Legal

Magic labs, Inc. ("Magic," "we" and "us") takes your privacy seriously. Please read this Privacy Policy (the "Privacy Policy") to learn how we treat your personal data when you access and use our website located at https://magic.link (the "Website"), and our products, services and applications (the "Services") that are made available to you through our Website and other platforms. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you agree with us collecting, using and sharing your information as described in this Privacy Policy. If you do not agree to any of its terms, you may not access or use the Website and/or the Services.

Remember that your use of Magic's Services is at all times subject to our Terms of Service. In addition, if you are a developer, your access to and use of our API and/or SDK is governed by the Developer API & SDK License Agreement. Any terms we use in this Privacy Policy without defining them have the definitions given to them in the User Terms of Service.

I. What this Privacy Policy Covers

This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. "Personal Data" means any information that identifies or makes identifiable a particular individual. It also includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules or regulations. We will refer to the personal information we obtain about you as "Your Data." We explain the steps we take to keep Your Data secure, your choices regarding our use of this information, and how you how can contact us if you have any
questions about our privacy practices.

Our Services may contain links to third-party websites ("External Sites"). We have no control over the privacy practices or the content of any such External Sites. As such, we are not responsible for their content, use or privacy practices. We strongly suggest that you review the applicable privacy policies and terms of service when visiting any External Sites.

Please be advised that your use of our payment processing partner Stripe, Inc. ("Stripe") is subject to the terms and conditions, as well as the privacy policy, of Stripe. By using the Stripe services, you accept its terms of service and its privacy policy, which can be found here: https://stripe.com/privacy.

II. Personal Data We Collect and Share

The following chart details the categories of Personal Data that we may collect and have collected over the past 12 months.

Category of Personal Data	Examples of Personal Data Collected	Categories of Third Parties With Whom We Share this Personal Data:
Profile or Contact Data	· Email address · Phone number · IP address · Device ID · Social login information (e.g. your Facebook or Google login) Please note: This includes all information that our customers have configured their Social Login with. This means that our customers can request their end-users to share email, phone numbers, account names, etc., and if their end-users agree on sharing the information that our customers requested, that information will also be collected on Magic’s side.	· Service Providers · Analytics Partners
Device/IP Data	· IP address · Device identifiers · Type of device, operating system, or web browser used to access the Services	· Service Providers · Analytics Partners
Geolocation Data	· IP-address-based location information	· Service Providers · Analytics Partners

III. Sources of Personal Data

a) Information you provide to us

We collect information you provide to us when you use the Services or otherwise communicate with us, for example:

• When you provide such information directly to us.
• When you create an account or use our interactive tools and Services.
• When you voluntarily provide information in free-form text boxes through the Services or through responses to surveys or questionnaires.
• When you send us an email or otherwise contact us.

b) Information we collect automatically

Like most online services, we automatically receive standard technical
information when you connect with the Services. We collect this
information as follows:

• Through Cookies (as further explained in the Section V. 3 below).
• If you use the software we make available to you, we may receive and collect information transmitted from your computing device for the purpose of providing you the relevant Services, such as information regarding when you are logged on, information about the device from which you are logged in, and the network used to connect to the Services (such as IP address).

c) Information obtained from third-party analytics services

We use third-party analytics services (such as Google Analytics) to evaluate your use of the Services, compile reports on activity, collect demographic data, analyze performance metrics, and collect and evaluate other information relating to the Services and mobile and internet usage. These third parties use cookies and other technologies to help analyze and provide us the data. By accessing and using the Services, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Privacy Policy. The information used by such analytics services is generally at the aggregate level. To the extent any such information is at the individual level or is used for secondary marketing purposes, Canadian users may opt-out of such collection or use by sending an e-mail to privacy@magic.link.

For more information on Google Analytics, including how to opt out from certain data collection, please visit https://www.google.com/analytics. Please be advised that if you opt out of any service, you may not be ⁠able to use the full functionality of the Services.

d) Information obtained through inferences

Inferences are assumptions or extrapolations that have been drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

IV. Why we Collect, Use and Share Your Data

1. Business Purposes

We want to be able to provide you with the Services, and customize and improve them as we build our business. This includes:

• Creating and managing your account or other user profiles.
• Providing you with the products, services or information you request.
• Meeting or fulfilling the reason you provided the information to us.
• Providing support and assistance for the Services.
• Improving the Services, including testing, research, internal analytics and product development.
• Personalizing the Services, website content and communications based on your preferences.
• Evaluating and providing fraud and automated bot protection.
• Improving site security and facilitating debugging.

2. Corresponding with You

We want to be able to correspond with you, which includes:

• Responding to correspondence that we receive from you,
• Providing you with support, responding to your inquiries, and soliciting feedback;
• Contacting you when necessary or requested, and
• Sending you information about Magic or the Services.

3. Cooperation with Service Providers and Affiliates

We may engage other companies and individuals to perform certain business-related functions on our behalf. These other companies will have access to the Your Data only as necessary to perform their functions and to the extent permitted by law. We may also share Your Data with any of our parent companies, subsidiaries, or other companies under common control with us.

The above-mentioned parties help us provide the Services or perform business functions on our behalf. They include:

• Hosting, technology and communication providers.

• Security and fraud prevention consultants and vendors.

• Support and customer service vendors.

• Payment processors, like our payment processing partner Stripe, Inc.

• Analytics Partners. These parties provide analytics on web traffic or usage of the Services. They include:

  • Companies that track how users found or were referred to the Services.
  • Companies that track how users interact with the Services.
  • Companies that help identify user experience issues or service impacts.

4. Marketing

We want to send you emails and other communications according to you preferences or that display content that we think will interest you. This means:

• As permitted by applicable law, we may use Your Data for marketing purposes, such as informing you about our products and services and those of our third-party marketing partners that could be useful, relevant, valuable, or otherwise of interest to you.
• We may also share Your Data with third parties that are not service providers or vendors, so that those third parties can send you information about their products and/or service.

Where required under applicable law, we will obtain your prior opt-in consent to send you electronic marketing communications. If you do not wish to have your Information shared directly with third parties as described above (other than our service providers and vendors), please submit your request to our email at privacy@magic.link.

5. Meeting Legal Requirements and Enforcing Legal Terms

To the extent permitted by law, we may also disclose Your Data for the following purposes:

• Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
• Protecting the rights, property or safety of you, Magic or another party.
• Enforcing any agreements with you.
• Responding to claims that any posting or other content violates third-party rights.
• Resolving disputes.

6. Aggregated Information

In an ongoing effort to better understand users of our Services, we might analyze Your Data in aggregate, de-identified or anonymized form in order to operate, maintain, manage, and improve the Services. This information can no longer identify you personally. We may share this data with our affiliates, agents, and business partners, and may share and sell it to other unaffiliated third parties. We may also disclose aggregated user statistics in order to describe our Services to current and prospective business partners and to other third parties for other lawful purposes.

7. Business Transfers

As we develop our businesses, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event, Your Data may be part of the transferred assets.

8. Otherwise With Your Consent

We may also disclose Your Data to fulfill any purpose for which you provide it or for any other purpose disclosed by us when you provide the information.

We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing you notice and, where required under applicable law, obtaining your consent.

V. Accessing and Modifying Information and Communication Preferences

1. Your Account

If you have registered for the Services, you may access, review, delete and make changes to the information you submitted by following the instructions on our Website. You may also access, remove, review, and/or make changes to the same by contacting us at privacy@magic.link.

2. Marketing Communications

You may manage your receipt of marketing and non-transactional communications by clicking on the "Unsubscribe" link located on the bottom of any Magic marketing e-mail. We will use commercially reasonable efforts to process such requests in a timely manner.

3. Cookies

The Services use cookies and similar technologies such as image loading, browser local storage, cookies, and JavaScript (collectively, "Cookies") to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data-- usually text files -- placed on your computer, tablet, phone or similar device when you use that device to access our Services. We use the following types of Cookies:

• Essential or Strictly Necessary Cookies. These Cookies are required for providing you with features or services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies would make certain features and services unavailable.
• Functional Cookies. Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time and recognize you when you return to our Services. These Cookies help us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Performance/Analytical Cookies. Performance/Analytical Cookies allow us to understand how visitors use our Services. They do this by collecting information about the number of visitors to the Services, what pages visitors view on our Services and how long visitors are viewing pages on the Services. Performance/Analytical Cookies also help us measure the performance of our advertising campaigns in order to help us improve our campaigns and the Services' content for those who engage with our advertising.

You can decide whether or not to accept Cookies through your internet browser's settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our website and some of the Services and functionalities may not work.

To explore what Cookie settings are available to you, look in the "preferences" or "options" section of your browser's menu. To find out more information about Cookies, including information about how to manage and delete Cookies, visit https://www.allaboutcookies.org or https://ico.org.uk/for-the-public/online/cookies if you are located ⁠in the United Kingdom, or https://european-union.europa.eu/cookies_en ⁠if you are located in the European Union.

4. Do Not Track

As discussed above, third parties such as advertising networks and analytics providers may collect information about your online activities over time and across different websites when you access or use the Services. Currently, various browsers offer a "Do Not Track" option, but there is no standard for commercial websites. At this time, we do not monitor, recognize, or honor any opt-out or do not track mechanisms, including general web browser "Do Not Track" settings and/or signals.

VI. Data Security and Retention

We seek to protect Your Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect Your Data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely
secure.

We retain Personal Data about you for as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally. For additional information about our data retention
policy please contact us at privacy@magic.link.

VII. Personal Data of Children

As noted in the Terms of Use, we do not knowingly collect or solicit Personal Data about children under 16 years of age; if you are a child under the age of 16, please do not attempt to register for or otherwise use the Services or send us any Personal Data. If we learn that we have collected Personal Data from a child under 16 years of age, we will promptly take steps to delete such information and terminate the child's account. If you believe that a child under 16 years of age may have provided Personal Data to us, contact us at privacy@magic.link.

VIII. Notice to California Residents

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (the "CCPA"). For more information about your rights under the CCPA, please visit our CCPA Privacy Notice to California Residents in Addendum I below.

Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to obtain certain information about the types of personal information that companies with whom they have an established business relationship (and that are not otherwise exempt) have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. In order to submit such a request, please contact us at privacy@magic.link. Please note, however, that we
do not disclose Personal Data to third parties for such third parties' direct marketing purposes.

IX. Notice to Nevada Residents

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties. You can exercise this right by contacting us at privacy@magic.link with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note, however, that we do not sell Personal Data.

X. Important Notice to Non-U.S. Residents

The Website and Services are operated in the United States. If you are located outside of the United States, please be aware that any information you provide to us may be transferred to, processed, maintained, and used on computers, servers, and systems located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.

If you are a resident of the European Union ("EU"), United Kingdom, Lichtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation (the "GDPR") with respect to your Personal Data. For more information about your rights under the GDPR, please visit our GDPR Privacy Notice to European Residents in Addendum II below.

XI. Changes to this Privacy Policy

We are constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time. We will indicate at the top of the Privacy Policy when it was last updated, and alert you to this by placing a notice on our website. Please note that if you have opted not to receive legal notice emails from us (or you have not provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. The use of information we collect is subject to the Privacy Policy in effect at the time such information is collected.

XII. Contact Information

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

• Email: privacy@magic.link
• Phone: +1 (707) 653-5739
• Online Form: https://magic-fortmatic.typeform.com/privacy
• Mail: 3739 Balboa St #1088, San Francisco, CA 94121-2605

Addendum I - CCPA Privacy Notice to California Residents

Last Update: July 12, 2022

If you are a California resident, you have the rights set forth in this section. Please see the "Exercising Your Rights" section below for instructions regarding how to exercise these rights. Please note that we may process Personal Data of our customers' end users or employees in connection with our provision of certain services to our customers. If we are processing your Personal Data as a service provider, you should contact the entity that collected your Personal Data in the first instance to address your rights with respect to such data.

If there are any conflicts between this CCPA Privacy Notice to California Residents (the "CCPA Notice") and any other provision of this Privacy Policy and you are a California resident, the provision that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this CCPA Notice or whether any of the following rights apply to you, please contact us at privacy@magic.link.

1. Information We Collect

• Categories of Personal Information: Within the twelve (12) months preceding the latest update of the Privacy Notice, we have or might have collected or otherwise obtained the categories of Personal Data from or about consumers, their households or devices, that we list in Section II of the Privacy Policy.
• Categories of Sources: We collect the categories of Personal Data listed in Section II of the Privacy Notice from the categories of sources listed in Section III of our Privacy Policy.
• Use of Personal Data: We use the Personal Data we collect for the purposes laid out in Section III of our Privacy Policy.
• Categories of Third Party Recipients: We have share or might share your Personal Data with the categories of third parties listed in Section II of our Privacy Policy.

2. Your Rights and Choices

The CCPA provides consumers with specific rights regarding their Personal Data. This section describes these rights and explains how to exercise them.

a. Right to Know About Personal Data

You have the right to request that we disclose certain information to you about our collection, disclosure, sale and use of your Personal Data. Once we receive and verify your request, we will disclose to you the following (to the extent applicable to your request):

• The specific pieces of Personal Data we collected about you in the preceding twelve (12) months;
• The categories of Personal Data that we have collected about you in the preceding 12 months;
• Categories of Personal Data that we disclosed or sold for a Business Purpose in the preceding 12 months;
• The categories of sources from which we have collected this Personal Data,
• The commercial or business reason(s) for having collected, used, disclosed, or sold that Personal Inform Data; and
• The categories of third parties to whom we have disclosed or sold your Personal Data in the preceding 12 months.

You may exercise this right up to two times in any 12-month period.

b. Right to Request Deletion

You may also have the right to request deletion of your Personal Data. We will honor such request, but might not be able to fulfill your request if we (or our service providers) are required to retain your Personal Data. Examples of such exceptions are:

• Completing a transaction or performing a contract we have with you;
• Detecting and addressing data security incidents, and repairing or upkeep of our IT systems;
• Protecting against fraud or other illegal activity;
• Complying with applicable law or a legal obligation, or to exercise rights under the law (e.g. the right to free speech); or
• Using your Personal Data internally to improve our Services.

c. Exercising Your Privacy Rights

To exercise the rights described above, please submit a verifiable consumer request to us by using the following methods:

• Call us at: +1 (707) 653-5739
• Email us at: privacy@magic.link
• Submit a form here

i. What we need to know to fulfill your request

The verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data related to you. Making a verifiable consumer request does not require you to create an account with us.

Typically, accounts associated with an email address will require verification of the email address, as well as a description of the requested user rights or regulations invoked. Magic also values those who are not covered by specific regulations, and offers to extend a good will effort towards requests originating from other jurisdictions.

ii. How you will hear back from us

We will confirm receipt of a verifiable consumer request within ten (10) business days of its receipt. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of its receipt. If we require more time, we will notify you of the extension and provide an explanation of the reason for the extension in writing, and we will provide you with a response no later than ninety (90) calendar days of receipt of the request. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We may charge a reasonable fee to process or respond to your verifiable consumer requests if they are excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform you of the reasons for this decision and provide you with a cost estimate before completing your request.

d. Right to Opt-Out of the Sale of Personal Data

We will not sell your Personal Data, and have not done so over the last 12 months.

e. Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not (i) deny you products or services, (ii) charge you different prices or rates for products or services, including through granting discounts or other benefits, or imposing penalties (except for financial incentives permitted by the CCPA, see below), (iii) provide you a different level or quality of products or services, and (iv) suggest that you may receive a different price or rate for products or
services or a different level or quality of products or services.

f. Right to Designate an Authorized Agent

If you submit a request to know or delete your Personal Data through the use of an authorized agent, we may require that you (i) provide the authorized agent written permission to act on your behalf, and (ii) verify their identity directly with us. We may deny a request from an authorized agent that does not submit proof of authorization.

1. Other California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to obtain certain information about the types of personal information that companies with whom they have an established business relationship (and that are not otherwise exempt) have shared with third parties for direct marketing purposes during the preceding calendar year, including the names and addresses of those third parties, and examples of the types of services or products marketed by those third parties. In order to submit such a request, please contact us at privacy@magic.link. Please note, however, that we
do not disclose Personal Data to third parties for such third parties' direct marketing purposes.

2. Changes to Our CCPA Notice

This CCPA Notice is effective as of the date of the Last Update stated at the top of this CCPA Notice. We may change this CCPA Notice from time to time with or without notice to you. By visiting or accessing the Website or the Services, purchasing products or services from us, or otherwise engaging or interacting with us after we make any such changes to this CCPA Notice, you are deemed to have accepted such changes. Please be aware that, to the extent permitted by applicable law, and without prejudice to the foregoing, our use of your Personal Data is governed by the CCPA Notice in current effect. Please refer back to this CCPA Notice on a regular basis.

3. Contact Information

If you have any questions or comments about this CCPA Notice, the ways in which we collect and use your information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

• Email: privacy@magic.link
• Phone: +1 (707) 653-5739
• Online Form: https://magic-fortmatic.typeform.com/privacy
• Mail: 3739 Balboa St #1088, San Francisco, CA 94121-2605

Addendum II -- GDPR Privacy Notice to European Residents

Effective as of: July 12, 2022

If you are a resident of the European Union ("EU"), United Kingdom, Lichtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation (the "GDPR") with respect to your Personal Data, as outlined in this GDPR Addendum (the "GDPR Addendum").

For this GDPR Addendum, we use the terms "Personal Data" and "processing" as they are defined in the GDPR, but "Personal Data" generally means information that can be used to identify a person, and "processing" generally refers to actions that can be performed on data such as its collection, use, storage or disclosure.

Magic will usually be the controller of your Personal Data processed in connection with the Services. Note that we may also process Personal Data of our customers' end users or employees in connection with our provision of certain services to customers, in which case we may be the processor of Personal Data. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller party in the first instance to address your rights with respect to such data.

Where applicable, this GDPR Addendum is intended to supplement, and not replace, our Privacy Policy. If there are any conflicts between the GDPR Addendum and the other parts of the Privacy Policy, and you are a resident of the EU, United Kingdom, Lichtenstein, Norway, or Iceland, the provision that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at privacy@magic.link.

1. Types of Personal Data we Collect

We currently collect and otherwise process the kinds of Personal Data listed above in Section I ("Personal Data We Collect and Share") of the Privacy Policy.

2. How we Get the Personal Data and why we Have it

We receive the Personal Data in the ways and for the purposes listed above in Section III ("Sources of Personal Data") and Section IV (Why we Collect, Use and Share Your Data") of the Privacy Policy. We will only process your Personal Data if we have a lawful basis for doing so. Under the GDPR, the lawful bases we rely on for processing this information are:

a) Your Consent

In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection. You can remove your consent at any time. You can do this by contacting us via email at privacy@magic.linkwith the subject line "GDPR Request."

b) We Have a Contractual Obligation

We process certain categories of Personal Data as a matter of "contractual necessity", meaning that we need to process the data to perform under our Terms of Use with you, which enables us to provide you with the Services. When we process data due to contractual necessity, failure to provide such Personal Data will result in your inability to use some or all portions of the Services that require such data. These categories of Personal Data are:

• Profile or Contact Data
• Device/IP Data
• Geolocation Data

c) We Have a Legitimate Interest

We process the following categories of Personal Data when we believe it furthers the legitimate interest of us or third parties:

• Profile or Contact Data
• Device/IP Data
• Geolocation Data

Our legitimate interests are:

• Information Security: We process contact information, and the information collected through cookies and when you use the Services in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking usage, combating DDOS or other attacks, and removing or defending against malicious individuals or programs.

• Operation and Improvement of our Services: We process server log information and information collected through cookies pursuant to our legitimate interest in operating and improving our Services.

• Audience Measurement and Retargeting: Pursuant to a user's consent, we use analytics cookies, and collect identifiers through such cookies, for purposes of audience measurement, analytics, audience reaction to the Services, and creating relevant user experiences.

• General Business Development and Management: We process Personal Data pursuant to our legitimate interest in creating and managing our business relationships with European Individuals, including without limitation:

  • To respond to inquiries from European Individuals;
  • To provide European Individuals with information about our products and services; and
  • To assist European Individuals with any issues while using the Services.

Direct Marketing: Generally, we send email marketing to European Individuals pursuant to their consent. When you use the Website, email marketing may be sent to you pursuant to our legitimate interest in sending marketing communications to you in the context of such engagement.

Protection of Rights: We may also disclose Personal Data to respond to claims of violation of third party rights or to enforce and protect our rights.

d) We Have a Legal Obligation

We may be required to disclose Personal Data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose Personal Data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

3. How we Share Your Personal Data

Section I ("Personal Data We Collect and Share") and Section IV ("Why we Collect, Use and Share Your Data") of the Privacy Policy explain how we share your Personal Data with third parties.

4. How we Store and Protect Your Personal Data

We use commercially reasonable administrative, technical, and physical safeguards to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction, for which we take into account the nature of the Personal Data, its processing, and the threats posed to it. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us via email at privacy@magic.link.

We retain your Personal Data for as long as needed to fulfill the purposes for which we obtained it, as further described in this Privacy Policy. We will only keep your Personal Data for as long as allowed or required by law.

5. Your Data Protection Rights

You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights, or to submit a request, please email us at privacy@magic.link. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

• Right of access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. Users of Magic's dashboard can also access certain of your Personal Data by logging on to your account.
• Right to rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. Users of Magic's dashboard can also correct some of this information (for example, email address) directly by logging on to your account.
• Right to erasure: You can request that we erase some or all of your Personal Data from our systems.
• Right to restriction of processing: You have the right to ask us to restrict the processing of your Personal Data.
• Right to object to processing: You have the right to object to the processing of your Personal Data in certain circumstances.
• Right to data portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
• Right to withdraw consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Services.
• Objecting to Legitimate Interest/Direct Marketing: You may object to Personal Data processed pursuant to our legitimate interest. In such case, we will no longer process your Personal Data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your Personal Data for direct marketing purposes by clicking "Unsubscribe" within an automated marketing email or by submitting your request to privacy@magic.link with the subject line "GDPR Request." In such case, your Personal Data will no longer be used for that purpose.

6. How to Complain

If you have any concerns about our use of your Personal Data, you can make a complaint to us at privacy@magic.link with the subject line "GDPR Request."

You also have the right to lodge a complaint about the processing of your personal data with a supervisory authority of the European state where you work or live or where any alleged infringement of data protection laws occurred. A list of most of the supervisory authorities can be found here.

7. Corporate Restructuring

In the event of a merger, reorganization, dissolution, or similar corporate event, or the sale of all or substantially all of our assets, the information that we have collected, including Personal Data, may be transferred to the surviving or acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such Personal Data as set forth in this GDPR Addendum.

8. Transfers of Personal Data

The Services are hosted and operated in the United States ("U.S.") through Magic and its service providers, and if you do not reside in the U.S., laws in the U.S. may differ from the laws where you reside. By using the Services, you acknowledge that any Personal Data about you, regardless of whether provided by you or obtained from a third party, is being provided to Magic in the U.S. and will be hosted on U.S. servers, and you authorize Magic to transfer, store and process your information to and in the U.S., and possibly other countries. You hereby consent to the transfer of your data to the U.S. pursuant to a data processing agreement incorporating the modernized standard contractual clauses for the transfer of Personal Data to third countries promulgated by the European Commission on 4 June 2021, a copy of which can be obtained here.

9. Updates to this GDPR Addendum

If, in the future, we intend to process your Personal Data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this GDPR Addendum, and the "Effective Date" at the top of this page will be updated accordingly.

10. Our Contact Information

Please reach out to privacy@magic.link for any questions, complaints, or requests regarding this GDPR Addendum, and include in the subject line "GDPR Request."

If you are located in the European Union, you may use the following information to contact our European Union-Based Member Representative:

• Dr. Axel Freiherr von dem Bussche, LL.M. (L.S.E.)

  • Rechtsanwalt Fachanwalt für Informationstechnologierecht
  • Assistant: +49 40 36803-229
  • Direct: +49 40 36803-129
  • Mobile: +49 16 090169-493
  • Email: a.bussche@taylorwessing.com

With:

• Taylor Wessing Partnerschaftsgesellschaft mbB

  • Address: Hanseatic Trade Center, Am Sandtorkai 41, 20457 Hamburg
  • Tel: +49 40 36803-0
  • Fax: +49 40 36803-280
  • Site: www.taylorwessing.com