Privacy Policy
Last updated: 2026-05-14
Overview
MuseumKit is a platform for museums and historical societies. We collect only the data we need to operate the platform: a museum administrator's account email when they sign in, the content they author (tours, stops, photographs, audio), and standard web analytics. We don't sell data, we don't ship third-party advertising trackers, and we don't use visitor data to build profiles.
What we collect
For museum administrators (signed-in users): your email address, your role within your museum's account, the content you upload to your tenant, and audit-log entries describing the actions you take in the admin app (creating a tour, publishing a tour, uploading a logo, etc.).
For visitors (anonymous): we record aggregate analytics via Plausible — page views, referrers, country (not city), device type. Analytics data is aggregated; we can't identify individual visitors from it.
Technical telemetry: when something errors in your browser or in our server-side code, we capture a stack trace and a request ID via Sentry. Sentry strips known-sensitive headers; we configure it to drop URL search parameters that might contain tokens.
How we use it
Account data and content keep your museum's site running — rendering the tours visitors see, gating admin features behind authentication, attributing audit-log entries to the person who took the action. Analytics tell us which tours are getting traffic and where to invest. Error telemetry tells us when something's broken so we can fix it.
We don't share content or visitor analytics with other tenants. Your museum's data is isolated by row-level security in our database; the anonymous brand-bootstrap endpoint returns only the four fields your visitors see (name, slug, brand config, logo URL).
Third parties
We run on Amazon Web Services (S3, CloudFront, Aurora, Lambda, Cognito). Authentication is handled by AWS Cognito; sign-in tokens live in your browser's session storage and never reach a database. Map tiles come from MapTiler. Routing comes from OpenRouteService. Analytics come from Plausible (a privacy-respecting analytics service that doesn't set cross-site cookies). Error telemetry goes to Sentry. We don't use Google Analytics, Facebook Pixel, or any advertising network.
Cookies + storage
The consumer site uses session-only storage for auth state (no persistent cookies). Plausible records analytics first-party (no cross-site tracking, no ad-network IDs). The admin app uses session storage for sign-in tokens; tokens clear when you close the browser tab.
Your rights
If you have an admin account, you can request a copy of your data, correct inaccurate information, or delete your account. Museum content (tours, stops, photographs, audio) is yours; you can export it at any time. Email us at the address below.
Changes to this policy
If we change anything material in this policy, we'll update the "Last updated" date above and notify museum administrators by email. Minor edits (typos, formatting) won't trigger a notification.
Contact
Questions about privacy? aarona@phillipz.me. We read every message.