Privacy Policy

Effective date: May 15, 2026 · Controller: Dissel AI B.V. (KVK 98391119), the Netherlands

See also our Terms of Service.

1. Who we are

The Migma service ("Migma", the "Service") is operated by Dissel AI B.V., a private limited company incorporated in the Netherlands and registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 98391119 ("we", "us", "our"). For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Dutch implementation act (Uitvoeringswet AVG), Dissel AI B.V. acts as the data controller in respect of the personal data processed through the Service, except where we act as a processor on behalf of a customer (see Section 11).

2. Scope of this policy

This Privacy Policy describes how we collect, use, disclose, and otherwise process personal data when you (a) visit our website, (b) create or use an account, (c) connect third-party platforms (such as Pinterest, Shopify, or other supported services), or (d) otherwise interact with us. It does not apply to third-party websites, products, or services we do not operate.

3. Categories of personal data we process

  • Account & identity data: name, email address, password hash, workspace name, role, language and locale settings.
  • Authentication & security data: session tokens, IP address, device and browser identifiers, login timestamps, and multi-factor or single sign-on identifiers.
  • Connected platform data: OAuth access and refresh tokens, account identifiers, and the resources you authorise us to access (e.g. Pinterest boards and pins, Shopify products, files, and listings) - strictly limited to the scopes you approve.
  • Content data: prompts, briefs, uploaded reference images, generated images, captions, projects, and related metadata.
  • Billing data: billing name, address, VAT number, invoice history, and a tokenised reference to your payment method. Card details are processed directly by our payment processor and are never stored on our servers.
  • Usage & diagnostic data: log data, feature interactions, error reports, and aggregated analytics.
  • Communications data: support requests and any correspondence you send us.

4. Purposes and legal bases

We process personal data for the following purposes and on the following GDPR legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): to create and operate your account, deliver the Service, generate and store content, connect to third-party platforms at your request, and process payments.
  • Legitimate interests (Art. 6(1)(f) GDPR): to secure the Service, prevent fraud and abuse, monitor performance, conduct product analytics in aggregated form, and communicate operational updates. You may object at any time on grounds relating to your particular situation.
  • Legal obligation (Art. 6(1)(c) GDPR): to comply with accounting, tax, and other statutory obligations under Dutch and EU law.
  • Consent (Art. 6(1)(a) GDPR): for non-essential cookies, marketing communications, and any optional features that require consent. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

5. Connected platforms (Pinterest, Shopify, others)

When you connect a third-party platform, we request only the OAuth scopes required to deliver the features you use. Tokens and metadata retrieved from those platforms are processed solely to operate the Service on your instruction. We do not sell connected-platform data, do not use it for advertising or to train third-party AI models for purposes unrelated to your use of the Service, and do not share it with third parties other than the sub-processors listed in Section 8.

You can disconnect a platform at any time from the Connections page in Migma. On disconnection, the associated access and refresh tokens are revoked and deleted, and we cease accessing the platform on your behalf. You can also revoke access directly in your account on the relevant third-party platform.

6. AI-generated content

The Service uses machine learning models (operated by us and by vetted sub-processors) to generate images and text from your inputs. Your prompts, reference materials, and generated outputs are processed for the purpose of producing the requested output and maintaining the Service. We do not use customer content to train foundation models without your explicit consent. Sub-processors are contractually prohibited from using your content for their own training or product purposes.

7. Cookies and similar technologies

We use strictly necessary cookies to authenticate sessions and secure the Service. Functional, analytics, and marketing cookies are only set after you give consent through our cookie banner, where applicable. You can change or withdraw your preferences at any time through the banner or your browser settings.

8. Sub-processors and recipients

We engage carefully selected service providers to host infrastructure, process payments, deliver email, monitor errors, and provide AI model inference. Each sub-processor is bound by a written data processing agreement (DPA) compliant with Article 28 GDPR and processes personal data only on our documented instructions. A current list of sub-processors is available on request through the in-app support channel. We may also disclose personal data to competent authorities where required by applicable law, court order, or to protect our rights, property, or safety, or that of our users.

9. International transfers

Personal data is primarily processed within the European Economic Area (EEA). Where a sub-processor is located outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, including the European Commission's Standard Contractual Clauses (Decision 2021/914), supplementary measures where appropriate, and adequacy decisions where available. A copy of the relevant safeguards is available on request.

10. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected: account and content data for the lifetime of your account and a reasonable wind-down period thereafter; billing and tax records for the periods mandated by Dutch tax law (currently seven years); log and security data for a rolling period proportionate to the security purpose. On account deletion, personal data is removed or irreversibly anonymised, except where retention is required by law or for the establishment, exercise, or defence of legal claims.

11. Our role for business customers

Where you use the Service as part of an organisation (for example, an employer or workspace owner), that organisation is the controller of personal data processed within its workspace, and Dissel AI B.V. acts as a processor on its behalf. Our standard Data Processing Agreement, which forms part of the Terms of Service, governs that processing. End users should direct privacy requests primarily to their organisation.

12. Your rights

Subject to the conditions and exceptions set out in the GDPR, you have the right to (a) access your personal data, (b) request rectification of inaccurate data, (c) request erasure, (d) request restriction of processing, (e) object to processing based on legitimate interests, (f) request portability of data you provided to us, and (g) withdraw consent at any time without affecting prior processing. You may exercise these rights through your account settings or by contacting us through the in-app support channel.

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, the competent authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl). You may also contact the supervisory authority of your habitual residence or place of work.

13. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include encryption in transit (TLS) and at rest, encryption of OAuth tokens using AES-256-GCM with keys held only on our infrastructure, least-privilege access controls, audit logging, secure software development practices, and regular review of our security posture. No system can be guaranteed to be entirely secure; we will notify you and the competent supervisory authority of personal data breaches in accordance with Articles 33 and 34 GDPR.

14. Children

The Service is not directed to individuals under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

15. Automated decision-making

We do not use your personal data for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the Service or to applicable law. Material changes will be notified through the Service or by other appropriate means in advance of taking effect. The "Effective date" above indicates the date of the most recent revision.

17. Contact

The controller is Dissel AI B.V., registered with the Dutch Chamber of Commerce under number 98391119. You can reach us through the in-app support channel of the Service for any privacy enquiry, including to exercise your rights under the GDPR.