Last updated: May 28, 2026
Welcome to MagicPassword.io. This Privacy Policy describes how Sms Password Bv, a Besloten Vennootschap registered in the Netherlands under company number 62832123 and with its registered office at Fellinilaan 131, Almere Stad, 1325TV, The Netherlands ("MagicPassword," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you use our website, applications, and services (collectively, the "Services"). This Privacy Policy applies to all visitors, users, and others who access the Services ("you" or "your").
We take your privacy seriously. Protecting your personal data is not just a legal obligation for us; it is a fundamental part of our mission. As a company that builds security and secret management tools, we hold ourselves to the highest standards of data stewardship. This Privacy Policy is designed to be transparent, comprehensive, and accessible. We encourage you to read it carefully and contact us if you have any questions.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal information in accordance with it. If you do not agree with any aspect of this Privacy Policy, you must discontinue use of the Services immediately.
Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at hi@magicpassword.io, and we will take steps to delete such information.
This Privacy Policy is governed by the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Dutch Implementation Act of the GDPR (Uitvoeringswet AVG), and other applicable Dutch and European Union data protection laws. As we are established in the Netherlands and offer services to individuals within the European Economic Area (EEA), the GDPR applies to all of our processing of personal data, regardless of where you are located when you use our Services.
Under the GDPR, we are required to identify a lawful basis for each category of personal data processing we undertake. The legal bases we rely upon include: (a) the necessity of processing for the performance of a contract to which you are a party (Article 6(1)(b) GDPR); (b) compliance with a legal obligation to which we are subject (Article 6(1)(c) GDPR); (c) the protection of your vital interests or those of another natural person (Article 6(1)(d) GDPR); (d) the pursuit of our legitimate interests, provided that such interests are not overridden by your interests or fundamental rights and freedoms (Article 6(1)(f) GDPR); and (e) your freely given, specific, informed, and unambiguous consent (Article 6(1)(a) GDPR).
Where we rely on legitimate interests as our legal basis, we have conducted and documented Legitimate Interest Assessments (LIAs) to ensure that our interests are balanced against your rights. These assessments are available upon request. Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
We collect several categories of information, which we classify into personal data (information that can directly or indirectly identify you) and non-personal data (aggregated, anonymized, or de-identified information that cannot be used to identify you).
When you register for an account, subscribe to our newsletter, participate in our waitlist, contact our support team, or otherwise interact with our Services, you may provide us with the following categories of personal data: your full name; email address; company or organization name; job title or role; billing address; payment information (which is processed by our PCI DSS-compliant payment processor and not stored on our servers); and any other information you choose to provide in free-text fields or support tickets.
When you access or use our Services, we automatically collect certain technical and usage information. This includes: your IP address; browser type and version; operating system; device type and model; screen resolution; language preferences; referring website or source; pages viewed and features used within our Services; timestamps of access; approximate geographic location derived from your IP address (at the city or country level); and unique device identifiers where applicable.
We collect this information through the use of cookies, web beacons, log files, and similar technologies. For more information about our use of cookies and similar technologies, please see our Cookie Policy.
We may receive information about you from third-party sources, such as analytics providers (e.g., Google Analytics), advertising partners, identity verification services, and publicly available sources. We combine this information with information we collect directly to improve our Services, enhance security, and verify your identity where necessary.
We use the information we collect for a variety of purposes, which we describe below. Each purpose is tied to a specific legal basis under the GDPR.
Service Provision and Contract Performance. We use your personal data to create and manage your account; authenticate your identity; provide the features and functionality you request; process payments and manage subscriptions; communicate with you about your account, transactions, and service updates; and provide customer support. The legal basis for this processing is performance of a contract (Article 6(1)(b) GDPR).
Service Improvement and Analytics. We analyze usage patterns, conduct A/B testing, monitor system performance, and use aggregated data to understand how users interact with our Services. This helps us prioritize feature development, fix bugs, and optimize user experience. The legal basis for this processing is our legitimate interest in improving our Services (Article 6(1)(f) GDPR), balanced against your privacy rights through data minimization and pseudonymization practices.
Security and Fraud Prevention. We use your information to detect, prevent, and respond to security incidents, fraud, abuse, and other harmful activities. This includes monitoring for suspicious login attempts, analyzing traffic patterns for bot or attack signatures, and investigating violations of our Terms of Service. The legal basis for this processing is our legitimate interest in protecting our Services and users (Article 6(1)(f) GDPR), as well as compliance with legal obligations (Article 6(1)(c) GDPR).
Marketing and Communications. With your consent, or where we have another lawful basis, we may use your contact information to send you promotional materials, newsletters, product announcements, event invitations, and other marketing communications. You can opt out of marketing communications at any time by clicking the "unsubscribe" link in any email or by contacting us at hi@magicpassword.io. The legal basis for this processing is consent (Article 6(1)(a) GDPR) or legitimate interest (Article 6(1)(f) GDPR) for direct marketing to existing customers.
Legal Compliance. We may use your personal data to comply with applicable laws, regulations, legal processes, and governmental requests; to enforce our Terms of Service and other agreements; and to protect our rights, property, and safety, as well as the rights, property, and safety of our users and the public. The legal basis for this processing is compliance with a legal obligation (Article 6(1)(c) GDPR) or our legitimate interests (Article 6(1)(f) GDPR).
We do not sell your personal data to third parties. We share your personal data only in the limited circumstances described below, and only with appropriate safeguards in place.
Service Providers. We engage third-party service providers to perform functions on our behalf, such as cloud hosting, data storage, payment processing, email delivery, analytics, customer support, and security monitoring. These service providers have access to personal data only to the extent necessary to perform their functions and are contractually bound to process it in accordance with our instructions and applicable data protection laws. We maintain a current list of sub-processors, which is available upon request.
Business Transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data in accordance with applicable law.
Legal Obligations and Protection. We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (such as a court or government agency). We may also disclose your personal data to enforce our agreements, to protect our rights and property, or to protect the safety of our users or the public.
With Your Consent. We may share your personal data with third parties when you have given us your explicit consent to do so. You may withdraw your consent at any time.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The retention periods we apply depend on the category of data and the purpose of processing.
Account information is retained for the duration of your active account and for a period of up to seven years after account closure, to comply with Dutch tax and commercial record-keeping obligations. Usage logs and technical data are generally retained for up to 90 days, unless required for security investigations or legal proceedings, in which case they may be retained for longer. Marketing preferences and communication records are retained until you opt out or for a maximum of three years from the last interaction. Backup data may be retained for up to 30 days in secure, encrypted environments before being permanently deleted.
Upon the expiry of the applicable retention period, your personal data is either permanently deleted or anonymized in a manner that makes it impossible to identify you. We regularly review our retention practices to ensure compliance with this policy.
Under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:
Right of Access (Article 15 GDPR). You have the right to obtain confirmation from us as to whether or not your personal data is being processed, and, where that is the case, access to the personal data and certain supplementary information. We will provide a copy of your personal data in a commonly used electronic format, free of charge, unless your request is manifestly unfounded or excessive.
Right to Rectification (Article 16 GDPR). You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed.
Right to Erasure ("Right to be Forgotten") (Article 17 GDPR). You have the right to obtain the erasure of your personal data without undue delay where one of the grounds specified in Article 17 applies, such as where the data is no longer necessary in relation to the purposes for which it was collected, or where you have withdrawn consent and there is no other legal basis for processing.
Right to Restriction of Processing (Article 18 GDPR). You have the right to obtain the restriction of processing where one of the conditions specified in Article 18 applies, such as where you contest the accuracy of your personal data or where the processing is unlawful and you oppose erasure.
Right to Data Portability (Article 20 GDPR). You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from us.
Right to Object (Article 21 GDPR). You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on legitimate interests. You also have the right to object at any time to processing for direct marketing purposes.
Right to Withdraw Consent. Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint. You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The Dutch supervisory authority is the Autoriteit Persoonsgegevens (AP).
To exercise any of these rights, please contact us at hi@magicpassword.io. We will respond to your request within one month of receipt, and free of charge unless your request is manifestly unfounded or excessive. We may ask you to verify your identity before processing your request.
We are headquartered in the Netherlands and primarily process personal data within the European Economic Area (EEA). However, some of our service providers may be located outside the EEA, including in the United States. Where we transfer your personal data outside the EEA, we ensure that appropriate safeguards are in place to protect your data in accordance with Chapter V of the GDPR.
These safeguards may include: the use of Standard Contractual Clauses (SCCs) approved by the European Commission; the implementation of supplementary technical and organizational measures (such as encryption and pseudonymization); reliance on adequacy decisions adopted by the European Commission; or, where applicable, certification under recognized international frameworks.
We monitor developments in international data transfer law, including the Schrems II judgment and subsequent guidance from the European Data Protection Board (EDPB), and update our transfer mechanisms accordingly. You may request a copy of the specific safeguards we apply by contacting us at hi@magicpassword.io.
We implement a comprehensive information security program designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include: encryption of data in transit using TLS 1.3; encryption of data at rest using AES-256; access controls based on the principle of least privilege; multi-factor authentication for administrative access; regular security assessments and penetration testing; employee security training and background checks; and incident response procedures aligned with industry best practices.
Despite our efforts, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security. If you become aware of any security vulnerability in our Services, please contact us immediately at hi@magicpassword.io. We operate a responsible disclosure program and will investigate all credible reports promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make material changes, we will notify you by email (if you have provided us with your email address) or by posting a prominent notice on our website prior to the change becoming effective. We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices.
Your continued use of the Services after any changes to this Privacy Policy constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you must discontinue use of the Services.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the information below:
Data Controller: Sms Password Bv
Address: Fellinilaan 131, Almere Stad, 1325TV, The Netherlands
Email: hi@magicpassword.io
Company number: 62832123
Universal Entity Code: 3120-5433-6433-0895
You may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you have concerns about our handling of your personal data:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
2594 AV Den Haag
The Netherlands
Website: autoriteitpersoonsgegevens.nl