EMPIEZA CON UNA PRUEBA GRATUITA DE 15 DIAS DEMO
LOG IN SIGN UP

Privacy Policy

MuseRelay (Muse Layer LLC) privacy policy. GDPR compliance, data retention, user rights, international transfers.

Inicio Privacy Policy

Last updated: 2026-04-13
Version: 2.0

1. Data Controller

The data controller responsible for personal data collected through this platform is:

  • Legal name: Muse Layer LLC
  • Principal place of business: 5203 Juan Tabo Blvd, Ste 2B, Albuquerque, NM 87111, USA
  • Mailing address: 5203 Juan Tabo Blvd, Ste 2B, Albuquerque, NM 87111, USA
  • EIN: 30-1474701
  • State of registration: New Mexico (USA)
  • Brand: MuseRelay
  • Contact email: privacy@muserelay.com
  • Technical email: webmaster@muserelay.com

1.2 EU Representative (Art. 27 GDPR)

As Muse Layer LLC is an entity established outside the EU offering services to data subjects in the European Economic Area, it has designated the following EU representative pursuant to Article 27 GDPR:

EU data subjects may contact either the controller (Muse Layer LLC) or the EU representative (Screen Art S.L.U.) for any matter related to the processing of their personal data.

2. Applicable legal framework

This policy is governed by:

  • Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
  • Directive 2002/58/EC on privacy in electronic communications (ePrivacy)
  • US federal and state laws applicable to Muse Layer LLC
  • California Consumer Privacy Act (CCPA) for California residents where applicable

3. Data we collect

3.1 Data provided by the user

  • Registration data: name, email, encrypted password, beta access code
  • Billing data: legal name, Tax ID/EIN, billing address, payment method (processed by Stripe)
  • Communication data: messages sent to AI assistants via WhatsApp, Messenger, Instagram, web chat, email
  • Received media: images, audio, video and documents attached to conversations

3.2 Automatically collected data

  • IP address, browser, operating system
  • Pages visited, session duration
  • Strictly necessary cookies (session, CSRF, language preference)
  • Session identifiers and device fingerprints for security

3.3 Data received from third parties

When an end user contacts you via WhatsApp, Messenger or Instagram, we receive from Meta Platforms, Inc. the data necessary to process that communication (user identifier, public name, message, attachments).

4. Legal basis for processing

PurposeLegal basis (Art. 6 GDPR)
Provision of contracted serviceContract performance (Art. 6.1.b)
Billing and tax obligationsLegal obligation (Art. 6.1.c)
Sending commercial communicationsConsent (Art. 6.1.a)
Security, fraud prevention, auditsLegitimate interest (Art. 6.1.f)
Retention of consent records and audit logsLegal obligation (Art. 6.1.c)

5. Data retention

We apply the following retention periods, adjustable per client organization:

  • Media files (images, audio, video, documents): 90 days by default, configurable between 1 and 3650 days based on each organization's needs.
  • Text messages: for the duration of the commercial relationship plus the legally required period (up to 5 years for accounting obligations).
  • Consent records: while consent is active + 90 days after revocation.
  • GDPR audit logs: 5 years (Art. 5.1.e GDPR).
  • Billing data: 6 years (international tax obligation).

After these periods, data is automatically and irreversibly deleted through daily automated processes.

6. Recipients and transfers

6.1 Processors (providers)

We share strictly necessary data with the following providers, all under data processing agreements compliant with Art. 28 GDPR:

  • Meta Platforms, Inc. — Sending/receiving messages via WhatsApp Business API, Messenger and Instagram. Signs EU Standard Contractual Clauses.
  • OpenAI, L.L.C. / Anthropic, PBC — AI providers for message processing. Data is processed under instances with GDPR clauses (not used for model training unless explicit consent).
  • Stripe, Inc. — Payment processing (PCI-DSS Level 1 certification).
  • Infrastructure provider — Servers physically located in the European Union (Germany).

6.2 Media storage

Files received in conversations are downloaded and stored in our own infrastructure (servers in the European Union) or, optionally, on GDPR-compatible providers such as Cloudflare R2 (EU region) or IONOS S3 (Germany) according to the configuration chosen by each client organization.

6.3 International transfers

As Muse Layer LLC is a US entity, some processing may involve transfers to the United States. These transfers are carried out under:

  • Standard Contractual Clauses approved by the European Commission (Decision 2021/914)
  • EU-U.S. Data Privacy Framework where the provider is adhered
  • Supplementary technical measures (encryption in transit and at rest) in accordance with EDPB Recommendations 01/2020

7. User rights

Under Articles 15 to 22 of the GDPR, you have the right to:

  • Access (Art. 15): obtain confirmation and a copy of the data we process about you.
  • Rectification (Art. 16): correct inaccurate data.
  • Erasure / Right to be forgotten (Art. 17): request deletion of your data.
  • Restriction (Art. 18): restrict processing in certain cases.
  • Portability (Art. 20): receive your data in a structured format (JSON) and transmit it to another controller.
  • Objection (Art. 21): object to processing based on legitimate interest.
  • Not be subject to automated decisions (Art. 22), including those based on AI.
  • Withdraw consent at any time without retroactive effects.

To exercise any of these rights, send an email to privacy@muserelay.com identifying yourself and specifying the right you are exercising. We will respond within a maximum of 30 calendar days.

If you consider that we have not properly handled your request, you can file a complaint with the competent supervisory authority:

  • EU residents: your national data protection authority.
  • California residents: California Attorney General's Office (CCPA rights).

8. Data security

We apply appropriate technical and organizational measures in accordance with Art. 32 GDPR:

  • TLS 1.3 encryption in all communications
  • Password encryption with bcrypt
  • Role-based access control (RBAC)
  • Audit log of accesses and modifications
  • Encrypted backups
  • Multi-tenant data isolation between client organizations
  • Periodic security assessments

9. Minors

MuseRelay is not directed at children under 14 years of age. We do not knowingly collect data from children of this age. If we detect that data has been collected from a minor without verifiable parental consent, we will proceed to immediate deletion.

10. Cookies

We exclusively use strictly necessary technical cookies for the operation of the service (session, CSRF, language preference). We do not use advertising or third-party tracking cookies without explicit consent.

11. Changes to this policy

We reserve the right to modify this policy to adapt it to regulatory changes or our services. The current version is always the one published at this URL, with its last updated date. For material changes, we will notify you by email at least 30 days in advance.

12. Data Protection Officer (DPO)

For any inquiry related to personal data processing, including the rights listed in section 7, you can contact our privacy team at:

privacy@muserelay.com

Actualizado: 13 April, 2026