Privacy Policy

Last Updated: April 11, 2026 · Effective: April 11, 2026

Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. Third-Party Service Providers
  5. Data Sharing & Disclosure
  6. Cookies & Tracking Technologies
  7. Data Retention
  8. Data Security
  9. Your Rights
  10. GDPR Rights (EEA/UK Users)
  11. CCPA Rights (California Residents)
  12. Children's Privacy
  13. International Data Transfers
  14. Changes to This Policy
  15. Contact Us

1. Introduction

MagnaHistoria ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website at magnahistoria.com, our voice guides, audio content, data visualizations, personal coaching features, and related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — provided via Google OAuth or magic link sign-in;
  • Display name — set during onboarding or profile configuration;
  • Profile avatar — sourced from your Google account, if applicable;
  • Authentication identifiers — managed by Supabase Auth.

2.2 Optional Profile Information

You may optionally provide the following, which is used to personalize your experience:

  • Phone number;
  • Birthday (date of birth);
  • Birth city and birth time — used for natal alignment and birth chart visualizations;
  • Timezone;
  • Agent preferences — preferred voice guides and interaction settings.

2.3 Voice & Conversation Data

When you interact with voice guides:

  • Voice input — your audio is transmitted in real-time to our voice processing provider for speech-to-text processing and response generation. We do not permanently store raw audio files on our servers;
  • Conversation transcripts — text transcripts of your conversations with voice guides are stored in association with your account;
  • Agent interaction metadata — which agents you interacted with, session duration, and usage counts.

2.4 Coaching Data

If you use the personal coaching features:

  • Personal goals — goal descriptions, categories, and target dates;
  • Strictness preferences — your preferred coaching intensity (scale of 1 to 5);
  • Session history — coaching session counts, streak data, and milestone records;
  • Last session summaries — brief summaries used to provide continuity across sessions.

2.5 Payment Information

Subscription payments are processed entirely by Stripe, Inc. We do not store your full credit card numbers, debit card numbers, or bank account details on our servers. We receive and store:

  • Stripe customer ID;
  • Subscription status and tier;
  • Payment method type (e.g., Visa ending in 4242);
  • Billing history and invoice references.

2.6 Activity & Usage Data

We automatically collect:

  • Page views — which pages and visualizations you visit;
  • Session duration — how long you spend on each page;
  • Depth progression — your journey level through the platform (surface, shallows, current, deep, floor);
  • Discovery tracking — interactions with content and visualizations;
  • Device and browser information — user agent, screen resolution, operating system;
  • IP address — used for approximate geolocation and security purposes.

2.7 Earth Monitoring Data

If you use earth monitoring features (seismic alerts, storm tracking), your optionally configured monitoring location is stored to deliver relevant alerts.

2.8 Biometric Data (Optional)

If you choose to enable biometric tracking during Sonic Journeys or The Mirror sessions, the Service uses your device's camera to estimate heart rate (HR) and heart rate variability (HRV) through remote photoplethysmography (rPPG). Important details about this data:

  • Camera processing is local. All video analysis occurs entirely within your browser using JavaScript. No video frames, images, or raw camera data are ever transmitted to our servers or any third party;
  • What we store: Only derived numerical values — heart rate (BPM), HRV (milliseconds), stress level estimate, session duration, and the journey/session identifier. These are stored in your account in our Supabase database;
  • What we do NOT store: Video, images, facial data, skin tone data, or any biometric identifiers. The data we store cannot be used to identify you biologically;
  • Consent: Biometric features require your active opt-in. A consent prompt is displayed on first use. You may revoke consent at any time by revoking camera permissions in your browser settings;
  • Your control: You may export all biometric data as a CSV file or permanently delete all biometric data from your account at any time via the Settings page;
  • No sharing: Your biometric data is never shared with third parties, used for advertising, or sold. It is used solely to display your personal wellness trends within the Service;
  • Aggregated research: We may use anonymized, aggregated biometric data (with no connection to your identity) for internal research on frequency-response patterns. Individual data is never published or shared.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service delivery — to operate, maintain, and provide the features and functionality of the Service;
  • Personalization — to customize your experience, including voice guide interactions, coaching sessions, and content recommendations;
  • Authentication & security — to verify your identity, maintain account security, and prevent fraud;
  • Billing & subscriptions — to process payments, manage subscriptions, and enforce usage limits;
  • Communication — to send transactional emails (account verification, subscription confirmations, password resets) via our email provider;
  • Analytics & improvement — to analyze usage patterns, diagnose technical issues, and improve the Service;
  • Quality assurance — to review conversation transcripts for the purpose of improving voice guide quality and safety;
  • Legal compliance — to comply with applicable laws, regulations, and legal processes.

4. Third-Party Service Providers

We share data with the following third-party service providers, each of which processes data in accordance with their respective privacy policies:

Provider | Purpose | Data Shared
Supabase | Database hosting, authentication | Account data, transcripts, activity, goals, all stored data
Voice Processing Provider | Voice guide processing | Voice audio input (real-time), conversation context, user name, coaching variables
Stripe | Payment processing | Email, payment method details, billing address
Google Analytics | Website analytics | Page views, session data, device info, IP address (anonymized)
Microsoft Clarity | Session replay, heatmaps | User interactions, clicks, scroll behavior, device info
Netlify | Frontend hosting, CDN | IP address, request logs
Railway | Backend API hosting | API request data, IP address, server logs
Resend | Transactional email delivery | Email address, email content

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may disclose your information in the following circumstances:

  • Service providers — as described in Section 4, to entities that assist us in operating the Service;
  • Legal requirements — when required by law, subpoena, court order, or other legal process;
  • Safety & protection — to protect the rights, property, or safety of MagnaHistoria, our users, or others;
  • Business transfers — in connection with a merger, acquisition, reorganization, or sale of assets, in which case your information may be transferred as part of the transaction;
  • With your consent — in any other circumstances where you have given explicit consent.

6. Cookies & Tracking Technologies

We use the following tracking technologies:

6.1 Essential Cookies

  • Supabase authentication cookies — maintain your logged-in session;
  • localStorage — stores user preferences (theme selection, coaching goals cache, audio mute state).

6.2 Analytics Cookies

  • Google Analytics (_ga, _gid, _gat) — measure website traffic and usage patterns. You can opt out via Google's opt-out browser add-on;
  • Microsoft Clarity (_clck, _clsk, CLID) — capture session replays and heatmaps for UX improvement. See Microsoft's Privacy Statement.

6.3 Managing Cookies

Most browsers allow you to control cookies through their settings. Note that disabling essential cookies may impair the functionality of the Service, including authentication.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data — retained until you request account deletion;
  • Conversation transcripts — retained for the lifetime of your account, unless you request deletion;
  • Coaching data — retained for the lifetime of your account;
  • Activity logs — retained for up to 24 months;
  • Payment records — retained for 7 years as required for tax and accounting purposes;
  • Server logs — retained for up to 90 days.

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or financial record-keeping).

8. Data Security

We implement reasonable technical and organizational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit;
  • Row-Level Security (RLS) policies in our database ensuring users can only access their own data;
  • Authentication via Supabase Auth with secure token management;
  • Stripe PCI-DSS compliance for payment processing;
  • Regular security reviews of our backend infrastructure.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you;
  • Correction — request correction of inaccurate or incomplete data;
  • Deletion — request deletion of your personal data ("right to be forgotten");
  • Data portability — request your data in a structured, machine-readable format;
  • Restriction — request that we limit the processing of your data;
  • Objection — object to processing of your data for certain purposes;
  • Withdraw consent — where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, contact us at privacy@magnahistoria.com. We will respond to verified requests within 30 days.

10. GDPR Rights (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with additional rights. The legal bases for our processing of your personal data are:

  • Contract performance — processing necessary to deliver the Service you have subscribed to (Article 6(1)(b));
  • Legitimate interests — processing for analytics, security, and service improvement, where our interests are not overridden by your rights (Article 6(1)(f));
  • Consent — where you have given explicit consent, such as for voice processing and optional profile data (Article 6(1)(a));
  • Legal obligation — processing required to comply with applicable laws (Article 6(1)(c)).

You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

Data Protection Officer

For GDPR-related inquiries, contact: privacy@magnahistoria.com

11. CCPA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected about you;
  • Right to Delete — you may request deletion of personal information we have collected;
  • Right to Correct — you may request correction of inaccurate personal information;
  • Right to Opt-Out of Sale — we do not sell personal information. There is no need to opt out;
  • Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.

We do not sell your personal information. We do not share personal information with third parties for their direct marketing purposes.

To submit a CCPA request, contact us at privacy@magnahistoria.com or use the contact information in Section 15. We will verify your identity before processing your request and respond within 45 days.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at privacy@magnahistoria.com.

13. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. Our service providers (Supabase, Stripe, Google, Microsoft, Netlify, Railway, Resend) may process data in various jurisdictions. Where required, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection of your data in accordance with applicable data protection laws.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated through:

  • A notice on the Service;
  • An email to the address associated with your account;
  • An updated "Last Updated" date at the top of this page.

Your continued use of the Service after any changes indicates your acceptance of the revised Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:

  • Privacy inquiries: privacy@magnahistoria.com
  • General support: support@magnahistoria.com
  • Entity: MagnaHistoria
  • Website: magnahistoria.com

We aim to respond to all privacy-related inquiries within 30 days of receipt.

© 2026 MagnaHistoria. All rights reserved.