Privacy Policy

Tl;dr

The most important facts in a nutshell

  • MuseMachine UG (limited liability) does not sell data - neither now nor in the future.
  • This website does not use cookies, with the exception of a technically necessary cookie for language selection.

Privacy Policy

Personal data (usually referred to just as “data” below) will only be processed by us to the extent necessary and for the purpose of providing a functional and user-friendly website, including its contents, and the services offered there.

Per Art. 4 No. 2 of Regulation (EU) 2016/679, i.e. the General Data Protection Regulation (hereinafter referred to as the “GDPR”), “processing” refers to any operation or set of operations such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction performed on personal data, whether by automated means or not.

The following privacy policy is intended to inform you in particular about the type, scope, purpose, duration, and legal basis for the processing of such data either under our own control or in conjunction with others. We also inform you below about the third-party components we use to optimize our website and improve the user experience which may result in said third parties also processing data they collect and control.

Our privacy policy is structured as follows:

  1. Information about us as controllers of your data
  2. The rights of users and data subjects
  3. Information about the data processing

1. Information about us as controllers of your data

The party responsible for this website (the “controller”) for purposes of data protection law is:

MuseMachine UG (limited liability)
Roehrer Weg 8
71032 Boeblingen
Germany

Email: contact@musemachine.de

2. The rights of users and data subjects

With regard to the data processing to be described in more detail below, users and data subjects have the right

  • to confirmation of whether data concerning them is being processed, information about the data being processed, further information about the nature of the data processing, and copies of the data (cf. also Art. 15 GDPR);
  • to correct or complete incorrect or incomplete data (cf. also Art. 16 GDPR);
  • to the immediate deletion of data concerning them (cf. also Art. 17 GDPR), or, alternatively, if further processing is necessary as stipulated in Art. 17 Para. 3 GDPR, to restrict said processing per Art. 18 GDPR;
  • to receive copies of the data concerning them and/or provided by them and to have the same transmitted to other providers/controllers (cf. also Art. 20 GDPR);
  • to file complaints with the supervisory authority if they believe that data concerning them is being processed by the controller in breach of data protection provisions (see also Art. 77 GDPR);
  • to withdraw consent at any time with effect for the future. The withdrawal does not affect the lawfulness of processing based on consent prior to withdrawal (Art. 7(3) GDPR).

In addition, the controller is obliged to inform all recipients to whom it discloses data of any such corrections, deletions, or restrictions placed on processing the same per Art. 16, 17 Para. 1, 18 GDPR. However, this obligation does not apply if such notification is impossible or involves a disproportionate effort. Nevertheless, users have a right to information about these recipients.

Likewise, under Art. 21 GDPR, users and data subjects have the right to object to the controller’s future processing of their data pursuant to Art. 6 Para. 1 lit. f) GDPR. In particular, an objection to data processing for the purpose of direct advertising is permissible.

Competent Supervisory Authority: In the event of violations of data protection law, you have the right to lodge a complaint with the competent supervisory authority. The authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW), Lautenschlagerstraße 20, 70173 Stuttgart, Germany.

3. Information about the data processing

Your data processed when using our website will be deleted or blocked as soon as the purpose for its storage ceases to apply, provided the deletion of the same is not in breach of any statutory storage obligations or unless otherwise stipulated below.

Cookies

Session Cookies

We use cookies on our website. Cookies are small text files or other storage technologies stored on your computer by your browser. These cookies process certain specific information about you, such as your browser, location data, or IP address.

This processing makes our website more user-friendly, efficient, and secure, allowing us, for example, to display our website in different languages or to offer a shopping cart function.

The legal basis for such processing is Art. 6 Para. 1 lit. b) GDPR, insofar as these cookies are used to collect data to initiate or process contractual relationships.

If the processing does not serve to initiate or process a contract, our legitimate interest lies in improving the functionality of our website. The legal basis is then Art. 6 Para. 1 lit. f) GDPR.

To ensure protection against abuse and to improve the user experience, cookies may be set. This includes the `__cf_bm` cookie for identifying suspicious bot traffic, as well as the `cf_clearance` cookie, which temporarily stores that you are a human user after a successful challenge to avoid repeated checks during your session. These cookies serve exclusively for security and functional purposes.

When you close your browser, these session cookies are deleted.

Contact

If you contact us via email or the contact form, the data you provide will be used for the purpose of processing your request. We must have this data in order to process and answer your inquiry; otherwise we will not be able to answer it in full or at all.

The legal basis for this data processing is Art. 6 Para. 1 lit. b) GDPR.

Your data will be deleted once we have fully answered your inquiry and there is no further legal obligation to store your data, such as if an order or contract resulted therefrom.

Hosting by Microsoft Azure

Our website is hosted by Microsoft Corporation, One Microsoft Way, 98052-6399 Redmond WA, United States of America (hereinafter “Microsoft Azure”). Access to the website is through IONOS servers, where technical data such as IP address, time of access, browser used, and operating system are automatically stored in so-called server log files. This data processing is carried out to ensure the stable, secure, and efficient operation of our website.

We have entered into a Data Processing Agreement (DPA) with Microsoft in accordance with Art. 28 GDPR. This ensures that Microsoft Azure processes personal data only on our instructions and in compliance with applicable data protection regulations.

The storage of this data is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring error-free technical performance, as well as optimizing and securing our website. This data is not combined with other data sources.

For more information on data protection at Microsoft Azure, please visit: https://www.microsoft.com/en-gb/privacy/privacystatement

Domain Name Service (DNS) by IONOS

We use the Domain Name Service (DNS) of the provider IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany (hereinafter “IONOS”), to ensure the accessibility and name resolution of our website. When you visit our website, the public IP address of your device is sent to the globally distributed DNS servers used for our domain in order to resolve the request for our domain into the correct server IP address. In our case, IONOS is used exclusively as a DNS service provider.

We have entered into a Data Processing Agreement (DPA) with IONOS in accordance with Art. 28 GDPR. This ensures that IONOS processes personal data only on our instructions and in compliance with applicable data protection regulations.

The processing of this data is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the error-free technical performance, as well as the optimization and security of our website. This data is not combined with other data sources.

For more information on data protection at IONOS, please visit: https://www.ionos.com/terms-gtc/privacy-policy/

Domain Name Service (DNS) by Cloudflare

We use the Domain Name Service (DNS) of the provider Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, United States of America (hereinafter “Cloudflare”), to ensure the accessibility and name resolution of our website. When you visit our website, the public IP address of your device is sent to Cloudflare's globally distributed DNS servers to resolve the request for our domain into the correct server IP address. In our case, Cloudflare is used exclusively as a DNS service provider.

We have entered into a Data Processing Agreement (DPA) with Cloudflare in accordance with Art. 28 GDPR. This ensures that Cloudflare processes personal data only on our instructions and in compliance with applicable data protection regulations.

The processing of this data is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the error-free technical performance, as well as the optimization and security of our website. This data is not combined with other data sources.

Data processing also takes place in the USA. Cloudflare is certified under the “EU-U.S. Data Privacy Framework,” which is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards for data processing in the USA.

For more information on data protection at Cloudflare, please visit: https://www.cloudflare.com/en-gb/privacypolicy

Protection against abuse by Cloudflare Turnstile

We use the 'Turnstile' service from the provider Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, United States of America (hereinafter “Cloudflare”), to protect our forms from spam and automated abuse.

Turnstile verifies whether the input on our website is made by a human. This is done by analyzing various technical characteristics of the browser and user behavior, without tracking users across different websites or using the data for advertising purposes. During this process, the user's IP address is transmitted to Cloudflare.

To ensure this protection and improve user experience, Cloudflare may set cookies. This includes the `__cf_bm` cookie for identifying suspicious bot traffic, as well as the `cf_clearance` cookie, which temporarily stores that you are a human user after a successful challenge to avoid repeated checks during your session. These cookies serve exclusively for security and functional purposes.

The use of Cloudflare Turnstile is based on our legitimate interests in securing our website against abuse and spam, as well as ensuring a smooth user experience, in accordance with Art. 6(1)(f) GDPR.

Data processing also takes place in the USA. Cloudflare is certified under the 'EU-U.S. Data Privacy Framework,' which is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards for data processing in the USA.

For more information on data protection at Cloudflare, please visit: https://www.cloudflare.com/en-gb/turnstile-privacy-policy

Server data

For technical reasons, the following data sent by your internet browser to us or to our server provider will be collected, especially to ensure a secure and stable website: These server log files record the type and version of your browser, operating system, the website from which you came (referrer URL), the webpages on our site visited, the date and time of your visit, as well as the IP address from which you visited our site.

The data thus collected will be temporarily stored, but not in association with any other of your data.

The basis for this storage is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the improvement, stability, functionality, and security of our website.

The data will be deleted within no more than seven days, unless continued storage is required for evidentiary purposes. In that case, all or part of the data will be excluded from deletion until the investigation of the relevant incident is finally resolved.

MuseBoard

User Account & Registration by Appwrite

To use MuseBoard, we rely on Appwrite for creating and managing user accounts. The service is provided by Appwrite Code Ltd., 4 Heshizaf Street, Ra'anana, 4366411, Israel (hereinafter “Appwrite”). When you register with us, we process your name, email address, password (stored in encrypted form), unique user ID, IP address and login timestamps to manage your identity and secure your access.

We have entered into a Data Processing Agreement (DPA) with Appwrite in accordance with Art. 28 GDPR. This ensures that Appwrite processes personal data only on our instructions and in compliance with applicable data protection regulations.

The processing of your data is based on Art. 6(1)(b) GDPR, as it is necessary for the performance of a contract or to take steps at your request prior to entering into a contract. For further inquiries, you can contact us at contact@musemachine.de.

Google Sign-In

If you choose to register or log in using “Sign in with Google”, we use the authentication service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). In this case, Google transmits your name, email address and profile picture URL to us. We do not receive your Google password or access to any other data from your Google account.

We use this data to create and manage your user account and to authenticate you when you log in, so that we can provide you with secure access to MuseBoard. The legal basis for this processing is your consent pursuant to Art. 6(1)(a) GDPR, which you give by selecting the Google login option, and Art. 6(1)(b) GDPR, as the processing is necessary for the performance of our contract with you (account creation and management).

Cookies & local storage

We store a session cookie `a_session_` in your browser to maintain your authenticated session and ensure the secure operation of our service. The storage of this cookie is strictly necessary for the provision of the service and is therefore carried out in accordance with § 25 (2) No. 2 TTDSG. The subsequent processing of the associated data is based on our legitimate interest in providing a secure and functional online service pursuant to Art. 6 (1)(f) GDPR.

We use your browser’s local storage to save certain settings and states in order to make MuseBoard more user-friendly and convenient. This includes, in particular, your selected theme (light/dark), whether you have completed the MuseBoard tutorial (`museboard_tutorial_completed`), and the last visible section of the canvas (e.g. `board_viewport_<board_id>`) so that we can restore your previous view when you return. This storage serves exclusively functional purposes, is not used for tracking or marketing, and is based on § 25(2) No. 2 TTDSG as well as our legitimate interest in a user-friendly design of our service pursuant to Art. 6(1)(f) GDPR.

For further inquiries, you can contact us at contact@musemachine.de.

Storage of user content

Images that you upload or generate when using our services are stored using the file storage provided by Appwrite as part of our backend infrastructure. Files up to 20 MB in size are stored in encrypted form. The processing of this data is necessary to provide the contractual storage and retrieval functions of MuseBoard and is therefore based on Art. 6(1)(b) GDPR (performance of a contract).

AI image generation by Azure AI Foundry

When you use the AI features in MuseBoard, the text prompts you enter are transmitted to our AI provider in order to generate the requested images. The service is provided via Microsoft Azure AI Foundry (OpenAI Service) and is configured to run on servers located in the European Union. We apply enterprise policies which ensure that customer data (including prompts and generated content) sent via the API is not used to train, retrain, or otherwise improve the provider’s underlying foundation models. The processing of this data is necessary to provide the AI generation functions of MuseBoard and is therefore based on Art. 6(1)(b) GDPR (performance of a contract).

Retention Periods

  • Account data: Data associated with your user account is deleted 30 days after you delete your account, in order to prevent accidental loss and enable the clarification of any follow‑up questions arising directly after deletion.
  • Invoices and billing data: Data relevant for accounting and tax purposes is stored for 10 years in accordance with mandatory statutory retention obligations (in particular § 147 AO).
  • Server log files: Server logs are automatically deleted after 7 days, unless longer storage is required for evidentiary purposes in the event of security incidents or misuse.

Waitlist

For sending emails and managing our waitlist and newsletter, we use the service Resend, provided by PLUS FIVE FIVE, INC., 2261 Market Street #5039 San Francisco, CA 94114, United States of America (hereinafter “Resend”). When you register with us, the data you provide (first name, last name, email address) is stored on Resend's servers to send you the requested information (e.g., about our MVP launch or regular updates via newsletter).

We have entered into a Data Processing Agreement (DPA) with Resend in accordance with Art. 28 GDPR. This ensures that Resend processes personal data only on our instructions and in compliance with applicable data protection regulations.

The processing of your data is based on your consent in accordance with Art. 6(1)(a) GDPR, which you grant by the respective sign-up. You can revoke this consent at any time by using the unsubscribe link in every email or by contacting us directly at contact@musemachine.de.

Data processing also takes place in the USA. Resend is certified under the “EU-U.S. Data Privacy Framework,” which is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards for data processing in the USA. Additionally, we have concluded the EU Standard Contractual Clauses with Resend.

For more information on data protection at Resend, please visit: https://resend.com/legal/privacy-policy

LinkedIn

We maintain an online presence on LinkedIn to present our company and our services and to communicate with customers/prospects. LinkedIn is a service of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.

We would like to point out that this might cause user data to be processed outside the European Union, particularly in the United States. This may increase risks for users that, for example, may make subsequent access to the user data more difficult. We also do not have access to this user data. Access is only available to LinkedIn.

The LinkedIn privacy policy can be found here: https://www.linkedin.com/legal/privacy-policy