1. Data Controller
Musaium is operated by InnovMind (Tim Moyence, Entrepreneur Individuel), acting as data controller for personal data processed through the mobile application and related support channels.
Registered address: France.
Contact: tim.moyence@gmail.com.
Pursuant to Article 37 GDPR, the designation of a Data Protection Officer (DPO) is not required for our organisation.
2. Data We Collect
Account data: email address, hashed and salted password, account creation date, user preferences (language, theme).
Conversation data: text messages exchanged during chat sessions, AI-generated responses, session metadata (timestamps, session identifiers, museum context where applicable).
Visual and audio data: photographs of artworks taken or imported by the user; audio recordings of voice questions. These are transmitted to AI services for analysis and kept only for the time required for processing.
Technical data: device type and version, operating system, app version, anonymised technical identifiers, error and performance logs.
Support data: messages sent through support channels (Instagram/Telegram) may be processed by those platforms under their own privacy policies.
3. Purposes & Legal Bases (GDPR Art. 6)
Provide museum-focused AI assistance about artworks, monuments, museums, architecture, and cultural heritage — Contract performance (Art. 6(1)(b)).
Operate authentication, secure sessions, error handling, and support workflows — Contract performance (Art. 6(1)(b)).
Security monitoring, fraud prevention, service reliability and product diagnostics — Legitimate interests (Art. 6(1)(f)).
Device permissions (camera, microphone, photo library) — Consent (Art. 6(1)(a)), only when the user explicitly triggers the feature.
Granular third-party AI consent (text/image/audio/profile × OpenAI/Google) — Consent (Art. 6(1)(a)) layered on top of contract performance.
4. Device Permissions
Camera — used to photograph artworks for AI-driven contextual information. No background capture.
Microphone — used for voice questions. Audio is transmitted for transcription, then deleted after processing.
Photo Library — used to import an existing image from the gallery. Only the selected image is accessible to the application.
No passive collection: permissions are only used when the user actively triggers the matching feature.
5. Recipients & Sub-processors
Authorised internal personnel, on a need-to-know basis.
Sub-processors are listed in §5.1 below. Each transfer outside the European Economic Area (EEA) is governed by appropriate safeguards (Standard Contractual Clauses, adequacy decision, or equivalent mechanism).
OpenAI (United States) — LLM provider for text and vision; transfer mechanism: SCC.
Google Cloud / Vertex AI (United States / EU) — alternative LLM provider; transfer mechanism: SCC.
DeepSeek (China) — alternative LLM provider, NOT enabled in EU production builds; transfer mechanism: none (not used in EU).
OVH SAS (France) — server and database hosting; data stays in the EU; transfer mechanism: internal (EU).
Amazon Web Services (EU) — object storage (S3) in EU regions; transfer mechanism: internal (EU).
Expo / EAS (United States) — mobile app distribution and over-the-air updates; transfer mechanism: SCC.
Brevo (France) — transactional email delivery (verification, password reset); transfer mechanism: internal (EU).
Sentry (United States) — error monitoring and performance telemetry; sendDefaultPii is disabled and a custom scrubber strips PII; transfer mechanism: SCC.
Apple (Sign in with Apple, United States) — federated authentication; transfer mechanism: SCC.
Tavily (United States) — web search backend for retrieval-augmented generation; transfer mechanism: SCC.
Brave (United States) — alternative web search backend; transfer mechanism: SCC.
Unsplash (United States) — public image library for cultural references; transfer mechanism: SCC.
Langfuse (Germany) — LLM observability and prompt telemetry; transfer mechanism: internal (EU).
CARTO (CartoDB tiles, United States) — map tiles for the museum map view; transfer mechanism: SCC.
Wikidata (Germany) — structured knowledge base for cultural references; transfer mechanism: internal (EU).
Wikimedia (Wikipedia REST, United States) — encyclopedic content for cultural references; transfer mechanism: SCC.
Nominatim (Germany) — reverse geocoding for museum/monument detection; transfer mechanism: internal (EU).
OpenStreetMap Foundation (United Kingdom, Overpass API) — spatial queries for monuments; transfer mechanism: adequacy.
Better-Stack (Germany) — uptime monitoring and incident alerting; transfer mechanism: internal (EU).
6. International Transfers
Where personal data is transferred outside the EEA / UK / Switzerland, transfers are governed by Standard Contractual Clauses (SCC), an adequacy decision, or an equivalent safeguard.
Data hosted on OVH and AWS stays within the European Union.
7. Retention Periods
Account data, chat history, and uploaded images: kept for the duration of service use and deleted on request.
Audio recordings (voice questions): not stored — transmitted for transcription then immediately deleted.
Authentication tokens: access tokens valid for 15 minutes; refresh tokens valid for 30 days.
8. Security Measures
Musaium uses technical and organisational safeguards including access controls, transport encryption (TLS), environment isolation, password hashing (bcrypt), and operational monitoring.
No system is risk-free. Users should avoid sharing unnecessary sensitive personal data in chat conversations.
9. Your GDPR Rights
You may request access, rectification, erasure, restriction, portability, and objection to processing where applicable.
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise your rights, contact: tim.moyence@gmail.com. Include enough information to verify your request. Response within one month (Art. 12(3) GDPR), extendable by two months if necessary.
10. Children & Minors
Musaium is not intended for users under 15 years old. Pursuant to Article 8 GDPR and Article 45 of the French Data Protection Act (Loi Informatique et Libertés), and consistent with CNIL Délibération 2021-018 setting the French digital majority at 15 years, users under 15 require parental authorisation to create an account.
If you believe a minor under 15 years old provided personal data without parental authorisation, contact us at tim.moyence@gmail.com so we can promptly delete the relevant data.
Reference: CNIL Délibération 2021-018 (French digital majority — 15 years).
12. AI Generative Content (EU AI Act Art. 50)
When you interact with Musaium, you are interacting with a generative AI assistant powered by third-party large language models (OpenAI, Google, DeepSeek). Replies are produced automatically and may contain errors, omissions, or factual inaccuracies — please verify critical information with primary sources.
Voice messages are transcribed by a speech-to-text model; spoken replies are synthesised by a text-to-speech model. Audio buffers are not stored beyond the request lifecycle.
This disclosure is provided pursuant to Article 50 of the EU AI Act (Regulation (EU) 2024/1689).
13. Granular Third-Party AI Consent
In addition to the general AI disclosure above (§12), the Musaium mobile app captures separate, explicit consent for each combination of (data category × third-party AI provider) before transmitting personal data outside Musaium-controlled infrastructure.
Consent scopes recorded today include: text messages to OpenAI (required to use the chat) and to Google; photos / images to OpenAI and Google; audio to OpenAI and Google; profile to OpenAI and Google. DeepSeek scopes are intentionally NOT offered in the EU production build.
All grants and revocations are persisted in our backend (user_consents table) and logged in our internal audit trail (audit_logs) with timestamp, IP, and request identifier. You may view and revoke any of these grants at any time from Settings → AI Consent in the mobile app.
Revocation of location-to-LLM is enforced in real time. Other third-party AI revocations are recorded as user intent; full enforcement is account deletion.
14. Policy Changes
We may update this policy to reflect legal, technical, or product changes. Material changes will be communicated in-app or through appropriate channels before, or when, they take effect.
The last-updated date and version number appear at the top of this document.