
Privacy Policy

Effective May 10, 2026 · Contact: support@magellania.net

In short: we only collect what's needed to run the CRM. No ad trackers, no selling data to third parties, no facial recognition, no behavioral profiling.

Contents

  1. About this document
  2. What data we collect
  3. Why we need this data
  4. Legal basis (GDPR)
  5. Subprocessors
  6. Where and how we store data
  7. Retention periods
  8. Your rights
  9. How to exercise rights
  10. Cookies
  11. Children
  12. Policy changes
  13. Jurisdiction and complaints

1. About this document

Magellania CRM is a SaaS platform for travel agencies: deal pipeline, quote calculation, multi-currency support, PDF proposals. When you register an account or even just visit our site, we process some data about you. This document explains what and why — in plain language.

This Policy applies to magellania.net and related subdomains (crm.magellania.net, staging.magellania.net). The data controller is the operator of Magellania CRM.

2. What data we collect

2.1. Sign-up and login data

  • Email — required for login and password reset.
  • Name (optional) — shown in the UI.
  • Password — stored only as a bcrypt hash (cost 10). We never see or store the plaintext.
  • Organization name — needed for multi-tenant data isolation.

2.2. Data you enter into the CRM

  • Client cards (name, email, phone, notes) — these are your customers' details that you enter as the operator.
  • Supplier and contractor cards.
  • Quotes, calculations, prices, itineraries, file attachments.
  • Deal history and audit log.

For this data you are the controller and Magellania CRM is the processor. We do not use your customers' data for our own purposes.

2.3. Technical data

  • IP address — for security (rate-limit, fail2ban, DDoS protection).
  • User-Agent — browser, OS.
  • Auth cookies — httpOnly access_token and refresh_token.
  • Request logs — API paths, response statuses, timestamps.

2.4. Marketing leads

If you submit your email through a form on this site (demo, newsletter), we save your email and message. We need this to reply to you.

2.5. What we do NOT collect

  • Biometrics, facial recognition.
  • Geolocation finer than country level (we infer country from IP for UI localization only).
  • Behavioral profiling for advertising.
  • Payment card data — payment goes through an external provider, we only see the "paid" status.

3. Why we need this data

  • Service delivery — without email and password you cannot log in; without client data you cannot calculate a quote.
  • Security — we need IPs in logs to block brute-force or suspicious traffic.
  • Support — when you email support@magellania.net, we use your email and account history to help.
  • Billing — for paid tiers we need to know who is paying and until when.
  • Service notices — about outages, policy changes, subscription expiration.

We do not send marketing emails without your consent. The marketing newsletter is a separate opt-in.

4. Legal basis (for GDPR-relevant users)

  • Contract performance — processing data needed to operate the CRM is based on the agreement between you and Magellania CRM (Terms of Service).
  • Legitimate interest — security logs, brute-force protection.
  • Consent — marketing newsletter, OAuth login via Google.
  • Legal obligation — retaining billing records per tax requirements.

5. Subprocessors

We share a limited set of data with the following companies. Each has its own privacy policy:

Subprocessor | Purpose | Data | Policy
Hostinger (Germany, EU) | VPS hosting | All service data | Privacy
Cloudflare | CDN, DDoS, Turnstile (CAPTCHA) | IP, User-Agent, cf_clearance cookie | Privacy
Google | OAuth login (optional, opt-in) | Email, name from Google profile | Privacy
Sentry | Error monitoring (server-side stack-traces only) | Hashed IP, error text | Privacy
Mailcow (self-hosted) | Transactional email delivery | Email, subject, body | Hosted on our VPS

We do not include advertising networks (Google Ads, Facebook Pixel, Yandex.Metrica, etc.).

6. Where and how we store data

  • Server location: Hostinger Germany (Frankfurt) — within the EU.
  • Database: SQLite on VPS, disk-level encryption via LUKS.
  • Backups: daily on the same VPS + daily off-site backup to Cloudflare R2 (Germany). 30-day retention.
  • Encryption in transit: TLS 1.3 on all public endpoints.
  • Internal access: only engineers with SSH keys; access is logged.

If you are a non-EU user (e.g., from Russia/CIS or LatAm), your data is physically stored in Germany (EU). This reflects the international scope of our product and our infrastructure footprint in the EU.

7. Retention periods

  • Account data (email, organization, quotes) — while the subscription is active. After cancellation, data is available for 30 days (you can restore or export), then deleted permanently.
  • Audit log (audit_logs table: who changed what) — 1 year.
  • Security logs (IP, User-Agent, request statuses) — 90 days.
  • Billing records — up to 4 years (tax requirement).
  • Marketing leads — up to 24 months or until you unsubscribe.

On request, we can delete data sooner — except records we are legally required to retain.

8. Your rights

If you are in the EU/EEA, you have GDPR rights. We extend the same rights to all users regardless of country:

  • Access — get a copy of your data in machine-readable format.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — delete account and associated data.
  • Portability — export all your quotes and contacts as JSON.
  • Object — to processing based on legitimate interest.
  • Withdraw consent — unsubscribe from newsletter, disable OAuth.
  • Lodge a complaint with your national supervisory authority (DPA).

9. How to exercise your rights

Email support@magellania.net with subject "Privacy request". Include:

  • The email of your account.
  • Which right you're exercising (access / erasure / export, etc.).

We respond within 30 days. For complex cases, we may extend by another 30 days with notice.

You can also delete your account directly from the profile settings.

10. Cookies

We use a minimal set of cookies:

  • access_token — httpOnly, 30 minutes. Not accessible to JavaScript.
  • refresh_token — httpOnly, 30 days. Scoped to /api/v1/auth.
  • auth_present — JS-readable flag (not a token!), needed for UI.
  • cf_clearance — Cloudflare anti-bot, set by Cloudflare itself.

No tracking cookies, no Google Analytics, no Yandex.Metrica, no Facebook Pixel.

11. Children

The service is not intended for users under 16. We do not knowingly collect data from children. If you are a parent and believe your child registered, email support@magellania.net and we will delete the account.

12. Policy changes

If we materially change this policy (e.g., add a new subprocessor or new data category), we notify you by email at least 30 days in advance. Minor edits (typos, clarifications) we publish immediately and update the "Effective" date.

An archive of previous versions is available on request.

13. Jurisdiction and complaints

For users in Russia and CIS, the applicable law is that of the Russian Federation.

For users in EU/EEA, you retain full GDPR rights, including the right to lodge a complaint with your national supervisory authority (DPA). Examples:

  • Germany — Bundesbeauftragte für den Datenschutz (BfDI).
  • France — CNIL.
  • Spain — AEPD.

For users in Argentina and LatAm, local data protection laws apply (e.g., Ley 25.326 in Argentina).

Before lodging a regulatory complaint, please contact us — we can resolve most issues directly and quickly.

Privacy questions — support@magellania.net.
See also: Terms of Service.
