Skip to main content
MagicAuth
ProductsPricingDevelopersPortal
Request access
Legal

Privacy Policy

Last updated 7 July 2026 · TS Robotics Limited

This policy explains how TS Robotics Limited ("TS Robotics", "we", "us") processes personal data through the Magic Auth platform and its four products, Verify, Sign, Authenticate and Vault. It covers our website at magicauth.ai, our mobile applications, and the Magic Auth API.

1. Our two roles

Magic Auth is business-to-business infrastructure. Which role we hold depends on whose data it is.

  • Processor. When a business (a relying party) uses Magic Auth to verify, sign, authenticate or protect the data of its own customers, that business is the controller and we process the personal data on its documented instructions under a data processing agreement.
  • Controller. For our own business contacts, prospective customers, website visitors and account administrators, we are the controller and this policy governs directly.

If you are an end user who verified your identity or signed in through a business that uses Magic Auth, that business is your first point of contact and its privacy notice governs the purpose of the processing.

2. What we process

CategoryExamplesWhere it arises
Identity evidenceIdentity document images and extracted fields, date of birth, nameVerify
Biometric data (special category)A facial image and liveness signals used only to match a person to their documentVerify
Signature evidenceA document hash, the action approved, a device signature and a signed receiptSign
Authentication dataPasswordless sign-in tokens, TOTP secrets held as ciphertext, device attestationsAuthenticate
Vault contentsEnd-to-end encrypted ciphertext we cannot read; we never hold the keyVault
Account and contact dataName, work email, company, correspondenceOnboarding, support
Technical dataIP address, device and browser metadata, request logs, usage countsEvery product

3. Biometric and special category data

In Verify, a facial image and liveness signals are processed for the single purpose of confirming that the person presenting a document is its genuine holder. This is special category data. Where we act as controller, we rely on your explicit consent; where we act as processor, the relying party is responsible for the lawful basis and for obtaining any consent. Biometric evidence is used for the match and the resulting assurance decision, and is not used to build a facial-recognition database or for any secondary purpose.

4. Purposes and legal bases

PurposeLawful basis (where we are controller)
Providing and operating the platformPerformance of a contract
Identity verification and biometric matchingExplicit consent; substantial public interest (fraud prevention) where applicable
Producing signed, tamper-evident receipts and audit trailsLegal obligation and legitimate interests in evidential integrity
Security, fraud prevention and abuse monitoringLegitimate interests
Billing and account administrationPerformance of a contract; legal obligation
Service communicationsLegitimate interests; consent for marketing

5. Retention

Where we are a processor, we retain end-user data for as long as the relying party instructs and then delete or return it. Where we are a controller: verification receipts and signing receipts are tamper-evident audit records retained for the period required to evidence the transaction, typically up to six years for signatures in line with limitation periods; Vault ciphertext is retained until you delete it; account and contact data is retained for the life of the account and a reasonable period afterwards. Technical logs are retained on a rolling short-term basis for security and operations.

6. Security

Security is the product, so it is not an afterthought.

  • Data is encrypted in transit with TLS and at rest with customer-managed encryption keys.
  • Signing keys are held in a hardware security module; receipts are cryptographically signed and verifiable.
  • Every tenant is isolated at the database layer with row-level security enforced on the serving role.
  • The Vault is zero-knowledge: your data is encrypted on your device and we store only ciphertext we cannot decrypt.
  • The production API sits behind an edge firewall and is not directly reachable.

7. Sharing and sub-processors

We do not sell personal data. We share it only with the infrastructure providers that run the service:

  • Google Cloud — hosting, database and key management, London region.
  • Cloudflare — edge security, TLS termination and content delivery.
  • Stripe — payment processing for billing.
  • An identity-verification provider for document and biometric checks, engaged under contract.

8. International transfers

Primary processing takes place in the United Kingdom and the European Economic Area (Google Cloud europe-west2, London). Where a sub-processor transfers data outside the UK or EEA, we rely on adequacy decisions or the International Data Transfer Agreement and the UK Addendum to the Standard Contractual Clauses, with appropriate safeguards.

9. Your rights

Subject to the applicable law and to our role, you have the right to access, rectify, erase, restrict and object to processing, to data portability, and to withdraw consent at any time without affecting prior processing. Where a business used Magic Auth to process your data, please raise the request with that business first; we will support it as processor. To exercise a right against us as controller, contact us below.

10. Changes

We may update this policy as the platform evolves. Material changes will be reflected in the "last updated" date above and, where appropriate, notified to account administrators.

11. Contact and complaints

Contact TS Robotics Limited at admin@tsrobotic.com. If you are in the UK and are not satisfied with our response, you may complain to the Information Commissioner's Office at ico.org.uk.

Questions about this document: admin@tsrobotic.com.

Magic Auth, a TS Robotics product. © 2026.
ProductsPricingDevelopersPortalFor AI agentsPrivacyTermsCookies
IDENTITY, VERIFIED