This Privacy Policy explains how Artelio recognizes artworks and provides related information while respecting your privacy. It also covers your rights and choices.
1) What we collect and why
We only collect data needed to operate the app and keep it secure. We do not use your data for advertising or cross-app tracking.
| Category | Collected? | How | Purpose | Linked? | Tracking/Ads? | Optional? |
|---|---|---|---|---|---|---|
| Photos / image content | Yes | You submit a photo via the app/API | Core functionality: artwork recognition and returning results | No (processed without identifiers; not re-linked to identity) | No | Required for recognition |
| Camera access | Yes | iOS permission (Apple frameworks) | Capture photos for recognition | No | No | You can deny; the feature won’t work |
| IP address | Yes | Transmitted with API requests | Provide the service, security, rate-limiting, abuse prevention, basic service analytics | Yes (network identifier) | No | Not optional (networking) |
| Usage data (request logs) | Yes | Generated by servers for each recognition call | First-party analytics (service quality, performance), security, fraud/abuse prevention | No (anonymized/aggregated where possible) | No | Not optional |
| Product interaction data (audio/TTS playback duration) | Yes | Sent by the app | App Functionality (quality/reliability) and first-party, non-profiling Analytics | No (collected and stored without identifiers; not linked to identity) | No | Not optional |
| Other categories (account info, contact info, precise/approx location, health/fitness, financial, diagnostics, contacts/calendar, microphone) | Not collected | | | | | |
Important: For photos and product-interaction metrics, we do not store identifiers or keys that could link these items to a specific person or device. Security logs (which may include IP addresses) are kept separately and are not joined to photo or analytics data.
Sub-processors / service providers
Model provider (OpenAI). We send the content you submit (e.g., images) to OpenAI to generate recognition results. According to OpenAI’s API terms, API data is not used to train OpenAI’s models by default. OpenAI retains API inputs/outputs for up to 30 days to monitor for abuse, after which they are deleted (unless a longer retention is legally required). We do not permit OpenAI to use your content for advertising or their independent marketing purposes.
Infrastructure/logs: We store limited request logs solely to operate and secure the service.
We do not share or sell personal data to third parties for marketing.
2) How we use data
- Provide core functionality (recognize artworks and return information).
- Keep the service secure and reliable (fraud/abuse prevention, debugging).
- Measure basic service performance (e.g., uptime, request volume).
No targeted advertising. No cross-app tracking.
3) Retention
Image content sent for recognition: retained only as long as needed to process your request and keep the service secure and reliable. For operational reasons—such as abuse & fraud detection (e.g., scraping/DoS patterns) and reliability & debugging (including investigating bad outputs you report)—images may be kept for up to 7 days, after which they are automatically deleted.
Product-interaction metrics (not linked): retained up to 30 days with analytics, then deleted or aggregated.
IP addresses & request logs: kept 30 days for security/abuse prevention and troubleshooting, then deleted or anonymized.
Aggregated statistics (non-personal): may be kept for up to 12 months.
4) Legal bases (GDPR/EEA & UK GDPR)
We process personal data only where a legal basis applies:
- Performance of a contract (Art. 6(1)(b)) — to provide the service you request (e.g., processing your photo to return recognition results).
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure and reliable (e.g., prevent abuse, ensure availability, and measure basic performance using first-party, non-profiling analytics). You can object to processing based on legitimate interests at any time (see “Your rights”).
- Consent (Art. 6(1)(a)) — for device-level permissions such as camera access. Consent is obtained via the iOS system prompt and can be withdrawn in Settings at any time.
5) International transfers
Primary storage is in the EU. We use the OpenAI API to process recognition requests, which may be handled outside the EEA/UK (for example, in the United States). International transfers occur under the provider’s own data transfer framework as described in their published terms and privacy documentation. We configure the service to minimize retention and limit processing to what is necessary for the app to function. We will update this section if we adopt additional contractual safeguards or regional processing options.
6) Security & Incident Response
We use technical and organizational measures to protect data, including:
- Encryption in transit (TLS) and at rest for any stored logs.
- Access controls and least privilege for staff and systems.
- Audit logging and environment segregation (dev/staging/production kept separate).
- Vulnerability management and timely patching of systems and dependencies.
- Incident response & breach notification: we investigate and contain incidents without undue delay and, where required, notify the competent authority within 72 hours and affected users without undue delay.
7) Your rights
Subject to law, you can request:
- Access to your personal data,
- Deletion (erasure),
- Rectification,
- Portability, and
- Restriction/objection to certain processing.
Because we don’t maintain user accounts and keep minimal logs, we may need details to locate your data (e.g., the approximate date/time and timezone of a request, the public IP you used, and the device model/OS). Send requests to marcello@mulas.app. We may ask for information to verify your identity before acting.
8) Children
Our service is not directed to children under 13, and we don’t knowingly collect personal data from them. If you’re under the age of digital consent in your country, you must have parental permission to use the app. If we learn we’ve collected data from a child without proper consent, we’ll delete it.
9) Your choices
- Camera permission: You can enable/disable in Settings > Privacy & Security on your device.
- If you do not want your images processed, do not submit them; the app won’t function without a photo.
10) Changes to this policy
We may update this policy. We’ll post the new version at https://mulas.app/ and update the Effective date. For material changes, we’ll provide in-app notice in More → Legal & Privacy → Privacy Policy.
11) Contact
Controller: Marcello Mulas, Italy
Privacy contact: Marcello Mulas
Email: marcello@mulas.app