Privacy Policy

Mag!c is a service of Mise (“we,” “our”), built in the Philippines for Filipino food sellers and their customers. We operate the merchant dashboard and the customer-facing storefronts at magic.mise-group.com.

This policy explains what data we collect when you create a customer account at /me/signup, order from a Mag!c restaurant, or browse the site. It is written to comply with the Philippine Data Privacy Act of 2012 (RA 10173).

• Account info — phone (required, the key that links your stamps across restaurants), name, email, password (hashed by our auth provider, Supabase).
• Optional profile — location and birthday, only if you provide them. We use these for service personalisation (e.g. birthday vouchers in the future).
• Order history — what you ordered, from which Mag!c restaurant, the amounts paid, delivery address (if any).
• Loyalty progress — stamp counts per restaurant that has loyalty enabled.
• Technical data — standard server logs (IP address, user agent) for security and abuse prevention.

• To run your account: sign-in, order placement, history.
• To award and redeem loyalty stamps with the merchants you actually order from.
• To show you other Mag!c restaurants you haven't tried — this is the “discover” section on your dashboard. We don't share your data with those restaurants until you actually order from them.
• To send transactional emails (order confirmations, refunds).
• To prevent fraud and protect the service.

• You — full access via /me.
• Restaurants you order from — they see your name, phone, your order with them, and your stamp progress with them. They do not see your activity at other Mag!c restaurants.
• Our infrastructure providers — Supabase (database + auth), Vercel (hosting), and Resend (email). Each operates under their own contractual data protections.
• We do not sell your data to third parties for advertising.

Under the Data Privacy Act you have the right to be informed, the right to access, the right to correct, the right to erase, and the right to object. To exercise any of these, email privacy@mise-group.com. We respond within 15 working days.

You can edit your profile at any time at /me/profile. Deletion is final — your stamp progress and order history attached to your account will be removed; merchants retain the minimum order records they need for tax and audit purposes (under their own legal obligations).

Active accounts are kept indefinitely. Order records are kept for at least 5 years for tax + audit compliance. Inactive accounts (no sign-in for 24 months) may be archived; we email you before doing so.

Passwords are hashed via Supabase Auth. All connections use HTTPS. Each merchant's data is isolated from others via database-level Row Level Security.

If we make material changes, we'll notify you by email and ask you to accept the updated policy before continuing to use your account.

Data Protection Officer · Mise · privacy@mise-group.com