Data Protection
How Magna Tracks & Stores Data
When you message us via Intercom, we automatically track and store certain standard data fields which are core to our customer service.
How we expire data
To ensure we comply with the EU General Data Protection Regulation (GDPR), we automatically expire data we don’t have a requirement or use for.
We expire data for visitors who have not been seen for 9 months. We will automatically delete the entire record and event history of visitors who have not visited your site in 9 months.
If a visitor returns after 9 months they will be treated like a new visitor.
This change only impacts visitor data – your user data is unaffected.
How we track data
Below is a full list of data we track.
Standard data tracked:
Name (a person’s full name).
Email (user’s or lead’s email address).
Phone number (a user or lead's phone number).
Web sessions (the number of times a user has visited your site or web app).
Last seen (the last day a user visited your site or app).
First seen (the first day a user visited your site or app).
Recent page views (the URLs a person has visited on your site or in your web app)
Signed up (the day a user first signed up for your product).
City and country (calculated by the lead or user’s IP address location).
Last contacted (the date you or a teammate last contacted a user).
Last heard from (the last day a user contacted you via message or email).
Last opened email (the date your user most recently opened an email).
Last clicked on link in email (the date your user most recently clicked on a link in an email).
Unsubscribed from emails (when a user unsubscribes from an email from your team).
Tag (a group a person belongs to, based on a tag you’ve applied to them).
OS (the operating system a person is using).
Browser language (the language set by the browser a person is using).
Browser version (the precise version of the browser a person is using).
Language override (a preferred language setting for a person).
Messages, comments and conversations in Intercom.
Note: For privacy and security reasons, we do not provide the IP addresses of users/visitors.
Magna and GDPR
At Magna, we work hard to maintain transparency about how we use data, to ensure that we fulfill its obligations and maintain transparency about customer messaging and how we use data.
Here’s an overview of GDPR, and how we are taking steps towards future compliance at Magna:
What’s GDPR?
The GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It replaced existing EU law to strengthen the protection of “personal data” and the rights of the individual. It's a single set of rules which governs the processing and monitoring of EU data.
Does it affect me?
If you hold or process the data of an any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not.
How Magna takes steps towards GDPR
Magna helps you meet your data portability requirements; you can easily export all of your data linked to an individual and permanently delete all data linked to an individual user by reaching out to [email protected].
We will automatically expire data on visitors that have not been seen in 9 months, to ensure we comply with GDPR retention requirements.
GDPR - US Surveillance Protection
Magna carefully considers all third party requests for data, including requests from law enforcement and national security agencies.
As a policy, we do not provide third parties with information that does not belong to them and we only respond to requests where we are legally required to do so. This means that Magna will only provide data in response to a court order, subpoena, warrant or other valid legal request that compels us to provide data from a customer account.
Where we are legally permitted to do so, we will always notify you of the requests we receive and work with you should you wish to challenge a request or limit disclosure.
Our Data Processing Addendum (DPA)
The DPA (incorporating the new SCCs issued by the European Commission on June 4, 2021, is incorporated into the Terms of Service under which your Magna services are governed and no separate signature is needed.
Strong data protection commitments are a key part of GDPR’s requirements. Our data processing agreement shares our privacy commitments and sets out the terms for Magna and our customers to meet GDPR requirements. This is available for customers to sign upon request.
We cannot accept any alterations to our DPA, as we are not at the scale where we can enter into bespoke DPAs with customers. If you have specific questions on the DPA, please reach out to us via Messenger.
Coordination with our Vendors
Where appropriate, we require all of our third-party vendors to enter into data processing agreements that ensure customer data will remain protected in accordance with the GDPR and our obligations to you. Below is the full list third-party vendors and each their data-processing addendums (hyperlinked):
Datadog (infrastructure logs), based in US
AWS (infrastructure), based in US
Google Workspace (email and internal docs), based in US
Intercom (customer support tickets), based in US
Linear (product and engineering tickets), based in US
Slack (internal Magna team communications), based in US
Our security measures
Security is a priority for us. We have regular external audits, pentests and bug bounties. We’ve built a robust security framework, achieving International Compliance standards and reviewed our internal access design to ensure the right people have access to the right level of customer data. We have also attained our SOC 2 Type 1 Certification and will soon have SOC 2 Type 2.
We continue to help our customers and prospective customers be compliant.
We will also continue to monitor new and emerging guidance to determine whether we need to make any additional changes to our data practices as a result of the CJEU's ruling.
Last updated