Mugshot Privacy Notice

Last Updated: March 25, 2025

This Privacy Notice describes how Mugshot (“we”, “us”, or “our”), an independent project and not a registered business entity [If this status changes, we will update this Privacy Notice accordingly], might access, collect, store, use, and/or share (“process”) your personal information when you download our digital Application Mugshot (herein referred to as “Mugshot” or “Mugshot dApp” or also “dApp”). This includes when you:
● Use Mugshot on your mobile device.
● Engage with us in other ways, including but not limited to marketing or events.

About Mugshot
Mugshot is a decentralized Application (dApp) compatible with the VeChainThor Blockchain or other authorized blockchains by VeChain (the “Blockchain”), revolutionizing how coffee and tea lovers engage with sustainability. By simply snapping a photo of their reusable mug, users earn $B3TR tokens within the VeChain ecosystem, turning everyday habits into a rewarding and impactful experience.

Powered by OpenAI’s artificial intelligence (AI) technology for image verification and the VeChainThor Blockchain for secure, transparent reward distribution, Mugshot seamlessly verifies reusable cup usage and provides real-time rewards, incentivizing sustainable choices at scale. With an easy-to-use platform, Mugshot empowers individuals and businesses to reduce waste, promote circular economy practices, and drive real-world environmental change—one mug at a time.

Questions or Concerns?
Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at support@mugshot.freshdesk.com.

SUMMARY OF KEY POINTS 

This summary provides key points from our Privacy Notice, but you can find more details about any of these topics by using our table of contents below to find the section you are looking for. 

What personal information do we process?
When you visit, use, or navigate our dApp, we may process personal information depending on how you interact with us and the dApp, the choices you make, and the products and features you use. Learn more about personal information you disclose to us. 

Do we process any sensitive personal information?
We do not process sensitive personal information. 

Do we collect any information from third parties?
We do not purchase or collect third-party marketing data. However, we integrate with third-party services (e.g., Privy.io for social login and OpenAI for image verification) to operate the platform. 

How do we process your information?
We process your information to provide, improve, and administer our dApp, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information. 

In what situations and with which third parties do we share personal information?
We may share information in specific situations and with specific third parties. Learn more about when and with whom we share your personal information. 

How do we keep your information safe?
We have adequate organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe.

What are your rights?
Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights?
The easiest way to exercise your rights is by contacting us. We will consider and act upon any request in accordance with applicable data protection laws. 

Want to learn more about what we do with any information we collect? Review the Privacy Notice in Full

1. WHAT INFORMATION DO WE COLLECT? 

Personal information you disclose to us 
In Short: We collect personal information that you provide to us. 

We collect personal information that you voluntarily provide to us when you register on the dApp, express an interest in obtaining information about us or our dApp, when you participate in activities on the dApp, or otherwise when you contact us. 

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the dApp, the choices you make, and the products and features you use. The personal information we collect may include the following: 
● Photographs 
● Public wallet addresses 
● Email addresses 
● Usernames 
● Geographical location (i.e., GPS location)

Sensitive Information. Mugshot does not process sensitive personal information, such as biometric identifiers, financial details, or government-issued IDs. While images are analyzed to verify reusable cup usage, we do not extract or store facial recognition data or other biometric information. 

Information Stored on the Blockchain. Mugshot leverages the VeChainThor Blockchain to record certain data as part of our reward system. Specifically, we store: 
● Blurred photographs of reusable mugs, processed to remove identifiable details, to verify sustainability efforts. 
● Transaction data related to the distribution of $B3TR tokens to your public wallet address. 

Blockchain transactions are permanent and immutable by design, meaning once recorded, this data cannot be altered or deleted. Other personal information, such as your email address or precise geolocation, is stored securely off-chain in our systems (e.g., databases and cloud storage) and is subject to the retention and security practices outlined in Sections 7 and 8 below. 

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Google Account, Telegram, X, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below. 

Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission: 
● Geolocation Information. We may request access or permission to track location-based information from your mobile device, either continuously or while you are using our mobile application(s), to provide certain location-based services. If you wish to change our access or permissions, you may do so in your device's settings.
● Mobile Device Data. We automatically collect device information (such as your device model and manufacturer (e.g., Android, iPhone)).
● Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device's settings.

This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes. 

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information. 

Information automatically collected 
In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our dApp. 

We automatically collect certain information when you visit, use, or navigate the dApp. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. 

The information we collect includes: 
● Log and Usage Data. Log and usage data is dApp-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our dApp and which we record in log files.
● Device Data. We collect device data such as information about your phone, tablet, or other device you use to access the dApp.
● Location Data. We collect location data, which may be either precise (e.g., GPS-based) or imprecise (e.g., inferred from IP address), depending on your device settings. This data helps us enhance your experience by:
○ Displaying nearby cafes that accept Mugshot, allowing you to easily find participating locations.

How much location information we collect depends on your device settings and permissions. If enabled, we may use GPS and other geolocation technologies to determine your current location. You can opt out by disabling location access in your device settings; however, doing so may limit features such as discovering nearby participating cafes. 

Google API 
Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

2. HOW DO WE PROCESS YOUR INFORMATION? 

In Short: We process your information to provide, improve, and administer our dApp, reward users, verify sustainability efforts, and enhance overall functionality. We also process data for security, fraud prevention, and compliance with legal obligations. 

We process your personal information for a variety of reasons, depending on how you interact with our Services, including: 
● To facilitate account creation and authentication. We process your information to enable secure logins and account management through Privy.io. 
● To deliver and facilitate the delivery of rewards. We process your mugshot submissions and linked wallet addresses to verify reusable cup usage and distribute $B3TR token rewards. 
● To verify sustainability practices. Submitted images are analyzed by OpenAI to confirm the use of reusable cups, supporting environmental impact tracking. 
● To improve app functionality and user experience. We process analytics data to understand user engagement and enhance platform performance. 
● To respond to user inquiries and support requests. We may process your information to assist with troubleshooting issues and provide customer support. 
● To protect our Services. We process data for fraud monitoring, security enforcement, and to prevent misuse of the platform. 
● To identify usage trends and optimize features. We analyze anonymized user behavior to improve engagement, refine reward mechanisms, and scale sustainability initiatives. 

We do not sell your personal data, and all processing is conducted in alignment with privacy best practices and applicable regulations. 

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION? 

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests. 

If you are located in the EU or UK, this section applies to you. 

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information: 
● Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. 
● Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our dApp or at your request prior to entering into a contract with you. 
● Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to: 
○ Analyze how our dApp is used so we can improve it to engage and retain users
○ Diagnose problems and/or prevent fraudulent activities
○ Understand how our users use our dApp so we can improve user experience
● Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved. 

If you are located in Canada, this section applies to you. 

We adhere to the regulations applicable under Canadian law, including the Personal Information Protection and Electronic Documents Act (PIPEDA). By using our dApp, you acknowledge that we may process your personal information in accordance with this Privacy Notice. 

In limited circumstances, we may process certain information without explicit consent when required by law, such as for fraud prevention, security purposes, or to comply with legal obligations. 

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION? 

In Short: We share personal information only when necessary to provide our services, improve user experience, and maintain platform security. 

Third-Party Service Providers. To provide various features, services, and materials within the dApp, we may share certain user information with third-party providers that assist with authentication, hosting, analytics, security, and fraud prevention. These third parties process data as part of their respective functions, and we encourage you to review their privacy policies for details on how they handle your information. We do not sell or share personal information with advertisers or third parties for marketing purposes. All data shared with third-party services is handled in accordance with their privacy policies and industry security standards. 

Third-party services we use include: 
● Privy.io (Social Login): We use Privy.io to facilitate the following:
○ Authentication: Privy.io may collect and store login credentials (e.g., email addresses) to enable secure sign-ins.
○ Social Logins: If you choose to register or log in using your third-party social media account details (such as Google, Telegram, or X), Privy.io collects certain profile information from your social media provider on our behalf. This may include your name, email address, friends list, profile picture, and other information you’ve made public on that platform, depending on the provider. We use this information only for purposes described in this Privacy Notice, such as account creation and authentication. Privy.io’s use of this data, including any additional processing (e.g., session cookies), is governed by their policies, and we do not control other uses of your information by social media providers. For more details, please review Privy.io’s privacy policy at https://www.privy.io/privacy-policy and the privacy notice of your chosen social media provider. 
● OpenAI (Image Processing): When you submit a photo, OpenAI processes the image to verify sustainability efforts. No personally identifiable information (PII) is included in these submissions. For OpenAI’s privacy policy, please visit https://openai.com/policies/row-privacy-policy/
● Mixpanel (Analytics): We use Mixpanel to collect anonymized usage data and performance metrics, helping us improve user engagement and enhance the app experience. For Mixpanel’s privacy policy, please visit https://mixpanel.com/legal/privacy-policy/
● Fingerprint Pro (Fraud Prevention & Security): Fingerprint Pro is used to detect and prevent fraudulent activities on our platform. For Fingerprint Pro’s privacy policy, please visit https://dev.fingerprint.com/docs/privacy-policy

Blockchain Platform. When you engage in a transaction that is recorded on the VeChainThor Blockchain, certain information related to that transaction—such as blurred photographs of reusable mugs and $B3TR token reward data linked to your public wallet address—will be published on the blockchain. This data becomes accessible to third parties not controlled by Mugshot or VeChain and is recorded permanently across a wide network of computer systems, making it incapable of deletion. Many blockchains, including VeChainThor, are open to forensic analysis, which could potentially lead to deanonymization or the revelation of personal data when combined with other information. For more details on what is stored on the blockchain, see Section 1 above. 

Business Transfers. We may share information in connection with, or during negotiations of, any proposed or actual merger, purchase, sale, or any other type of acquisition, business combination of all or any portion of our business or assets, change of control, or a transfer of all or a portion of our business or assets to another third party (including in the case of any bankruptcy proceeding). 

Legal Disclosure. Under certain circumstances, we may be required to disclose information collected through the dApp to cooperate with legal investigations or comply with legal requirements, such as those imposed by a court or governmental agency. We may also disclose personal data to investigate any violation or potential violation of the law, this Privacy Notice, or applicable Mugshot Terms of Use, or to protect or defend the rights and property of Mugshot. If GDPR applies to you, you can contact us at support@mugshot.freshdesk.com for additional information about the entities with whom we share your personal data. 

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES? 

In Short: Mugshot does not directly use cookies or similar tracking technologies, but a third-party service we rely on may use cookies for authentication purposes. 

Mugshot itself does not use first-party cookies, web beacons, pixels, or similar tracking technologies to collect or store your information. However, we integrate with Privy.io for social login (see Section 4), which uses cookies to manage user sessions and ensure secure authentication. For example, Privy.io may use cookies to keep you logged in or to maintain session continuity. We do not control or manage these cookies, and their use is governed by Privy.io’s policies. For more details on how Privy.io uses cookies, please review their privacy policy at https://www.privy.io/privacy-policy

Other than this third-party integration, we do not employ tracking technologies for purposes such as analytics or advertising within the Mugshot dApp. 

Do-Not-Track (DNT) Features. Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting you can activate to signal your preference not to have your online browsing activities monitored and collected. Because Mugshot does not use first-party tracking technologies, DNT signals do not apply to our direct operations. Privy.io’s use of cookies for authentication may not respond to DNT signals, as no uniform industry or legal standard for recognizing and implementing them has been finalized. As such, we do not currently override or alter Privy.io’s practices based on DNT settings. If a standard for online tracking is adopted in the future that we must follow, we will update this Privacy Notice to reflect those changes. California law requires us to disclose our response to DNT signals: since we do not engage in first-party tracking and rely on Privy.io for session cookies, we do not respond to DNT signals at this time. 

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS? 

In Short: We use artificial intelligence (AI) to enhance the Mugshot experience, specifically for image analysis and reward verification. 

Mugshot uses AI for image analysis to verify reusable cup submissions and determine eligibility for $B3TR rewards. We use third-party AI service providers, including OpenAI, to process submitted images. No personally identifiable information (PII) is included in these submissions. 

How AI is Used in Mugshot 
● Image Analysis: AI reviews mugshot submissions to determine if they meet the criteria for earning $B3TR rewards. 
● Blockchain Integration: AI-powered verification supports transparency within the VeChain ecosystem. 

All personal information processed through AI is handled securely and in accordance with this Privacy Notice and third-party provider agreements. 

7. HOW LONG DO WE KEEP YOUR INFORMATION? 

In Short: We retain off-chain personal information for up to 12 months after account inactivity, while data recorded on the blockchain remains permanent and cannot be deleted. 

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Notice, unless a longer period is required or permitted by law (e.g., for tax, accounting, or legal obligations). Specifically: 
● Off-Chain Data: Personal information stored in our systems (e.g., email addresses, geolocation data, or original photographs in our databases and cloud storage) is retained for up to 12 months following account inactivity—defined as no logins or interactions with the Mugshot dApp. After this period, we will delete this data, unless it’s held in backup archives, in which case we will securely isolate it until deletion is possible. 
● Blockchain Data: Information recorded on the VeChainThor Blockchain, such as blurred photographs of reusable mugs and $B3TR transaction data linked to your public wallet address (see Section 1), is permanent and immutable by design. Blockchains are distributed across a wide network of computer systems, and once data is recorded, it cannot be altered or deleted. While we do not store immediately identifiable personal data on the blockchain, pseudonymized information like transaction records will persist indefinitely. 

When we no longer have a legitimate business need to process your off-chain personal information, we will take steps to delete it, subject to the exceptions noted above. 

8. HOW DO WE KEEP YOUR INFORMATION SAFE? 

In Short: We protect your personal information using industry-standard encryption and security measures, though no system can be guaranteed 100% secure. 

We have implemented appropriate technical and organizational security measures to safeguard your personal information and prevent unauthorized access, alteration, or misuse. For example: 
● We use HTTPS to secure all data transmissions between your device and the Mugshot dApp, ensuring that information is encrypted in transit. 
● We apply encryption to data both in transit and at rest (e.g., in our databases and cloud storage), protecting sensitive information such as email addresses or geolocation data when stored in our systems. 

These measures align with industry standards to maintain the confidentiality and integrity of your data. However, no electronic transmission over the internet or storage technology can be guaranteed to be 100% secure. While we strive to protect your information, we cannot promise that hackers, cybercriminals, or other unauthorized third parties will not defeat our security and improperly collect, access, steal, or modify your data. Transmission of personal information to and from the Mugshot dApp is at your own risk, and we encourage you to follow best security practices—such as using strong passwords and keeping your device software updated—to enhance your protection. 

If we detect a security breach that impacts user information, we will notify affected users via in-app notifications and take necessary steps to mitigate risks and protect your data. 

Note that data recorded on the VeChainThor Blockchain (e.g., blurred photographs and transaction data) is secured by the blockchain’s distributed architecture, but its permanence and public nature mean it is not controlled by Mugshot once published (see Sections 1 and 4). 

9. DO WE COLLECT INFORMATION FROM MINORS? 

In Short: We do not knowingly collect data from or market to children under 18 years of age. 

If you become aware of any data we may have collected from children under age 18, please contact us at support@mugshot.freshdesk.com.

10. WHAT ARE YOUR PRIVACY RIGHTS? 

In Short: Your privacy rights depend on where you live, with additional rights for certain regions outlined in Sections 12 and 13 below. 

Depending on your location, you may have the right to: 
● Access, update, or delete your personal information. 
● Restrict or object to how we process your data. 
● Request a copy of your data. 
● Withdraw your consent at any time (where applicable). 

To exercise your rights, contact us at support@mugshot.freshdesk.com. We will review and process your request in line with applicable laws. 

If you believe we are processing your data unlawfully, you may file a complaint with your local data protection authority. 

11. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS? 

In Short: If you live in certain U.S. states, you may have specific rights regarding your personal data. 

Residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia may have the right to: 
● Access, update, or delete your personal information. 
● Request details on how we process your data. 
● Restrict or object to certain uses of your data. 
● Obtain a copy of your data in a portable format. 
● Opt out of targeted advertising or data sales (if applicable—note that Mugshot does not sell data or use it for advertising). 

We do not sell or share your personal data for advertising purposes, but we may share necessary data with service providers to operate the Mugshot dApp (see Section 4). To exercise these rights, email us at support@mugshot.freshdesk.com. You may need to verify your identity before we process your request. If we deny your request, you may appeal by contacting us at the same email.

California Residents: Under California’s “Shine the Light” law, you can request information about data shared for direct marketing (we do not share for this purpose). Email support@mugshot.freshdesk.com to submit a request. 

12. DO EU / UK RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS? 

In Short: If you are in the European Union (EU) or United Kingdom (UK), GDPR grants you specific rights and protections for your personal data. 

If you are located in the European Union (EU) or United Kingdom (UK), the General Data Protection Regulation (GDPR) or UK GDPR applies to your personal data. Below are additional disclosures relevant to you: 

Our Role: Mugshot acts as a data controller for personal data collected as you interact with our dApp, meaning we determine the purposes and means of processing this data. 

Lawful Basis for Processing: We process your data based on: 
● Contract: To fulfill our obligations under the agreement you enter when downloading and using Mugshot, such as processing photographs and transaction data to provide rewards and functionality (see Section 2). 
● Legal Obligations: In limited cases, to comply with laws, though we aim to minimize disclosures unless legally required (see Section 4(d)). 
● Additional bases, like consent or legitimate interests, are detailed in Section 3. 

Retention: We retain off-chain personal data for up to 12 months after account inactivity (no logins or interactions). Blockchain data (e.g., pseudonymized transaction records) is permanent and cannot be deleted, though you may create new wallets to dissociate past activity (see Section 7). 

Data Transfers: If your data is transferred outside the EU/UK (e.g., to the U.S. for storage or processing), we use safeguards like Standard Contractual Clauses or rely on adequacy decisions under GDPR Article 45. Contact us at support@mugshot.freshdesk.com for details on transfers and safeguards. 

Your Rights: Subject to conditions, you may: 
● Access, rectify, or erase your personal data. 
● Request data portability to transfer it to another party. 
● Restrict or object to processing. 
● Withdraw consent (if applicable) at any time. 

To exercise these rights, email support@mugshot.freshdesk.com. We’ll respond within 30 days, possibly requiring identity verification. We may retain data to fulfill contracts, comply with laws, resolve disputes, or prevent fraud, even after a request (see Section 7). 

Complaints: If dissatisfied with our data handling, you may contact your local Data Protection Authority. We’d appreciate a chance to address your concerns first—reach out to us at support@mugshot.freshdesk.com.

13. DO WE MAKE UPDATES TO THIS NOTICE? 

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws. 

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information. 

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE? 

If you have questions or comments about this notice, you may email us at support@mugshot.freshdesk.com.

© 2025 Mugshot — All Rights Reserved.