Privacy Policy

Effective Date: February 10, 2026

1. Quick Overview

If you read nothing else, read this: We collect what we need to run the marketplace (account info, usage data, payment data via Stripe). We share data with services that help us operate (Stripe, Resend, Meta, etc.) but we never sell your personal data. You can delete your account and all your data at any time.

What we collect: Account info, usage data, payment data (via Stripe), and submission content. See Section 3.
Who touches your data: Service providers that help run the platform — Stripe, Resend, Cloudinary, Meta, and others. See Section 5.
We don't sell your data. Period. See Section 12 for California-specific details.
Your rights: Access, correct, delete, export, or opt out. See Section 10.
Questions? Email info@magicnothing.com.

2. Who We Are

We're Magic Nothing Inc, a small company based in Los Angeles that built a marketplace for indie music.

Magic Nothing Inc ("Magic Nothing," "we," "us," or "our") operates an online marketplace connecting independent artists with playlist curators at app.magicnothing.xyz (the "Platform").

For the purposes of data protection law:

Under the EU General Data Protection Regulation (GDPR), we are the data controller responsible for your personal data.
Under the California Consumer Privacy Act (CCPA/CPRA), we are a "business" as defined by the statute.

Our contact details:

Magic Nothing Inc
5101 Santa Monica Blvd, Ste 8 PMB 49
Los Angeles, CA 90029
info@magicnothing.com

3. Information We Collect

We only collect what we need to run the marketplace. Here's exactly what that means.

3.1 Information You Provide

Account information: username, email address, name, password
Profile information: bio, avatar image, location, social media links, profile role (artist/curator)
Submission content: Spotify track URLs, artist messages, uploaded audio files, ISRC codes, YouTube/Apple Music/SoundCloud URLs
Curator data: playlist URLs, curator screenshots, feedback text, playlist descriptions and genres
Financial information: Stripe Connect onboarding data (country, tax information, payout preferences) — see Section 3.4 for what we do NOT collect

3.2 Information Collected Automatically

Usage data: IP address, browser type and version, user agent, pages visited, actions taken on the Platform
Session data: authentication cookies, CSRF tokens
Advertising identifiers: Meta Pixel identifiers (fbc/fbp cookies)
Analytics data: Google Analytics identifiers, page views, user behavior patterns
Login metadata: timestamps, authentication method used

3.3 Information from Third-Party Sources

Spotify: Public playlist data, track metadata, and artist information retrieved via server credentials (client_credentials flow) — we do NOT use Spotify OAuth or access your personal Spotify account
Stripe: Payment status, payout status, and onboarding completion for curator payouts
Shopify: Course enrollment verification status (email-based lookup only)
Google: Basic profile information (name, email, avatar) if you sign up via Google OAuth

3.4 What We Do NOT Collect

Credit card numbers — Stripe handles all payment card data directly; we never see or store card numbers
Spotify OAuth tokens — We use server credentials, not your personal Spotify login
Government-issued ID — Stripe handles identity verification (KYC) for curators directly

4. How We Use Your Information

We use your data to run the marketplace, pay curators, and keep you updated. Here's the breakdown by legal basis.

4.1 Contract Performance

We process your data to fulfill our obligations under our Terms of Service:

Operating your account and authenticating your identity
Processing music submissions and delivering them to curators for review
Calculating token earnings, processing purchases, and facilitating cashouts
Delivering transactional emails (submission updates, payment confirmations, security alerts)
Syncing Spotify data to display playlist and track information on the Platform

4.2 Legitimate Interest

We process certain data based on our legitimate business interests, balanced against your privacy rights:

Fraud prevention and abuse detection
Platform analytics and performance monitoring
Playlist quality scoring based on objective performance metrics
Screenshot analysis for curator verification (OCR)
Platform improvement and feature development
Security monitoring and audit logging

4.3 Consent

We process certain data only with your consent, which you can withdraw at any time:

Marketing emails (opt-out available via unsubscribe link or by emailing us)
AI-powered features (screenshot analysis, bio generation, and other features as introduced) — these are optional and feature-flagged
Ad measurement via Meta Pixel

4.4 Legal Obligation

We process data when required by law:

Tax reporting and compliance (e.g., IRS Form 1099 for US-based curators)
Responding to valid legal requests from authorities
Payment processing regulations and anti-money laundering requirements

We share data with services that help us run the platform — including Stripe for payments, Meta for ad measurement, and AI tools for optional features. We never sell your data.

5.1 Service Providers

We share data with the following service providers, each of which processes data under their own privacy policies and our contractual agreements:

Stripe — email, name, payment amounts, payout details → payment processing and curator payouts
Resend — email address, first name → transactional and marketing email delivery
Cloudinary — uploaded files (avatars, audio, screenshots) → file storage and processing
Spotify — N/A (we query their public API with our own server credentials; we do not send your personal data to Spotify) → music and playlist data
Meta (Facebook) — SHA256-hashed email, IP address, user agent, event data (page views, registrations, purchases) → ad measurement and campaign optimization
Google Analytics — usage data, page views, user behavior → platform analytics
OpenAI / Anthropic — curator screenshots (OCR analysis), artist profile data (bio generation when available) → AI-powered features (feature-flagged, only processed when you use these features)
Shopify — email address → course customer verification
Google — OAuth tokens (if you sign up via Google) → authentication

5.2 What We Do NOT Do

We do not sell your personal information as defined under the CCPA. We do not rent, lease, or trade your data for monetary consideration.

5.3 Publicly Visible Information

The following information is visible to other users on the Platform:

Username, bio, avatar, profile role, and social media links
Curator playlist information (name, description, genres, quality tier)

Submission content (track details, artist messages, feedback) is shared only with the reviewing curator and is not publicly visible.

5.4 Discord Community

Our Discord community is a separate third-party platform operated by Discord Inc. Any information you share there is governed by Discord's Privacy Policy, not this one.

6. Cookies & Tracking

We use cookies to keep you logged in and measure ad performance. Here's what's on your device and how to control it.

6.1 Essential Cookies (Always Active)

These cookies are necessary for the Platform to function:

Session cookie — keeps you logged in
CSRF token — protects against cross-site request forgery attacks

6.2 Analytics & Advertising

Meta Pixel — tracks page views, registrations, and purchases for ad measurement. Sets fbc and fbp cookies on your device.
Google Analytics (G-FQBV9EXL2S) — tracks page views and user behavior for platform analytics. Sets _ga and _gid cookies.

6.3 How to Control Cookies

Adjust cookie settings in your browser (blocking third-party cookies will prevent Meta Pixel and Google Analytics tracking)
Use an ad blocker or privacy extension
Manage Meta ad preferences at facebook.com/adpreferences
Opt out of Google Analytics at tools.google.com/dlpage/gaoptout

7. Data Retention

We keep your data while your account is active. Delete your account and we delete your data — with a few exceptions for legal compliance.

Active account data: retained for the duration of your account
After account deletion: personal data deleted within 30 days
Financial and transaction records: retained for up to 7 years for tax compliance and legal obligations
Security audit logs: retained for up to 3 years
Uploaded files: deleted when your account is deleted
Submission audio files: also deleted 14 days after submission expiration, even while your account is active

8. Marketing Communications

We may send marketing emails. You can opt out anytime — we'll stop immediately.

8.1 Transactional Emails (Always Sent)

These are service communications you'll always receive while your account is active:

Submission updates (accepted, declined, feedback received)
Payment confirmations and cashout notifications
Security alerts (login from new device, password changes)
Changes to our Terms of Service or this Privacy Policy

8.2 Marketing Emails

We may send promotional communications including welcome series, platform digests, milestone celebrations, and newsletters. Our legal basis for sending these is legitimate interest under GDPR Recital 47 (direct marketing for our own similar services).

8.3 Opting Out

You can opt out of marketing emails at any time by:

Clicking the unsubscribe link in any marketing email
Emailing us at info@magicnothing.com

Opt-outs are honored immediately. Opting out of marketing will not affect transactional emails.

9. International Data Transfers

We're based in the US. If you're outside the US, your data crosses borders when you use the Platform.

All data processing occurs in the United States. If you are located outside the US, your personal data will be transferred to and processed in the US.

For users in the EU/EEA, we rely on:

Standard Contractual Clauses (SCCs) with our service providers
The EU-US Data Privacy Framework, where applicable

For users in the UK, similar protections apply under UK GDPR and the UK extension to the Data Privacy Framework.

10. Your Privacy Rights

You have rights over your data. Here's what you can do, depending on where you live.

10.1 All Users

Regardless of your location, you can:

Access your personal data — request a copy of what we hold about you
Correct inaccurate or incomplete information
Delete your account and all associated personal data (this is permanent and covers 20+ data categories)
Opt out of marketing communications

10.2 EU/EEA Users (GDPR)

In addition to the above, EU/EEA users have the right to:

Data portability — receive your data in a structured, machine-readable format (JSON)
Restrict processing — limit how we use your data in certain circumstances
Object to processing — object to processing based on legitimate interest
Withdraw consent — withdraw previously given consent at any time
Lodge a complaint — file a complaint with your local Data Protection Authority

10.3 California Users (CCPA)

See Section 12 for your specific rights under California law.

10.4 How to Exercise Your Rights

To exercise any of these rights, email us at info@magicnothing.com with:

Your registered email address
The specific right(s) you wish to exercise
Any relevant details about your request

Response time: We aim to respond within 30 days. For complex requests, we may need up to 90 days and will notify you of any extension.

Identity verification: We may need to verify your identity before processing certain requests to protect your privacy.

Note: Account deletion is permanent and cannot be reversed. All your data — including playlists, submissions, feedback, and uploaded files — will be permanently removed.

11. Data Security

We take security seriously, but no system is perfect. Here's what we do to protect your data.

We implement reasonable technical and organizational measures to protect your personal data, including:

Bcrypt password hashing
HTTPS encryption for all data in transit
CSRF protection on all forms and state-changing requests
Rate limiting on authentication and API endpoints
Security headers (Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options)
Secure session management
Admin audit logging

While we implement these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

12. California Privacy Rights (CCPA/CPRA)

California residents have specific rights under state law. Here's what applies to you.

12.1 Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information (as defined by the CCPA):

Identifiers: name, email address, username, IP address, account ID
Commercial information: token purchase history, submission history, payout records
Internet or electronic network activity: browsing history on the Platform, search queries, interactions with features
Geolocation data: approximate location derived from IP address, country (for Stripe Connect)
Audio, electronic, or visual information: uploaded audio files, avatar images, curator screenshots
Professional information: artist profiles, curator credentials, playlist data
Inferences: playlist quality scores, user preferences derived from usage patterns

12.2 Sources of Information

Directly from you (account creation, submissions, profile updates)
Automatically from your device (usage data, cookies)
From third parties (Spotify public API, Stripe, Google OAuth, Shopify)

12.3 Business Purposes

We use personal information for the following business purposes:

Operating the marketplace and facilitating submissions
Processing payments and curator payouts
Providing customer support
Fraud prevention and security
Marketing and promotional communications
Platform improvement and analytics

12.4 Categories of Third Parties

We share personal information with the following categories of third parties:

Payment processors (Stripe)
Email service providers (Resend)
Cloud storage providers (Cloudinary)
AI service providers (OpenAI, Anthropic)
Advertising platforms (Meta)
Analytics providers (Google)
Verification services (Shopify)

12.5 Sale and Sharing of Personal Information

We do not sell your personal information for monetary consideration.

12.6 Your California Rights

As a California resident, you have the right to:

Know what personal information we collect, use, and disclose
Delete your personal information
Correct inaccurate personal information
Opt out of the sale or sharing of personal information
Non-discrimination — we will not discriminate against you for exercising your rights

To exercise these rights, email info@magicnothing.com. You may also designate an authorized agent to submit requests on your behalf, provided the agent can verify authorization.

13. Children's Privacy

Magic Nothing is for adults (18+). We don't knowingly collect data from minors.

Magic Nothing is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected information from someone under 18, we will delete that information promptly. If you believe a minor has provided us with personal data, please contact us at info@magicnothing.com.

14. AI Features

We use AI for certain features. You're always in control of whether to use optional AI features.

Magic Nothing uses AI tools to power certain features. Current and planned AI features may include:

Screenshot OCR: Sends curator screenshots to OpenAI Vision for text extraction and analysis. Activated when curators upload screenshots during the application process.
Bio generator: May send artist profile data to OpenAI or Anthropic to generate suggested artist bios. Only activated when you use this feature.

These features are:

Feature-flagged — they can be enabled or disabled independently
Optional — you choose whether to use them; your data is only sent to AI providers when you actively use these features
Not used for automated decision-making with legal or similarly significant effects (per GDPR Article 22)

Quality scoring on the Platform is algorithmic and based on objective playlist performance metrics, not individual profiling.

15. Changes to This Policy

Important changes get 30 days' email notice. Minor changes just update the date at the top.

Material changes — including changes to what data we collect, how we share it, or your rights — will be communicated via email to your registered address at least 30 days before they take effect.

Non-material changes (clarifications, formatting, minor updates) will be reflected with an updated "Effective Date" at the top of this page.

Previous versions of this policy are available upon request by emailing info@magicnothing.com.

16. Contact

Questions about your privacy? Here's how to reach us.

If you have questions about this Privacy Policy or want to exercise your privacy rights, contact us at: