In compliance with the Federal Law on Protection of Personal Data Held by Private Parties of Mexico (LFPDPPP) and other applicable regulations, the data controller of your personal data is:
| Corporate name | AAATMI SAS de CV |
| Trade name | Chatmu / Chatmu.io |
| Address | Prosperidad 20, Escandón, Miguel Hidalgo, Mexico City, Mexico |
| Website | https://chatmu.io |
| General and Privacy Contact | joserodriguez@aaatmi.com |
This Privacy Policy applies to all services offered through the Chatmu.io Platform, including: the website https://chatmu.io and its subdomains; the internal Chatmu AI Agent (conversations, history, and analysis within the platform); music distribution services, industry analytics, contact CRM, and email marketing; and the Chatmu API and MCP Server (see Section 12 for specific details).
When you use the AI Agent within the Chatmu.io platform, we collect and store: conversation history with the Agent (necessary to provide continuous context, personalized recommendations, and career analysis); prompts and instructions you send to the Agent within the platform; Outputs and analysis generated in response to your queries; and artist context (statistics, releases, contacts) that the Agent uses to generate responses.
Chatmu does not use identifiable user conversations or content to train its own or third-party artificial intelligence models. Chatmu only uses aggregated and anonymized interaction data (for example, which tools are used most) to analyze, operate, and improve service quality.
Create and manage your account; provide the AI Agent, analytics tools, and music career management; process the distribution of your music to DSPs; manage your CRM and email marketing campaigns; process payments, subscriptions, and royalty withdrawals (including KYC verification and tax compliance); provide technical support; and comply with applicable legal, tax, and regulatory obligations.
Send you communications about new features, updates, and Chatmu offers; and share success stories or public testimonials (only with your express and prior authorization, managed case-by-case).
You can revoke your consent for secondary purposes at any time by writing to joserodriguez@aaatmi.com, or by using the unsubscribe link included in each marketing communication.
For users subject to the EU General Data Protection Regulation, the legal bases covering our processing are: performance of a contract (account, AI Agent, distribution, CRM, payments, and support); legal obligation (tax withholdings, KYC, maintenance of accounting records, response to authority requirements); legitimate interest (platform security, fraud prevention, aggregated usage analytics, and the processing of B2B professional contact data described in Section 8); and consent (own marketing communications and testimonials, revocable at any time).
When you upload Music Content for distribution, we process the following data with the sole purpose of executing said process: WAV or MP3 audio files (stored during upload, delivery to DSPs, and the duration of the active release); cover art (PNG/JPG) (stored and associated with the release during its duration); release metadata (title, ISRC, UPC, artist, collaborators, date, genre, territories); and split and royalty information to configure revenue sharing among collaborators.
Audio files and cover art are not used to train generative AI models nor shared with third parties outside of the distribution process to DSPs selected by the user, which is carried out through our distribution partners (Section 9).
Regarding the contacts you enter into the CRM (curators, promoters, press, fans): these are third-party data that you are responsible for having collected with the appropriate legal basis; Chatmu stores them on your behalf acting as a data processor and uses them exclusively for the mailings you authorize; Chatmu does not sell, rent, or trade your CRM contacts for its own purposes; and you are solely responsible for complying with applicable anti-spam regulations (CAN-SPAM, CASL, GDPR, LGPD, LFPDPPP) in your mailings. CRM contacts are exportable in a structured format (CSV) and deletable upon request. The processing of this data will also be governed by the Data Processing Agreement (DPA) that Chatmu publishes, which will form part of the Terms and Conditions.
In addition to the data you provide us, Chatmu collects and processes, as a data controller, information about artists, playlists, curators, venues, festivals, media, and other music industry professionals, for the purposes of market analysis and discovery of professional opportunities for our users. Specifically:
Chatmu shares personal data only with the following categories of third parties and strictly to the extent necessary to provide the service:
Chatmu does not sell, rent, or trade your personal data to third parties for third-party advertising or marketing purposes. The updated list of sub-processors will be available in this Policy; material changes will be notified with reasonable notice.
Given the global nature of the Platform and its technology providers, your data may be transferred and processed in countries other than Mexico, including the United States and European Union countries. Chatmu guarantees that such transfers are carried out with appropriate safeguards under LFPDPPP, GDPR where applicable, and through standard contractual clauses or other legally recognized mechanisms.
After account termination, data is deleted in accordance with Section 15.3 of the Terms and Conditions (30-day natural notice for download), with the legal retention exceptions indicated above.
Chatmu offers an MCP server that allows connecting the platform with Anthropic's Claude and other clients compatible with the MCP protocol. This section specifically describes how privacy operates in this context.
When a user uses the Chatmu MCP connector (for example, connecting their Chatmu account to Claude.ai), the Chatmu MCP server accesses the data of their account required to execute the requested actions: data of registered artists (name, stats, releases); metadata of draft or active distributions; contacts from their industry CRM; and account settings and preferences.
Important: when you use the MCP connector from outside the platform (for example, from Claude.ai or another MCP client), Chatmu does not have access to or visibility of the content of your conversations with Claude, the prompts you send to the language model, the responses generated by Claude, or any other data that is not explicitly sent to the Chatmu MCP server endpoints to execute an action. Those conversations occur directly between you and Claude (Anthropic) and are subject to Anthropic's privacy policy: https://www.anthropic.com/privacy.
Access to the Chatmu MCP server requires OAuth 2.0 authentication with your Chatmu account. Access tokens are invalidated upon logging out or revoking access. You can revoke access to the connector at any time: (a) from the connector/integration settings of your MCP client (for example, Claude's connector settings); and/or (b) from your Chatmu account. Revocation invalidates the associated OAuth tokens.
Chatmu implements reasonable technical and organizational measures to protect your personal data, including: encryption in transit (TLS 1.2+) in all communications; encryption at rest for stored sensitive data; OAuth 2.0 authentication for external integrations (MCP and API); role-based access control (RBAC) for internal personnel; storing passwords with secure hash (bcrypt or equivalent); and periodic security reviews.
In the event of a security breach affecting your personal data, Chatmu will notify affected users and competent authorities without undue delay and within the timeframes required by applicable regulations.
In compliance with LFPDPPP (Mexico) and, where applicable, GDPR (European Union), you have the following rights: Access (know what data we have and how we process it); Rectification (correct inaccurate or incomplete data); Cancellation / Erasure (request deletion when no longer necessary); Objection (object to processing for specific purposes, such as marketing); Portability (receive your data in a structured, machine-readable format; CRM contacts are exportable in CSV from the Platform); and Limitation of processing (GDPR, in the cases provided).
To exercise them, send your request to joserodriguez@aaatmi.com indicating your full name, the email registered in Chatmu, and the right you wish to exercise. We may request additional information to verify your identity. We will respond within the applicable legal timeframes: 20 business days under LFPDPPP (Mexico), 1 month under GDPR, or 45 days under CCPA (California).
If you consider that your rights have not been addressed, you can file a claim with the competent data protection authority in your jurisdiction (in Mexico, the guarantor authority in personal data protection matters; in the EU, the supervisory authority of your member state).
If you reside in California, you have the following rights: the right to know what categories of personal data we collect, the sources, purposes, and third parties with whom they are shared (described in Sections 3, 4, 8, and 9); the right to delete your personal data, with legal exceptions; the right to correct inaccurate data; the right to opt-out of the sale or sharing of personal data — in this regard, Chatmu does not sell or share personal data as defined by CCPA/CPRA, so it is not necessary to opt-out; and the right not to be discriminated against for exercising any of these rights. You can exercise them by writing to joserodriguez@aaatmi.com; we will respond within 45 days, extendable as per law. You can designate an authorized agent to submit requests on your behalf.
Chatmu.io uses its own and third-party cookies, managed through a preference panel that allows you to accept, reject, or select by category before non-essential cookies are installed. You can modify your preferences at any time from the "Cookie Settings" link visible on the site.
Chatmu does not place its own advertising or retargeting cookies. Our product usage analytics is performed through SimpleAnalytics, which does not use cookies or track individual users. You can manage or delete all cookies from your browser settings; blocking essential cookies may prevent use of the Platform.
The Chatmu.io Platform is exclusively addressed to persons over 18 years of age and we do not knowingly collect personal data from minors as users. If we detect that a minor has created an account, we will delete their information immediately.
A different case is the management of minor artists by an adult user (for example, a manager or a parent): in that case, as per Section 2.3 of the Terms and Conditions, the user declares to have the express and written consent of the father, mother, or legal guardian of the minor for the processing of their data (artistic identity, audience metrics, and public platform data), and must prove it at Chatmu's first request.
This Policy complies with the following regulations according to user jurisdiction: LFPDPPP and its Regulations (Mexico); GDPR (European Union), to the extent that Chatmu processes data of EU residents; CCPA/CPRA (California, USA), for users residing in California; CAN-SPAM / CASL / LGPD, for email marketing communications to recipients in the USA, Canada, and Brazil respectively; and the EU AI Act, regarding the use of AI systems affecting users in the European Union.
Chatmu reserves the right to update this Policy to reflect changes in its practices, applicable regulations, or services offered. Material changes will be notified by email and/or through a prominent notice on the Platform, at least 30 days prior to their entry into force. Continued use of the Platform after that date implies acceptance of the new Policy.
For any queries, exercise of rights, report of security incidents, or complaints related to this Policy: