Last updated: 2026-04-27

Privacy Policy

This Privacy Policy describes how [COMPANY_NAME] ("we", "us") collects, uses, and protects information when you use the magnifi service (the "Service").

1. What we collect

Account information

  • Email address (for authentication)
  • Workspace name and the names of teammates you invite
  • Hashed password (managed by our auth provider, Supabase)

WhatsApp content (opt-in per chat)

We only store messages from the chats you explicitly choose. When you link a WhatsApp number, we present a list of your chats and groups and ask you to tick which ones to include. Until you confirm, nothing about those chats is written to our database — chats stream through our backend in memory and are discarded if you close the screen without saving. After you confirm, we only persist data belonging to the chats on your allowlist:

  • Phone numbers and WhatsApp identifiers (JIDs) of the numbers you link AND of contacts in chats you have added to your allowlist
  • Messages received and sent through allowed chats, including text and metadata (timestamps, group/individual flag, sender name)
  • Internal notes you add to allowed chats
  • WhatsApp session credentials from the linking step, stored on a persistent volume on our infrastructure

Messages from chats not on your allowlist are dropped at the WhatsApp connector. If an unknown number messages you, we record only the number (JID) and an optional contact-name hint so you can decide whether to allow that chat — the message body itself is never stored.

You can remove a chat from your dashboard at any time from the Privacy & chat allowlist panel. Removal hard-deletes every message, note, and ticket link associated with that chat. This action cannot be undone.

Operational data

  • Server logs (request IDs, timestamps, IP addresses, error stack traces)
  • Error reports from Sentry, if enabled

2. How we use it

We use the information above to operate, secure, and improve the Service — specifically to authenticate you, route messages to the right workspace, deliver real-time updates over WebSocket, enforce per-workspace access controls, and diagnose problems.

We do not sell your data and we do not use your message content for advertising, model training, or any purpose other than running the Service.

3. Encryption

Sensitive chat fields — chat names, last-message previews, message bodies, sender names, and internal notes — are encrypted at rest with AES-256-GCM using a per-workspace Data Encryption Key (DEK). The DEK is itself encrypted by a master Key Encryption Key (KEK) that is held in our infrastructure, separate from the database. Phone numbers, JIDs, message IDs, and timestamps are stored in plaintext because the application needs to query on them.

Data in transit is protected with TLS (HTTPS / WSS). WhatsApp's own end-to-end encryption applies between linked devices and the WhatsApp servers; we receive messages already decrypted, in the same way the WhatsApp Web client does.

4. Sub-processors

Your data is hosted by the following sub-processors. See our Terms of Service for the current list. All sub-processors are contractually required to handle data only for the purposes of operating the Service.

5. Retention

  • Account and workspace data: kept while your workspace is active. Deleted within 30 days of workspace deletion.
  • Encrypted chat content and notes: same retention as the workspace.
  • Server logs: 30 days, then automatically rotated.
  • Sentry error reports (if enabled): 30 days.

6. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise these rights, email privacy@superhyre.com. We will respond within 30 days.

Note that messages we hold on your behalf are also personal data of the people you have spoken to. If they contact us directly, we will route their request through you as the workspace administrator.

7. Security

We rely on a small set of well-known providers (Supabase, Railway, Vercel) to keep the underlying infrastructure secure. Application-level controls include:

  • JWT-based authentication with a short token lifetime
  • Per-workspace access control on every API call
  • Rate limits on login, mutation, and bulk-send endpoints
  • Strict CORS and Content Security Policy
  • AES-256-GCM envelope encryption of chat content (see §3)

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours of confirmation.

8. Children

The Service is not intended for users under 18. We do not knowingly collect data from children.

9. Changes

We may update this policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect.

10. Contact

Privacy questions: privacy@superhyre.com. General support: support@superhyre.com.

