MINALYA
Your field, your data

Privacy policy

Last updated: May 13, 2026

Minalya builds a digital chain of custody for mining samples. This policy describes what data we collect, why, how long we keep it, and your rights.

1. Data controller

The data controller is Minalya, operated by MAWARABA KEITA (Canada). For any question, write to contact@useminalya.com.

2. Data we collect

Minalya collects only data strictly required for the chain of custody of mining samples and for regulatory audit (NI 43-101, JORC, KP).

  • User account: first and last name, professional email, role (geologist, project manager, etc.), bcrypt-hashed password (12 rounds).
  • Field data: GPS coordinates of samples and traces, photos taken in the field, geological observations (lithology, alteration, structures), structural measurements.
  • Continuous GPS trace: while you record an exploration trace, the GPS position is captured every 3 seconds (including while the screen is off, with your explicit permission). Used to document field coverage by the geologist.
  • Sensors: occasional use of the phone's magnetometer and accelerometer to compute azimuth and dip of a structural measurement. No raw sensor data is stored.
  • Audit log: for each action (creating/editing/deleting a sample, observation, etc.), we record the user, date, IP address, and user agent. This is required by 43-101 audits and a key part of Minalya's value.
  • Technical data: device type, OS version, app version, install identifier, for crash diagnostics.

3. Purposes

  • Provide the offline sample collection service and the auditable digital chain of custody.
  • Enable GIS exports (QGIS, ArcGIS, Leapfrog, Vulcan, Surpac, Micromine) requested by your organization.
  • Document the provenance of samples for buyers, the State (Mines, Customs), and auditors (PwC, KPMG under NI 43-101).
  • Detect and report anomalies (out-of-title sample, suspect, aberrant GPS measurement).
  • Maintain the security of the service (abuse detection, throttling, login auditing).

4. Legal basis (GDPR)

Processing is based on the performance of the contract between Minalya and your organization (Article 6.1.b GDPR) and on our legitimate interest in producing an audit trail compliant with international mining standards (Article 6.1.f). Retention obligations for regulatory audit also constitute a legal obligation (Article 6.1.c) in countries where such audits are mandatory.

5. Retention periods

  • Sample data and observations: life of the project, plus 10 years after closure (standard archive duration for NI 43-101 audits).
  • Audit log: append-only, indefinite retention. This is the guarantee of audit-trail integrity (impossible to rewrite history).
  • User account: duration of the contractual relationship plus 3 years.
  • Technical logs: 90 days.
  • Field photos: life of the project plus 10 years.

6. Data sharing

Minalya does NOT sell any data to third parties. Data may be shared with:

  • Members of your organization authorized to access the project.
  • Auditors mandated by your organization (PwC, KPMG, BDO, etc.) as part of an NI 43-101 audit or equivalent.
  • Competent state authorities (Ministry of Mines, Customs) if your organization chooses to export data in a regulatory format.
  • Our technical subprocessors: Railway (database hosting, United States), Vercel (marketing site hosting, United States), Google Cloud (Firebase App Distribution if enabled).

7. Your rights

In accordance with GDPR and equivalent laws, you have the following rights:

  • Access to your personal data.
  • Rectification of inaccurate data.
  • Erasure of data not covered by a legal retention obligation (for example, technical logs).
  • Restriction and objection to processing.
  • Data portability in a structured format (GeoJSON, CSV).
  • Withdrawal of consent for consent-based processing (notably background location).

The audit log (append-only) cannot be erased because its integrity is essential to Minalya's value. If you leave an organization, your contributions remain attributed to your account for traceability, but your profile may be anonymized.

To exercise these rights, write to contact@useminalya.com. We respond within 30 days.

8. Security

  • Passwords hashed with bcrypt, 12 rounds (never stored in plain text).
  • Short-lived JWT authentication tokens (15 minutes) with a rotating refresh token.
  • HMAC-SHA256 signature of each sample at creation, to guarantee integrity for auditors.
  • TLS 1.3 encryption in transit.
  • Secure storage of secrets on mobile (Android Keystore, iOS Keychain).
  • Append-only audit log at the database level (REVOKE UPDATE/DELETE).
  • Rate limiting (100 requests / 15 minutes / IP).

9. International transfers

Data is hosted by Railway (United States) and Vercel (United States). These subprocessors are certified compliant with the EU-US Data Privacy Framework (DPF), which guarantees an adequate level of protection.

10. Minors

Minalya is a professional tool for geologists and mining technicians. The service is not directed at persons under 18 and does not knowingly collect their data.

11. Changes to this policy

Any material change will be notified by email to active users at least 30 days before it takes effect. The latest version is always published on this page.

12. Contact

For any question, request to exercise a right, or complaint, write to contact@useminalya.com. You also have the right to lodge a complaint with the competent supervisory authority (CNIL in France, OPC in Canada).