Privacy

Privacy Policy

This Privacy Policy explains what personal information Muza collects from you, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to the Muza mobile applications for iOS and Android, the marketing website at muza.beauty, and any related services we operate.

Effective date: 2026-05-28 · Data controller: Daniil Sadovskyi, NIP 5273163086, PŁOCKA 38/40, 01-152 Warszawa, Poland · Contact: support@muza.beauty

1. Overview

Muza is a mobile-first marketplace for the beauty industry. We connect three roles — Models, Masters (beauty professionals), and Studios — for discovery, communication, and bookings. To make the product work, we need to process certain personal information about you. This policy describes everything we collect and what we do with it, in plain language and in detail. If you are an EU resident, this policy also serves as the privacy notice required by Articles 13 and 14 of the General Data Protection Regulation (GDPR).

2. Information we collect

We collect only what the product needs to function. We do not collect data for advertising and we do not run third-party trackers on this website.

2.1 Information you provide directly

  • Account identity: email address, password (hashed), role (Model, Master, or Studio), display name, age, optional phone number, optional Instagram handle.
  • Profile content: avatar (profile photo), background/cover photo, bio, city, district (optional), address (optional, masters only), latitude and longitude (only if you enable location services), categories or specialties, hair color, skin type, height, weight (models only, all optional).
  • Portfolio media: photos you upload to your portfolio, services you offer (title, description, duration, price, currency, what's included).
  • Operational content: castings you post (title, date, time, location, compensation type, reference images, conditions), applications you submit (optional message), bookings you create or accept, working hours, flex and rest time settings, calendar exceptions.
  • Communications: messages you send through Muza chat (text, images, videos, voice recordings, location pins, galleries, offers), reactions, blocks, and reports you file.
  • Reviews: ratings (1–5 stars) and optional comments you leave for other users after a booking.
  • Preferences: theme (light/dark/system), accent color, preferred language, notification settings.

2.2 Information collected automatically

  • Device push tokens: a device identifier issued by Apple (APNS) or Google (FCM) that lets us deliver push notifications to your phone. Only stored if you grant the notification permission.
  • Activity timestamps: account creation date, last active timestamp, last login.
  • Authentication metadata: if you sign in with Google or Apple, the provider returns a user ID and an email address to us through Supabase Auth.
  • Reliability and rating scores: computed automatically from your bookings and reviews; used to rank your profile in discovery and to surface verification signals.

2.3 Information we do not collect

We do not collect: contacts list, calendar entries from your phone, browsing history, advertising identifiers, IP-based behavioral profiles, biometric data, health data. We do not access your camera, microphone, photo library, or location without an explicit permission prompt, and we only use those sensors for the specific in-app action (taking a profile photo, attaching a chat photo or video, recording a voice message, sharing a location pin, or matching with nearby talent). You can deny any of these permissions and most of the app continues to work.

3. Why we use your information

Each category of data has a specific purpose. The list is exhaustive.

  • To operate the marketplace: show your profile in discovery, deliver your messages, schedule your bookings, surface your reviews, run distance-aware matching using your latitude and longitude.
  • To verify identity and trust: manual review of your profile against the verification criteria; mutual review prompts after every booking.
  • To deliver notifications: push your phone when someone applies to your casting, accepts your application, books you, sends you a message, or leaves you a review. You control this per category in Settings.
  • To prevent abuse: review reports, enforce blocks, maintain the reliability score, take action on accounts that violate the Terms.
  • To improve the product: aggregate, anonymized metrics about feature usage (e.g., percentage of bookings reviewed) — never tied to your identity in any human-readable form.
  • To comply with legal obligations: tax records, lawful requests from competent authorities, accounting requirements under Polish and EU law.

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following bases:

  • Contract (Art. 6(1)(b)): account creation, profile, bookings, messages, reviews — everything required to provide the service you signed up for.
  • Consent (Art. 6(1)(a)): precise location (when you enable it), push notifications, optional categories of profile data (height, weight, hair color, skin type), marketing emails (if any).
  • Legitimate interest (Art. 6(1)(f)): verification, fraud prevention, abuse moderation, network safety. We have weighed these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): tax records, retention required by accounting law, response to lawful authority requests.

5. Who we share your information with

We never sell your personal data. We share it only with the following categories of recipients, only when necessary:

5.1 Other Muza users

Profile information you choose to publish — display name, avatar, bio, city, categories, portfolio, rating, reviews, services — is visible to other Muza users in discovery, search, and casting/booking workflows. Your email address, phone number, exact location coordinates, working hours grid, and private notes are not visible to other users.

Messages you send are visible only to the other participant in the conversation. Bookings are visible only to you and the other party. Reviews are public on your profile and cannot be deleted by the reviewee.

5.2 Service providers (sub-processors)

  • Supabase, Inc. — our backend infrastructure (Postgres database, authentication, file storage, real-time messaging). Data hosted in EU regions where available. Supabase Privacy Policy.
  • Apple Inc. — Apple Push Notification service (APNS) for iOS notifications, Sign in with Apple for OAuth. Apple Privacy Policy.
  • Google LLC — Firebase Cloud Messaging (FCM) for Android notifications, Sign in with Google for OAuth. Google Privacy Policy.
  • Stripe, Inc. — payment processor (when payments roll out, currently not active). Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy.

Each sub-processor is bound by a Data Processing Agreement (DPA) that requires them to handle your data only on our documented instructions and with security measures consistent with the GDPR.

5.3 Legal authorities

We disclose information when required by a valid court order, subpoena, or legal request from a competent authority. We resist overbroad requests and notify the affected user when we are not legally prohibited from doing so.

5.4 Successors

If Muza is acquired or merges with another company, your information may be transferred to the successor under the same protections set out in this policy, and you will be notified before any change in controller.

6. Storage and security

Data is stored in PostgreSQL databases operated by Supabase. Backups are encrypted at rest. Network traffic between your device and our servers is encrypted in transit (HTTPS / WSS / TLS 1.2+). Avatars, portfolio images, and profile backgrounds are stored in public storage buckets — meaning they are accessible by URL to anyone who has the URL (because we render them on public profiles). Chat media (images, voice notes, videos, gallery uploads, location screenshots) is stored in an authenticated-only bucket and is not accessible without a valid Muza session.

We do not currently apply end-to-end encryption to messages. Messages are encrypted in transit and at rest at the database level, but Muza staff with database access can technically read message content. We use that access only to investigate reported abuse and we treat it as a privileged operation.

7. How long we keep your information

  • Active accounts: retained for as long as your account exists.
  • Deactivated accounts: if you set your account inactive, we retain your data so you can reactivate. After 24 months of inactivity, we may anonymize or delete it.
  • Deleted accounts: when you delete your account, related data (profile, portfolio, bookings, messages, reviews, services, working hours) cascade-deletes from the database within 30 days. Aggregated, anonymized metrics derived before deletion may persist.
  • Reviews: reviews you have left on others remain on those profiles even after you delete your account, because they reflect a verified booking that happened. Your display name may be anonymized.
  • Legal records: records required for accounting and tax law (Polish Civil Code, EU directives) are retained for the legally mandated period, usually five years.
  • Backups: backups containing your data are rotated and overwritten on a rolling 30-day window.

8. Your rights

If you are in the EEA, the UK, or Switzerland, you have the following rights under the GDPR (and equivalent under UK and Swiss law):

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data. Most of this is doable in the app under Settings → Profile.
  • Erasure — delete your account and the personal data tied to it.
  • Restriction — ask us to pause processing in specific circumstances (e.g. while a complaint is investigated).
  • Portability — request your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest, including profiling for the discovery algorithm.
  • Withdraw consent — withdraw any consent you gave (location, push, optional profile fields) at any time, with effect for the future.
  • Complaint — lodge a complaint with the Polish Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) or the supervisory authority in your country of residence.

To exercise any of these rights, write to support@muza.beauty with the request and the email associated with your account. We will reply within 30 days. We may ask you to verify your identity before acting on certain requests.

9. Children

Muza is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to Muza, contact support@muza.beauty and we will delete the account.

Where local law sets a higher minimum age for digital consent (for example, parts of the EU set it at 14, 15, or 16 under GDPR Art. 8), the higher local minimum applies in that jurisdiction.

10. International data transfers

Our primary data hosting is in the EU. Some of our sub-processors (Apple, Google, Stripe) are headquartered in the United States and may process limited categories of data outside the EEA. Where this happens, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework (DPF) where applicable. You can request a copy of the relevant safeguards by writing to us.

11. Device permissions and sensors

The Muza mobile application may ask for the following permissions. We use each one only for the stated purpose and you can revoke any of them at any time in your phone's settings.

  • Camera — to take a profile photo, a portfolio photo, or attach a photo or video in chat. Captured media is sent to Muza storage only when you confirm the upload.
  • Photo Library — to pick an existing photo or video for your profile, portfolio, or chat attachment. We do not scan your library; we receive only the file you choose.
  • Microphone — to record a voice message in chat. Recording starts only when you hold the voice button and ends when you release.
  • Location (when in use) — to set your location on your profile, to show castings near you, and to share your location as a chat message when you choose. Location is requested only when you enable it; you can use the app by entering a city name instead.
  • Notifications — to deliver push notifications. You can turn these off entirely or per category in Settings.

12. Cookies and the website

The muza.beauty marketing website does not set cookies, does not use analytics, does not load third-party scripts, and does not have an advertising tracker. It is a static site served over HTTPS. The only network requests originating from this page are to load the page itself.

The Muza mobile application stores small amounts of data on your device (e.g., your authentication session, preferences, locally cached content). This is essential to the app's operation and is not used for advertising or analytics.

13. Security incidents

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours where required, and we will notify affected users without undue delay when the risk is high. Notifications will describe the nature of the breach, the data involved, the likely consequences, and the steps you can take to protect yourself.

14. Changes to this policy

We will update this policy as the product evolves — for example, when we add payments, two-factor authentication, or new sub-processors. We will publish the updated policy at muza.beauty/privacy with a new effective date at the top. Material changes will be announced in the app (and by email where we have one) at least 30 days before they take effect.

15. Contact

Privacy questions, data-rights requests, complaints, and breach reports — all to the same address. We read everything.

Email: support@muza.beauty
Postal: Daniil Sadovskyi, PŁOCKA 38/40, 01-152 Warszawa, Poland
NIP: 5273163086

Back to Muza