Privacy Policy

Museo — Mobile Application & Platform

Last updated: December 16, 2025 · Version 2.0

This Privacy Policy explains how MUSEO Sp. z o.o. collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and other applicable data protection laws.

1. Data Controller

MUSEO Spółka z ograniczoną odpowiedzialnością
ul. Marynarska 14, 02-674 Warszawa, Poland

KRS: 0001211166 · NIP: 5214144710 · REGON: 543493775
Data Protection Contact: contact@themuseo.ai

2. Categories of Personal Data We Process

2.1 Data You Provide Directly

  • Account data: email address, username, password (hashed)
  • Profile data: display name, profile picture, language preferences
  • User Content: photographs, images, text, metadata, descriptions you upload
  • Communications: support requests, feedback, correspondence with us

2.2 Data Collected Automatically

  • Device data: device type, operating system, unique device identifiers
  • Usage data: features used, pages viewed, interactions, timestamps
  • Location data: approximate location based on IP address (not precise GPS unless consented)
  • Log data: IP address, browser type, access times, error logs

2.3 Data from Third Parties

  • Social login providers: email, name, profile picture (if you use social login)
  • Payment providers: transaction confirmation (we do not receive full payment card details)

3. Purposes of Processing

Purpose | Legal Basis (GDPR Art. 6)
Providing and maintaining the Service | Contract performance (Art. 6(1)(b))
Creating and managing your account | Contract performance (Art. 6(1)(b))
Processing User Content under license | Contract performance (Art. 6(1)(b))
AI processing and model improvement | Legitimate interest (Art. 6(1)(f))
Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f))
Analytics and service improvement | Legitimate interest (Art. 6(1)(f))
Legal compliance | Legal obligation (Art. 6(1)(c))
Marketing communications (if opted in) | Consent (Art. 6(1)(a))

4. AI Processing & Automated Decision-Making

4.1 AI Processing of User Content

User Content (images, metadata) may be processed by AI systems for:

  • image recognition and artwork identification,
  • generating descriptions and audio guides,
  • improving search and recommendation features,
  • training and improving AI models.

Legal basis: Contract performance and legitimate interest in improving the Service.

4.2 Automated Decision-Making

Museo does not use automated decision-making that produces legal effects or similarly significant effects on Users. Content moderation decisions are reviewed by humans.

5. Data Retention Periods

Data Category | Retention Period
Account data | Until account deletion + 30 days
User Content | Retained indefinitely under license
Usage/analytics data | 26 months from collection
Support communications | 3 years from resolution
Legal/compliance records | As required by law (5-10 years)
Marketing consent records | Duration of consent + 3 years

After account deletion, we may retain anonymized or aggregated data that cannot identify you.

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right | Description
Access (Art. 15) | Request a copy of your personal data
Rectification (Art. 16) | Correct inaccurate or incomplete data
Erasure (Art. 17) | Request deletion ("right to be forgotten")*
Restriction (Art. 18) | Limit processing in certain circumstances
Data Portability (Art. 20) | Receive data in machine-readable format
Object (Art. 21) | Object to processing based on legitimate interest
Withdraw Consent (Art. 7) | Withdraw consent at any time

6.1 How to Exercise Your Rights

Email: contact@themuseo.ai
Subject line: "GDPR Request — [Your Right]"

We will respond within 30 days. Complex requests may be extended by an additional 60 days with notification.

6.2 Limitations on Erasure

The right to erasure does not apply where we have:

  • a legal obligation to retain data,
  • a legitimate interest in retaining User Content under the license granted,
  • a need to establish, exercise, or defend legal claims.

7. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority.

For Poland:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
Website: uodo.gov.pl

EU residents may also contact the supervisory authority in their country of residence.

8. Data Sharing & Recipients

We may share your data with:

Recipient | Purpose | Safeguards
Cloud hosting providers | Infrastructure | DPA
Analytics providers | Service improvement | Anonymization, DPA
AI service providers | Content processing | DPA, technical safeguards
Payment processors | Transactions | PCI-DSS compliance

We do not sell your personal data to third parties.

9. International Data Transfers

Your data may be transferred outside the European Economic Area (EEA) to cloud service providers and AI processing services.

Safeguards for international transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission,
  • Adequacy decisions where applicable,
  • Supplementary technical and organizational measures.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • encryption in transit (TLS) and at rest,
  • access controls and authentication,
  • regular security assessments,
  • employee training on data protection,
  • incident response procedures.

No system is 100% secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority as required by GDPR.

11. Cookies & Tracking Technologies

11.1 Types of Technologies Used

Type | Purpose | Duration
Essential cookies | Authentication, security | Session
Analytics | Usage patterns | Up to 26 months
Preferences | Your settings | Up to 12 months

11.2 Your Choices

  • In-app settings: Manage preferences in the application settings.
  • Device settings: Control permissions via your device settings.
  • Opt-out: You may disable non-essential analytics in settings.

12. Children's Privacy

Museo is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at contact@themuseo.ai and we will delete it.

13. Third-Party Links & Services

The Service may contain links to third-party websites or services. We are not responsible for their privacy practices. Please review their privacy policies before providing personal data.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be communicated via in-app notification, email to registered users, or an updated "Last updated" date. Material changes take effect 30 days after notification. Continued use constitutes acceptance.

15. Contact Us

For any questions, requests, or concerns about this Privacy Policy or your personal data:

Email: contact@themuseo.ai
Subject: "Privacy Inquiry"
Address: MUSEO Sp. z o.o., ul. Marynarska 14, 02-674 Warszawa, Poland

Summary of Key Points

Minimum age | 16 years
User Content license | Perpetual, worldwide, irrevocable, royalty-free
AI processing | User Content may be used for AI training
Data controller | MUSEO Sp. z o.o., Warsaw, Poland
GDPR rights | Access, rectification, erasure*, portability, objection
Response time | 30 days (GDPR requests)
Supervisory authority | UODO (Poland) or your local DPA

*Erasure subject to limitations for licensed User Content.