Privacy Policy

PRIVACY POLICY

Mushin Hub — All Applications

Effective Date: June 1, 2025 | Last Updated: May 29, 2026

1. Introduction and Scope

This Privacy Policy describes how Mushin Hub ("we," "us," "our") collects, uses, stores, and shares information when you use any of our Applications accessible at mushinhub.com and its subdomains (as defined in our Terms of Use). This Policy applies to all users globally.

By using our Services, you acknowledge that you have read this Privacy Policy. If you do not agree, please discontinue use immediately.

## 2. Information We Collect

### 2.1 Information You Provide Directly

  • Account registration data: email address, display name, and password hash (when applicable).
  • Payment information: processed exclusively by Stripe or RevenueCat; we do not store raw card numbers.
  • User-Submitted Content: screenshots and text content uploaded to the Between The Lines Application.
  • Support communications: messages you send us at our contact email.
  • ### 2.2 Information Collected Automatically

  • Device and browser information: browser type, operating system, device identifier, screen resolution.
  • Usage data: pages visited, features used, session duration, click patterns (only if you consent to analytics cookies).
  • Log data: IP address, timestamp, referring URL, error logs.
  • Analytics data (with consent): session recordings, heatmaps, and interaction events via Microsoft Clarity; page and event data via Google Analytics 4; product usage events via PostHog.
  • ### 2.3 Camera and Microphone Data (Sensitive)

    Applications that use your camera and/or microphone (Boxing, Acting, Physical Therapy) process audio-visual streams in real time, on your device or in a secure transient cloud session, for the sole purpose of generating AI analysis. Unless explicitly disclosed for a specific feature:

  • We do NOT record or store raw video or audio to persistent storage.
  • We do NOT transmit your camera feed to our servers beyond transient AI inference calls.
  • Pose and motion data extracted during inference (e.g., joint coordinates) may be logged in anonymized, aggregate form for service improvement.
  • ### 2.4 Biometric Information

    For users in jurisdictions that classify body movement, gait, facial geometry, or voiceprints as biometric identifiers (including Illinois, Texas, Washington State, and the EU), please note:

  • Purpose of collection: real-time technique analysis and coaching feedback.
  • Duration: data is processed transiently and not retained after session end, unless anonymized aggregate statistics are retained for service improvement.
  • We do not sell, trade, or profit from biometric identifiers.
  • You may withdraw consent by revoking camera/microphone permissions at any time via your browser or device settings.
  • ## 3. How We Use Your Information

    We use collected information to:

  • Provide, operate, and improve the Services;
  • Process payments and manage subscriptions;
  • Send transactional and service communications (e.g., receipts, account notices);
  • Respond to support inquiries;
  • Analyze usage patterns to optimize user experience and application performance (where permitted by law and your cookie choices);
  • Detect and prevent fraud, abuse, and security incidents;
  • Comply with legal obligations;
  • Enforce our Terms of Use.
  • We do NOT use your data for: (a) selling to third-party advertisers; (b) behavioral advertising on other platforms; (c) automated decision-making that produces legal or similarly significant effects on you without human review.

    ## 4. Legal Basis for Processing (GDPR / UK GDPR)

    For users in the European Economic Area (EEA) or United Kingdom, our legal bases for processing personal data are:

  • Contract performance: to provide the Services you requested.
  • Legitimate interests: to improve our Services, ensure security, and prevent fraud (limited to strictly necessary processing).
  • Consent: for non-essential cookies/analytics, biometric data processing, and optional marketing where applicable.
  • Legal obligation: to comply with applicable laws.
  • For special-category data (biometric, health-related), our legal basis is explicit consent (GDPR Article 9(2)(a)).

    ## 5. Third-Party Service Providers

    We share data with the following service providers, solely to the extent necessary to provide the Services:

  • Vercel, Inc. — web hosting and CDN; https://vercel.com/legal/privacy-policy
  • Clerk, Inc. — authentication and session management; https://clerk.com/legal/privacy
  • Google LLC (Gemini API, Google Analytics 4) — AI inference and analytics (with consent); https://policies.google.com/privacy
  • Supabase, Inc. — database and event logging; https://supabase.com/privacy
  • Stripe, Inc. / RevenueCat, Inc. — payment processing; https://stripe.com/privacy
  • Microsoft Corporation (Clarity) — session analytics and heatmaps (with consent); https://privacy.microsoft.com
  • PostHog, Inc. — product analytics on the marketing site (with consent); https://posthog.com/privacy
  • We require all processors to implement appropriate data protection measures and to process personal data only on our instructions.

    ## 6. Cookies and Tracking Technologies

    We use the following cookies and similar technologies:

  • Strictly necessary cookies: authentication (Clerk), session management, security, and fraud prevention. These are required for core functionality and do not require consent in the EU/UK.
  • Analytics cookies (require consent in the EU, UK, and similar jurisdictions): Google Analytics 4, Microsoft Clarity, and PostHog. These help us measure traffic and improve our products. They are not loaded until you accept them via our cookie banner.
  • You may manage preferences at any time through the cookie banner, the "Cookie settings" link in the site footer, or your browser settings. Rejecting analytics cookies does not affect core Service functionality.

    ## 7. Data Retention

  • Account data: retained for the duration of your account plus 90 days after deletion request.
  • Transaction records: retained for 7 years for legal and tax compliance.
  • Camera/audio streams: not persistently retained (see Section 2.3).
  • Analytics data: retained per provider defaults (typically up to 13–26 months); aggregated usage logs retained for 24 months.
  • User-Submitted Content (Between The Lines): deleted at end of session; not stored beyond AI inference.
  • Support communications: retained for 3 years from last interaction.
  • ## 8. Your Rights

    ### 8.1 All Users

    You have the right to: access your data; correct inaccurate data; delete your data (subject to legal retention obligations); opt out of marketing communications at any time.

    ### 8.2 EEA / UK Users (GDPR / UK GDPR)

    In addition to the above, you have rights to: data portability; restriction of processing; objection to processing based on legitimate interests; withdraw consent at any time without affecting prior lawful processing; lodge a complaint with your supervisory authority.

    ### 8.3 California Users (CCPA / CPRA)

    California residents have the right to: know what personal information we collect, use, share, or sell; delete personal information we hold; opt out of the sale or sharing of personal information (note: we do not sell personal information); non-discrimination for exercising your rights.

    To submit a CCPA request, contact us at: legal@mushinhub.com

    ### 8.4 Illinois Users (BIPA)

    Illinois residents have the right to: informed consent before biometric data collection; a written policy on biometric data retention; destruction of biometric data within 3 years or when the original purpose is fulfilled (whichever comes first); seek civil remedy for violations.

    ### 8.5 Exercising Your Rights

    Submit any data subject request to: legal@mushinhub.com. We will respond within 30 days (or as required by applicable law).

    ## 9. International Data Transfers

    Our infrastructure is primarily hosted in the United States. If you access our Services from outside the US, your data may be transferred to, stored, and processed in the US or other countries that may have different data protection laws.

    For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards for cross-border data transfers.

    ## 10. Data Security (SOC 2–aligned practices)

    We implement commercially reasonable technical and organizational measures designed to align with common SOC 2 trust principles (security, availability, and confidentiality), including:

  • TLS/HTTPS encryption for data in transit;
  • Role-based access controls and authentication on production systems;
  • API key management and rate limiting to prevent unauthorized AI API access;
  • Vendor due diligence for subprocessors listed in Section 5;
  • Periodic review of access and incident response procedures.
  • No method of transmission or storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized third-party access beyond our control. A formal SOC 2 Type II report, if required for your organization, may be requested at legal@mushinhub.com.

    ## 11. Children's Privacy (COPPA)

    Our Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us at legal@mushinhub.com and we will delete it promptly.

    ## 12. Changes to This Policy

    We may update this Privacy Policy from time to time. We will post the revised Policy with an updated effective date. For material changes, we will provide additional notice via in-app notification or email (if you have an account). Continued use after the effective date constitutes acceptance.

    ## 13. Contact and Data Controller

    Data Controller: Mushin Hub

    Email: legal@mushinhub.com

    Website: https://mushinhub.com

    For EU/UK GDPR inquiries or to lodge a complaint with a supervisory authority, please contact us first; if unresolved, you may contact your local data protection authority.