Draft v1 · pending attorney review

Privacy Policy

What we collect, why, how long we keep it, and how to opt out. In one paragraph: MagnusID identity + your scan results + operational telemetry. We do not sell your data.

What we collect

  • Your MagnusID subject identifier + email (issued by MagnusID, not stored as a separate password by us).
  • Sites you register: URL, scope rules, auth_config metadata (sealed credentials live in a vault, never in our DB).
  • Scan artifacts: screenshots, HTTP captures, console logs, repro steps.
  • Findings (anonymized derivative of scan artifacts, retained for KB).
  • Operational telemetry: brain events (IDs + classifications, no PII).
  • Legal trail: ToS acceptances + ownership verification attempts (with IP, timestamp, version).

What we do NOT collect

  • Card numbers (handled by Stripe / QuikyPay; we store only the merchant reference).
  • Your end-users’ data. When we scan an authenticated flow, we use the credentials you provide; we never harvest user-account data.
  • PII about your customers in brain events (only IDs + categories).

Retention

  • Scan artifacts — 90 days (configurable downward).
  • Findings — indefinitely, anonymized to (category, fingerprint, severity, suggested_fix).
  • KB patterns — indefinitely.
  • Brain events — 180 days.
  • ToS / verification audit — 7 years per CFAA evidentiary norms.

Training opt-out

Your account exposes a training_opt_out boolean. When true, your samples are excluded from /agent/v1/training-samples exports: the flag is enforced server-side, and any opted-out sample the endpoint returns is marked redacted: true rather than exported in full. Defaults to false on signup; toggle any time.

Data subject rights

You can request access, export, correction, or deletion of your data at any time. Email privacy@magnusqa.ai. Deletion follows the 30-day flow described in the Terms.

Contact

Questions: privacy@magnusqa.ai. Security disclosures: security@magnusqa.ai.