Legal

Privacy Policy

Last updated: January 2026

TL;DR

  • Your video, audio, and chat are end-to-end encrypted using AES-256-GCM — encrypted in your browser before leaving your device.
  • You can verify participants using short authentication strings (SAS) to confirm you're talking to who you think.
  • We only collect what we need: email for accounts, minimal server logs for security.
  • We NEVER sell your data. We NEVER use it for advertising.
  • We use privacy-focused analytics that don't profile you or track you across sites.
  • You can delete your account and data at any time.

1. Who we are

Magicall is operated by Symbolic Software, a company registered in Paris, France. We are a boutique applied cryptography consultancy that builds privacy-respecting software.

Contact: hello@magicall.online

2. What data we collect

2.1 Account information

When you create an account, we collect:

  • Email address — Used for account verification, login, and important service communications.
  • Password — Stored using scrypt hashing. We cannot see your actual password.
  • Room name — The URL slug you choose for your personal room.

2.2 Call data

We do not record or store your call content. Your calls are end-to-end encrypted.

Magicall implements end-to-end encryption for video, audio, and chat messages:

  • End-to-end encryption — Your media and chat are encrypted in your browser using AES-256-GCM before leaving your device. Only participants with the room key can decrypt.
  • SAS verification — Short authentication strings let you verify you're talking to the right people, protecting against man-in-the-middle attacks.
  • Browser-based cryptography — All encryption uses the WebCrypto API built into your browser. Keys are generated and stored locally.
  • Our servers relay encrypted streams between participants but cannot decrypt the content
  • We do not store recordings of your video, audio, or chat messages

Important note: Like all browser-based encryption, you trust that we serve you the correct JavaScript code. The encryption code runs in your browser, but we control what code is served. This is a fundamental limitation of web-based E2E encryption that applies to all browser apps. How it works →

2.3 Technical data

We collect minimal technical data necessary for service operation:

  • IP addresses — Temporarily logged for security and abuse prevention. Deleted within 7 days.
  • Browser type and version — For compatibility and debugging purposes.
  • Session tokens — Encrypted tokens to keep you logged in.

2.4 What we do NOT collect

  • Call recordings or transcripts (calls are end-to-end encrypted)
  • Chat message contents (chats are end-to-end encrypted)
  • Decrypted media streams (we only see encrypted data)
  • Location data beyond IP-derived country
  • Device identifiers or fingerprints
  • Social media profiles
  • Cross-site tracking data

2.5 What our servers process

To provide the video calling service, our servers necessarily process:

  • Encrypted video and audio streams (relayed in real-time, not stored, cannot be decrypted by us)
  • Encrypted chat messages (relayed in real-time, cannot be decrypted by us)
  • Participant connection information (to route streams between users)
  • Room names and session data (to manage active calls)
  • Key exchange messages (public keys and encrypted room keys, used to establish E2E encryption)

This data is processed only during active calls and is not retained afterward. The encryption keys never leave your browser in unencrypted form.

3. How we use your data

We use the data we collect to:

  • Provide and maintain the Magicall service
  • Authenticate you and protect your account
  • Send essential service communications (e.g., password resets)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not:

  • Sell your personal data to third parties
  • Use your data for advertising or marketing profiles
  • Share your data with data brokers
  • Train AI models on your data

4. Cookies and tracking

We use only essential cookies required for the service to function:

  • Session cookie — Keeps you logged in. Expires when you log out or after 24 hours of inactivity.

We use privacy-focused analytics that:

  • Do not use cookies to track you
  • Do not track you across websites
  • Do not collect personal identifiers
  • Only collect aggregate page view data

We do not use:

  • Advertising cookies
  • Social media tracking pixels
  • Google Analytics or similar profiling tools

5. Data retention

  • Account data — Retained until you delete your account
  • Server logs — Automatically deleted after 7 days
  • Call data — Not stored. Streams are relayed in real-time and not recorded.

6. Data security

We implement strong security measures, designed by cryptographers:

  • End-to-end encryption — Video, audio, and chat are encrypted in your browser using AES-256-GCM before transmission
  • SAS verification — Short authentication strings allow you to verify participant identity and detect man-in-the-middle attacks
  • ECDH key exchange — Room keys are exchanged using Elliptic Curve Diffie-Hellman (P-256) with per-session keys
  • TLS 1.3 — All web traffic is encrypted in transit
  • SRTP — Additional transport-layer encryption for media streams
  • scrypt password hashing — We cannot see your password
  • Database access is strictly controlled and audited
  • Regular security assessments by our cryptography team

7. Your rights

Under GDPR and similar regulations, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate data
  • Erasure — Delete your account and all associated data
  • Portability — Receive your data in a machine-readable format
  • Objection — Object to certain processing activities

To exercise these rights, contact us at hello@magicall.online.

8. International transfers

Our servers are located in the European Union. If you access Magicall from outside the EU, your data may be transferred to our EU servers. We ensure appropriate safeguards are in place for any data transfers.

9. Children's privacy

Magicall is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

10. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by email or through a notice on our website. The "Last updated" date at the top indicates when this policy was last revised.

11. Contact us

For privacy-related questions or concerns: