Privacy Policy
Last updated: 24 May 2026
This Privacy Policy explains how Muld ("we", "us", "our") collects, uses, and protects personal data when you use the Muld mobile app ("the app"). We are committed to GDPR compliance and treat your data as if it were our own.
1. Data controller
The data controller is the operator of muld.dev.
For privacy inquiries, contact: hello@muld.dev.
2. What data we collect
We collect only what is necessary to operate the app.
2.1 Account data
- Email address — to create and sign you in to your account.
- Authentication tokens — managed by Supabase Auth (our auth processor) to keep you signed in.
- Subscription status — managed by RevenueCat to track whether you have a Muld+ subscription.
2.2 Location data
- Precise GPS location — used in two ways:
  - In-app while you have the app open — to centre the map on your position and to attach coordinates to finds you log.
  - In the background, only while a detecting session is active — to record the path you walked. Background tracking stops the moment you end the session. We never run background location outside an active session.
- Location is stored on your device only (in the local SQLite database) unless you choose to submit a find to DIME (see 2.5).
2.3 Find data
Each find you log stores:
- Coordinates (GPS)
- Date and time
- Photos you attach
- Notes, depth, category, and other fields you fill in
- Lift recall info (a toggle for whether you lifted the find)
This data is stored locally on your device in SQLite. Photos attached to finds are uploaded to Supabase Storage so they survive a device change.
2.4 Protected zone data
The app displays protected archaeological zones (fortidsminder, kulturarvsarealer, beskyttede sten- og jorddiger) on the map using public data from SLKS (Slots- og Kulturstyrelsen) and the §3 nature register from Miljøportalen. Map data is fetched from these public services as you pan and zoom; no personal data or location is sent to them.
2.5 DIME submission (optional)
If you choose to submit a find to DIME (the Danish national metal-detecting register), the find data — coordinates, photos, description, finder identity — is sent to DIME's servers under their terms. This is opt-in per find; we do not submit automatically.
DIME is a non-commercial portal owned by Aarhus University (the data controller) and operated together with Moesgård Museum. By accepting DIME's terms during account creation, you agree to the following — these are DIME's terms, not ours, but you should know them before submitting:
- Find locations are shared with the responsible local museum at the time of submission. Sharing can exceptionally be postponed, but after 3 days the museum can access the exact find site if needed.
- Find images and descriptions are published on DIME under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 (CC BY-NC-SA 4.0) licence. GPS coordinates and personal data are NOT public — only approved museum staff, researchers with special access, and system administrators can see them.
- You can exceptionally hide a find from the public view for up to 6 months.
- If you delete your DIME account, your find data is anonymised — not deleted.
See metaldetektorfund.dk for DIME's full terms and privacy policy.
2.6 What we do NOT collect
- No advertising identifiers
- No analytics (no Google Analytics, no Firebase, no Mixpanel, etc.)
- No third-party SDK trackers
- No contacts, calendar, or other personal data outside what's listed above
3. Why we collect this data (legal basis under GDPR)
| Data | Purpose | Legal basis |
|---|---|---|
| Email + auth | Account creation, sign-in | Contract (Art. 6(1)(b)) |
| Location (foreground) | Map centring, find geotagging | Contract |
| Location (background, session) | Session path recording | Explicit consent (you start the session) |
| Photos + find data | Core app functionality | Contract |
| Subscription status | Muld+ feature access | Contract |
| DIME submission | Voluntary national reporting | Explicit consent (per submission) |
4. Who we share data with (sub-processors)
- Supabase (EU region) — account auth, photo storage. See Supabase's privacy policy.
- RevenueCat — subscription management. See RevenueCat's privacy policy.
- DIME / Moesgaard Museum — only when you explicitly submit a find. Their privacy policy applies to submitted data.
We do not share data with advertisers, analytics providers, or data brokers. We do not sell your data.
5. International transfers
Supabase data is stored in EU regions. RevenueCat may process data in the US under Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Retention
- Account data — kept while your account is active. Deleted on request (see Your Rights below) or 12 months after sustained inactivity.
- Find data on your device — kept until you delete the find or uninstall the app.
- Photos in Supabase Storage — kept while your account is active; deleted with account.
- Subscription records — retained for as long as legally required (accounting, tax — typically 5 years in Denmark).
- DIME submissions — once submitted, data is held under DIME's terms, not ours.
7. Your rights (GDPR)
You have the right to:
- Access your data — request a copy.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten"). Erasing your account removes auth data and photos in Supabase. Local SQLite data is deleted by uninstalling the app.
- Restrict processing of your data.
- Object to processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent at any time for background tracking and DIME submissions (the data already shared with DIME is governed by DIME's policy).
- Lodge a complaint with the Danish Data Protection Authority (Datatilsynet, datatilsynet.dk).
To exercise any of these rights, email hello@muld.dev. We respond within 30 days.
8. Security
- All network traffic uses HTTPS / TLS.
- Auth tokens are stored in the device's secure storage.
- Supabase encrypts data at rest.
- We do not store passwords ourselves; Supabase Auth manages hashing.
9. Children
The app is not intended for users under 13. We do not knowingly collect data from children. If you believe a child has used the app, contact us and we will delete the data.
10. Changes to this policy
We may update this policy. The "Last updated" date at the top reflects the most recent change. Material changes will be announced in-app on the next launch after the change.