Legal · last updated April 24, 2026

Privacy Policy

TL;DR

We hold what we need to run the service — your Keycloak identifier, the tracks you generate, and the metadata you attach — and nothing for ad-tech or third-party profiling. Chat with Majik runs in your browser via WebGPU; those prompts never reach our servers. Custom LLM provider settings (e.g. your OpenAI key) are stored in your browser’s localStorage only.

What we collect

  • Account — your Keycloak ID, email, preferred username, and realm roles. Sourced from Unicorn Commander SSO.
  • Your generations — prompts you submit to the server-side ACE-Step pipeline, the resulting audio files, cover art, lyrics, and the parameters (BPM, key, etc.) you chose.
  • Publishing events — target platform, timestamp, and track ID. Used to enforce the free-tier monthly quota and to show your own publishing history.
  • Play counts on public track pages — an aggregate tally only, not per-listener identity.
  • Operational logs — server-side error traces (for debugging) and load metrics. Retained for 30 days.

What we do not collect

  • Browser-side chat prompts when you run Majik locally via WebGPU.
  • Your OpenAI / OpenRouter / local-model API keys — those live in your browser’s localStorage.
  • Third-party ad identifiers. We don’t run ads.
  • Cross-site tracking. We don’t embed analytics pixels.

How we use it

To operate the service: run generations, store your Library, enforce quotas, serve your public track pages, and respond to support requests. We do not sell your data.

Where it lives

Audio files, database, and Redis all run on Magic Unicorn infrastructure we operate directly (primarily “bigboy” in Charleston, SC). Sign-in identity is issued by Keycloak at auth.unicorncommander.ai. Cloudflare proxies majiks.music traffic for TLS and DDoS defense.

Your rights

Email privacy@magicunicorn.tech to export your data, correct inaccurate records, or delete your account. Account deletion removes your tracks, artist profile, publishing history, and any cached data within 30 days. We honor GDPR and CCPA requests.

Cookies

We use a single session cookie for NextAuth (stored server-side as a JWT, nothing third-party). No tracking cookies, no fingerprinting.

Changes

If we change what we collect or how we use it, we update this page and note the change date at the top.