1. Data Controller
Musaium is operated by InnovMind (Tim Moyence, Entrepreneur Individuel), acting as data controller for personal data processed through the mobile application and related support channels.
Registered address: France.
Contact: tim.moyence@gmail.com
2. Data We Collect
Account data: email address, authentication identifiers, and account status metadata.
Usage data: chat prompts, uploaded images, voice messages submitted for transcription, timestamps, device/runtime metadata, and app diagnostics required for support.
Support data: messages sent through support channels (Instagram/Telegram) may be processed by those platforms under their own privacy policies.
3. Purposes of Processing
Provide museum-focused AI assistance about artworks, monuments, museums, architecture, and cultural heritage.
Operate authentication, secure sessions, error handling, and support workflows.
Improve service quality, monitor abuse/guardrails, and maintain security and reliability.
4. Legal Bases (GDPR Art. 6)
Contract performance (Art. 6(1)(b)) for account access and core app functionality.
Legitimate interests (Art. 6(1)(f)) for security monitoring, fraud prevention, service reliability, and product diagnostics.
Consent (Art. 6(1)(a)) for device permissions such as camera/microphone when required by the platform and only when the user explicitly triggers those features.
5. Recipients & Processors
Authorized internal personnel, on a need-to-know basis.
Sub-processors: OpenAI (United States), Google Cloud (United States/EU), DeepSeek (China), OVH SAS (France, EU data), Amazon Web Services (EU, EU data), Expo/EAS (United States).
No payment processors are used at this time.
6. International Transfers
Some processors may process data outside the EEA/UK/Switzerland. Where applicable, transfers are governed by appropriate safeguards such as SCCs, adequacy decisions, or equivalent mechanisms.
Data hosted on OVH and AWS remains within the European Union.
7. Retention Periods
Account data, chat history, and images: retained for the duration of service use, deleted upon request.
Audio files (voice questions): not stored — transmitted for transcription then immediately deleted.
Authentication tokens: access tokens valid for 15 minutes, refresh tokens for 30 days.
8. Security Measures
Musaium uses technical and organizational safeguards including access controls, transport encryption (TLS), environment isolation, password hashing (bcrypt), and operational monitoring.
No system is risk-free. Users should avoid sharing unnecessary sensitive personal data in chat conversations.
9. Your GDPR Rights
You may request access, rectification, erasure, restriction, portability, and objection to processing where applicable.
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise your rights, contact: tim.moyence@gmail.com. Include enough information to verify your request.
10. Complaints
You may lodge a complaint with your local supervisory authority.
Lead authority (if applicable): CNIL (Commission Nationale de l'Informatique et des Libertés), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.
11. Children & Minors
Musaium is not intended for children below the age required under applicable law without parental authorization. If you believe a minor provided data unlawfully, contact tim.moyence@gmail.com.
12. Policy Changes
We may update this policy to reflect legal, technical, or product changes. Material changes will be communicated in-app or through appropriate channels before or when they take effect.