Legal
Privacy Policy
What we collect, why we collect it, where it lives, and how to ask us to delete it. Written in plain language.
Last updated 2026-05-14
1. Who we are
Magnifyr is a social media automation and lead capture platform operated by Agilus (Pty) Ltd, a private company registered in South Africa. When this policy refers to “we”, “us”, or “Magnifyr”, it means Agilus (Pty) Ltd.
Magnifyr is the “responsible party” under POPIA for information about you, the account holder. For the lead records you capture through Magnifyr, you are the responsible party and we act as your operator/processor.
2. What we collect about you (the account holder)
2.1 Account information
- Your name and email address.
- A password (stored as a salted hash — never in plain text).
- Workspace and tenant settings you configure.
- If you sign in with Google or Microsoft, the OpenID identifier returned by that provider plus your email address. We never see your Google or Microsoft password.
2.2 Social platform credentials
- OAuth access tokens and refresh tokens for any social platform you connect (LinkedIn, X, Facebook, Instagram, TikTok). These are encrypted at rest in Azure Key Vault and only used to publish posts you schedule.
- We never see your social platform passwords. We never post on your behalf outside what you explicitly schedule.
2.3 Usage data
- Request logs (method, path, status code, timestamp). We do not log request bodies in production.
- Application telemetry collected by Azure Application Insights — includes anonymised performance metrics and error stack traces.
- Standard server-side cookies for authentication. We do not use third-party advertising cookies on the marketing site.
3. What we collect on your behalf (lead data)
When a visitor to your landing page fills in a form or fires an event via our tracking pixel, the resulting Lead record belongs to your tenant. We process it as your operator.
- Email addresses and phone numbers are encrypted at the application level using AES-256-GCM with per-tenant encryption keys managed in Azure Key Vault. They are never readable in our database backups.
- Every Lead has a recorded ConsentSource — where the contact gave consent (form submission, tracking pixel, imported file). This is a POPIA and GDPR requirement.
- Tracking pixel events (page views, button clicks, form submissions) are tied to a visitor session and stitched to the Lead on the next identifying event.
4. Why we process this data (lawful basis)
- Contract — most processing happens because we need to deliver the service you signed up for: scheduling posts, storing leads, sending you product emails.
- Legitimate interest — security logging, preventing abuse, billing reconciliation, internal analytics on aggregate usage.
- Consent — marketing emails about new features (you can opt out from any of those emails).
5. Where your data lives
All Magnifyr data is hosted on Microsoft Azure in the South Africa North region (Johannesburg) by default. Specifically:
- Azure SQL Database — primary store for accounts, tenants, leads, posts, and audit logs.
- Azure Blob Storage — uploaded media (images, videos) for posts and landing pages.
- Azure Key Vault — encryption keys, secrets, social platform OAuth tokens.
- Azure Application Insights — telemetry, request logs, performance traces.
Some platform features rely on third-party APIs (Anthropic Claude and OpenAI for AI content drafting; Stripe for billing once paid tiers launch; the social platforms themselves for publishing). When we call those APIs, the data you send through us reaches them. We minimise what we forward to what is strictly required for the feature to function.
6. How long we keep data
- Active accounts — we keep data for the lifetime of the account, plus any data-retention obligations under South African law (typically 5 years for billing records).
- Lead records — if a lead has had no activity for 24 months, we flag the record and you (the tenant admin) decide whether to archive or delete. We do not silently expire records.
- Account deletion — when you delete your account, we hard-delete tenant data within 30 days. Audit log entries confirming the deletion are retained for 12 months as a compliance record.
7. Your rights
Under POPIA and (where applicable) GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — fix any data that's wrong or out of date.
- Erase — ask us to delete your account, your leads, or specific records (“right to erasure”).
- Object — to processing based on legitimate interest.
- Port — receive a machine-readable export of your tenant data (available in-app as a CSV export today; full JSON export on the roadmap).
To exercise any of these rights, email sivi@magnifyr.co.za. We aim to respond within 7 business days; the regulatory deadline is 30 days.
8. Cookies
The marketing site at magnifyr.co.za uses no third-party advertising cookies and no analytics cookies as of the date above.
The application at app.magnifyr.co.za uses a small number of strictly-necessary cookies for authentication (JWT refresh-token cookie) and a session storage key for the offline draft queue. These are not used for tracking and cannot be disabled without breaking the application.
9. Children
Magnifyr is a business tool. We do not knowingly collect data from children under 18. If we discover we have done so, we will delete that data and the associated account.
10. Changes to this policy
We will update this page if our practices change. Material changes will be emailed to active account holders at least 14 days before they take effect. The version history will be published once counsel-reviewed versions exist.
11. Contact
Agilus (Pty) Ltd
Cape Town, South Africa
Email: sivi@magnifyr.co.za
Information Officer: as designated under POPIA. Until a formal designation is registered, contact the email above and we will route the request.