Privacy Policy
Magga AI Co., Ltd. ("Magga AI", "we", "us", or "our") builds AI Agents and business automation solutions for companies in Myanmar and internationally. Our Services include customer service automation, sales and lead management, marketing automation, operations and workflow automation, HR automation, finance automation, and custom AI-powered business solutions.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you interact with our Services, regardless of which Service tier or automation category you use.
This Policy applies to:
- Customers: Businesses and individual professionals who purchase Magga AI services.
- End Users: People who interact with AI Agents or automation workflows deployed by our Customers.
- Partners: Employees, contractors, or business partners of our Customers using our Platform.
- Visitors: Visitors to maggagenticai.com and maggaagentic.com.
- Prospects: Anyone who contacts us via web forms, social media, phone, or email.
By using our Services, you agree to this Privacy Policy. If you do not agree, please do not use our Services.
To make this Policy clear, we define the following key terms:
means a business, organization, or individual that purchases Magga AI services and deploys AI Agents or automation workflows within their own systems and channels.
means a person who interacts with an AI Agent or automation workflow operated by a Customer through any channel.
means any information relating to an identified or identifiable person, such as name, email, phone number, address, voice recording, biometric data, or content of communications.
means automated software that Magga AI provides to Customers for handling customer interactions, internal workflows, data processing, or decision support.
means any automated process we build or deploy for a Customer, including data synchronization, document processing, report generation, email/messaging automation, and integrations between systems.
means all Magga AI software, dashboards, APIs, infrastructure, and tools that power AI Agents and Automation Workflows.
means all products, services, professional services, and custom solutions provided by Magga AI.
means a third-party large language model provider whose AI models we use to generate responses or analyze data, such as OpenAI, Anthropic, Google (Gemini), DeepSeek, Mistral, or OpenRouter.
means any third-party system we integrate with on behalf of Customers, such as CRM platforms, messaging platforms, payment providers, email services, or enterprise software.
This Privacy Policy covers all Magga AI Services, including but not limited to:
3.1Current Services
- Customer Service AI Agents (Facebook Messenger, Viber, Instagram, website chat, Line)
- Sales AI Agents (lead qualification, follow-up automation, appointment booking)
- CRM integrations and data synchronization
- Internal admin and operations dashboards
3.2Planned and Future Services
- Marketing automation (campaign scheduling, content generation, audience segmentation, email marketing)
- HR automation (resume screening, interview scheduling, onboarding, employee FAQ)
- Finance automation (invoice processing, expense categorization, financial reporting, reconciliation)
- Operations automation (inventory alerts, supply chain workflows, logistics coordination)
- Voice AI agents (phone call handling, IVR, voice transcription)
- Document processing (OCR, data extraction, contract analysis, summarization)
- Enterprise integrations (ERP, accounting software, HRIS, e-commerce platforms)
- Custom AI solutions built to Customer specifications
- API access for Customers to build their own applications on our Platform
4.1 Information You Provide Directly (Customers)
- Business: Company name, industry, tax ID, registration, billing/shipping address.
- Contact: Full name, email, phone, Viber, LinkedIn, job title.
- Credentials: Username, password (encrypted with industry-standard hashing).
- Payment: Bank details, KBZ Pay / Wave Pay transaction IDs, invoice records.
- Service Config: Knowledge base, FAQs, catalogs, brand guidelines, workflow rules.
- Documents: Contracts, product info, training materials uploaded for processing.
- Support: Messages, emails, calls, and screen-sharing sessions with our team.
4.2 via Integrated Platforms
When connected, we access authorized data scopes from systems including:
Facebook Pages, Instagram, WhatsApp Business — messages, comments, Page metadata, End User profile data (name, profile picture, Page-Scoped ID).
Viber, Line, Telegram, SMS gateways — message content, sender/recipient identifiers.
Gmail, Microsoft 365, custom SMTP — email content, metadata, attachments.
HubSpot, Zoho, Salesforce, Pipedrive — contact records, deals, activity history.
Shopify, WooCommerce, custom stores — orders, customer data, product catalogs.
QuickBooks, Xero, Wave — invoices, transactions, financial records.
Applicant data, employee records (for automation use cases).
Google Drive, Dropbox, OneDrive — documents and files authorized for processing.
Google Calendar, Outlook — schedule data for appointment automation.
Campaign data, audience segments (when relevant to the Service).
We follow the principle of least privilege, accessing only needed permissions.
4.3 Information Collected Automatically
- Device: IP, browser type, OS, device identifiers, screen size.
- Usage: Pages viewed, features used, API calls, session duration.
- Performance: Response times, error rates, model latency, credits.
- Log Data: Timestamps, API requests, authentication events.
Location: Inferred from IP (country/city level); no precise GPS unless required.
4.4 Information from Third Parties
- Payment: Transaction confirmations and method metadata.
- Integration: Data shared via OAuth flows or API tokens.
- LLM Providers: Model responses, tokens, moderation flags.
- Analytics: Aggregated usage metrics (internal/external).
- Referral: Referrer name and tracking data.
- Public: Business registries and social media (with opt-out).
4.5 End User Data (Customer Interactions)
When End Users interact with AI Agents or Automation Workflows operated by our Customers, we process:
Text, voice, images, video, stickers, attachments, and transmitted content.
Name, phone, email, user IDs, social media handles, and shared info.
Order details, appointment requests, complaints, and tickets.
Complete interaction logs with the specific Customer's channels.
Response patterns, engagement metrics, and sentiment indicators.
Device type, timestamps, channel used, and delivery status.
IMPORTANT: End User data belongs to the Customer. Magga AI acts as a data processor. The Customer is responsible for informing End Users about privacy practices and obtaining necessary consents.
5.1 Service Delivery
- Operating AI Agents and Automation Workflows.
- Training AI Agents with Customer knowledge bases.
- Routing complex queries to human staff.
- Processing documents, transcribing voice, and images.
- Executing sync, reports, and scheduled tasks.
- Tracking credit usage, billing, and invoicing.
- Technical support, troubleshooting, and debugging.
5.2 Platform Improvement
- Analyzing usage patterns to improve response quality.
- Debugging errors and improving reliability.
- Developing new features based on customer feedback.
- Benchmarking model performance and cost.
- A/B testing with appropriate anonymization.
5.3 Communication
- Service notifications (low credits, downtime alerts).
- Responding to support requests and inquiries.
- Sending invoices, receipts, and renewal notices.
- Marketing with opt-in (newsletters, case studies).
- Onboarding guidance and training sessions.
5.4 Security & Compliance
- Detecting and preventing fraud, unauthorized access, and misuse.
- Content moderation for platform policy compliance (Meta, Viber, etc.).
- Enforcing Terms of Service and acceptable use policies.
- Complying with Myanmar law and international regulations.
- Protecting the rights and safety of Magga AI and the public.
5.5 Business Operations
- Managing customer relationships and renewals.
- Financial reporting, auditing, and tax compliance.
- Strategic analysis (aggregated and anonymized).
- Staff training using sanitized examples.
5.6 Legal Bases for Processing
To provide Services as agreed with Customers.
For marketing and certain optional features (can be withdrawn).
For platform security, fraud prevention, and business operations.
For tax records, regulatory compliance, and lawful authority requests.
Rare cases necessary to protect someone's life or safety.
Transparency about how we use AI is a core commitment. This section explains our AI supply chain and data practices.
6.1 LLM Providers We Use
GPT-4, GPT-4o, and successor models.
Claude family of models.
Gemini family of models, Vertex AI.
DeepSeek, Mistral AI, Meta (Llama models), OpenRouter.
Specialized providers: (embedding, speech-to-text, image generation, OCR) such as Whisper, ElevenLabs, Deepgram, AssemblyAI, Stability AI, and others as needed.
Self-hosted or Myanmar-specific models: for sensitive tasks requiring data localization.
We select providers based on quality, cost, speed, data handling practices, and suitability. The list above is indicative, not exhaustive.
6.2 What Data Is Sent to LLM Providers
- Relevant portions of the incoming message or data (e.g., the End User question).
- Relevant portions of the Customer's knowledge base (for retrieval-augmented generation).
- System prompts and configuration provided by Magga AI and the Customer.
- Conversation history needed for context.
- Metadata required for request routing (no personally identifying data unless necessary).
We minimize data sent and apply redaction where technically feasible. We do not send unrelated Customer data or full database dumps.
6.3 LLM Provider Data Handling
- We select providers that commit to not using API-submitted data to train their models, or we explicitly opt out.
- We prefer providers that retain data for no more than 30 days for abuse monitoring.
- For sensitive data, we prefer zero-retention options or enterprise agreements.
- We require appropriate security measures (encryption, access controls).
Customers with strict data residency or retention requirements should contact us to discuss Enterprise options.
6.4 Customer Data and AI Model Training
- We do NOT use Customer-specific data to train general-purpose AI models that serve other Customers.
- We do NOT share Customer conversations, knowledge bases, or workflows with other Customers.
- Aggregated and anonymized metrics may be used to improve our Platform and optimize model routing.
- With explicit consent, we may fine-tune Customer-dedicated models that only serve that Customer.
6.5 Automated Decision-Making
Some Services involve automated decision-making (e.g., lead scoring, fraud detection, content moderation, resume screening).
- Providing transparency about which decisions are automated.
- Offering human review for significant decisions upon request.
- Regular accuracy audits of automated systems.
- Not making decisions with legal effects solely through automation where prohibited by law.
6.6 AI Output Disclaimers
• AI-generated responses may contain errors, inaccuracies, or outdated information.
• Customers and End Users should verify critical information independently.
• Magga AI is not liable for decisions made solely based on AI outputs without human oversight.
• Customers are responsible for appropriate human review in high-stakes contexts (medical, legal, financial, safety-critical).
We share personal data only in the following circumstances:
7.1 With Service Providers and Sub-Processors
Google Cloud Platform, AWS, Supabase, Cloudflare, and similar providers for hosting, databases, CDN, and security.
As listed in Section 6.1.
Email delivery (SendGrid, Postmark), SMS gateways, Viber/Line business APIs.
KBZ Bank, Wave Money, Stripe (if used), bank partners.
Google Analytics, Mixpanel, Sentry, Datadog, or similar (aggregated/anonymized data where possible).
Helpdesk software, CRM.
GitHub, CI/CD platforms, error tracking services.
Accountants, auditors, legal advisors under confidentiality obligations.
All sub-processors are bound by data processing agreements requiring them to protect data consistent with this Policy. A current list of sub-processors is available on request at cs@maggagenticai.com.
7.2 With Customers
End User data collected through a Customer's channels is shared with that Customer, who owns the relationship with the End User.
7.3 With Integration Partners
When Customers authorize integrations, we share relevant data with the Integration Partner as needed to execute the integration (e.g., syncing contacts to a CRM, posting messages to Slack).
7.4 Legal Requirements
We may disclose information when required by law, such as:
- Response to lawful requests from Myanmar government authorities, courts, or regulators.
- Compliance with legal processes (subpoenas, court orders, search warrants).
- Enforcement of our Terms of Service and acceptable use policies.
- Protection against fraud, security threats, or illegal activity.
- Emergency situations involving risk to human life or safety.
We will notify affected users when legally permitted and practical to do so, and will narrowly limit disclosures to what is legally required.
7.5 Business Transfers
If Magga AI is acquired, merged, restructured, or sells assets, personal data may be transferred to the acquiring entity. We will notify Customers of any such transfer and provide options (such as data export) where legally required.
7.6 With Your Consent
We share data with other parties only with your explicit consent (for example, case studies, testimonials, or referral programs).
7.7 What We Do NOT Do
- We do NOT sell personal data to third parties under any circumstances.
- We do NOT share End User data between different Customers.
- We do NOT allow advertisers to target End Users based on their conversations or AI interactions.
- We do NOT use End User data for purposes unrelated to providing the Services the Customer engaged us for.
- We do NOT disclose Customer confidential business information (knowledge bases, workflows) to competitors or the public.
8.1 Where We Store Data
- Primary data storage: secure cloud infrastructure in Asia-Pacific region (Singapore, Tokyo, or similar)
- Some services require data processing in other regions (e.g., certain LLM Providers operate in the US or EU)
- Backups: encrypted backups stored in separate geographic regions for disaster recovery
- Logs: structured logs retained for security, compliance, and troubleshooting
8.2 Security Measures
- Encryption in transit: all data transmitted uses TLS 1.2 or higher
- Encryption at rest: sensitive data (tokens, passwords, payment info, PII) encrypted using AES-256
- Access controls: role-based access control (RBAC); least-privilege principle; only authorized staff can access Customer data
- Audit logs: all access to sensitive data is logged and reviewed
- Multi-factor authentication (MFA): required for all staff accessing production systems and Customer data
- Secret management: API keys, OAuth tokens, and credentials stored in dedicated secret vaults
- Regular security reviews: infrastructure, dependencies, and code reviewed for vulnerabilities
- Penetration testing: conducted periodically as we scale
- Incident response plan: documented procedures for security incidents
- Employee training: staff trained on data privacy, security, and confidentiality
- Vendor security assessments: sub-processors reviewed for security practices
8.3 Data Retention Schedule
- Active Customer data: retained for the duration of the subscription or engagement
- Conversation and interaction logs: retained for the duration of the subscription; Customers may configure shorter retention
- After subscription ends: retained for 90 days for potential recovery or reactivation, then deleted
- Financial and tax records: retained for 7 years as required by Myanmar law and international accounting standards
- Marketing and CRM records: retained for 3 years after last interaction, unless you opt out earlier
- Support and communication records: retained for 3 years for service quality purposes
- Audit and security logs: retained for 1-3 years depending on type
- Backup data: deleted within 30 days of primary data deletion
- Anonymized and aggregated data: may be retained indefinitely for analytical purposes
Customers may request shorter retention for specific data categories as part of Enterprise agreements.
8.4 Data Breach Notification
If a data breach occurs that compromises personal data, we will:
- Investigate and contain the breach immediately
- Notify affected Customers within 72 hours of confirmed discovery
- Provide details of affected data, scope, and remediation steps
- Report to relevant authorities as required by applicable law
- Offer remediation assistance and updated security measures
- Conduct post-incident review and update policies/procedures
Request a copy of your personal data. We respond within 30 days.
Update inaccurate data via dashboard or request.
Request data erasure (subject to legal/fraud exceptions).
Get data in structured format (JSON, CSV) for transfer.
Object to marketing or restrict processing during disputes.
Withdraw consent at any time for consent-based processing.
Request human review for significant automated results.
9.8 How to Exercise Your Rights
Email cs@maggagenticai.com with:
- Full name and registered email or account identifier.
- Nature of your request.
- Proof of identity (for sensitive requests).
9.9 Platform-Specific Rights
Facebook/Instagram: Revoke via Facebook Settings > Business Integrations.
Direct Request: maggagenticai.com/data-deletion
Magga AI Services are intended for businesses and adults aged 18 and above.
- We do not knowingly collect personal data from children under 13.
- If a child interacts with a Customer's AI Agent, we process the data only to respond to the inquiry, per the Customer's use case.
- If we learn we have collected data from a child under 13 without verifiable parental consent, we will delete it promptly.
- Customers using Magga AI for services that may reach minors must comply with applicable child protection laws (COPPA, GDPR-K, Myanmar laws).
- Parents or guardians who believe a child has provided us with personal data may contact cs@maggagenticai.com for removal.
Magga AI is based in Myanmar, but we use global cloud infrastructure and AI services. Personal data may be stored and processed in:
- Asia-Pacific (primary storage: Singapore, Tokyo, or similar regions)
- United States (some LLM Providers, analytics, infrastructure)
- European Union (some LLM Providers and cloud services)
- Other regions as required for specific Services
When data is transferred internationally, we ensure safeguards such as:
- Data Processing Agreements with all providers
- Standard Contractual Clauses where applicable
- Encryption in transit and at rest
- Compliance with provider security certifications (SOC 2, ISO 27001, etc.)
- Regular vendor assessments
Customers with strict data residency requirements should contact us to discuss Enterprise options.
12.1 Types of Cookies and Technologies We Use
Required for login, session management, security, and core functionality.
Help us understand usage patterns (Google Analytics, internal analytics).
Remember language, theme, and display preferences.
Used for retargeting and attribution (only with consent).
- Local storage: used to cache Platform data for performance.
- Web beacons and pixels: used to measure engagement in emails and on the website.
12.2 Managing Cookies
You can manage cookies through your browser settings or our cookie consent banner. Disabling essential cookies may affect site functionality. For platform-based controls, see the Privacy Preferences section in your account settings.
12.3 Do Not Track
We honor Do Not Track signals where technically feasible.
Our websites, Platform, and Services may link to or integrate with third-party sites and services. This Privacy Policy does not apply to third parties. Please review their privacy policies separately.
If you use Magga AI to deploy AI Agents or Automation Workflows, you are responsible for:
- Obtaining appropriate consent from your End Users for data processing.
- Publishing your own privacy policy that covers the use of AI Agents and automation.
- Informing End Users that they are interacting with AI (where disclosure is legally required).
- Responding to End User data rights requests promptly.
- Ensuring content you upload does not contain others' personal data without authorization.
- Complying with Myanmar's Electronic Transactions Law and other applicable laws.
- Following platform policies (Meta Messaging Policies, Viber Business Terms, etc.).
- Not using Services for prohibited activities (spam, illegal content, harassment, misinformation).
- Maintaining security of your account credentials.
- Promptly reporting security incidents or data breaches on your side that may affect End Users.
Magga AI provides tools; Customers are responsible for lawful and ethical use.
Customers may not use Magga AI Services for:
- Generating or distributing illegal content.
- Harassment, discrimination, or hate speech.
- Spam, unsolicited bulk messaging, or platform policy violations.
- Fraud, deception, or impersonation.
- Unauthorized collection of personal data.
- Processing data of individuals without appropriate legal basis.
- High-risk applications (medical diagnosis, legal advice, autonomous safety-critical decisions) without appropriate human oversight and licensing.
- Competing services built to reverse-engineer our Platform.
We may update this Privacy Policy from time to time. When we do:
- We will post the updated version at maggagenticai.com/privacy.
- We will notify Customers by email for material changes (at least 30 days before taking effect).
- Continued use after changes take effect means acceptance of the updated Policy.
- The "Last Updated" date at the top will reflect the most recent revision.
- Major version changes will be versioned (2.0, 3.0, etc.) with change logs available on request.
17.1 Governing Law
This Privacy Policy, and any matter or dispute arising out of or in connection with it, including non-contractual disputes and claims, shall be governed by and construed in accordance with the laws of the Republic of the Union of Myanmar, without regard to conflict-of-law principles. No other jurisdiction's laws, rules, or regulations shall apply to the interpretation or enforcement of this Policy.
17.2 Exclusive Jurisdiction — Myanmar Only
All disputes, claims, controversies, or legal proceedings arising out of or relating to this Privacy Policy, the Services, Magga AI, or any data processing activity — regardless of the Customer's or End User's location, residence, or citizenship — shall be resolved exclusively in Myanmar as follows:
- Primary forum: Yangon, Myanmar
- Arbitration: Binding arbitration conducted in Yangon under the Myanmar Arbitration Law (2016), with proceedings held in English or Myanmar language at the arbitrator's discretion.
- Courts: Where arbitration is not applicable or an interim remedy is required, the courts of Yangon, Myanmar shall have exclusive jurisdiction.
- No other forum: Customers, End Users, and any other party expressly waive any right to bring claims in any other jurisdiction, including but not limited to the United States, European Union, United Kingdom, Singapore, Thailand, or any other country.
- No class actions: Disputes must be resolved individually; class, collective, or representative actions are not permitted.
17.3 Waiver of Foreign Jurisdiction
By using our Services, Customers and End Users expressly and irrevocably:
- Submit to the exclusive jurisdiction of Myanmar for all disputes.
- Waive any objection to Myanmar as an inconvenient forum (forum non conveniens).
- Waive any right to file suit, arbitration, or legal action in any jurisdiction other than Myanmar.
- Waive any right to invoke foreign consumer protection statutes, data protection laws, or regulatory frameworks as the basis for legal action against Magga AI.
This waiver applies to the maximum extent permitted by Myanmar law.
17.4 Regulatory Compliance Reference Only
References in this Policy to international frameworks such as GDPR (EU), UK GDPR, CCPA/CPRA (California), PDPA (Singapore, Thailand), DPA (Philippines), or DPDPA (India) are provided for informational transparency only. Such references:
- Do NOT constitute submission to those jurisdictions or regulators.
- Do NOT grant legal standing to bring claims under those frameworks against Magga AI.
- Do NOT extend Magga AI's liability beyond what is recognized under Myanmar law.
- Reflect our good-faith effort to align with international best practices, not a legal obligation enforceable in foreign courts.
Any rights described with reference to foreign laws are honored by Magga AI voluntarily as a matter of internal policy, subject exclusively to Myanmar law and enforceable only through Myanmar dispute resolution channels described above.
17.5 Complaint Procedure
Before initiating any formal legal action, all complaints must first follow our internal resolution process:
Step 1: Contact cs@maggagenticai.com within 30 days of the incident. We will acknowledge within 5 business days and respond substantively within 14 business days.
Step 2: If unresolved, escalate in writing to cs@maggagenticai.com marking the subject line as "ESCALATION — PRIVACY". A senior member of our team will respond within 21 business days.
Step 3: If still unresolved, parties must attempt good-faith mediation in Yangon for a period of 30 days.
Step 4: Only after steps 1–3 are exhausted may a party proceed to binding arbitration in Yangon as described in Section 17.2.
Failure to follow this procedure shall bar any claim.
17.6 Limitation Period
Any claim arising under this Policy must be brought within one (1) year of the event giving rise to the claim, or it is permanently barred. This limitation applies regardless of longer limitation periods available under foreign laws.
17.7 Language of Proceedings
All legal and arbitration proceedings shall be conducted in Myanmar language or English, at Magga AI's election. Translation costs for any party wishing to use another language shall be borne by that party.
17.8 Severability
If any part of this Section 17 is found unenforceable under Myanmar law, the remaining parts shall remain in full force. No unenforceability in a foreign jurisdiction shall affect the validity of this Section under Myanmar law.
Magga AI is a Myanmar-based company. If you access our Services from outside Myanmar:
- You do so on your own initiative and at your own risk.
- You are responsible for compliance with your local laws regarding use of our Services.
- You agree that your use of Services is governed by Myanmar law, not your local law.
- You agree that any dispute will be resolved exclusively in Myanmar as set out in Section 17.
- You expressly waive protections that would otherwise be available under your local jurisdiction's laws, to the maximum extent permitted.
As a matter of good practice, Magga AI strives to align with international data protection norms (GDPR, CCPA, PDPA, etc.) described elsewhere in this Policy. However, all enforcement, dispute resolution, and legal recourse are available only through Myanmar jurisdiction as described in Section 17.
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Purpose: Privacy questions, data requests, security issues, support — all handled through this single channel.
Formal requests for data removal can be submitted through our dedicated portal.
Sub-Processor List
Available on request at cs@maggagenticai.com
Postal Address
Magga AI Co., Ltd., Yangon, Myanmar
Business Hours
Monday–Saturday, 9 AM – 6 PM (MMT, UTC+6:30)
This section summarizes key points in plain language. It does not replace the full Policy.
Core Mission
What we do: We provide AI Agents and business automation — customer service, sales, marketing, HR, finance, operations, and custom solutions.
What we collect: Business and contact info from Customers; messages and interactions from End Users; usage and performance data.
Why: To run AI Agents and automation, bill Customers, improve Service quality, and provide support.
Who we share with: Cloud providers, LLM providers (OpenAI, Anthropic, Google, DeepSeek, Mistral, OpenRouter, and others), payment processors, integration partners, and legal authorities when required.
Our Hard "DO NOT" List
- We do NOT sell data.
- We do NOT train general AI models on your data.
- We do NOT share data between Customers.
Your Rights
Access, correction, deletion, portability, opt-out. Contact cs@maggagenticai.com.
Security
Encryption everywhere, access controls, regular audits, 72-hour breach notification.
Retention: Active data retained during subscription; deleted 90 days after cancellation; financial records kept 7 years.
GLOBAL NOTICE: We honor international data protection norms (GDPR, CCPA, PDPA) as a matter of practice — but ALL disputes, claims, and legal issues are handled EXCLUSIVELY in Myanmar under Myanmar law. No lawsuits or claims in foreign courts.