Privacy Policy

Last updated: 3 April 2026

1. Who we are

Donna is an AI-powered personal assistant operated by Magic Labs ("we", "us", "our"). We help individuals and teams manage email, calendar, documents, and tasks through natural language conversations. Our service is accessible at donna.magiclabs.studio.

2. What data we collect

Account information

When you sign in with Google, we receive your name, email address, and profile photo from Google. We store these to identify your account.

Integration tokens

To connect your Google Workspace (Gmail, Calendar, Drive), Notion, or WhatsApp, we store OAuth access and refresh tokens. All tokens are encrypted at rest using AES-256 (Fernet). We never store your Google password.

Conversation data

We store the messages you send to Donna and Donna's responses. This is necessary to provide context across conversations and improve response quality.

Profile and memory

We store facts Donna learns about you — such as your job title, timezone, and preferences — so she can personalise responses. You can view and delete this data at any time from Settings.

Usage data

We record anonymised usage metrics (e.g. number of messages, agent tool calls, and approximate cost per run) for billing and service improvement. We do not sell this data.

3. How we use your data

  • To operate and deliver the Donna service
  • To remember your preferences and context across sessions
  • To call third-party APIs (Google, Notion) on your behalf when you ask Donna to
  • To monitor service health, prevent abuse, and fix bugs
  • To calculate and enforce your usage budget

We do not use your data to train AI models, sell it to advertisers, or share it with third parties except as required to deliver the service (e.g. sending your message to Anthropic's Claude API for a response).

4. Third-party services

Donna integrates with the following third-party services. Your use of those services is governed by their own privacy policies:

Service              Purpose
Anthropic (Claude)   AI response generation
Google APIs          Gmail, Calendar, Drive access on your behalf
Notion API           Reading and writing Notion pages on your behalf
Twilio               Sending and receiving WhatsApp messages
Neon (PostgreSQL)    Encrypted database storage
Railway              Cloud infrastructure hosting

5. Data retention

We retain your data for as long as your account is active. If you delete your account, we will permanently delete all your personal data, conversation history, integration tokens, and extracted memories within 30 days.

6. Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Withdraw consent for data processing
  • Receive a copy of your data in a portable format

To exercise any of these rights, email us at privacy@magiclabs.studio.

7. Security

We encrypt all OAuth tokens at rest and in transit. Our database uses TLS connections. Access to production systems is restricted. While we work hard to protect your data, no system is perfectly secure — please use strong, unique credentials on connected services and report any suspected vulnerabilities to security@magiclabs.studio.

8. Cookies

Donna uses localStorage in your browser to store your authentication token. We do not use third-party tracking cookies or advertising pixels.

9. Children

Donna is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

10. Changes to this policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you by email.

11. Contact

Questions about this policy? Reach us at privacy@magiclabs.studio.