Privacy Policy — Federated Community Platform

Our Commitment to Privacy

At MAGENTA, we believe privacy is a fundamental right. Our federated community platform is designed with privacy-first principles, ensuring that your data remains under your control while enabling powerful analytics and marketing capabilities.

This Privacy Policy explains how we collect, use, protect, and share information when you use the MAGENTA platform and any of our federated services within the CMYK ecosystem.

Data Collection Philosophy

        First-Party Focus: We prioritize first-party data collection, meaning you maintain direct relationships 
        with your users, and data flows through infrastructure you control.
    

Information We Collect

Account Information: Phone number (for OTP authentication), email address (optional), and display name
Analytics Data: Page views, interactions, and engagement metrics through our privacy-focused tracking
Device Information: Browser type, operating system, screen resolution, and P3 color space support
QR Code Scans: Location (approximate), device type, and scan timestamp
Workflow Data: Webhook events, API calls, and automation triggers you configure

Information We Don't Collect

Third-party cookies or cross-site tracking
Personally identifiable information without explicit consent
Biometric data or facial recognition
Unnecessary background location tracking

How We Use Your Information

Purpose	Data Used	Legal Basis
Authentication	Phone number, session tokens	Legitimate interest
Analytics Services	Aggregated interaction data	Consent / Contract
QR Code Generation	Brand preferences, URLs	Contract performance
Workflow Automation	Event data, API configurations	Contract performance
Service Improvement	Anonymous usage patterns	Legitimate interest

Data Federation & Isolation

Our federated architecture ensures complete data isolation between different clients and organizations:

        Client Isolation: Each federated client's data is completely separated at the database level. 
        Data from one client is never accessible to another client, even within the same CMYK ecosystem.
    

CMYK Ecosystem Data Flow

CYAN: Receives analytics events but stores them in isolated tenant spaces
MAGENTA: Provides APIs and infrastructure without storing sensitive user data
YELO: Content management with separate data stores per publisher
KEY: Authentication and core services with strict access controls

Your Privacy Rights

You have the following rights regarding your personal information:

Access & Portability

Request a copy of all data we have about you in a portable format (JSON/CSV)

Correction

Update or correct any inaccurate information in your profile

Deletion

Request complete deletion of your account and associated data

Restriction

Limit how we process your data for specific purposes

Objection

Opt-out of certain data processing activities

        To exercise any of these rights, contact our Data Protection Officer at privacy@comma.cm
    

Security Measures

We implement industry-standard security measures to protect your data:

End-to-end encryption for sensitive data transmission
Regular security audits and penetration testing
Role-based access controls (RBAC) for all systems
Automated threat detection and response
Secure session management with automatic timeouts
Infrastructure hosted on AWS with SOC 2 compliance

Data Retention

We retain different types of data for different periods:

Data Type	Retention Period	Reason
Account Data	Until deletion requested	Service provision
Analytics Events	90 days (detailed), 2 years (aggregated)	Performance analysis
QR Code Scans	30 days (individual), indefinite (aggregated)	Campaign tracking
API Logs	30 days	Security & debugging
Session Data	30 days after last activity	User convenience

Cookie Policy

We use minimal cookies, all first-party:

Essential Cookies

sessionid - Maintains your login session
csrftoken - Prevents cross-site request forgery
magenta_device_id - Anonymous device identifier for analytics

Functional Cookies

theme_preference - Remembers your UI preferences
locale - Stores your language preference

        We do not use third-party tracking cookies or participate in cross-site tracking networks.
    

International Data Transfers

Your data may be processed in different regions based on our infrastructure needs. We ensure appropriate safeguards are in place for any international transfers:

Primary processing: United States (AWS us-west-2)
Backup storage: European Union (AWS eu-west-1)
CDN endpoints: Global (CloudFront)

All transfers comply with applicable data protection laws, including GDPR, CCPA, and other regional regulations.

Children's Privacy

MAGENTA is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new policy on this page
Updating the "Last Updated" date
Sending an email notification for significant changes

Contact Information

Data Protection Officer

Scott Derozic
Email: privacy@comma.cm
Phone: +1 (310) 907-6310
Address: Comma Connect, Inc.
Los Angeles, CA 90066

For general inquiries: support@comma.cm
For security concerns: security@comma.cm

Regulatory Compliance

MAGENTA complies with the following regulations and frameworks:

General Data Protection Regulation (GDPR) - European Union
California Consumer Privacy Act (CCPA) - California, USA
Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
SOC 2 Type II Compliance
ISO 27001 Information Security Management (in progress)