Politique de confidentialité

Version 2.1 — July 2026

1. Identification of the Data Controller

In compliance with the Federal Law on Protection of Personal Data Held by Private Parties of Mexico (LFPDPPP) and other applicable regulations, the data controller of your personal data is:

Corporate nameAAATMI SAS de CV
Trade nameChatmu / Chatmu.io
AddressProsperidad 20, Escandón, Miguel Hidalgo, Mexico City, Mexico
Websitehttps://chatmu.io
General and Privacy Contactjoserodriguez@aaatmi.com

2. Scope of this Policy

This Privacy Policy applies to all services offered through the Chatmu.io Platform, including: the website https://chatmu.io and its subdomains; the internal Chatmu AI Agent (conversations, history, and analysis within the platform); music distribution services, industry analytics, contact CRM, and email marketing; and the Chatmu API and MCP Server (see Section 12 for specific details).

3. Personal Data We Collect

3.1 Data you provide directly to us

  • Full name and artistic name.
  • Email address and password (stored with a secure hash; never in plain text).
  • Profile information: biography, musical genre, country, social media links.
  • Payment data: processed exclusively by Stripe; Chatmu does not store card numbers or bank details.
  • Identity verification data and tax documentation: to process royalty withdrawals, we collect official identification and tax forms (W-9 for U.S. persons and entities; W-8BEN / W-8BEN-E or equivalents for foreign persons), in accordance with the Terms and Conditions. This data is used exclusively for identity verification (KYC), tax compliance, and payment processing.
  • Music Content: audio files (WAV, MP3), cover art (PNG/JPG), and metadata (title, ISRC, UPC, credits, release date).
  • Music contacts entered into the CRM (name, email, industry role).
  • Email marketing campaign content created by the user.

3.2 Data automatically generated by use of the Platform

  • IP address, browser type, operating system, and pages visited.
  • Usage statistics: features used, AI Credits consumed, active tools.
  • Session data and authentication tokens.
  • Streaming metrics and audience data from DSPs (Spotify, Apple Music, etc.) linked by the user.

3.3 Chatmu Internal AI Agent Data

When you use the AI Agent within the Chatmu.io platform, we collect and store: conversation history with the Agent (necessary to provide continuous context, personalized recommendations, and career analysis); prompts and instructions you send to the Agent within the platform; Outputs and analysis generated in response to your queries; and artist context (statistics, releases, contacts) that the Agent uses to generate responses.

Chatmu does not use identifiable user conversations or content to train its own or third-party artificial intelligence models. Chatmu only uses aggregated and anonymized interaction data (for example, which tools are used most) to analyze, operate, and improve service quality.

4. Purposes of Processing

4.1 Primary Purposes (necessary for service provision)

Create and manage your account; provide the AI Agent, analytics tools, and music career management; process the distribution of your music to DSPs; manage your CRM and email marketing campaigns; process payments, subscriptions, and royalty withdrawals (including KYC verification and tax compliance); provide technical support; and comply with applicable legal, tax, and regulatory obligations.

4.2 Secondary Purposes (require your consent)

Send you communications about new features, updates, and Chatmu offers; and share success stories or public testimonials (only with your express and prior authorization, managed case-by-case).

You can revoke your consent for secondary purposes at any time by writing to joserodriguez@aaatmi.com, or by using the unsubscribe link included in each marketing communication.

5. Legal Basis for Processing (GDPR)

For users subject to the EU General Data Protection Regulation, the legal bases covering our processing are: performance of a contract (account, AI Agent, distribution, CRM, payments, and support); legal obligation (tax withholdings, KYC, maintenance of accounting records, response to authority requirements); legitimate interest (platform security, fraud prevention, aggregated usage analytics, and the processing of B2B professional contact data described in Section 8); and consent (own marketing communications and testimonials, revocable at any time).

6. Data in the Music Distribution Process

When you upload Music Content for distribution, we process the following data with the sole purpose of executing said process: WAV or MP3 audio files (stored during upload, delivery to DSPs, and the duration of the active release); cover art (PNG/JPG) (stored and associated with the release during its duration); release metadata (title, ISRC, UPC, artist, collaborators, date, genre, territories); and split and royalty information to configure revenue sharing among collaborators.

Audio files and cover art are not used to train generative AI models nor shared with third parties outside of the distribution process to DSPs selected by the user, which is carried out through our distribution partners (Section 9).

7. Contact CRM and Email Marketing

Regarding the contacts you enter into the CRM (curators, promoters, press, fans): these are third-party data that you are responsible for having collected with the appropriate legal basis; Chatmu stores them on your behalf acting as a data processor and uses them exclusively for the mailings you authorize; Chatmu does not sell, rent, or trade your CRM contacts for its own purposes; and you are solely responsible for complying with applicable anti-spam regulations (CAN-SPAM, CASL, GDPR, LGPD, LFPDPPP) in your mailings. CRM contacts are exportable in a structured format (CSV) and deletable upon request. The processing of this data will also be governed by the Data Processing Agreement (DPA) that Chatmu publishes, which will form part of the Terms and Conditions.

8. Industry Professional Data Obtained from Public Sources

In addition to the data you provide us, Chatmu collects and processes, as a data controller, information about artists, playlists, curators, venues, festivals, media, and other music industry professionals, for the purposes of market analysis and discovery of professional opportunities for our users. Specifically:

  • What data: names and artistic names, public performance metrics (listeners, followers, plays, chart positions), published professional information (role, organization, website), and publicly available professional contact data (for example, contact emails published on venue, festival, or playlist websites).
  • From what sources: public profiles and pages of streaming platforms and social networks, public industry websites, and third-party licensed databases.
  • With what legal basis: legitimate interest in facilitating professional connection within the music industry (strictly B2B context), and without processing special categories of data.
  • Predictions and analysis: trajectory projections and comparative analysis that the Platform generates about artists are statistical estimates based on historical public data; they do not constitute automated decisions with legal effects on the analyzed persons.
  • Your rights: anyone whose data appears in these tools can request information, correction, objection, or deletion by writing to joserodriguez@aaatmi.com. Deletion requests are incorporated into an exclusion list to prevent the data from being collected again.

9. Transfer and Communication of Data to Third Parties

Chatmu shares personal data only with the following categories of third parties and strictly to the extent necessary to provide the service:

  • Stripe (USA): payment processing; only billing and subscription data.
  • Third-party distribution partners and DSPs (Spotify, Apple Music, Amazon Music, Deezer, YouTube Music, among others): for the distribution of the Music Content you authorize, including metadata and tax data strictly necessary for royalty payments.
  • Royalty payment platforms (for example, Trolley, when enabled): identity, tax, and bank data necessary to execute withdrawals.
  • AI Providers — Anthropic, Google, and OpenAI, among others that Chatmu may incorporate: process real-time queries to generate AI Agent responses and analysis and content generation features; see Section 12 for the specific MCP case.
  • Infrastructure Providers — Cloudflare (hosting, CDN, and R2 storage): Platform operation.
  • Email Delivery Providers — Resend and Brevo: delivery of transactional emails, Chatmu's own marketing, and user campaigns.
  • Analytics — SimpleAnalytics: aggregated usage statistics respectful of privacy (no cookies or individual identifiers).
  • Competent authorities: when required by law, court order, or applicable regulation.

Chatmu does not sell, rent, or trade your personal data to third parties for third-party advertising or marketing purposes. The updated list of sub-processors will be available in this Policy; material changes will be notified with reasonable notice.

10. International Data Transfers

Given the global nature of the Platform and its technology providers, your data may be transferred and processed in countries other than Mexico, including the United States and European Union countries. Chatmu guarantees that such transfers are carried out with appropriate safeguards under LFPDPPP, GDPR where applicable, and through standard contractual clauses or other legally recognized mechanisms.

11. Retention Periods

  • Account and profile data: for the duration of your account and up to 3 years after its cancellation, unless otherwise required by legal obligation.
  • AI Agent conversation history: for the duration of your account; deletion can be requested at any time.
  • Music Content (audio and artwork): during the duration of active distribution; deleted or exported after takedown from DSPs.
  • Billing, payment data, and tax/KYC documentation: 5 years, in compliance with tax obligations in Mexico and tax regulations applicable to royalty payments.
  • Royalty records and balances: for the duration of the account and, after its cancellation, at least during the 12-month balance claim period provided in the Terms and Conditions, plus applicable tax periods.
  • CRM Contacts: for the duration of your account; exportable or deletable upon request.
  • System logs: maximum 12 months.

After account termination, data is deleted in accordance with Section 15.3 of the Terms and Conditions (30-day natural notice for download), with the legal retention exceptions indicated above.

12. MCP (Model Context Protocol) Connector and Claude Integration

Chatmu offers an MCP server that allows connecting the platform with Anthropic's Claude and other clients compatible with the MCP protocol. This section specifically describes how privacy operates in this context.

12.1 What data Chatmu processes through the MCP

When a user uses the Chatmu MCP connector (for example, connecting their Chatmu account to Claude.ai), the Chatmu MCP server accesses the data of their account required to execute the requested actions: data of registered artists (name, stats, releases); metadata of draft or active distributions; contacts from their industry CRM; and account settings and preferences.

12.2 What data Chatmu does NOT have through the MCP

Important: when you use the MCP connector from outside the platform (for example, from Claude.ai or another MCP client), Chatmu does not have access to or visibility of the content of your conversations with Claude, the prompts you send to the language model, the responses generated by Claude, or any other data that is not explicitly sent to the Chatmu MCP server endpoints to execute an action. Those conversations occur directly between you and Claude (Anthropic) and are subject to Anthropic's privacy policy: https://www.anthropic.com/privacy.

12.3 Authentication, security, and revocation

Access to the Chatmu MCP server requires OAuth 2.0 authentication with your Chatmu account. Access tokens are invalidated upon logging out or revoking access. You can revoke access to the connector at any time: (a) from the connector/integration settings of your MCP client (for example, Claude's connector settings); and/or (b) from your Chatmu account. Revocation invalidates the associated OAuth tokens.

13. Data Security

Chatmu implements reasonable technical and organizational measures to protect your personal data, including: encryption in transit (TLS 1.2+) in all communications; encryption at rest for stored sensitive data; OAuth 2.0 authentication for external integrations (MCP and API); role-based access control (RBAC) for internal personnel; storing passwords with secure hash (bcrypt or equivalent); and periodic security reviews.

In the event of a security breach affecting your personal data, Chatmu will notify affected users and competent authorities without undue delay and within the timeframes required by applicable regulations.

14. Your Rights Over Your Personal Data

In compliance with LFPDPPP (Mexico) and, where applicable, GDPR (European Union), you have the following rights: Access (know what data we have and how we process it); Rectification (correct inaccurate or incomplete data); Cancellation / Erasure (request deletion when no longer necessary); Objection (object to processing for specific purposes, such as marketing); Portability (receive your data in a structured, machine-readable format; CRM contacts are exportable in CSV from the Platform); and Limitation of processing (GDPR, in the cases provided).

To exercise them, send your request to joserodriguez@aaatmi.com indicating your full name, the email registered in Chatmu, and the right you wish to exercise. We may request additional information to verify your identity. We will respond within the applicable legal timeframes: 20 business days under LFPDPPP (Mexico), 1 month under GDPR, or 45 days under CCPA (California).

If you consider that your rights have not been addressed, you can file a claim with the competent data protection authority in your jurisdiction (in Mexico, the guarantor authority in personal data protection matters; in the EU, the supervisory authority of your member state).

15. California Residents' Rights (CCPA/CPRA)

If you reside in California, you have the following rights: the right to know what categories of personal data we collect, the sources, purposes, and third parties with whom they are shared (described in Sections 3, 4, 8, and 9); the right to delete your personal data, with legal exceptions; the right to correct inaccurate data; the right to opt-out of the sale or sharing of personal data — in this regard, Chatmu does not sell or share personal data as defined by CCPA/CPRA, so it is not necessary to opt-out; and the right not to be discriminated against for exercising any of these rights. You can exercise them by writing to joserodriguez@aaatmi.com; we will respond within 45 days, extendable as per law. You can designate an authorized agent to submit requests on your behalf.

16. Cookies and Tracking Technologies

Chatmu.io uses its own and third-party cookies, managed through a preference panel that allows you to accept, reject, or select by category before non-essential cookies are installed. You can modify your preferences at any time from the "Cookie Settings" link visible on the site.

  • Required (cannot be disabled because the service would not function without them): session cookie (RJ_session), which stores user ID, language and light/dark mode preferences, security CSRF token, and your cookie consent record; and _GRECAPTCHA from Google reCAPTCHA, used to prevent fraudulent or automated registrations and logins.
  • Functional: crisp-client, used by our support chat (Crisp) to function correctly and retrieve conversation history if you write to us from the site.
  • Third-party embedded content (YouTube): when a page includes a YouTube video, it may place its own cookies (CONSENT, VISITOR_INFO1_LIVE, YSC, yt-remote-device-id, yt-remote-connected-devices) for its operation, bandwidth measurement, and playback preferences. These cookies are managed by Google/YouTube under their own policy (https://policies.google.com/technologies/cookies) and not under Chatmu's control; they are installed only if you interact with embedded YouTube content and give your consent in the cookie panel.

Chatmu does not place its own advertising or retargeting cookies. Our product usage analytics is performed through SimpleAnalytics, which does not use cookies or track individual users. You can manage or delete all cookies from your browser settings; blocking essential cookies may prevent use of the Platform.

17. Minors

The Chatmu.io Platform is exclusively addressed to persons over 18 years of age and we do not knowingly collect personal data from minors as users. If we detect that a minor has created an account, we will delete their information immediately.

A different case is the management of minor artists by an adult user (for example, a manager or a parent): in that case, as per Section 2.3 of the Terms and Conditions, the user declares to have the express and written consent of the father, mother, or legal guardian of the minor for the processing of their data (artistic identity, audience metrics, and public platform data), and must prove it at Chatmu's first request.

18. Applicable Legal Framework

This Policy complies with the following regulations according to user jurisdiction: LFPDPPP and its Regulations (Mexico); GDPR (European Union), to the extent that Chatmu processes data of EU residents; CCPA/CPRA (California, USA), for users residing in California; CAN-SPAM / CASL / LGPD, for email marketing communications to recipients in the USA, Canada, and Brazil respectively; and the EU AI Act, regarding the use of AI systems affecting users in the European Union.

19. Changes to this Policy

Chatmu reserves the right to update this Policy to reflect changes in its practices, applicable regulations, or services offered. Material changes will be notified by email and/or through a prominent notice on the Platform, at least 30 days prior to their entry into force. Continued use of the Platform after that date implies acceptance of the new Policy.

20. Contact

For any queries, exercise of rights, report of security incidents, or complaints related to this Policy:

  • Email: joserodriguez@aaatmi.com
  • Address: Prosperidad 20, Escandón, Miguel Hidalgo, CDMX, Mexico
  • Website: https://chatmu.io/privacy-policy
© 2026 Chatmu.io — AAATMI SAS de CV. All rights reserved.
"AI for the industry. Humans for the music."