Magic Labs, Inc. ("Magic," "we" and "us") takes your privacy seriously. Please read this Privacy Policy (the "Privacy Policy") to learn how we treat Your Data when you access and use our website located at https://magic.link/ and all other websites and mobile applications operated by Magic from which you are accessing this Privacy Policy (the "Website"), and our products, services and applications (together with our Website, the "Services") that are made available to you through our Website and other platforms. However, please note that this Privacy Policy does not apply to the information we collect in any employment context, which is set forth in a separate privacy notice.

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use Your Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

• Email: privacy@magic.link
• Phone: +1 (707) 653-5739
• Online Form: Data Subject Request Form
• Mail: 3739 Balboa St #1088, San Francisco, CA 94121-2605

By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you agree with us collecting, using disclosing and retaining your information as described in this Privacy Policy. If you do not agree to any of its terms, you may not access or use the Services.

Remember that your use of Magic's Services is at all times subject to our Terms of Service. In addition, if you are a developer, your access to and use of our API and/or SDK is governed by the Developer API & SDK License Agreement. Any terms we use in this Privacy Policy without defining them have the definitions given to them in the Terms of Service.

I. What this Privacy Policy Covers

This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. It also includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules or regulations. We will refer to the Personal Data we obtain about you as "Your Data." We explain the steps we take to keep Your Data secure, your choices regarding our use of this information, and how you how can contact us if you have any questions about our privacy practices.

Our Services may contain links to third-party websites or online services ("External Sites"). We have no control over the privacy practices or the content of any such External Sites. As such, we are not responsible for their content, use or privacy practices. We strongly suggest that you review the applicable privacy policies and terms of service when visiting any External Sites.

Please be advised that your use of our payment processing partner Stripe, Inc. ("Stripe") is subject to the terms and conditions, as well as the privacy policy, of Stripe. By using the Stripe services, you accept its terms of service and its privacy policy, which can be found here: https://stripe.com/privacy.

II. Personal Data We Collect and Share

The following chart details the categories of Personal Data that we may collect and have collected over the past 12 months.

Category of Personal Data	Examples of Personal Data Collected
Profile or Contact Data	· Email address · Phone number · IP address · Device ID · Public wallet address · Products (e.g., NFTs) purchased · Blockchain transaction history · Information you provide to us when you contact us or respond to our surveys or questionnaires · Social login information (e.g. your Facebook or Google login) Please note: This includes all information that our customers have configured their Social Login with. This means that our customers can request their end-users to share email, phone numbers, account names, etc., and if their end-users agree on sharing the information that our customers requested, that information will also be collected on Magic’s side.
Billing Data	· Credit/debit card number · Billing address · Card expiration date · Security code
Financial Data	· Information such as your Virtual Currency or wallet account balances and other associated information
Device/IP Data	· IP address · Device identifiers · Type of device, operating system, or web browser used to access the Services
Geolocation Data	· IP-address-based location information

III. Sources of Personal Data

1. Information you provide to us

We collect information you provide to us when you use the Services or otherwise communicate with us, for example:

• When you provide such information directly to us.
• When you create an account or use our interactive tools and Services.
• When you voluntarily provide information in free-form text boxes through the Services or through responses to surveys or questionnaires.
• When you send us an email or otherwise contact us.

2. Information we collect automatically

Like most online services, we automatically receive standard technical information when you connect with the Services. We collect this information as follows:

• Through Cookies (as further explained in Section V. 3 (“Tracking Technologies”) below).
• If you use the software we make available to you, we may receive and collect information transmitted from your computing device for the purpose of providing you the relevant Services, such as information regarding when you are logged on, information about the device from which you are logged in, and the network used to connect to the Services (such as IP address).

3. Information obtained from third-party analytics services

We use third-party analytics services (such as Google Analytics and X) to evaluate your use of the Services, compile reports on activity, collect demographic data, analyze performance metrics, and collect and evaluate other information relating to the Services and mobile and internet usage. These third parties use Cookies and other technologies (such as pixels) to help analyze and provide us the data. By accessing and using the Services, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Policy. The information used by such analytics services is generally at the aggregate level. To the extent any such information is at the individual level or is used for secondary marketing purposes, you may opt-out of such collection or use by clicking the “Do Not Sell or Share My Personal Information” hyperlink at the footer of our Website.

If you would like to opt-out from the use of your information by Google Analytics, you may use Google Analytics’ opt-out browser add-on designed for this purpose. For more information on Google Analytics, please visit https://www.google.com/analytics.

4. Information obtained through inferences

Inferences are assumptions or extrapolations that have been drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

5. Information obtained from other sources

We may obtain information about you from other sources, including through third-party services, marketplaces, business partners and organizations. For example, if you access our Services through a third-party application, such as an app store or a social networking site, we may collect information about you from that third-party application that you have made available via your privacy settings in order to provide our Services.

IV. Why we Collect, Use and Share Your Data

1. Business Purposes

We may use the information we collect about you for our business purposes, including but not limited to:

• Creating and managing your account or other user profiles, including to connect a cryptocurrency wallet and authenticate your user credentials. Please note that we may also associate your personal information with other accounts you may already have with us to better provide the Services and personalize the Services.
• Providing you with the Services or information you request.
• Meeting or fulfilling the reason you provided the information to us.
• Providing support and assistance for the Services.
• Improving the Services, including testing, research, internal analytics and product development.
• Personalizing the Services, Website content and communications based on your preferences.
• Evaluating and providing fraud and automated bot protection.
• Improving site security, preventing and detecting security incidents and facilitating debugging.
• Developing new Services.
• Identifying Service usage trends.

2. Corresponding with You

We want to be able to correspond with you, which includes:

• Responding to correspondence that we receive from you.
• Providing you with support, responding to your inquiries, and soliciting feedback.
• Contacting you when necessary or requested.
• Sending you information about Magic or the Services.

3. Cooperation with Service Providers and Other Related Companies

We may engage other companies and individuals to perform certain business-related functions for which we engage them. These other companies will have access to Your Data as necessary to perform their functions and to the extent permitted by law. We may also share Your Data with any of our parent companies, affiliates, subsidiaries, or other related companies such as a third party entity formed to develop and promote the blockchain based protocol currently under development by Magic.

The above-mentioned parties help us provide the Services or perform business functions on our behalf. They include:

• Hosting, technology and communication providers.

• Security and fraud prevention consultants and vendors.

• Support and customer service vendors.

• Payment processors, like our payment processing partner Stripe, Inc.

• Analytics and Digital Advertising Partners. These parties provide data analytics and digital advertising services to us. They include:

  • Companies that track how users found or were referred to the Services.
  • Companies that track how users interact with the Services.
  • Companies that help identify user experience issues or service impacts.

4. Marketing

We want to send you emails and other communications according to you preferences or that display content that we think will interest you. This means, as permitted by applicable law, we may use Your Data for marketing purposes, such as informing you about our products and services that could be useful, relevant, valuable, or otherwise of interest to you.

Where required under applicable law, we will obtain your prior opt-in consent to send you electronic marketing communications. For information on how to opt-out of such electronic marketing communications, please see Section V.2 (“Marketing Communications”) below.

We may collect information about your online activities on our Services to provide you with advertising about products and services tailored to your individual interests. We also may obtain information for this purpose from External Sites on which our advertisements are served.

You may see certain advertisements on External Sites because we work with advertising partners (including advertising networks) to engage in remarketing and retargeting activities. Our advertising partners allow us to target our messaging to users through demographic, interest-based and contextual means. These partners track your online activities over time and across websites and online services, including our Services, by collecting information through automated means, including through the use of Cookies and other tracking technologies. They use this information to show you advertisements that may be tailored to your individual interests. The information our advertising partners may collect includes data about your visits to External Sites that participate in the relevant advertising networks, such as the pages or advertisements you view and the actions you take on the External Sites. This data collection takes place both on our Services, including our Websites and online services, and on External Sites that participate in the advertisement networks. This process also helps us track the effectiveness of our marketing efforts. For example, we utilize certain of our advertising partners’ targeted advertising services to show you our advertisements on External Sites based on your prior visits to our Website and Services and other online activity.

Provided that a company participates in industry-developed programs designed to provide consumers choices about whether to receive targeted advertising, you may opt out of interest-based advertising generally through the Network Advertising Initiative website or by visiting http://www.aboutads.info/choices/ (web-based advertising) or http://www.aboutads.info/appchoices (for mobile advertising). To learn more, please visit the websites operated by the Network Advertising Initiative and Digital Advertising Alliance at www.networkadvertising.org/choices. Opting-out does not mean that you will stop receiving advertisements from us. It means that you still stop receiving advertisements from us that have been targeted to you based on your visits and browsing activity across websites and online services over time.

Please note that we do not disclose Your Data to third parties for such third parties' direct marketing purposes.

5. Developers

If you are an end user of our Services and are accessing our Services through a third-party mobile application or online service, we may disclose Your Data to the developers of such mobile application or online service that integrates our Services so that you may complete your transaction on such mobile application or online service.

6. Blockchain Purposes

Notwithstanding anything to the contrary in this Privacy Policy, Your Data may be disclosed to third parties, made publicly visible and/or appear as part of any applicable blockchain network when you engage in Virtual Currency sales, activities and/or transactions through the Services. The foregoing disclosure may be made for purposes related to facilitating those activities and/or transactions. To the fullest extent allowed by law: (i) you assume all risk related to your Virtual Currency activities and/or transactions; and (ii) we will not be liable to you for any losses or liabilities related to the foregoing use and disclosures.

7. Meeting Legal Requirements and Enforcing Legal Terms

To the extent permitted by law, we may also disclose Your Data for the following purposes:

• Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities, and responding to a subpoena, regulation, binding order of a data protection agency, legal process, governmental request or other legal or regulatory process.
• Protecting the rights, property or safety of you, Magic or another party.
• Enforcing any agreements with you.
• Responding to claims that any posting or other content violates third-party rights.
• Resolving disputes.
• Pursuing available remedies or limit damages we may sustain.
• As needed to support external auditing, compliance and corporate governance functions.

8. Aggregated Information

In an ongoing effort to better understand users of our Services, we might analyze Your Data in aggregate, de-identified or anonymized form in order to operate, maintain, manage, and improve the Services or generate insights. This information can no longer identify you personally. We may share this data with our affiliates, agents, and business partners, and may share and sell it to other unaffiliated third parties. We may also disclose aggregated user statistics in order to describe our Services to current and prospective business partners and to other third parties for other lawful purposes.

9. Business Transfers

As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, divestiture, consolidation, in the unlikely event of bankruptcy or similar event, Your Data may be part of the transferred assets.

10. Otherwise With Your Consent

We may also disclose Your Data to fulfill any purpose for which you provide it or for any other purpose disclosed by us when you provide the information.

We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing you notice and, where required under applicable law, obtaining your consent.

V. Accessing and Modifying Information and Communication Preferences

1. Your Account

If you have registered for the Services, you may access, review, delete and make changes to the information you submitted by following the instructions on our Data Subject Request Form. You may also access, remove, review, and/or make changes to the same by contacting us at privacy@magic.link.

2. Marketing Communications

You may manage your receipt of marketing and non-transactional communications by clicking on the "Unsubscribe" link located on the bottom of any Magic marketing e-mail. We will use commercially reasonable efforts to process such requests in a timely manner.

3. Tracking Technologies

Cookies

The Services use cookies and similar technologies such as image loading, browser local storage, cookies, and JavaScript (collectively, "Cookies") to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data-- usually text files -- placed on your computer, tablet, phone or similar device when you use that device to access our Services. We use the following types of Cookies:

• Strictly Necessary Cookies. These Cookies are necessary for the Services to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these Cookies, but some parts of the Services will not then work. These Cookies do not store any Personal Data.
• Targeting Cookies.These Cookies may be set through our Services by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on External Sites. These Cookies collect information uniquely identifying your browser and internet device. If you do not allow these Cookies, you will experience less targeted advertising.
• Performance Cookies.These Cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Services. They help us to know which pages are the most and least popular and see how visitors move around the Services. All information these Cookies collect is aggregated and therefore anonymous. If you do not allow these Cookies we will not know when you have visited our Services, and will not be able to monitor its performance.

You can decide whether or not to accept Cookies through your internet browser's settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our Website and some of the Services and functionalities may not work.

To explore what Cookie settings are available to you, look in the "preferences" or "options" section of your browser's menu. To find out more information about Cookies, including information about how to manage and delete Cookies, visit https://www.allaboutcookies.org or https://ico.org.uk/for-the-public/online/cookies if you are located ⁠in the United Kingdom, or https://european-union.europa.eu/cookies_en ⁠if you are located in the European Union.

You may also manage your Cookie preferences by clicking the “Do Not Sell or Share My Personal Information” hyperlink at the footer of our Website.

Web Beacons and Pixels

A pixel is an HTML code snippet embedded in a website or email that collects information about user behaviors and interactions with the website or email.

We may utilize pixels both on certain aspects of the Services and in HTML-formatted email messages to you. Pixels may be used for the purpose of, among other things, measuring the success of our marketing campaigns, compiling statistics about Service usage and tracking the activities of users of the Services and email recipients. For instance, we may use pixels on the Services to enable us to create targeted advertisements and measure the effectiveness of our advertisements. For additional information on interest-based advertising, please see Section IV.4 (“Marketing”).

4. Do Not Track

As discussed above, third parties such as advertising networks and analytics providers may collect information about your online activities over time and across different websites when you access or use the Services. Currently, various browsers offer a "Do Not Track" option, but there is no standard for commercial websites. At this time, we do not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser "Do Not Track" settings and/or signals.

VI. Data Security and Retention

We seek to protect Your Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect Your Data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.

We retain Your Data for as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases we retain Your Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally. For additional information about our data retention policy please contact us at privacy@magic.link.

VII. Personal Data of Children

As noted in the Terms of Use, we do not knowingly collect or solicit Personal Data about children under 16 years of age; if you are a child under the age of 16, please do not attempt to register for or otherwise use the Services or send us any Personal Data. If we learn that we have collected Personal Data from a child under 16 years of age, we will promptly take steps to delete such information and terminate the child's account. If you believe that a child under 16 years of age may have provided Personal Data to us, contact us at privacy@magic.link.

VIII. Notice to California Residents

If you are a resident of California, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (the "CCPA"). For more information about your rights under the CCPA, please visit our CCPA Privacy Notice to California Residents in Addendum I below.

IX. Notice to Texas Residents

The categories of Your Data we process set forth in Section II (“Personal Data We Collect and Share”) above. The purposes for processing Your Data are set forth in Section IV (“Why We Collect, Use and Share Your Data”). We disclose Your Data with the third parties as set forth in Section IV (“Why We Collect, Use and Share Your Data”).

As a Texas resident, you have the rights to:

• Confirm whether or not we are processing Your Data and access such data;
• Correct inaccuracies in Your Data, taking into account the nature of the Personal Data and the purposes of the processing of Your Data;
• Delete Your Data;
• Obtain a copy of Your Data we process, in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance, where the processing is carried out by automated means; and
• Opt out of the processing of Your Data for purposes of:
• • Targeted advertising;
  • The sale of Your Data; or
  • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. Please note that we do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

You may exercise these rights by contacting us at:

• Email: privacy@magic.link
• Phone: +1 (707) 653-5739
• Online Form: Data Subject Request Form
• Mail: 3739 Balboa St #1088, San Francisco, CA 94121-2605

The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data; and
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We reserve the right to verify your identity in connection with any requests regarding Personal Data to help ensure that we provide the information we maintain to the individuals to whom it pertains and allow only those individuals to exercise rights with respect to that information. We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you.

In the event we deny your request, you may appeal our denial by contacting us in the same manner by which you submitted your request.

We process Your Data for the purposes of targeted advertising, and under Texas law, our processing may qualify as a “sale”. We share the information set forth in Section V.3 (“Tracking Technologies”) with our third-party website analytics and digital advertising service providers. To opt-out of such sharing of information with our third-party website analytics and digital advertising service providers, please click on the “Do Not Sell or Share My Personal Information” hyperlink at the footer of our Website.

If you are an authorized agent making a request to opt-out on behalf of a consumer, we may require and request that you provide us with written permission signed by the consumer to verify that you are authorized to make such request.

X. Notice to Nevada Residents

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties. You can exercise this right by contacting us at privacy@magic.link with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note, however, that we do not sell Personal Data as defined under Nevada law.

XI. Important Notice to Non-U.S. Residents

The Services are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us may be transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.

If you are a resident of the European Union ("EU"), United Kingdom, Lichtenstein, Norway, Iceland, or Switzerland, you may have additional rights under the data privacy laws of such countries (collectively, “European Data Protection Laws”) with respect to your Personal Data. For more information about your rights under European Data Protection Laws, please visit our Privacy Notice to European Residents in Addendum II below.

XII. Changes to this Privacy Policy

We may need to change this Privacy Policy from time to time. We will indicate at the top of the Privacy Policy when it was last updated. Please note that if you have opted not to receive legal notice emails from us (or you have not provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. The use of information we collect is subject to the Privacy Policy in effect at the time such information is collected.

XIII. Contact Information

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use Your Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

• Email: privacy@magic.link
• Phone: +1 (707) 653-5739
• Online Form: Data Subject Request Form
• Mail: 3739 Balboa St #1088, San Francisco, CA 94121-2605

---

Addendum I - CCPA Privacy Notice to California Residents

Last Update: October 1, 2024

If you are a California resident, you have the rights set forth in this CCPA Privacy Notice to California Residents (the "CCPA Notice"). Please see the "Exercising Your Rights" section below for instructions regarding how to exercise these rights. Please note that we may process Personal Data of our customers' end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Data as a service provider, you should contact the entity that collected your Personal Data in the first instance to address your rights with respect to such data.

If there are any conflicts between this CCPA Notice and any other provision of this Privacy Policy and you are a California resident, the provision that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this CCPA Notice or whether any of the following rights apply to you, please contact us at privacy@magic.link.

1. Information We Collect

• Categories of Personal Data: Within the twelve (12) months preceding the latest update of the CCPA Notice, we have collected or otherwise obtained the following categories of Personal Data from or about consumers, their households or devices, which are further described in Section II (“Personal Data We Collect and Share”) of the Privacy Policy.

  • Identifiers
  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
  • Commercial information
  • Internet or other electronic network activity information
  • Geolocation data
  • Sensitive Personal Data, i.e., account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

• Categories of Sources: We collect the categories of Personal Data above from the categories of sources listed in Section III (“Sources of Personal Data”) of our Privacy Policy.

• Purposes of Disclosure of Personal Data: Each of the categories of Personal Data above are disclosed for the business or commercial purposes laid out in Section IV (“Why We Collect, Use and Share Your Data”) of our Privacy Policy.

• Categories of Third Party Recipients: We disclose each of the categories of Personal Data above with the categories of third parties listed in Section IV (“Why We Collect, Use and Share Your Data”) of our Privacy Policy.

• Categories of Personal Data Sold or Shared: The following categories of Personal Data were sold or shared in the twelve (12) months prior to the effective date of this CCPA Notice:

  • Identifiers
  • Internet or other electronic network activity information
  • Geolocation data.

• Categories of Third Parties to whom Personal Data is Sold or Shared: The categories of Personal Data sold and shared listed above are sold to or shared with our third-party website analytics and digital advertising service providers.

• Purposes for Selling or Sharing:We may sell or share Personal Data to:

  • Provide you with the Services;
  • Improve and personalize the Services;
  • Evaluate your use of the Services, compile reports on activity, collect demographic data, analyze performance metrics;
  • Evaluate and provide fraud and automated bot protection;
  • Improve site security, prevent and detect security incidents and facilitate debugging;
  • Develop new Services;
  • Identify Service usage trends;
  • Inform you about our products and services that could be useful, relevant, valuable, or otherwise of interest to you;
  • Provide you with advertising about products and services tailored to your individual interests;
  • Determine the effectiveness of our promotional campaigns;
  • Fulfill our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities, and responding to a subpoena, regulation, binding order of a data protection agency, legal process, governmental request or other legal or regulatory process.
  • Protect the rights, property or safety of you, Magic or another party.
  • Enforce any agreements with you.
  • Respond to claims that any posting or other content violates third-party rights.
  • Resolve disputes.
  • Pursue available remedies or limit damages we may sustain.
  • As needed to support external auditing, compliance and corporate governance functions.

• Retention of Personal Data:We retain Personal Data for as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally. For additional information about our data retention policy please contact us at privacy@magic.link.

2. Your Rights and Choices

The CCPA provides consumers with specific rights regarding their Personal Data. This section describes these rights and explains how to exercise them.

a. Right to Know About Personal Data

You have the right to request that we disclose certain information to you about our collection, disclosure, sale, sharing and use of your Personal Data. Once we receive and verify your request, we will disclose to you the following (to the extent applicable to your request):

• The specific pieces of Personal Data we collected about you;
• The categories of Personal Data that we have collected about you;
• The categories of Personal Data that we disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose;
• The categories of Personal Data that we have sold or shared about you and the categories of third parties to whom the Personal Data was sold or shared, by category or categories of Personal Data for each third party to whom the Personal Data was sold or shared;
• The categories of sources from which we have collected this Personal Data; and
• The commercial or business reason(s) for having collected, used, disclosed, sold or shared that Personal Data.

You may exercise this right up to two times in any 12-month period.

b. Right to Request Deletion

You have the right to request deletion of your Personal Data. We will honor such request, but might not be able to fulfill your request if we (or our service providers) are required to retain your Personal Data. Examples of such exceptions are:

• Completing a transaction or performing a contract we have with you;
• Helping to ensure security and integrity to the extent the use of the Personal Data is reasonably necessary and proportionate for those purposes;
• Debugging to identify and repair errors that impair existing intended functionality; or
• Complying with applicable law or a legal obligation, or to exercise rights under the law (e.g. the right to free speech).

c. Right to Opt-Out of the Sale of Personal Data

You have the right to direct a business that sells or shares Personal Data about you to third parties not to sell or share your Personal Data. We do not sell your Personal Data for monetary consideration. However, we do use Cookies and other tracking technologies for targeted advertising purposes. The collection of data through certain tracking technologies for our targeting advertising purposes may be considered a “sale” and is considered “sharing” under the CCPA. To opt-out of having your information sold and shared with third-party website analytics and digital advertising service providers for this purpose, please click on the “Do Not Sell or Share My Personal Information” hyperlink at the footer of our Website.

We do not have actual knowledge that we sell or share Personal Data about minors under the age of 16.

d. Right to Correct Inaccurate Personal Data

You have the right to request a business that maintains inaccurate Personal Data about you to correct that inaccurate Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of the Personal Data.

e. Right to Limit Use and Disclosure of Sensitive Personal Data

You have the right to direct a business that collects sensitive Personal Data about you to limit its use of your sensitive Personal Data (i) to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; (ii) for certain business purposes; and (iii) as authorized by the implementing regulations of the CCPA. We do not use or disclose your sensitive Personal Data for purposes other than the aforementioned purposes.

f. Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not (i) deny you products or services, (ii) charge you different prices or rates for products or services, including through granting discounts or other benefits, or imposing penalties (except for financial incentives permitted by the CCPA, see below), (iii) provide you a different level or quality of products or services, and (iv) suggest that you may receive a different price or rate for products or services or a different level or quality of products or services.

g. Exercising Your Privacy Rights

To exercise the rights described above, please submit a verifiable consumer request to us by using the following methods:

• Call us at: +1 (707) 653-5739
• Email us at: privacy@magic.link
• Submit a form here: Data Subject Request Form

i) What we need to know to fulfill your request

The verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data related to you. Making a verifiable consumer request does not require you to create an account with us.

Typically, accounts associated with an email address will require verification of the email address, as well as a description of the requested user rights or regulations invoked. Magic also values those who are not covered by specific regulations, and offers to extend a good will effort towards requests originating from other jurisdictions.

ii) How you will hear back from us

We will confirm receipt of a verifiable consumer request within ten (10) business days of its receipt. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of its receipt. If we require more time, we will notify you of the extension and provide an explanation of the reason for the extension in writing, and we will provide you with a response no later than ninety (90) calendar days of receipt of the request. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We may charge a reasonable fee to process or respond to your verifiable consumer requests if they are excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for this decision and provide you with a cost estimate before completing your request.

h. Right to Designate an Authorized Agent

You may designate an authorized agent to make a request on your behalf by providing the agent with signed written permission to do so.

2. Changes to Our CCPA Notice

This CCPA Notice is effective as of the date of the Last Update stated at the top of this CCPA Notice. We may change this CCPA Notice from time to time. By visiting or accessing the Website or the Services, purchasing products or services from us, or otherwise engaging or interacting with us after we make any such changes to this CCPA Notice, you are deemed to have accepted such changes. Please be aware that, to the extent permitted by applicable law, and without prejudice to the foregoing, our use of your Personal Data is governed by the CCPA Notice in current effect. Please refer back to this CCPA Notice on a regular basis.

3. Contact Information

If you have any questions or comments about this CCPA Notice, the ways in which we collect and use your information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

• Email: privacy@magic.link
• Phone: +1 (707) 653-5739
• Online Form: Data Subject Request Form
• Mail: 3739 Balboa St #1088, San Francisco, CA 94121-2605

Addendum II -- Privacy Notice to European Residents

Effective as of: October 1, 2024

If you are a resident of the European Union ("EU"), United Kingdom, Lichtenstein, Norway, Iceland, or Switzerland, you may have additional rights under European Data Protection Laws with respect to your Personal Data, as outlined in this Privacy Notice to European Residents (the "European Addendum").

For this European Addendum, we use the terms "Personal Data" and "processing" as they are defined under European Data Protection Laws, but "Personal Data" generally means any information relating to an identified or identifiable natural person, and "processing" generally refers to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Magic will usually be the controller of your Personal Data processed in connection with the Services. Note that we may also process Personal Data of our customers' end users or employees in connection with our provision of certain services to customers, in which case we may be the processor of Personal Data. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller party in the first instance to address your rights with respect to such data.

Where applicable, this European Addendum is intended to supplement, and not replace, our Privacy Policy. If there are any conflicts between this European Addendum and the other parts of the Privacy Policy, and you are a resident of the EU, United Kingdom, Lichtenstein, Norway, Iceland, or Switzerland, the provision that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at privacy@magic.link.

1. Types of Personal Data we Collect

We currently collect and otherwise process the kinds of Personal Data listed above in Section I ("Personal Data We Collect and Share") of the Privacy Policy.

2. How we Get the Personal Data and why we Have it

We receive the Personal Data in the ways and for the purposes listed above in Section III ("Sources of Personal Data") and Section IV (“Why we Collect, Use and Share Your Data") of the Privacy Policy. We will only process your Personal Data if we have a lawful basis for doing so. Under European Data Protection Laws, the lawful bases we rely on for processing this information are:

a) Your Consent

In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection. You can remove your consent at any time. You can do this by contacting us via email at privacy@magic.link with the subject line "European Data Protection Request." Please note that a withdrawal of consent will not affect processing that has been completed during the time in which the consent was valid.

b) We Have a Contractual Obligation

We process certain categories of Personal Data as a matter of "contractual necessity", meaning that we need to process the data to perform under our agreements with you, including but not limited to our Terms of Use, which enables us to provide you with the Services. When we process data due to contractual necessity, failure to provide such Personal Data will result in your inability to use some or all portions of the Services that require such data. These categories of Personal Data may include:

• Profile or Contact Data
• Billing Data
• Financial Data
• Device/IP Data
• Geolocation Data

c) We Have a Legitimate Interest

We process the following categories of Personal Data when we believe it furthers the legitimate interest of us or third parties, except where such interests are overridden by your interests or fundamental rights and freedoms:

• Profile or Contact Data
• Billing Data
• Financial Data
• Device/IP Data
• Geolocation Data

Our legitimate interests include, but are not limited to:

• Information Security: We process Profile or Contact Data, and the information collected through Cookies and other tracking technologies and when you use the Services in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking usage, combating DDOS or other attacks, and removing or defending against malicious individuals or programs.

• Operation and Improvement of our Services: We process server log information and information collected through Cookies and other tracking technologies pursuant to our legitimate interest in operating and improving our Services.

• Audience Measurement and Retargeting: Pursuant to a user's consent, we use analytics Cookies and other tracking technologies, and collect identifiers through such Cookies and other tracking technologies, for purposes of audience measurement, analytics, audience reaction to the Services, and creating relevant user experiences.

• General Business Development and Management: We process Personal Data pursuant to our legitimate interest, including without limitation:

• • To respond to inquiries from European individuals;

• To provide European individuals with information about our products and services;

• To assist European individuals with any issues while using the Services;

• To improve our Services including testing, research, internal analytics and product development;

• To develop new products and services;

• As needed to support external auditing, compliance and corporate governance functions;

• In connection with a corporate sale, merger, reorganization, sale of assets, dissolution, divestiture, consolidation, in the unlikely event of bankruptcy or similar event, where Personal Data may be part of the transferred assets.

• Direct Marketing: Generally, we send email marketing to European individuals pursuant to their consent. When you use the Services, email marketing may be sent to you pursuant to our legitimate interest in sending marketing communications to you in the context of such engagement.

• Protection of Rights: We may also disclose Personal Data to:

• Protect the rights, property or safety of you, Magic or another party;

• Enforce any agreements with you;

• Resolve disputes;

• Pursue available remedies or limit damages we may sustain;

• Respond to claims of violation of third party rights or to enforce and protect our rights.

d) We Have a Legal Obligation

We may be required to disclose Personal Data to fulfill our legal obligations under applicable law, regulation, court order or other legal process, and in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose Personal Data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

3. How we Share Your Personal Data

Section I ("Personal Data We Collect and Share") and Section IV ("Why we Collect, Use and Share Your Data") of the Privacy Policy explain how we share your Personal Data with third parties.

4. How we Store and Protect Your Personal Data

We use commercially reasonable administrative, technical, and physical safeguards to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction, for which we take into account the nature of the Personal Data, its processing, and the threats posed to it. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us via email at privacy@magic.link.

We retain your Personal Data for as long as needed to fulfill the purposes for which we obtained it, as further described in this Privacy Policy. We will also keep your Personal Data for as long as allowed or required by law.

5. Your Data Protection Rights

You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights, or to submit a request, please email us at privacy@magic.link. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

• Right of access: You can request more information about the Personal Data we process about you and request a copy of such Personal Data. Users of Magic's dashboard can also access certain of your Personal Data by logging on to your account.
• Right to rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. Users of Magic's dashboard can also correct some of this information (for example, email address) directly by logging on to your account.
• Right to erasure: You can request that we erase some or all of your Personal Data from our systems under certain circumstances.
• Right to restriction of processing: You have the right to ask us to restrict the processing of your Personal Data under certain circumstances.
• Right to object to processing: You have the right to object to the processing of your Personal Data, which is based on public interest or our legitimate interests, including the profiling of data. In this case, we will stop processing your data, except for where we have compelling legal grounds for the processing which override your interests, rights and freedoms, or for the exercise or defense of possible legal claims. You also have a right to object to the processing of your personal data for direct marketing purposes. You may object at any time to processing of your Personal Data for direct marketing purposes by clicking "Unsubscribe" within an automated marketing email or by submitting your request to privacy@magic.link with the subject line "European Data Protection Request." In such case, your Personal Data will no longer be used for that purpose.
• Right to data portability: You can ask for a copy of your Personal Data in a structured, commonly used and machine-readable format. You can also request that we transmit the data to another controller where technically feasible without hindrance from us.
• Right to withdraw consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.

6. How to Complain

If you have any concerns about our use of your Personal Data, you can make a complaint to us at privacy@magic.link with the subject line "European Data Protection Request."

You also have the right to lodge a complaint about the processing of your personal data with a supervisory authority of the European state where you work or live or where any alleged infringement of data protection laws occurred. A list of most of the supervisory authorities can be found here.

7. Transfers of Personal Data

The Services are hosted and operated in the United States ("U.S.") through Magic and its service providers, and if you do not reside in the U.S., laws in the U.S. may differ from the laws where you reside. By using the Services, you acknowledge that any Personal Data about you, regardless of whether provided by you or obtained from a third party, is being provided to Magic in the U.S. and will be hosted on U.S. servers, and you authorize Magic to transfer, store and process your information to and in the U.S., and possibly other countries. In these cases, we transfer your Personal Data through the use of appropriate safeguards as required by European Data Protection Laws..

8. Updates to this European Addendum

If, in the future, we intend to process your Personal Data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this European Addendum, and the "Effective Date" at the top of this page will be updated accordingly.

9. Our Contact Information

Please reach out to privacy@magic.link for any questions, complaints, or requests regarding this European Addendum, and include in the subject line "European Data Protection Request."

If you are located in the EU, United Kingdom, Lichtenstein, Norway, Iceland, or Switzerland, you may use the following information to contact our representative:

• Dr. Axel Freiherr von dem Bussche, LL.M. (L.S.E.)

  • Rechtsanwalt Fachanwalt für Informationstechnologierecht
  • Assistant: +49 40 36803-229
  • Direct: +49 40 36803-129
  • Mobile: +49 16 090169-493
  • Email: a.bussche@taylorwessing.com

With:

• Taylor Wessing Partnerschaftsgesellschaft mbB

  • Address: Hanseatic Trade Center, Am Sandtorkai 41, 20457 Hamburg
  • Tel: +49 40 36803-0
  • Fax: +49 40 36803-280
  • Site: https://www.taylorwessing.com/