/privacy.

No sensitive personal information. We do not knowingly collect sensitive personal information from you in connection with your account (see Section 12).

You agree that all personal information you provide must be true, complete, and accurate, and that you will notify us of any changes.

3.2 Information Automatically Collected

In Short: Some information — like your IP address, browser characteristics, and device data — is collected automatically when you use our Services.

When you visit, use, or navigate our Services, we and our service providers automatically collect technical, diagnostic, and usage information. This generally does not on its own reveal your identity, but may be associated with it when combined with other data. Categories include:

Log and usage data — server logs, IP address, timestamps, pages and features viewed, searches and actions taken, error reports and crash data
Device data — device type, operating system, browser type and version, screen resolution, language, mobile carrier, system configuration
Approximate location data — country, region, and city derived from your IP address; we do not collect precise GPS location from the website
Cookies and similar technologies — see Section 7

We use this information primarily to maintain the security and performance of our Services, to detect and prevent fraud and abuse, and for internal analytics, reporting, and product improvement.

3.3 Voice and Call Data

In Short: When our AI agents handle calls on behalf of our Customers, we process call recordings, transcripts, and call metadata.

The Services include AI-powered voice and telephony capabilities. When a Customer enables voice features and an end user calls (or is called by) a MagicBlocks-powered agent, we may process:

Call recordings — audio of the call, where the Customer has chosen to record calls and applicable disclosure / consent obligations have been satisfied. Recording disclosure (including in two-party consent states such as California, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) is the Customer’s responsibility, with tooling and prompts we make available.
Transcripts — speech-to-text transcriptions of the call audio used by the AI agent to understand and respond to the conversation.
Call metadata — caller and called phone numbers, time and duration of the call, channel, telephony provider, and basic disposition.

We do not currently generate or store voiceprints (biometric voice templates used for speaker identification or voice authentication). If we introduce voiceprint or other biometric voice processing in the future, we will provide notice and obtain consent where required by applicable law, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and similar laws.

AI-generated voice disclosure. Some AI agents speak using synthetic (“AI-generated”) voices. Following the FCC’s February 2024 ruling that AI-generated voice calls qualify as artificial or prerecorded under the TCPA, our Customers are responsible for satisfying any applicable AI voice disclosure requirements. We provide configurable disclosure prompts; the Customer is responsible for activating them and ensuring they meet the law applicable to their use case.

3.4 AI Conversation Content

In Short: When you interact with a MagicBlocks-powered AI agent, the content of that conversation — your inputs and the agent’s outputs — is processed by our Services and by our AI Service Providers.

When you engage with a MagicBlocks-powered AI agent in any channel (web chat, email, SMS, WhatsApp, social DMs, voice), we process:

Inputs — the text, speech, files, or images you send to the AI agent
Outputs — the text or speech the AI agent generates in response
Channel metadata — the channel, thread / conversation ID, sender and recipient identifiers, and timestamps
Operational signals — tool calls, retrievals from a Customer’s knowledge base, handoff or escalation events

This content is used to deliver the agent’s functionality, to maintain the Services, to detect and prevent abuse, and — in aggregated and de-identified form — to improve our own systems. It is not used to train the foundation models of our AI Service Providers (see Section 8.3).

3.5 Inferences and Lead Qualification

In Short: Our AI agents derive inferences and qualification signals from interactions — for example, intent, urgency, fit, and lead score.

In the course of an interaction, our Services generate inferences and structured data points that summarize, score, or characterize the conversation, the lead, or the engagement. Examples include:

Lead qualification scores and bands (e.g., “high intent”)
Topic and intent classifications
Sentiment and engagement signals
Routing recommendations and next-best-action suggestions
Summaries of conversations for the Customer’s records

Inferences are processed for our Customers and used by them to route, prioritize, and personalize follow-up. They are not used to infer protected characteristics such as race, ethnicity, religion, or political opinion.

3.6 Information We Do Not Collect

We do not knowingly collect, request, or use the following categories of sensitive personal information for any commercial purpose:

Racial or ethnic origin
Religious or philosophical beliefs
Political opinions or trade union membership
Sexual orientation or sex life
Precise geolocation (we do not collect GPS-level location)
Health information protected under HIPAA
Genetic or biometric data (including voiceprints, fingerprints, retina scans, or comparable biometric identifiers)
Government identifiers such as Social Security number, driver’s license number, or passport number
Children’s data — we do not knowingly collect data from minors (see Section 15)
Financial account numbers (other than payment instrument data handled by Stripe)
Information about criminal convictions or proceedings

If a user inadvertently includes one of these categories in an AI conversation (for example, by volunteering health information to an AI agent), we treat it as conversation content under Section 3.4 and do not use it to infer protected characteristics or build sensitive profiles.

3.7 Google API Services

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4. How We Process Your Information

In Short: We process your information to deliver and improve the Services, to engage end users on behalf of our Customers, to keep the Services secure, to communicate with you, to comply with law, and — where required — with your consent.

We process personal information for the following purposes:

To provide and operate the Services — including account creation and authentication, configuration, delivery of AI agent interactions across channels, telephony and messaging, billing, and customer support.
To deliver Services to end users on behalf of our Customers — when MagicBlocks acts as a processor, we process end-user data on our Customer’s documented instructions to deliver the AI agent experience the Customer has configured.
To respond to inquiries and provide support — both to our Customers and to end users who contact us through a Customer’s agent.
To send administrative communications — service updates, security notices, changes to terms, and other operational messages.
To maintain and improve our own systems — including testing, quality assurance, performance monitoring, debugging, and improving the accuracy and safety of our AI Services. This does not include training the foundation models of our AI Service Providers (see Section 8.3).
To secure the Services — fraud, abuse, and security monitoring; rate limiting; bot detection; investigation of suspected violations of our terms.
To deliver marketing and promotional communications — with your consent where required, and subject to your preferences. You can unsubscribe at any time.
To perform lead qualification and AI-driven analyses — as configured by our Customers. Because these analyses can inform significant decisions in regulated industries, see Section 11 on automated decision-making.
To comply with legal obligations and respond to lawful requests — including responding to subpoenas, court orders, regulatory inquiries, and other legally required disclosures.
To protect vital interests — for example, where processing is necessary to prevent harm to a person.
For other purposes with your consent — where we process your information for purposes not described above, we will obtain your consent in advance where required by law.

5. Legal Bases for Processing

In Short: We process personal information only where we have a valid legal basis under applicable law.

The legal bases on which we rely depend on where you are located.

We rely on one or more of the following bases under the EU GDPR, UK GDPR, and the Swiss Federal Act on Data Protection (FADP):

Consent (Art. 6(1)(a)) — where you have given consent to a specific purpose. You may withdraw consent at any time.
Performance of a contract (Art. 6(1)(b)) — where processing is necessary to deliver the Services to you or take steps prior to entering into a contract.
Legitimate interests (Art. 6(1)(f)) — for purposes such as Services security, fraud prevention, network and information security, product improvement, and direct marketing to existing customers — balanced against your interests and rights.
Legal obligation (Art. 6(1)(c)) — where processing is required by law, including tax, accounting, and law enforcement cooperation.
Vital interests (Art. 6(1)(d)) — to protect the vital interests of you or another person, such as preventing harm.

For special-category data (which we generally do not process), we rely on Art. 9 bases such as explicit consent where applicable.

5.2 Canada (PIPEDA and Provincial Laws, including Quebec Law 25)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws including Quebec’s Law 25, we rely on express consent (and, where appropriate, implied consent) to process personal information. You can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

In limited cases, applicable Canadian law permits us to process personal information without consent — for example, for investigations and fraud detection, to comply with subpoenas or court orders, in connection with certain business transactions, or where collection is clearly in the individual’s interest and consent cannot be obtained in a timely way.

For Quebec residents, we conduct privacy impact assessments where required and have a designated Privacy Officer (see Section 20).

5.3 Australia and New Zealand

In Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988, including APP 3 (collection of solicited personal information) and APP 5 (notification). We collect personal information only by lawful and fair means and for a primary purpose related to our functions or activities.

In New Zealand, we comply with the Information Privacy Principles under the Privacy Act 2020.

5.4 Singapore

In Singapore, we rely on consent (express or deemed) under the Personal Data Protection Act (PDPA), along with the permitted exceptions where applicable. We have regard to the PDPC’s guidance on agentic AI, including the Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems and the January 2026 agentic AI framework, both of which we treat as voluntary best practice.

5.5 United States

In the United States, our legal bases reflect the requirements of applicable state privacy laws and federal sectoral laws. We process personal information to provide the Services, to comply with law, with consent where required, and for our legitimate business interests as permitted by law. State-specific consumer rights are described in Section 16.

In Short: We share personal information with sub-processors that help us deliver the Services, on Customer instruction, and in limited other circumstances described below.

6.1 Service Providers and Sub-Processors

We engage trusted third parties — “sub-processors” — to help us operate, deliver, and improve the Services. These sub-processors fall into the following categories:

AI Service Providers — foundation model and AI infrastructure providers (see Section 6.2)
Cloud infrastructure — hosting, compute, storage, content delivery
Telephony and messaging providers — to originate and terminate calls and SMS / messaging traffic
Payment processors — for billing (Stripe)
Analytics and product telemetry — to understand how the Services are used
Customer support tooling — to operate our help desk and incident response
Security and fraud prevention — to protect the Services

Each sub-processor is bound by contractual obligations consistent with this Privacy Notice, our customer agreements, and applicable law (including, where relevant, the Standard Contractual Clauses and the UK International Data Transfer Addendum).

Current list and change notice. We maintain a current list of our sub-processors — with names, categories, and processing locations — at https://trust.magicblocks.ai. We commit to providing advance notice (typically at least 30 days, or as set out in the applicable customer agreement or DPA) before adding or replacing a sub-processor. Customers may object to a new sub-processor for reasonable, documented privacy or security grounds, with the consequences set out in their agreement.

6.2 AI Service Providers

Our AI agents are powered by a combination of our own technology and third-party AI Service Providers, currently including:

Anthropic (Claude models)
OpenAI (GPT family)
Google Cloud AI (Gemini and related services)
Microsoft Azure AI (Azure OpenAI and related services)
Amazon Web Services (AWS) AI (Bedrock and related services)

When you interact with a MagicBlocks AI agent, the content of your interaction (inputs and outputs) and necessary metadata may be transmitted to one or more of these AI Service Providers to generate the agent’s response.

Training-data commitment. We have contractual commitments with each AI Service Provider that your information is not used to train their foundation models. We rely on the enterprise / API tiers of these providers, which contractually exclude customer data from model training. The current list and processing region of each AI Service Provider is published at https://trust.magicblocks.ai.

6.3 Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, financing, acquisition, reorganization, or sale of all or a portion of our business or assets. We will give notice and, where required by law, an opportunity to object before your information becomes subject to a different privacy notice.

6.4 Legal Disclosures and Safety

We may disclose personal information where we believe in good faith that disclosure is necessary to:

Comply with a legal obligation, subpoena, warrant, court order, or other lawful request from public authorities, including for national security or law enforcement requirements;
Enforce our Terms and Conditions, including investigation of potential violations;
Detect, prevent, or otherwise address fraud, security, or technical issues;
Protect against harm to the rights, property, or safety of MagicBlocks, our users, our Customers, or the public.

When we act as a processor for a Customer, we share information with third parties only on the Customer’s documented instructions — for example, to deliver messages to the channels the Customer has configured, to pass leads to the Customer’s CRM, or to integrate with other tools the Customer has connected.

6.6 Other Users and Public Areas

Where the Services include public-facing areas (for example, public content posted in a community or shared link), information you choose to make public may be visible to other users. Use those features with care.

7. Cookies and Tracking Technologies

In Short: We use cookies and similar technologies on our websites for essential functions, analytics, and (where applicable) advertising.

We and our service providers may use cookies, web beacons, pixels, and similar tracking technologies on our marketing websites (collectively, “cookies”) to gather information when you interact with our Services. Some of these technologies help us maintain security, prevent crashes, fix bugs, save your preferences, and operate basic site functions. Others support analytics and (where applicable) advertising.

To the extent any use of these technologies is treated as a “sale” or “sharing” (which can include targeted advertising under some US state laws), you can opt out as described in Section 16.

Where we publish a separate cookie notice, additional details about specific cookies and how to control them will be available there; otherwise, you can manage cookies through your browser settings and any cookie controls we surface in the website footer.

Google Analytics. We may share information with Google Analytics to analyze use of our website. You can opt out of Google Analytics by visiting https://tools.google.com/dlpage/gaoptout. For more on Google’s privacy practices, see the Google Privacy & Terms page.

8. AI Products and Personal Information

In Short: Our Services are AI-powered. We are transparent about what’s processed, what’s not, and the contractual commitments we maintain with our AI Service Providers — including that your information is not used to train their models.

8.1 Nature of MagicBlocks’ AI

MagicBlocks’ core Services use a combination of our own AI technology and third-party AI Service Providers. AI is probabilistic — outputs vary, can be wrong, and should not be relied on as the sole basis for decisions with legal or similarly significant effects without appropriate human oversight (see Section 11).

8.2 What Data Is Processed by AI

When you interact with a MagicBlocks AI agent, the following data flows through our Services and (selectively, as needed for response generation) our AI Service Providers:

Inputs — what you say or write to the agent
Outputs — what the agent says or writes back to you
Context — relevant context the agent needs to respond, such as conversation history within the session, retrieval results from the Customer’s knowledge base, and (where applicable) Customer-provided system instructions
Operational metadata — channel, timestamps, conversation identifiers, and similar information

We do not transmit unrelated personal information to AI Service Providers — only what is necessary for the response.

8.3 Training-Data Commitment

Your personal information is not used to train AI Service Provider foundation models. We maintain contractual commitments with Anthropic, OpenAI, Google Cloud AI, Microsoft Azure AI, and AWS AI to that effect, relying on the enterprise / API offerings of each provider that contractually exclude customer data from training.

We may use aggregated and de-identified telemetry — for example, anonymized counts of successful tool calls, latency distributions, or category-level error rates — to maintain and improve our own Services. This telemetry does not identify any individual.

If our AI Service Providers’ offerings change such that we can no longer support this commitment in its current form, we will update this Privacy Notice and our Customer agreements, and provide reasonable advance notice through the channels described in Section 19.

8.4 Customer Disclosure Obligation

Our Customers are responsible for informing their end users that they are interacting with AI. We provide tools and configurable disclosure prompts to help — including for jurisdictions with specific AI-interaction disclosure laws (such as California SB 243, the Colorado AI Act, the EU AI Act Article 50, and Australia’s Privacy Act 2024 reforms). We do not guarantee that any specific Customer deployment satisfies every applicable law; that responsibility rests with the Customer. Detailed AI disclosure obligations and prohibited uses of the Services — including channel-specific communications compliance requirements for SMS, voice, email, and third-party messaging platforms — are set out in our Acceptable Use Policy.

8.5 AI Accuracy

AI Outputs are probabilistic and may be inaccurate, incomplete, or contextually inappropriate. Customers are responsible for reviewing and supervising AI interactions, particularly where the output may influence a decision affecting an individual. Additional disclaimers and customer responsibilities are set out in our Terms and Conditions.

8.6 Opt-Out and Human Review

Where required by applicable law, end users have the right to opt out of, or request human review of, AI-driven processing that produces legal or similarly significant effects. Because we act as a processor in those cases, the opt-out path generally runs through the Customer. If you cannot reach the Customer or believe they have not acted on your request, submit a request through our trust centre at https://magicblocks.eu.trust.site/your-data and we will route the request appropriately or, where we have a direct controller relationship with you, act on it ourselves. See Section 11 for more on automated decision-making.

In Short: If you register or sign in to our Services using a third-party social media account, we receive limited profile information from that provider.

Our Services may offer the option to register or log in using third-party social media or identity provider accounts (for example, Google, Microsoft, Facebook, or X). If you choose to do so, we will receive profile information from that provider — typically name, email address, profile photo, and other information you choose to make available.

We use that information only for the purposes described in this Privacy Notice (such as creating and operating your account) or as made clear at the time. We do not control, and are not responsible for, other uses of your personal information by the third-party provider. Review the provider’s privacy notice and privacy settings to manage that relationship.

10. Cross-Border Data Transfers

In Short: We’re a US company. Data we process may be transferred to, stored in, and processed in the United States and other jurisdictions where our sub-processors operate. We use lawful transfer mechanisms where required.

10.1 Where Data Is Stored

MagicBlocks is headquartered in the United States, and our primary processing infrastructure is hosted in US regions of Amazon Web Services and other major cloud providers. For Customers requiring regional residency, certain sub-processors offer EU, UK, or Australia / Asia-Pacific regions; available options are described in our Customer agreements and at https://trust.magicblocks.ai.

10.2 EU / UK / Swiss Transfers to the United States

When we transfer personal data from the EEA, the United Kingdom, or Switzerland to the United States or to another country that does not provide an essentially equivalent level of protection, we rely on appropriate safeguards, including:

EU Standard Contractual Clauses (SCCs) — Module 2 (controller-to-processor) or Module 3 (processor-to-processor), as appropriate;
UK International Data Transfer Addendum (IDTA) or the UK’s IDT Addendum to the EU SCCs;
Swiss-equivalent SCCs and supplementary measures for transfers from Switzerland.

MagicBlocks does not currently self-certify under the EU-US Data Privacy Framework. Where a sub-processor self-certifies under the DPF, that may serve as an additional safeguard for the onward transfer to that sub-processor, but our primary EU/UK/Swiss transfer mechanism is the SCCs (and the IDTA for UK transfers).

We conduct transfer impact assessments for higher-risk transfers and implement supplementary technical, contractual, and organizational measures as appropriate (such as encryption in transit and at rest, access controls, and Customer-controlled retention settings).

10.3 Transfers from Australia

For Australian personal information, we comply with APP 8 (cross-border disclosure of personal information). Where a sub-processor is outside Australia, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, including through contractual obligations.

10.4 Other Transfers

For transfers from other jurisdictions, we rely on the mechanisms permitted under local law, which may include consent, adequacy decisions, contractual safeguards, or derogations for specific situations.

11. Automated Decision-Making and Profiling

In Short: Our AI agents perform lead qualification, scoring, and routing. Where those outputs could significantly affect you, you have the right to a human review path.

11.1 What We Do

In delivering the Services for our Customers, our AI systems may:

Qualify or score a lead (for example, “high intent,” “not a fit,” “needs follow-up”)
Classify a conversation by topic, intent, urgency, or sentiment
Route a conversation or lead to a particular human team, queue, or workflow
Recommend a next best action or response

These are processor activities performed on the Customer’s instructions and configurations.

11.2 Significance

Many of these outputs are operational and do not produce legal or similarly significant effects on an individual. However, in some regulated industries that our Customers serve — including mortgage, finance, and insurance — an AI agent’s qualification or routing output may feed into a decision (made by the Customer) that does significantly affect the end user, such as eligibility for further evaluation for credit or insurance.

11.3 Your Rights

A range of laws — including the GDPR / UK GDPR (Art. 22), the Swiss FADP, California’s CPPA ADMT regulations, the Colorado AI Act, and Australia’s Privacy Act reforms on automated decision-making — provide rights in relation to solely-automated decisions that produce legal or similarly significant effects. We will support those rights as and where required by applicable law.

11.4 Human Review

If you believe an automated decision has significantly affected you and you are entitled to human review under applicable law:

If you are an end user of a Customer’s deployment, contact the Customer (the controller) first. They are in the best position to provide human review of any decision that significantly affects you.
If you cannot reach the Customer, submit your request through our trust centre at https://magicblocks.eu.trust.site/your-data and we will route it appropriately.

12. Sensitive Personal Information

In Short: We do not knowingly process sensitive personal information.

12.1 General Position

We do not knowingly collect, request, or use sensitive personal information as defined under the GDPR Art. 9 (“special category data”), the CCPA / CPRA (sensitive PI), the Australian Privacy Act 1988 (sensitive information), or comparable laws. The categories we do not process are listed in Section 3.6.

12.2 AI Conversation Content May Inadvertently Capture Sensitive Information

End users sometimes volunteer sensitive information to an AI agent (for example, mentioning health, family circumstances, or religious affiliation in the course of a sales conversation). We do not solicit that information and do not use it to infer protected characteristics or build sensitive profiles. Where a Customer’s use case warrants additional handling (for example, redaction), we offer configurable controls.

12.3 Biometric Data (Including Voiceprints)

We do not currently generate or store voiceprints or other biometric identifiers. If we introduce biometric voice or other biometric processing in the future, we will provide notice and obtain consent where required by applicable law, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and similar laws.

13. Data Retention

In Short: We keep personal information only for as long as we need it. On account termination, we offer a 30-day export window followed by a 60-day deletion timeline, with specific carve-outs for certain data categories.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

Data Category	Retention
Active Customer account data	For the life of the account, plus the retention window below on termination
Post-termination Customer data	30-day export window, followed by 60-day deletion timeline, with written certification on request
End-user conversation transcripts	Retained with the account; deleted on the 60-day post-termination timeline (sooner on Customer instruction)
Call recordings	Retained per the Customer’s documented retention setting. Where the Customer has not specified a retention period, recordings are retained for a period appropriate to the purposes for which they were collected and the Customer’s operational needs, and are subject to deletion (or shorter retention) where law requires
Marketing and prospect data (we as controller)	Until you opt out, unsubscribe, or request deletion; then retained only as needed for suppression / compliance
Logs and operational telemetry	Retained for a period appropriate to security, debugging, and analytics purposes
Aggregated / de-identified data	May be retained for analytics, benchmarking, and improvement; not re-associated with identifiable individuals
Backups	Backups follow our rolling backup cycle; data in backups is isolated from further active processing and is overwritten on the cycle

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or — where deletion is not immediately possible (for example, because it is stored in backup archives) — we will securely store your information and isolate it from further processing until deletion is possible.

These retention practices are aligned with our Terms and Conditions §17 (Termination).

14. Information Security

In Short: We use reasonable technical and organizational measures to protect personal information.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of the personal information we process. These include access controls and least-privilege principles, encryption in transit and (for data at rest) where applicable, network segmentation, audit logging, sub-processor diligence, employee security training, and an incident response process.

No electronic transmission over the internet and no information storage system can be guaranteed to be 100% secure. Despite our safeguards, we cannot promise or guarantee that unauthorized third parties will not defeat our security and improperly collect, access, steal, or modify your information. Transmission of personal information to and from our Services is at your own risk.

If we become aware of a personal data breach affecting you, we will notify the affected Customer (where we are processor) or you directly (where we are controller) in accordance with applicable law and any agreement in place.

15. Children’s Privacy

In Short: Our Services are not directed to children. We do not knowingly collect personal information from minors.

The Services are intended for users who are at least 18 years old (or the age of majority in the user’s jurisdiction). In the EEA and the UK, we do not knowingly process the personal data of a child under 16 without parental authorization (consistent with GDPR Art. 8 and equivalent UK provisions; lower age thresholds set by Member State law may apply). Under US federal law (COPPA), we do not knowingly collect personal information from children under 13 for our own purposes.

We do not target our Services to children and we do not knowingly collect children’s personal information. By using the Services, you represent that you meet the applicable minimum age, or that you are the parent or guardian of such a minor consenting on their behalf where the law permits.

If we learn that we have collected personal information from a minor below the applicable age, we will promptly deactivate the account and delete the information, except where retention is required for legal compliance. If you believe we may have collected information about a minor, contact us at [email protected].

16. Your Privacy Rights

In Short: Depending on where you live, you have rights to access, correct, delete, port, restrict, or object to our processing — and to opt out of certain practices. Section 16.8 explains how to exercise them.

The rights described below apply primarily to processing for which MagicBlocks is the controller. Where we act as a processor for a Customer, please direct rights requests to that Customer first; we will support them in responding to you.

16.1 EEA, United Kingdom, and Switzerland

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR, UK GDPR, and the Swiss FADP, subject to applicable conditions and exceptions:

Right of access — confirmation that we process your data and a copy of it
Right to rectification — correction of inaccurate or incomplete information
Right to erasure — deletion in certain circumstances (“right to be forgotten”)
Right to restriction — limiting how we process your information
Right to data portability — receipt of your data in a structured, commonly used, machine-readable format
Right to object — including objection to direct marketing at any time, and to processing based on legitimate interests on grounds relating to your particular situation
Right not to be subject to a solely-automated decision with legal or similarly significant effect, with the right to obtain human intervention, express your view, and contest the decision (see Section 11)
Right to withdraw consent at any time where processing is based on consent (without affecting the lawfulness of earlier processing)
Right to lodge a complaint with a supervisory authority — your local data protection authority in the EEA, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC)

EU / UK Representative. We are evaluating the appointment of an EU and / or UK Representative under GDPR Art. 27 / UK GDPR. When appointed, the contact details will be published at https://trust.magicblocks.ai.

16.2 Canada

Under PIPEDA and provincial laws (including Quebec Law 25, Alberta PIPA, and BC PIPA), Canadian residents have rights including:

Access to your personal information
Correction of inaccurate information
Withdrawal of consent (subject to legal or contractual restrictions)
Information about our policies and practices
The right to file a complaint with the Office of the Privacy Commissioner of Canada, or the relevant provincial commissioner

For Quebec residents, additional Law 25 rights apply, including data portability and the right to information about automated decision-making. We conduct privacy impact assessments (PIAs) where required.

16.3 California (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the CPRA:

Right to know / access — categories and specific pieces of personal information we have collected; categories of sources, purposes, and categories of third parties with whom we share it
Right to delete personal information we have collected from you, subject to exceptions
Right to correct inaccurate personal information
Right to opt out of “sale” or “sharing” (including cross-context behavioral advertising)
Right to limit use and disclosure of sensitive personal information (where applicable)
Right to data portability — receipt of personal information you previously provided
Right to non-discrimination for exercising your rights
Authorized agent — you may designate an authorized agent to make requests on your behalf, with proof of authorization
Right to appeal a denial of a request

Categories of personal information. The categories we have collected in the past twelve (12) months are as follows (illustrative examples, not exhaustive):

Category	Examples	Collected
A. Identifiers	Real name, alias, address, phone, IP, email, account name	YES
B. California Customer Records categories	Name, contact details, financial details (billing)	YES
C. Protected classification characteristics	Race, religion, sexual orientation, etc.	NO
D. Commercial information	Transaction history, purchase history	YES
E. Biometric information	—	NO
F. Internet or other electronic network activity	Browsing on our sites, interactions with the Services	YES
G. Geolocation data	Approximate (IP-derived) location	YES
H. Audio, electronic, sensory information	Call recordings, transcripts, chat messages	YES
I. Professional or employment-related information	Job title and employer for business contacts	YES
J. Education information	Student records	NO
K. Inferences	Lead qualification scores, intent classifications	YES
L. Sensitive personal information	—	NO

Sale / Sharing. We do not sell personal information for monetary consideration. To the extent any use of online tracking technologies constitutes “sharing” for cross-context behavioral advertising on our marketing websites, you may opt out via the cookie banner (where available) or through our trust centre at https://magicblocks.eu.trust.site/your-data.

“Shine the Light” (Cal. Civ. Code § 1798.83). California residents may request, once per year and free of charge, information about categories of personal information (if any) we have disclosed to third parties for direct marketing purposes during the preceding calendar year. To request this, submit a request through our trust centre at https://magicblocks.eu.trust.site/your-data.

Financial incentives. We do not currently offer a financial incentive program for the retention, sale, or sharing of personal information.

Automated decision-making. California’s CPPA has issued regulations on automated decision-making technology (ADMT). To the extent those regulations apply to our processing, we will support the rights they provide as required by law.

16.4 Other US States

Residents of the following US states have privacy rights under their state laws (effective dates and specific rights vary):

Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.

Across these laws, you generally have:

Right to confirm whether we process your personal information
Right to access a copy of your personal information
Right to correct inaccuracies
Right to delete personal information
Right to data portability for information you provided
Right to opt out of targeted advertising, sale of personal information, and certain profiling that produces legal or similarly significant effects
Right to appeal if we deny your request
Right to non-discrimination for exercising your rights

State-specific points to note:

Universal Opt-Out Mechanisms. Several states (including Colorado, Connecticut, New Jersey, and Oregon) require recognition of universal opt-out signals. We will implement recognition of such signals as and where required by applicable law. In the meantime, residents of these states may opt out through our trust centre at https://magicblocks.eu.trust.site/your-data.
Maryland (MODPA). Maryland’s law applies strict data minimization and prohibits the sale of sensitive personal data. We do not sell sensitive personal data.
Texas (TDPSA), Tennessee (TIPA), and others with notice obligations — this Notice and our DSAR process are intended to meet those requirements.
Categories of personal information by class — we will provide a list of the categories of third parties to whom we have disclosed personal data on request where state law requires (e.g., California, Delaware, Maryland, Minnesota, Oregon).

To exercise rights, see Section 16.8.

16.5 Australia

If you are in Australia, you have rights under the Privacy Act 1988 and the Australian Privacy Principles (APPs):

APP 12 — Access to personal information we hold about you
APP 13 — Correction of inaccurate or out-of-date information
The right to make a complaint to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au

Privacy Act reforms. Australia’s Privacy Act reforms include new transparency obligations for automated decision-making (ADM) that significantly affects an individual, with effect from December 10, 2026, and a new statutory tort for serious invasions of privacy (subject to implementation timing). We support our Customers’ ADM transparency obligations and have updated this Notice to provide ADM information (see Section 11).

16.6 New Zealand

If you are in New Zealand, you have rights under the Privacy Act 2020, including the right to access and correct personal information we hold about you, and to make a complaint to the Office of the Privacy Commissioner at https://www.privacy.org.nz.

16.7 Singapore

If you are in Singapore, you have rights under the Personal Data Protection Act (PDPA), including the right to access and correct personal data, and to withdraw consent for our processing (subject to legal and contractual restrictions). You may file a complaint with the Personal Data Protection Commission (PDPC) at https://www.pdpc.gov.sg.

16.8 How to Exercise Your Rights

Start with the right party. If you interacted with an AI agent deployed by one of our customers, please direct your request to that customer first — they are the controller of your data and we act as a processor on their behalf.

To submit a request to MagicBlocks (where you have a direct relationship with us, or where the Customer is unable to assist), use our trust centre at https://magicblocks.eu.trust.site/your-data. The trust centre handles identity verification and routes your request to the right team. If you cannot use the trust centre, you can email us at [email protected] as a fallback.

Verification. To protect your privacy, we will verify your identity before responding to a request involving personal information.

Authorized agents. Where applicable law permits, you may designate an authorized agent to make a request on your behalf, subject to proof of authorization.

Timing. We will respond within the timeframe required by applicable law.

Appeals. If we decline a request, you may appeal by replying to our response. You may also file a complaint with your applicable regulator or attorney general.

No discrimination. We will not discriminate against you for exercising privacy rights provided under applicable law.

17. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems and applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. No uniform technology standard for recognizing and implementing DNT signals has been finalized. Accordingly, we do not currently respond to DNT browser signals.

California law requires us to let you know how we respond to web browser DNT signals. Because there is no industry or legal standard for DNT signals, we do not respond to them at this time.

18. Multi-Tenant, Agency, and White-Label Deployments

In Short: MagicBlocks supports agency and white-label deployments. In those setups, the agency is our Customer and is the controller for its sub-customers’ end-user data. Workspaces are segregated.

MagicBlocks supports multi-tenant deployments, including agency / reseller arrangements and white-label deployments. In these models:

The agency or reseller is MagicBlocks’ direct Customer. The agency in turn provides Services to its own clients (each a “sub-customer”).
Each sub-customer’s data is held in a segregated workspace. Access controls and tenancy isolation are designed to prevent cross-tenant exposure.
For end-user data processed in a sub-customer’s workspace, the agency (or sub-customer, as agreed between them) is the controller, and MagicBlocks is the processor. The agency’s own privacy notice — or the sub-customer’s — governs the end-user relationship.
The agency is responsible for flowing down applicable privacy and AI-disclosure obligations to its sub-customers. White-label deployments must still comply with the AI-interaction disclosure obligations described in Section 8.4, and the broader obligations set out in our Acceptable Use Policy (including the agency flow-down requirements in the Agency and White-Label Use section of that Policy), regardless of the brand under which the agent is presented.
This Privacy Notice is not a substitute for the agency’s or sub-customer’s own privacy notice provided to end users.

19. Updates to This Notice

In Short: We may update this Privacy Notice. Material changes will be communicated in advance.

We may update this Privacy Notice from time to time. The updated version will be indicated by the “Last updated” date at the top of this Notice. If we make material changes, we will provide a prominent notice — by posting an update banner, sending an email or in-product notification to account holders, or other reasonable means — and, where required by law, we will obtain renewed consent. We encourage you to review this Privacy Notice periodically.

Versioned copies of this Privacy Notice are maintained for reference. Customers can request a prior version by contacting [email protected].

20. How to Contact Us

If you have questions or concerns about this Privacy Notice or our privacy practices, you can reach our Data Protection Officer:

MagicBlocks, Inc. Attn: Data Protection Officer 188 Valley St, Suite 225 Providence, RI 02909 United States

Email: [email protected] Phone: (401) 206-0436 Trust Center: https://trust.magicblocks.ai Website: https://magicblocks.ai

EU / UK Representative. We are evaluating appointment of an EU Representative under GDPR Art. 27 and a UK Representative under UK GDPR. When appointed, the contact details will be published at https://trust.magicblocks.ai.

Quebec Privacy Officer. Inquiries from Quebec residents can be directed to the same email and address above, attention: Privacy Officer.

21. How to Review, Update, or Delete Your Data

You have rights to access, update, or delete the personal information we hold about you, as described in Section 16. To exercise those rights:

Use our trust centre at https://magicblocks.eu.trust.site/your-data — this is the fastest path. The trust centre handles identity verification and routes your request to the right team.
Log in to your MagicBlocks account (if you have one) and use the in-product privacy controls to view or update your information.
If you are an end user of a Customer’s deployment, contact the Customer first. The Customer is the controller. If you cannot reach the Customer or believe they have not acted on your request, submit your request through our trust centre and we will route it appropriately.
Email fallback. If you cannot use the trust centre, email [email protected].
Verification. We will verify your identity before responding (see Section 16.8).
Response. We will respond within the timeframe required by applicable law.

Upon termination of your account, we will deactivate or delete your account in accordance with the retention timelines in Section 13. We may retain limited information where required to prevent fraud, troubleshoot problems, assist with investigations, enforce our Terms and Conditions, or comply with applicable law.

22. Definitions

Where used in this Privacy Notice, the following terms have the meanings below:

AI Service Providers — Third-party providers of foundation models or AI infrastructure that we use to deliver the Services, currently including Anthropic, OpenAI, Google Cloud AI, Microsoft Azure AI, and Amazon Web Services (AWS) AI.
Controller — The entity that determines the purposes and means of processing personal information (the “business” under CCPA, the “APP entity” under the Australian Privacy Act).
Customer — A person or entity that has entered into an agreement with MagicBlocks to use the Services (also referred to in some places as an “Account Holder” or “Client”).
End user — An individual who interacts with a MagicBlocks-powered AI agent deployed by a Customer (for example, a lead or customer of the Customer).
Personal information — Any data or information that can be used to identify a natural person, as defined by applicable law (including “personal data” under the GDPR, “personal information” under the CCPA, and “personal information” under the Australian Privacy Act).
Processor — The entity that processes personal information on behalf of a controller, on the controller’s documented instructions (the “service provider” under CCPA where applicable).
Services — MagicBlocks’ Autonomous Relationship Sales Platform and related products, features, websites, APIs, and tools.
Sub-processor — A third party engaged by MagicBlocks to process personal information in connection with the Services, on our behalf and on the Customer’s instructions where applicable. Current list at https://trust.magicblocks.ai.

↓ Download raw Markdown (privacy-policy-v2-2026-05-12.md)