Privacy Policy

Effective date: April 27, 2026

This Privacy Policy explains how Dreamsmyth LLC ("MuseMark", "we", "us", or "our") collects, uses, shares, and protects information when you use musemark.uk and related services (the "Service"). MuseMark is a QR-code metal-tag platform. Users create Profiles linked to the Tags they own, and we have built the Service with privacy and user control in mind.

1. What We Collect

Account data

• Email address (used for sign-in and transactional email)
• Password, stored as a bcrypt hash — we never see or store your plaintext password
• Chosen username or display handle
• Account creation timestamp and basic account status flags

Profile content

Anything you voluntarily add to your Profiles: display names (real or pseudonymous), photos, free-text fields, links, item descriptions, and similar. Profile content is public by design, because the purpose of a Tag is to resolve to a page anyone can read after scanning it.

Payment data

All payment information is processed by our payment processors. Card details and cryptocurrency wallet details never touch our servers. From the processor we receive only: a processor-side reference ID, Subscription status (active, canceled, lapsed), the current billing period, and the amount and currency of each transaction. We use this information for receipts, access control, and tax reporting.

Technical data

• IP address at the time of each request
• User agent string (browser and device type)
• Timestamps for logins, scans, and material account events
• Basic error and security logs

Scan logs

When someone scans a Tag, we log the Tag identifier, the scan timestamp, the IP address of the scanner, and the user agent. These logs are used to show aggregate scan analytics to the Tag owner and to detect abuse. If the scanner is not logged in, the scan is not personally linked to an individual beyond the IP address. If the scanner is logged in, the scan may be associated with their account for abuse-detection and analytics purposes.

2. How We Use It

• To provide, maintain, and improve the Service (account access, Profile hosting, Tag resolution, scan analytics).
• To process payments, renewals, and refunds through our payment processors.
• To send transactional email (password resets, receipts, Subscription reminders, security alerts, material policy updates).
• To detect, prevent, and respond to fraud, abuse, content violations, and security incidents.
• To comply with legal obligations and valid legal process.

We rely on the following legal bases under GDPR, where applicable: performance of a contract (to provide the Service you signed up for), our legitimate interests (to secure the Service and prevent abuse), compliance with legal obligations, and your consent (for anything outside the above, which we will ask for separately).

3. What We Don't Do

• We do not sell your personal data.
• We do not share your Profile content with advertisers, data brokers, or marketing networks.
• We do not use your Profile content, photos, or free-text fields to train artificial-intelligence or machine-learning models, whether ours or a third party's.
• We do not run third-party advertising trackers, analytics pixels, or behavioral-ad cookies on the Service.

4. Who We Share With

We share the minimum information necessary with a small number of service providers:

• Payment processors — to process Subscription payments and Tag purchases, and to issue refunds. They receive the billing information you enter with them directly.
• Hosting provider — the infrastructure that runs the Service. Our servers are hosted in Germany.
• Email provider — to deliver transactional email such as password resets and receipts.
• Law enforcement or courts — only in response to a valid subpoena, warrant, court order, or other lawful process, and where feasible and lawful we will attempt to narrow overbroad requests.

Each provider is bound by confidentiality and data-protection obligations. We do not authorize them to use your data for their own purposes.

5. Cookies and Tracking

We use a single session cookie to keep you logged in after you sign in. We do not use advertising cookies, cross-site tracking pixels, or third-party analytics. Clearing your cookies will log you out but will not otherwise affect your account.

6. Data Retention

• Account data and Profile content: retained while your account is active, and for up to ninety (90) days after account deletion to allow for recovery and fraud investigation, after which it is deleted or irreversibly anonymized.
• Scan logs: retained for twelve (12) months, then deleted or aggregated.
• Financial records (invoices, receipts, tax-relevant transaction records): retained for seven (7) years as required by U.S. tax law.
• Security and abuse records: retained only as long as necessary for the investigation and for a reasonable post-investigation period.

7. Your Rights

Regardless of where you live, you may:

• Access the personal data we hold about you.
• Correct data that is inaccurate or incomplete.
• Delete your account and associated personal data, subject to the retention rules above.
• Export your Profile content in a portable format.

UK and EU users (GDPR)

If you are in the United Kingdom or European Economic Area, you also have the right to rectification, erasure, data portability, objection to processing, and restriction of processing. You have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office, ico.org.uk) if you believe our processing violates the law. To exercise any of these rights, contact privacy@musemark.uk.

California users (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, how we use it, and with whom we share it; the right to delete personal information we hold about you; and the right to opt out of the sale or sharing of personal information. As stated above, we do not sell personal information, so there is nothing to opt out of in that sense. We will not discriminate against you for exercising your rights.

8. International Transfers

MuseMark is operated from the United States, our servers are located in Germany (EU), and our payment processors may operate in the United States and elsewhere. By using the Service you understand that your personal data may be transferred to, stored in, and processed in these jurisdictions. Where required by law, transfers out of the UK or EEA are protected by Standard Contractual Clauses (SCCs) or an equivalent approved mechanism.

9. Security

We protect the Service with industry-standard measures including bcrypt password hashing, HTTPS on all connections, encryption of data at rest on the hosting provider's storage, least-privilege access for personnel, and routine monitoring. Payment card and cryptocurrency wallet data never touch our servers, reducing exposure in the event of a breach. No system is perfectly secure; you play a role in your own security, and you should use a strong, unique password and enable any additional safeguards we offer.

10. Children

The Service is intended for adults aged eighteen (18) and older. We do not knowingly collect personal data from anyone under 18. If we become aware that an account belongs to a minor, we will terminate the account and delete the associated data promptly. If you are a parent or guardian and believe your child has created an account, contact privacy@musemark.uk.

11. Sensitive Content Notice

Profiles on MuseMark are public by design: anyone who scans a Tag sees the linked Profile. Even when you use a pseudonym, information you publish can in some circumstances be linked back to you if your account credentials are compromised or if you voluntarily share identifying details on your Profile. You should think carefully about what you publish, use a strong and unique password, avoid reusing passwords across sites, and consider broader operational-security practices (separate email address, no real-name photos, no identifying background details in images) if discretion matters to you. MuseMark cannot guarantee anonymity; we can only provide the tools and the environment.

Medical information. If you choose to add medical information to your profile, you are deliberately making that data public so that emergency responders can access it without barriers. We do not encrypt, restrict, or verify access to medical fields. We record the version of the medical disclosure you agreed to and the date you agreed to it, so we can prove what you accepted in case of dispute. Removing your medical information also clears that record. See the Medical Information section of our Terms of Service for the full risk disclosure.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will give you at least thirty (30) days' advance notice by email or through an in-service notice before they take effect. Non-material changes take effect on posting. We keep a changelog of material revisions available on request.

13. Contact

Questions, requests, or complaints about privacy: privacy@musemark.uk

14. Data Controller

The data controller responsible for your personal data under this Policy is:

Dreamsmyth LLC
Allentown, Pennsylvania, USA
Contact: privacy@musemark.uk

This document was last updated on April 27, 2026. It does not constitute legal advice.