1. Who we are
Magic Photo is a South African live AI photo activation service offered at in-person events and through the website magicphoto.co.za. In this policy, Magic Photo, we, our, and us means the Magic Photo service and the team operating it.
Privacy contact: privacy@magicphoto.co.za
General enquiries: hello@magicphoto.co.za
Base of operations: Johannesburg, South Africa
2. Information we collect
When someone uses the Magic Photo experience, we may collect the following information:
| Phone number | Collected so we can deliver the finished portrait on WhatsApp. |
|---|---|
| First name | Optional, used only where a name helps personalise the guest experience or delivery message. |
| Source photo | The original image captured at the activation. |
| Generated portrait | The AI-transformed image created from the source photo. |
| Session metadata | Time of capture, preset used, delivery status, and limited operational information that helps us run and support the service. |
We do not intentionally collect ID numbers, payment details, home addresses, or special-category profile data beyond the photo itself and the limited information needed to run the experience.
3. How we use information
- To create the guest portrait.
- To deliver the finished portrait on WhatsApp.
- To run the activation smoothly during the event.
- To troubleshoot delivery, generation, or operational issues.
- To respond to guest support, deletion, or privacy requests.
- To keep limited records that help us monitor reliability and protect the service from abuse.
We do not sell personal information, and we do not use guest data for third-party advertising or unrelated profiling.
4. Event partners and client campaigns
Magic Photo is frequently run on behalf of agencies, event organisers, and brand clients. That does not mean those parties automatically receive raw guest personal information.
By default, guest data is used to create and deliver the portrait and to support the experience. If a specific activation involves something more, such as a public gallery, competition entry, opt-in marketing list, or a planned handover of guest information to the commissioning client, that will be explained clearly at the point of capture so guests can make an informed choice.
5. Consent and lawful basis
Our primary lawful basis for processing guest information is consent. We rely on the guest choosing to take part in the Magic Photo experience and providing the information needed to create and deliver the portrait.
Where an event includes additional data uses, those uses should be disclosed at the point of capture. Guests can withdraw consent by contacting privacy@magicphoto.co.za. Withdrawal does not affect processing already completed before the request was received, but we will handle deletion or restriction requests as set out below.
6. Retention
We keep personal information only for as long as it is reasonably needed to deliver the experience and support legitimate operational requirements.
| Source photo | Up to 30 days after capture. |
|---|---|
| Generated portrait | Up to 30 days after creation. |
| Phone number | Until delivery is confirmed, or within 30 days at the latest. |
| Optional first name | Up to 30 days after the session. |
| Non-identifying operational records | Up to 12 months where needed for reliability, reporting, abuse prevention, or service support. |
We may retain information for longer if we are legally required to do so, if a dispute is active, or if temporary retention is reasonably necessary to establish, exercise, or defend legal claims.
7. Service providers we use
We work with a small number of service providers that help us run Magic Photo. These providers process information only to the extent needed to deliver the service.
- Twilio, for WhatsApp message delivery.
- Cloudflare R2, for asset storage.
- OpenAI, for AI image generation.
- Render, for application hosting and delivery infrastructure.
Provider privacy information is available at Twilio, Cloudflare, OpenAI, and Render.
8. Cross-border processing
Some of the providers we use operate infrastructure outside South Africa. That means guest information may be processed or stored in other countries as part of the normal Magic Photo service flow.
- Phone numbers and delivered portraits may pass through Twilio for WhatsApp delivery.
- Source images may be sent to OpenAI for portrait generation.
- Images may be stored on Cloudflare infrastructure in the configured storage region.
- Application traffic may pass through Render-hosted infrastructure.
Where required, we use event signage, booth copy, or other point-of-capture notices so guests understand that international processing may form part of the service.
9. Security
We take reasonable technical and organisational steps to protect the information we handle. Those steps include limiting access to the systems used to run the activation, using established service providers, and removing information when it is no longer needed under our retention rules.
No system is perfectly secure, but we aim to design the service so guest information is handled carefully, accessed only where necessary, and not retained longer than required.
10. Your rights under POPIA
Subject to applicable law, guests may ask us to:
- confirm whether we hold personal information about them;
- provide access to that information;
- correct inaccurate or incomplete information;
- delete information that is no longer needed or that was processed on the basis of consent that has been withdrawn;
- object to certain processing activities; or
- withdraw consent for future processing.
Privacy requests can be sent to privacy@magicphoto.co.za. We aim to acknowledge requests within 3 business days and respond fully within 30 days where reasonably possible.
If you believe your personal information has been handled unlawfully, you may also contact the Information Regulator of South Africa:
Email: POPIAComplaints@inforegulator.org.za
Phone: 010 023 5200
Address: Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191
Website: inforegulator.org.za/contact-us/
11. Website and cookies
The public Magic Photo marketing site does not intentionally use advertising cookies or third-party analytics cookies at this stage. The site may still rely on essential technical services, hosting logs, cached assets, and other standard web infrastructure that process limited technical request data such as IP address, browser type, and timestamps.
If the site later adds analytics, lead capture tooling, or any other feature that changes the way website data is processed, this policy will be updated to reflect that change.
12. Children
Magic Photo is intended for adults. If a guest is under 18, a parent or legal guardian should be present and should consent before any photo is captured or any phone number is collected.
If we become aware that we have processed a minor's information without appropriate adult consent, we will take reasonable steps to delete that information.
13. Changes to this policy
We may update this privacy policy from time to time to reflect operational, legal, or product changes. When we do, we will publish the updated version on this page and update the date shown at the top of the policy.
14. Contact
For privacy questions, access requests, deletion requests, or complaints, contact privacy@magicphoto.co.za.
For commercial or event enquiries, contact hello@magicphoto.co.za.