Privacy Policy
Last updated: December 14, 2025 (Version 2.0)
Designed to comply with GDPR
This Privacy Policy is designed to meet transparency requirements under the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
1. Introduction
This Privacy Policy explains how KOPINFO Információtechnológiai Korlátolt Felelősségű Társaság (KOPINFO Kft.) (“KOPINFO”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data when you use MagicBill (the “Service”).
2. Data Controller Information
Data Controller
Company: KOPINFO Információtechnológiai Kft.
Address: 1118 Budapest, Rétköz u. 29., Hungary
General Contact: [email protected]
Privacy Contact: [email protected]
Company Registration: 01 09 697868
Tax Number: 12673139-2-43
EU VAT: HU12673139
3. Roles (Controller vs. Processor)
MagicBill can be used by both business customers (B2B) and consumers (B2C).
- KOPINFO as Controller: We are the controller for account, authentication, billing, support, website operation, and security.
- KOPINFO as Processor (for business customers): Where a business customer uploads documents containing personal data about third parties (e.g., employees, customers, vendors), the business customer typically acts as controller and KOPINFO acts as processor.
If you are a business customer and want a formal data processing agreement, see our Data Processing Addendum (DPA).
4. Information We Collect
4.1 Account and identity data
Account Information
- Name and email address
- Google OAuth identifiers and profile information (if you sign in via Google)
- Account settings and preferences
Billing Information
- Billing details and transaction records
- Billing address
- Token/subscription usage data
Technical Information
- IP address and approximate location (inferred from IP)
- Browser type and version
- Device information
- Usage analytics and logs
- Cookies and tracking data
4.2 Customer Content and extracted data
- Invoice and receipt images/PDFs
- Extracted text and structured fields
- Categorizations, tags, and analytics outputs
- File metadata and processing logs
5. Why We Use Your Information (Legal Bases)
We process personal data based on one or more of the following legal bases:
- Contract: to provide the Service, authenticate you, and support you
- Legitimate interests: to secure the Service, prevent abuse, and improve reliability
- Consent: where required for certain cookies and marketing communications (if offered)
- Legal obligation: accounting/tax and compliance obligations
Examples: Account and billing data are processed to perform our contract with you; security logs are processed based on legitimate interests to protect the Service; and non-essential cookies are processed based on consent where required.
6. Cookies
We use cookies to keep you signed in, protect sessions, and operate the website and Service. Where required by law, we request consent before setting non-essential cookies.
See our Cookie Policy for details.
7. Data Sharing and Disclosure
7.1 Third-Party Service Providers
We share data with trusted service providers where necessary to deliver the Service, for the following purposes:
- Provide and maintain our services
- Process payments and billing (Stripe)
- Authenticate your identity (Google OAuth)
- Deliver AI-powered processing features (AI providers)
- Provide customer support
- Send important notifications
- Comply with legal obligations
- Prevent fraud and abuse
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Google (OAuth & Cloud) | Authentication and user management | Profile information, email |
| Stripe | Payment processing and billing | Payment information, billing data |
| OpenAI | Document analysis and processing | Document content, extracted data |
8. International Data Transfers
We aim to process and store data in the EU/EEA where feasible. Some providers may process data outside the EU/EEA. Where we transfer data internationally, we use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses (SCCs), and (where applicable) the EU–US Data Privacy Framework.
8.1 International users (outside the EEA/UK)
If you access the Service from outside the EEA/UK, you understand that your personal data may be processed in the EEA and in other jurisdictions where we and our service providers operate. The Service may not be available in all countries, and features may vary by region (including due to local laws or third-party provider limitations).
8.2 US residents (general notice)
If you are located in the United States, your privacy rights may differ depending on your state of residence. Depending on your state, you may have rights to access/know, delete, correct, and to opt out of the sale or sharing of personal information where applicable.
We do not sell personal information in exchange for money, and we do not sell or share personal information as defined under applicable US privacy laws.
8.3 Users in China (PRC) (general notice)
If you are located in the People’s Republic of China, you understand that your personal data may be processed and stored outside China (including in the EEA and other jurisdictions where we and our service providers operate). You are responsible for ensuring that your use of the Service (including any cross-border transfer of personal data in Customer Content) complies with applicable local laws.
9. Data Storage and Security
Security Measures
We implement appropriate technical and organizational measures such as encryption in transit (TLS), access controls, monitoring, and incident response.
9.1 Data Retention
| Data Type | Retention Period |
|---|---|
| Account Data | While the account is active (and after closure as required by law) |
| Document Data | While the account is active; longer where required for legal/tax compliance or dispute resolution |
| Payment Data | As required by financial regulations |
| Analytics Data | Retained for a limited period appropriate for service improvement and security |
| Communication Data | 3 years |
10. Your Rights Under GDPR
Your Rights
You have the right to access, rectify, and erase your personal data, to restrict or object to its processing, to data portability, and to withdraw your consent.
10.1 Individual Rights
- Right of Access: Request copies of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for marketing or cookies
10.2 Exercising Your Rights
To exercise your rights, contact us:
- Email: [email protected]
- We will respond within the time limits required by applicable law
You also have the right to lodge a complaint with the Hungarian Data Protection Authority (NAIH) or your local supervisory authority.
11. Automated Decision-Making
MagicBill uses automation to extract and categorize information from documents. We do not use automation to make decisions that produce legal or similarly significant effects on you without meaningful human involvement.
12. AI Processing and Training
MagicBill may use AI to extract and categorize information from documents.
We do not use your uploaded documents or extracted data to train or fine-tune general-purpose AI models.
AI processing is performed solely for the purpose of providing the Service to you.
13. Children
The Service is not intended for children. You must be at least 18 years old to create an account and use MagicBill.
14. Data Breach Notification
In case of a personal data breach, we will assess the risk and notify the relevant authority and affected users where required by law.
Contact Information
Privacy Contact: [email protected]
Phone: No phone support available for privacy matters
Hungarian Data Protection Authority: NAIH - Nemzeti Adatvédelmi és Információszabadság Hatóság
NAIH Address: 1055 Budapest, Falk Miksa utca 9-11.
NAIH Website: https://www.naih.hu