Privacy & Data Processing

Last updated: April 2026  ·  Applies to MagicAgent CRM (crm.magicday.today)

The short version: When you use MagicAgent CRM, you bring your own clients' data. You are the data controller — you decide why and how that data is used. MagicAgent is your data processor — we store and process it only on your instructions, to provide the CRM service. Your clients' data is never used for any other purpose, never shared with other agents, and never sold.

Who We Are

MagicAgent CRM is operated by Tom Halls, a sole trader based in the United Kingdom. References to "we", "us", or "MagicAgent" in this document mean Tom Halls trading as MagicDay.

Contact: hello@magicday.today

Controller and Processor Roles

The UK GDPR and EU GDPR draw a fundamental distinction between data controllers and data processors.

  • You (the travel agent) are the data controller. You determine the purposes for which your clients' personal data is collected and used — to manage bookings, send quotes, track trips, and communicate with clients.
  • MagicAgent is your data processor. We process your clients' personal data only to provide the CRM service to you, under your instructions, and for no other purpose.
  • Your clients are data subjects. They have rights under UK/EU GDPR which you, as the controller, are responsible for facilitating. MagicAgent will cooperate to help you meet those obligations.

As the data controller, you are responsible for ensuring you have a lawful basis for collecting and processing your clients' personal data, and for providing them with an appropriate privacy notice. MagicAgent does not provide legal advice on this.

What Client Data MagicAgent Processes

MagicAgent stores the following categories of data about your clients on your behalf:

Identity and contact

  • Client or family name, lead traveller name
  • Email address, phone number
  • City or region

Trip and booking details

  • Destination(s), travel dates, resort and room type
  • Party composition (number of adults, children's ages at travel)
  • Disney confirmation number, offer name
  • Ticket options, dining plan, add-ons selected
  • Budget range, occasion, flexibility preferences
  • Departure airport

Special category and sensitive data

  • Dietary requirements (collected via intake form if provided by client)
  • Accessibility needs (collected via intake form if provided by client)

Dietary and accessibility data may constitute special category data under UK/EU GDPR. You should ensure your privacy notice to clients covers the collection of this data and that you have an appropriate lawful basis (typically explicit consent or vital interests) before collecting it.

Commercial data

  • Quote values, commission amounts, payment milestone dates
  • Quote PDFs attached by the agent (stored in Cloudflare R2 object storage)

Activity and communication

  • Notes and activity log entries added by the agent
  • Intake form submission content and timestamp
  • Pipeline stage history

What We Do Not Process

  • Payment card details (handled exclusively by Stripe — agents manage their own billing; client payments are not processed through MagicAgent)
  • Passport or travel document numbers
  • Health records beyond dietary/accessibility preferences voluntarily provided
  • Biometric data of any kind

Agent Account Data

MagicAgent also processes data about you as an agent subscriber:

  • Name, email address, agency name
  • Billing information (processed by Stripe — we do not store card details)
  • MagicDay partner code and commission earnings record
  • Subscription status and history
  • Login session tokens (HTTP-only cookies, 30-day expiry)
  • Branding preferences stored in your browser's localStorage (not transmitted to our servers)

For your account data, MagicAgent acts as the data controller. You have full GDPR rights over this data — see "Your Rights" below.

Purpose and Legal Basis for Processing

Data category Purpose Legal basis (MagicAgent as processor)
Client personal data CRM features — pipeline management, intake forms, trip tracking, reminders Processing under contract (Article 6(1)(b)) — to provide the service you contracted for. Your instruction to store this data is the lawful basis as processor.
Agent account data Account management, billing, support, commission tracking Contract performance (Article 6(1)(b)) and legitimate interests (Article 6(1)(f))
Reminder emails Sending milestone reminder emails to you (the agent) Contract performance — reminder delivery is a core feature of the service

Data Residency and Storage

MagicAgent uses Cloudflare's infrastructure for all data storage and processing:

  • Database (Cloudflare D1): SQLite database hosted on Cloudflare's global network. Data is primarily stored in US data centres. Cloudflare is certified under the EU-US Data Privacy Framework and covered by UK adequacy decisions, providing lawful mechanisms for data transfers.
  • File storage (Cloudflare R2): Quote PDFs and documents are stored in Cloudflare R2 object storage (US region).
  • API (Cloudflare Workers): All API requests are handled by Cloudflare Workers at Cloudflare's edge locations globally, with encryption in transit (TLS 1.3).

If EU data residency is a hard requirement for your practice, please contact us at hello@magicday.today to discuss options — Cloudflare offers EU-jurisdiction configurations which we can enable for qualifying accounts.

Sub-Processors

MagicAgent uses the following sub-processors to deliver the service. By using MagicAgent, you authorise us to engage these sub-processors. We will notify you of any material changes to this list.

Sub-processorRoleLocationPrivacy policy
Cloudflare, Inc. Database (D1), file storage (R2), API hosting (Workers), security US (global CDN) cloudflare.com/privacypolicy
Resend Transactional email delivery (reminder emails sent to agents) US resend.com/legal/privacy-policy
Stripe, Inc. Agent subscription billing only — no client data is passed to Stripe US stripe.com/gb/privacy

Client personal data (your clients' names, emails, trip details) is processed by Cloudflare and Resend only. Stripe processes agent billing data only — your clients' data is never sent to Stripe.

Data Isolation Between Agents

Every agent's data is strictly isolated. All database queries are scoped to your agent_id — it is technically impossible for one agent's CRM data to be visible to another agent. Studio and Agency plan subscribers share a billing account but each agent's pipeline remains entirely private; agency-level reporting shows only aggregated totals, not individual client records.

Data Retention and Deletion

  • Active accounts: your clients' data is retained for as long as your subscription is active.
  • Cancelled accounts: all client data (clients, trips, quotes, activity logs, intake submissions) is permanently deleted within 30 days of account closure.
  • Export before deletion: you can request a full export of your data (JSON format) at any time by emailing hello@magicday.today. We will deliver it within 5 business days.
  • Reminder emails: email delivery logs held by Resend are subject to Resend's own retention policy (typically 30 days).
  • Agent account data: retained for 7 years for tax and accounting purposes, then deleted.

Security Measures

  • All data in transit encrypted via TLS 1.3
  • Database access restricted to authenticated Cloudflare Worker — no direct public database access
  • Session tokens are HTTP-only cookies with 30-day expiry; no persistent passwords stored
  • Magic-link authentication — no passwords to leak
  • R2 document URLs are presigned and time-limited (60-minute expiry)
  • Admin API protected by a separate secret key, not exposed in any client-facing interface
  • All agent queries scoped by agent_id at the database level

In the event of a personal data breach affecting your clients' data, we will notify you without undue delay and in any event within 72 hours of becoming aware, providing sufficient detail for you to meet your own notification obligations to the ICO (or relevant supervisory authority) and to affected data subjects where required.

Data Processing Agreement (DPA)

A formal Data Processing Agreement under Article 28 UK/EU GDPR is available to all MagicAgent subscribers. The DPA sets out our obligations as your data processor in legally binding terms, including standard contractual clauses for international transfers.

  • Agency and Group plan subscribers receive the DPA as part of their plan.
  • Solo and Studio subscribers can request the DPA by emailing hello@magicday.today.

If your agency requires a DPA before onboarding, email us and we will provide one before you create an account.

Your Rights (as an Agent/Subscriber)

As the data controller for your clients, you have rights over your own account data which MagicAgent processes as controller. Under UK GDPR you have the right to:

  • Access — request a copy of your account data
  • Erasure — request deletion of your account and all associated data
  • Portability — receive your client data in a structured, machine-readable format (JSON)
  • Rectification — correct inaccurate account information
  • Object — object to processing of your data for specific purposes
  • Restriction — request that we limit how we process your data

Exercise any of these rights by emailing hello@magicday.today. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

Supporting Your Clients' Rights

When your clients exercise their GDPR rights with you (access, erasure, portability), you are responsible for responding as the data controller. MagicAgent will support you:

  • Access / portability: email us and we will provide a JSON export of all data held for a specific client within 5 business days
  • Erasure: you can delete individual clients directly within the CRM. We will permanently purge deleted records from backups within 30 days.
  • Rectification: you can edit all client fields directly in the CRM at any time.

Cookies and Tracking (CRM Application)

The CRM at crm.magicday.today uses:

  • Session cookie — an HTTP-only, SameSite=Strict cookie storing your encrypted session token. Essential for login; automatically expires after 30 days or on logout.
  • localStorage — used to store your branding preferences (agency name, colours, logo) locally in your browser. This data is not transmitted to our servers.
  • No analytics, advertising, or third-party tracking cookies in the CRM application.

Changes to This Policy

We will notify active subscribers by email of any material changes to this policy at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact and Complaints

Tom Halls
Email: hello@magicday.today
Address: United Kingdom

For data protection enquiries, DPA requests, or to exercise your rights, email us with the subject line "Data request — [your name]".

You have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.