⚠️ muufree is currently in its test phase and may be unstable!

Privacy Policy

Learn how we protect and handle your personal information

Privacy Policy for MuuFree

Effective Date: 2025.11.04
Last Updated: 2025.11.04
Version: 1.0

1. Introduction

This Privacy Policy explains how MuuFree (“we,” “us,” “our,” “the App”) collects, uses, discloses, and protects your personal data when you use our posture analysis application.

MuuFree is currently operated by an individual developer based in Germany. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679.

Data Controller Contact: contact us

Location: Germany

2. Data We Collect
2.1 Personal Data You Provide

Account Information:

  • Email address
  • Username (if applicable)
  • Password (encrypted)
  • Date of birth (for age verification)
  • Account preferences and settings

Profile Information:

  • Height and weight (optional)
  • Gender (optional)
  • Physical activity level
  • Injury history or physical limitations (optional)
  • Pain scale feedback
2.2 Health and Biometric Data (Special Category Data)

Body Images (Temporary):

  • Photographs of your body posture (front, back, lateral views)
  • These images are automatically deleted within 30 seconds after AI processing completes

Anonymized Spatial Data (NPZ Format):

  • Extracted anatomical keypoints and landmarks
  • Spatial postural coordinates
  • Body measurements and angles
  • Joint positions and relationships
  • This data is fully anonymized and cannot be traced back to you

Analysis Results:

  • Detected postural abnormalities
  • Severity classifications (10-level scale)
  • Biomechanical measurements
  • Exercise recommendations and history
  • Progress tracking data
2.3 Automatically Collected Data

Device Information:

  • Device model and operating system
  • Unique device identifiers
  • App version
  • Camera specifications

Usage Data:

  • App feature usage statistics
  • Session duration and frequency
  • Exercise completion rates
  • Error logs and crash reports
  • Performance metrics

Technical Data:

  • IP address (temporarily for security)
  • Time zone and locale settings
  • Network connection type
2.4 Beta Testing Data

During the testing phase, we additionally collect:

  • Detailed interaction logs
  • Feature usage patterns
  • Bug reports and feedback
  • System performance data
  • User behavior analytics

We process your personal data based on the following legal grounds under GDPR Article 6:

3.1 Consent (Article 6(1)(a) and Article 9(2)(a))
  • Processing body images and health data
  • Marketing communications (if applicable)
  • Beta testing participation
3.2 Contract Performance (Article 6(1)(b))
  • Providing core App functionality
  • Account management
  • Customer support
3.3 Legitimate Interests (Article 6(1)(f))
  • Improving App performance and features
  • Ensuring security and preventing fraud
  • Analyzing aggregated usage patterns
  • Debugging and error resolution
3.4 Legal Obligations (Article 6(1)(c))
  • Complying with applicable laws
  • Responding to legal requests
4. How We Use Your Data
4.1 Primary Purposes
  • Posture Analysis: Process your images to detect postural deviations (images deleted immediately after)
  • Exercise Generation: Create personalized corrective exercise programs
  • Progress Tracking: Monitor improvements over time using anonymized spatial data
  • Service Delivery: Provide core App functionality
4.2 Secondary Purposes
  • Improvement: Enhance algorithm accuracy using anonymized NPZ data
  • Research: Conduct research on postural health patterns with fully anonymized data
  • Support: Respond to inquiries and provide assistance
  • Security: Detect and prevent fraudulent activity
  • Communication: Send service updates and important notices
4.3 AI Model Training
  • Only anonymized NPZ spatial data is used for model improvement
  • No personally identifiable information is used in training
  • Body images are never stored or used for training
5. Data Retention

We retain your data for different periods based on the type and purpose:

Data Type | Retention Period | Justification
Account Data | Duration of account + 30 days | Service provision
Body Images | Deleted within 60 seconds | Immediate AI processing only
NPZ Spatial Data (Anonymized) | Indefinite (fully anonymized) | Validity check & improvement
Analysis Results | 2 years from creation | Progress tracking
Exercise History | 1 year from completion | Treatment continuity
Support Communications | 6 months from resolution | Service improvement
Beta Testing Data | 6 months post-beta | Product development
Security Logs | 90 days | Security monitoring

Deletion: Upon account deletion request, we will remove your personal data within 30 days. Anonymized NPZ data that cannot be linked to you will be retained for research purposes.

6. Data Sharing and Disclosure
6.1 No Third-Party Sharing

WE DO NOT SHARE YOUR DATA WITH ANY THIRD PARTIES.

  • No data is sold, rented, or traded
  • No sharing with marketing companies
  • No sharing with analytics providers
  • No sharing with external service providers
  • All data processing is done internally

We may be legally required to disclose data only when compelled by:

  • Valid court orders or legal proceedings
  • German law enforcement with proper legal authorization
  • Protection of vital interests (life-threatening situations)

Such disclosures are extremely rare and only done when legally mandatory.

6.3 Business Transfers

If we establish a formal company structure:

  • Your data remains in Germany
  • You will be notified of any organizational changes
  • The same privacy protections will apply
  • You may delete your account if you object to changes
7. Data Storage and Security
7.1 Storage Location

ALL DATA IS STORED EXCLUSIVELY IN GERMANY

  • Hosting Provider: Hetzner Online GmbH
  • Data Center Location: Germany
  • No data leaves German territory
  • No international data transfers
  • Full compliance with German data protection laws
7.2 Security Measures

We implement appropriate technical and organizational measures:

Technical Safeguards:

  • End-to-end encryption for data transmission (TLS 1.3)
  • Encrypted storage for sensitive data (AES-256)
  • Immediate deletion of body images post-processing
  • Secure authentication mechanisms
  • Regular security audits and updates
  • Isolated processing environment

Image Processing Security:

  • Images processed in isolated memory
  • Automatic deletion after AI analysis (under 30 seconds)
  • No image caching or temporary storage
  • No image backups or archives

Organizational Safeguards:

  • Single developer access only
  • No external access to data
  • Regular security reviews
  • Incident response procedures
7.3 Data Breach Notification

In case of a data breach:

  • Authorities notified within 72 hours (if required)
  • Affected users notified without undue delay
  • Mitigation measures immediately implemented
  • Note: Image data breach risk is minimal due to immediate deletion
8. Your Rights Under GDPR

You have the following rights regarding your personal data:

8.1 Right to Access (Article 15)

Request a copy of your personal data (excluding already-deleted images).

8.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure/Right to be Forgotten (Article 17)

Request deletion of your personal data (anonymized NPZ data cannot be deleted as it’s not identifiable).

8.4 Right to Restrict Processing (Article 18)

Request limitation of processing in specific situations.

8.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format.

8.6 Right to Object (Article 21)

Object to processing based on legitimate interests.

Withdraw consent at any time without affecting prior lawful processing.

8.8 Right Not to be Subject to Automated Decision-Making (Article 22)

Request human review of automated assessments (note: we are not medical professionals).

To exercise your rights, contact: contact us

We will respond within 30 days of receiving your request.

9. International Data Transfers
9.1 No International Transfers
  • All data remains in Germany at all times
  • Hosted exclusively on German servers (Hetzner)
  • No cross-border data transfers
  • No cloud services outside Germany
  • No foreign data processing
9.2 International Users
  • International users’ data is still stored only in Germany
  • Subject to German and EU data protection laws
  • No differentiation based on user location
10. Children’s Privacy
10.1 Age Restrictions
  • The App is not intended for children under 16
  • We do not knowingly collect data from children under 16
  • Users 16-18 should have parental consent
10.2 Parental Rights

Parents/guardians may:

  • Request access to minor’s data
  • Request deletion of minor’s account
  • Withdraw consent for minor’s data processing
11. Cookies and Tracking Technologies
11.1 Minimal Tracking

We use minimal technical tracking:

  • Session management (temporary)
  • Error reporting (anonymized)
  • Performance monitoring (aggregated)
11.2 No Third-Party Tracking
  • No Google Analytics
  • No Facebook Pixel
  • No advertising trackers
  • No third-party cookies
11.3 Your Choices
  • Disable analytics in App settings
  • Clear app cache and data
  • Use device-level privacy controls
12. AI and Automated Processing
12.1 How AI Processes Your Data
  • Computer vision algorithms analyze body posture in real-time
  • Images are deleted immediately after processing (under 30 seconds)
  • Only anonymized spatial coordinates (NPZ data) are retained
  • Machine learning models classify postural deviations
  • Automated systems generate exercise recommendations
12.2 Data Minimization in AI Processing
  • No facial recognition or identification
  • No storage of biometric identifiers
  • Images converted to anonymous spatial data
  • Original images never stored after processing
12.3 Human Review
  • You may request human review of automated assessments
  • Contact support for manual evaluation
  • Note: We are not medical professionals
13. Data Protection Officer

As an individual developer, we currently do not have a designated Data Protection Officer. For all privacy-related inquiries, please contact: contact us

Upon establishing a formal business entity, we will appoint a DPO if required by law.

14. Privacy Policy Updates
14.1 Notification of Changes

We will notify you of material changes via:

  • In-app notifications
  • Email to your registered address
  • Prominent notice upon App launch
  • Continued use after changes implies acceptance
  • You may delete your account if you disagree with changes
15. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

  • Right to know what personal information is collected
  • Right to know if information is sold or disclosed (we never sell or share data)
  • Right to opt-out of sale (not applicable as we don’t sell data)
  • Right to non-discrimination
16. Contact Information
16.1 Privacy Inquiries

Contact: contact us
Response Time: Within 30 days for formal requests

16.2 Supervisory Authority

You have the right to lodge a complaint with a data protection authority:

Germany (Primary):
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn
Germany

Your Local Authority:
You may also contact the data protection authority in your country of residence.

17. Special Considerations for Health Data
17.1 Sensitive Data Processing

Body images and postural assessments constitute health data under GDPR Article 9:

  • Images are processed with explicit consent
  • Immediate deletion after AI analysis (under 30 seconds)
  • Only anonymized spatial data retained
  • No biometric identification possible
17.2 Anonymization Process
  • Body images → AI processing → NPZ spatial coordinates
  • NPZ files contain only mathematical coordinates
  • No reverse engineering to identify individuals
  • Complete de-identification from source images
18. Beta Testing Specific Provisions

During the beta phase:

  • Enhanced data collection for debugging
  • All additional data remains in Germany
  • More frequent privacy policy updates
  • Potential data resets with notice
  • Voluntary participation with right to withdraw
19. Technical Details of Data Processing
19.1 Image Processing Pipeline
  1. Image capture on user device
  2. Encrypted upload to German server (Hetzner)
  3. AI processing (RTMPose/DensePose)
  4. Extraction of spatial coordinates
  5. Immediate image deletion (under 30 seconds)
  6. Storage of anonymized NPZ data only
19.2 NPZ Data Format
  • Contains only numerical coordinates
  • No personal identifiers
  • No facial or identifying features
  • Mathematical representation of posture only
  • Cannot be converted back to images
20. Our Privacy Commitments

We commit to:

  • Never selling or sharing your data
  • Deleting images immediately after processing
  • Keeping all data within Germany
  • Not using any third-party services for data processing
  • Maintaining the highest standards of data protection

Last Review Date: 2025.10.01
Next Review Date: 2025.11.04

By using MuuFree, you acknowledge that you have read, understood, and agree to this Privacy Policy.

For questions about this Privacy Policy or our privacy practices, please contact us.