Privacy Policy
Last updated: February 23, 2026
1. Data Controller
Magnowlia AB (org. nr 559452-2194), Tegnérgatan 35, 111 61 Stockholm, Sweden, is the data controller responsible for the processing of your personal data. You can reach us at hey@magnowlia.com.
2. Personal Data We Collect
Account Data
When you create an account, we collect your email address and, if provided by your identity provider, your name. Authentication is handled through AWS Cognito, and you may sign in via Google, Okta, or Azure AD if your organisation uses single sign-on (SSO).
Usage Data
We store the questions you ask the AI assistant, your research threads, saved projects, and scheduled reports. This data is necessary to provide and improve the service.
Data Source Credentials
When you connect a data source (e.g. BigQuery, Snowflake, PostgreSQL, Redshift), the connection credentials are encrypted and stored in AWS Secrets Manager. Magnowlia does not store your raw data -- queries are executed directly against your data sources and results are returned in real time.
Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Authentication session (JWT) | 24 hours |
| lastLoginEmail | Remembers your email for faster sign-in | 30 days |
| aichat:panel-state | Stores your preferred chat panel layout | 1 year |
| data-models:view-mode | Stores your preferred data model view (list or tree) | 1 year |
All cookies are strictly functional -- we do not use any analytics, advertising, or tracking cookies.
3. How We Use Your Data
We process your personal data for the following purposes:
- Providing and operating the Magnowlia platform
- Authenticating your identity and managing your account
- Processing your natural-language questions through AI models to generate insights
- Delivering scheduled reports via Slack (when enabled by you)
- Remembering your interface preferences
- Communicating with you about your account or the service
4. Legal Bases (GDPR Article 6)
- Contract performance (Art. 6(1)(b)): Processing your account data, AI queries, and data source connections is necessary to provide the service you have signed up for.
- Legitimate interest (Art. 6(1)(f)): Functional cookies that store your interface preferences, and retaining your email for faster sign-in, serve our legitimate interest in providing a smooth user experience.
5. Third-Party Processors
We share your personal data with the following processors, each under a data processing agreement:
| Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, authentication (Cognito), credential storage (Secrets Manager) | EU (Frankfurt, eu-central-1) |
| OpenAI | AI query processing and insight generation | United States |
| Anthropic | AI query processing and insight generation | United States |
| Slack (Salesforce) | Scheduled report delivery (opt-in) | United States |
| SSO identity providers | Authentication via Google, Okta, or Azure AD (Enterprise plan) | Varies |
6. International Data Transfers
Your AI queries are processed by OpenAI and Anthropic, both located in the United States. Slack, if you enable report delivery, is also based in the United States. These transfers are safeguarded by the EU-U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Data Retention
- Account data is retained for as long as your account is active. When you delete your account, we remove your personal data within 30 days, except where retention is required by law.
- AI queries and research threads are retained for as long as your account is active and deleted upon account closure.
- Data source credentials are deleted immediately when you remove a connection or close your account.
8. Your Rights Under GDPR
As a data subject, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your personal data ("right to be forgotten")
- Restrict processing in certain circumstances
- Data portability -- receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
To exercise any of these rights, contact us at hey@magnowlia.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
9. Security
We protect your data with industry-standard measures including TLS encryption for all connections, optional SSH tunneling for private network data sources, encrypted credential storage via AWS Secrets Manager, and JWT-based session management. Access to production systems is restricted to authorised personnel.
10. Children's Privacy
Magnowlia is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by placing a prominent notice on our website. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
If you have questions about this privacy policy or our data practices, contact us at:
Magnowlia AB
Org. nr 559452-2194
Tegnérgatan 35
111 61 Stockholm, Sweden
hey@magnowlia.com