Terms of Service & Privacy Policy

Effective date: 10 August 2025
Last updated: 10 August 2025

A. Who we are

ChillWiz Limited (trading as Pathoura) (“Pathoura”, “we”, “us”, or “our”) provides software and infrastructure for museums and heritage organisations to publish multilingual, mobile‑friendly audio experiences and manage related content (the Service). Our stack includes a Node.js server, a React/MUI web client, and a PostgreSQL database.

Registered office: 10 Pampas Close, Haywards Heath, RH16 4FA, UK

B. Scope at a glance

  • Operator Terms – apply to museums and heritage organisations that create an account and use the CMS (“Operators”).
  • Visitor Terms – apply to individuals who access audio experiences via QR codes, links, or on‑site numbers (“Visitors”).
  • Acceptable Use Policy – applies to all users.
  • Privacy Policy – explains how we process personal data under UK GDPR and EU GDPR.
  • Cookie & Local Storage Notice – explains cookies, analytics, and offline caching (e.g., IndexedDB).
  • Data Processing Addendum (DPA) – governs Pathoura’s processing when we act as a processor for Operators.

C. Operator Terms of Service

1. The Service

1.1. Pathoura provides a hosted CMS to create, translate, and publish audio content; generate QR codes; manage exhibit numbers; and deliver mobile playback with optional offline caching.
1.2. Beta and experimental features may be labelled as such and may change or be withdrawn at any time.

2. Accounts & Eligibility

2.1. You must be at least 18 years old and authorised to contract on behalf of your organisation.
2.2. You are responsible for safeguarding your login credentials and for all activities under your account.
2.3. You must provide accurate account, billing, and contact information and keep it up to date.

3. Subscriptions, Trials & Taxes

3.1. Plans may include free, standard, and enterprise tiers. Features, limits, and pricing are described on the pricing page and may change upon renewal.
3.2. Fees are payable in advance and are non‑refundable except where required by law.
3.3. Taxes (including VAT) are additional if applicable. You are responsible for all bank/transfer charges.
3.4. We may offer trials or promotional credits with specific terms. After a trial ends, continued use requires a paid plan.

4. Content & Intellectual Property

4.1. Your Content. You (or your licensors) retain all rights in text, images, audio, metadata, translations, and other materials you upload (“Operator Content”). You grant Pathoura a worldwide, non‑exclusive licence to host, reproduce, modify (solely for technical formatting and processing), and distribute Operator Content to provide the Service and display it to Visitors.
4.2. Pathoura IP. We retain all rights in the Service, documentation, logos, and underlying software. No rights are granted except as expressly stated.
4.3. Third‑Party Rights. You are responsible for obtaining all rights, permissions, and licences for Operator Content, including performer’s rights, sound recordings, musical works, images, trademarks, and moral rights.
4.4. Takedowns. We may remove content that allegedly infringes rights or violates this Agreement. See Section H (Takedown Procedure).

5. Service Commitments & Support

5.1. Uptime. For paid plans we target 99.5% monthly uptime excluding planned maintenance and circumstances beyond our reasonable control (see Force Majeure). This is a target, not a guarantee.
5.2. Support. Email support during business hours [Mon–Fri, 09:00–17:00 UK time], response targets only. Enhanced support/SLA may be available on Enterprise.
5.3. Changes. We may modify features to improve performance, security, or usability. Material changes will be communicated via email or dashboard notices.

6. Acceptable Use & Prohibited Conduct

Operators may not use the Service to: (i) store or transmit unlawful, defamatory, or infringing content; (ii) upload malware or attempt to bypass security; (iii) perform excessive, abusive, or automated requests; (iv) collect or process special category data without a lawful basis and safeguards; (v) misrepresent affiliation; (vi) resell the Service without written consent. See Section D for the full Acceptable Use Policy.

7. Data Protection

7.1. Roles. For Operator admin accounts and our own websites, Pathoura acts as controller. For Visitor analytics and playback data collected on behalf of an Operator, Pathoura acts as processor and the Operator is the controller.
7.2. DPA. The Data Processing Addendum in Section K applies to processing of personal data by Pathoura on behalf of Operators.
7.3. Security. We maintain appropriate technical and organisational measures suitable for a service of this nature (see Section E.10).

8. Term, Renewal & Termination

8.1. The Agreement starts when you create an account or first use the Service and continues for the subscription term.
8.2. Subscriptions renew automatically unless cancelled before the renewal date.
8.3. Either party may terminate for material breach not cured within 30 days of notice. We may suspend the Service for non‑payment or if your use poses a security or legal risk.
8.4. Upon termination, your account will be deactivated; you may export content where available. We may delete data after a retention period (see Privacy Policy and DPA).

9. Warranties & Disclaimers

9.1. You warrant that you have all permissions to use and publish Operator Content and that your use complies with laws and third‑party rights.
9.2. The Service is provided “as is” without warranties of merchantability, fitness for a particular purpose, or non‑infringement. Audio may depend on network conditions and device capabilities; offline caching availability may vary by browser/OS.

10. Liability

10.1. To the maximum extent permitted by law, neither party is liable for indirect, incidental, special, or consequential damages, loss of profits, or loss of data.
10.2. Each party’s aggregate liability under this Agreement is limited to the amounts paid by you to Pathoura in the 12 months preceding the event giving rise to the claim (or £100 for free plans).
10.3. Nothing limits liability for death or personal injury caused by negligence, fraud, or other liability that cannot be excluded by law.

11. Publicity & Feedback

11.1. We may use your name and logo to identify you as a customer unless you opt out in writing.
11.2. You grant us a royalty‑free licence to use feedback for product improvement.

12. Governing Law; Disputes

12.1. This Agreement is governed by the laws of England and Wales.
12.2. Courts of England and Wales have exclusive jurisdiction, except that either party may seek injunctive relief in any jurisdiction.

D. Acceptable Use Policy (AUP)

You agree not to use the Service to:

  • Break laws, infringe IP, or violate privacy rights.
  • Upload malicious code, attempt unauthorised access, or probe, scan, or test the vulnerability of systems.
  • Publish hate speech, harassment, or content that is obscene, exploitative, or incites violence.
  • Share personal data of Visitors without a lawful basis and transparency.
  • Circumvent quotas, copy, scrape, or systematically download content, except as permitted by product features.
  • Misuse QR codes or exhibit numbers to mislead Visitors.

We may remove content or suspend accounts that breach this AUP.

E. Privacy Policy (UK/EU)

1. Summary

  • We process personal data to operate the Service for Operators and to deliver exhibit audio to Visitors.
  • For Operator admin accounts, Pathoura is controller. For Visitor playback/analytics collected for an Operator, the Operator is controller and Pathoura is processor.
  • We use cookies and local storage to remember preferences and enable offline audio.
  • You have rights under UK/EU data protection laws (see Section E.9).

2. Data We Collect

From Operators (admin users): name, email, role, organisation details, billing details, authentication logs, support correspondence, product usage events.
From Visitors: device and browser information, IP address (truncated or geo‑resolved to region where feasible), language and accessibility settings, exhibit/track interactions (e.g., start/stop timestamps), and optional feedback forms. We do not require account creation for Visitors.
Content Data: exhibits, audio, images, translations, and metadata provided by Operators.
Automatically collected: diagnostic logs, error reports, performance metrics.
No special category data is intentionally collected. Operators must not upload such data without a lawful basis and safeguards.

3. Purposes & Legal Bases

  • Provide the Service (contract – Operators; legitimate interests – Visitors’ access to museum content).
  • Security and fraud prevention (legitimate interests).
  • Analytics and product improvement (legitimate interests; where required, consent via banner controls).
  • Communications such as service notices and support (contract/legitimate interests).
  • Compliance with legal obligations.

4. Cookies, Local Storage & Offline Caching

  • Cookies: small files used for session management, security, and analytics.
  • Local storage / IndexedDB: used to cache audio files and translations for offline playback; these items stay on the device and can be cleared via browser settings.
  • We present a consent mechanism where required by law and honour “Do Not Track/Preference Signals” where legally mandated and technically feasible.
  • If you disable storage, some features (e.g., offline playback) may not work.

5. Disclosures & Sub‑processors

We share personal data with trusted providers that help us operate the Service (hosting, CDN, error monitoring, analytics, email). We require appropriate data processing agreements and, for transfers outside the UK/EU, approved mechanisms (e.g., Standard Contractual Clauses plus UK Addendum). A current list of sub‑processors will be maintained at [link or appendix].

6. International Transfers

Where data is transferred outside the UK/EEA, we use appropriate safeguards such as SCCs/UK Addendum and assess local laws that may affect data protection.

7. Retention

  • Operator account data: retained for the life of the account and for up to 12 months after closure unless longer retention is required by law.
  • Visitor playback analytics: retained for the shorter of 13 months or the period specified by the Operator.
  • Device‑cached audio: remains on the device until cleared by the user or until we expire/replace the cache.

8. Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, audit logging, network segregation, and regular backups. No system is perfectly secure; please notify us promptly of any suspected incident at pathoura.app@gmail.com.

9. Your Rights (UK/EU)

You may have the rights to access, rectify, erase, restrict or object to processing, and data portability. Where we act as processor for an Operator, please direct requests to the Operator; we will assist them. You can also lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

10. Children

The Visitor experience is intended for a general audience and not directed to children under 13. Operators must not collect children’s personal data through custom forms without appropriate consents and safeguards.

F. Visitor Terms (End Users)

By accessing an exhibit page or playing audio, you agree to: (i) use content for personal, non‑commercial purposes; (ii) not copy, rehost, or redistribute audio or images; (iii) follow site and venue rules. Content is provided by the museum and may change. Network coverage can affect streaming; offline caching is optional and can be cleared in your browser settings.

G. Brand & White‑Labeling

Subject to your plan, we may offer custom domains, theming, and branded experiences. White‑label use must not mislead Visitors about who operates the Service or processes their data. You must provide a privacy notice to Visitors identifying you as controller where applicable.

H. Notice & Takedown Procedure (IP/Content)

If you believe content on the Service infringes your rights, please email pathoura.app@gmail.com with: (i) identification of the work claimed to be infringed, (ii) the specific URL(s), (iii) your contact details, and (iv) a good‑faith statement of rights and accuracy. We may notify the Operator and remove or disable access while investigating.

I. Changes to These Terms & Policies

We may update these terms and policies from time to time. Material changes will be notified via email or dashboard notices and take effect on the stated date. Continued use after the effective date constitutes acceptance.

J. Contact & Notices

Legal notices should be sent to pathoura.app@gmail.com and by post to Registered Address.

K. Data Processing Addendum (Processor Terms)

1. Subject matter and duration. Pathoura processes personal data on behalf of the Operator for the provision of audio experiences and related analytics for the term of the Agreement and any post‑termination retention period.
2. Nature and purpose of processing. Hosting, caching, transmission, storage, analytics, support, security monitoring, and product improvement (as permitted).
3. Types of personal data. Operator admin data (names, emails), Visitor technical data (IP, user‑agent, language), interaction events (playback times, exhibit IDs), and any data submitted via optional forms. No special category data intended.
4. Categories of data subjects. Operator personnel and Visitors.
5. Roles and instructions. Operator is controller; Pathoura is processor and will only process on documented instructions from the Operator, including with respect to international transfers, retention, and sub‑processors.
6. Confidentiality. Pathoura ensures personnel are bound by confidentiality obligations.
7. Security measures. See Section E.8; additional details available upon request.
8. Sub‑processing. Operator authorises Pathoura to engage sub‑processors listed at [link/appendix], with the right to object on reasonable grounds. We will impose written data protection terms on sub‑processors.
9. Assistance. We will assist the Operator with data subject requests, security incidents, DPIAs, and consultations with supervisory authorities where appropriate.
10. Breach notification. We will notify the Operator without undue delay upon becoming aware of a personal data breach affecting Operator data, and provide information as it becomes available.
11. Audit. Upon reasonable notice and subject to confidentiality and security policies, we will make available information to demonstrate compliance and allow audits once per year or following a verified incident.
12. Return/Deletion. Upon termination or on request, we will delete or return personal data after any agreed retention period unless law requires storage.
13. Transfers. For transfers outside the UK/EEA, we will rely on SCCs/UK Addendum or other lawful mechanisms.
14. Liability. The limitation of liability in the Operator Terms applies to this DPA.
15. Order of precedence. If there is a conflict, the DPA prevails over the Terms with respect to processing of personal data.

L. Cookie & Local Storage Notice

Strictly necessary – login/session cookies for admin users; security and load balancing.
Functional – remember language and accessibility preferences.
Analytics – measure usage to improve features; where required, used only with consent.
Local storage / IndexedDB – cache audio files and exhibit data so playback works through thick walls, basements, or weak signal. You can clear these in your browser. Disabling them may limit functionality.

M. Definitions

  • Operator – a museum, gallery, heritage site, or partner using the CMS.
  • Visitor – an individual accessing content published by an Operator.
  • Personal data – information relating to an identified or identifiable person.
  • Controller / Processor – as defined by UK/EU GDPR.
  • Service – Pathoura’s hosted software, APIs, web apps, and related services.