Privacy Policy
Effective Date
Section titled “Effective Date”Effective Date: [DATE]
Last Updated: [DATE]
1. Introduction
Section titled “1. Introduction”Welcome to Honeycomb (the “Platform,” “Service,” “we,” “us,” or “our”), operated by Mindhyv, LLC (“Mindhyv,” the “Company”). This Privacy Policy (“Policy”) describes how we collect, use, disclose, retain, and protect your personal data when you access or use the Honeycomb platform, including our website, mobile applications, APIs, and all related services (collectively, the “Services”).
Mindhyv, LLC is the data controller responsible for the processing of your personal data under this Policy. Our contact details are set forth in Section 15 below.
This Policy applies to all users of the Services worldwide, including users located in the European Economic Area (“EEA”), the United Kingdom (“UK”), the State of California, and all other jurisdictions. Where specific rights apply only to users in certain jurisdictions, we identify those rights expressly.
By creating an account, accessing, or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, you must not use the Services.
2. Data We Collect
Section titled “2. Data We Collect”We collect and process the following categories of personal data:
2.1 Account Data
Section titled “2.1 Account Data”When you register for an account, we collect:
- Email address (required)
- Password (hashed; or authentication token if using OAuth)
- Phone number (if provided for two-factor authentication or account recovery)
- Date of birth (required; used to verify you are 18 years of age or older)
- Account creation date and time
- Account status (active, suspended, deactivated)
2.2 Profile Data
Section titled “2.2 Profile Data”When you create or update your profile, we collect:
- Display name / username
- Full legal name (first name and last name, if provided)
- Gender (if provided)
- Location (city, state/province, country, if provided)
- Biography / “about me” text
- Profile avatar / photo
- Cover photo or banner image
- Profile links (website, social media handles, if provided)
- Language and locale preferences
2.3 Content Data
Section titled “2.3 Content Data”When you create, upload, or interact with content on the Platform, we collect:
- Posts (text, images, videos, links, and associated metadata such as timestamps, hashtags, and mentions)
- Stories (ephemeral content, including images, videos, text overlays, and associated metadata; automatically deleted after 24 hours)
- Comments and replies
- Reactions and likes
- Media uploads (photos, videos, audio files, and documents, including EXIF metadata if present in files you upload)
- Saved or bookmarked content
- Shared or reposted content
2.4 Communication Data
Section titled “2.4 Communication Data”When you communicate through the Platform, we collect:
- Direct messages (DMs) (text, images, videos, audio, files, and metadata)
- Group message content
- Message read receipts and delivery status
- Blocked and muted user lists
- Reported content and associated context
2.5 Transaction Data
Section titled “2.5 Transaction Data”When you engage in financial transactions on the Platform, we collect:
- Stripe customer ID
- Payment method type (e.g., credit card brand, last four digits; we do not store full card numbers)
- Transaction amounts, currency, and timestamps
- Billing address
- Purchase history (items purchased, subscriptions, tips, and other commerce transactions)
- Wallet balance and transaction history
- Payout and withdrawal information
- Refund and dispute records
- Tax-related identifiers (where required by applicable law)
2.6 Usage Data
Section titled “2.6 Usage Data”We automatically collect data about how you interact with the Services:
- IP address
- Device type, operating system, and browser type/version
- Device identifiers (advertising ID, device ID)
- Pages and features accessed, and time spent
- Clickstream data and navigation paths
- Referring and exit URLs
- Search queries within the Platform
- Interaction data (likes, follows, shares, blocks, reports)
- Notification interaction data (opens, dismissals)
- Session duration and frequency
- Geolocation data (derived from IP address; precise location only if you grant permission)
- Crash logs and performance diagnostics
2.7 AI Interaction Data
Section titled “2.7 AI Interaction Data”When you use AI-powered features on the Platform, we collect:
- Prompts and inputs submitted to AI features
- AI-generated outputs and responses
- Feature usage context (which AI feature was invoked, timestamp, associated content)
- Feedback on AI outputs (ratings, corrections, reports)
2.8 Third-Party OAuth Data
Section titled “2.8 Third-Party OAuth Data”When you authenticate using a third-party OAuth provider, we receive certain data from that provider depending on the permissions you grant. We support the following OAuth providers:
| OAuth Provider | Data We May Receive |
|---|---|
| Name, email address, profile photo, locale | |
| Apple | Name, email address (or private relay email) |
| Twitter (X) | Name, username, email address, profile photo |
| Facebook (Meta) | Name, email address, profile photo |
| Discord | Username, email address, avatar |
| Name, email address, profile photo | |
| TikTok | Display name, avatar, username |
| VK | Name, email address, profile photo |
| Telegram | Name, username, profile photo |
| Microsoft | Name, email address, profile photo |
| GitHub | Username, email address, avatar, name |
We only request the minimum scopes necessary for authentication and account creation. We do not access your contacts, friend lists, or post on your behalf through OAuth unless you explicitly authorize such actions.
2.9 Cookies and Similar Technologies
Section titled “2.9 Cookies and Similar Technologies”We use cookies, local storage, and similar tracking technologies to collect certain data. For full details, please refer to our Cookie Policy.
3. How We Use Your Data
Section titled “3. How We Use Your Data”We process your personal data for the following purposes:
3.1 Service Operation and Delivery
Section titled “3.1 Service Operation and Delivery”- To create and maintain your account
- To authenticate your identity and manage sessions
- To display your profile to other users
- To enable you to create, publish, and interact with content
- To facilitate direct and group messaging
- To deliver Stories and enforce 24-hour auto-deletion
- To enable social commerce features (buying, selling, tipping, wallet)
- To process transactions via Stripe
- To provide search and discovery functionality
3.2 Personalization
Section titled “3.2 Personalization”- To personalize your content feed and recommendations
- To suggest accounts and content based on your interests and behavior
- To display content in your preferred language and locale
3.3 Payments and Financial Services
Section titled “3.3 Payments and Financial Services”- To process payments, payouts, and refunds via Stripe
- To maintain wallet balances and transaction records
- To comply with tax reporting obligations
- To detect and prevent payment fraud
3.4 Communications
Section titled “3.4 Communications”- To send transactional notifications (account verification, password resets, transaction receipts)
- To send service-related announcements (platform updates, policy changes, security alerts)
- To send promotional communications (where you have opted in or where permitted by applicable law)
3.5 Analytics and Improvement
Section titled “3.5 Analytics and Improvement”- To analyze usage trends and feature adoption
- To conduct A/B testing and product experiments
- To measure the effectiveness of our features and services
- To identify and fix bugs, errors, and performance issues
3.6 AI Features
Section titled “3.6 AI Features”- To process your prompts and generate AI-powered outputs
- To improve the quality and accuracy of AI features
- To monitor AI outputs for safety, policy compliance, and harmful content
- To aggregate and anonymize AI interaction data for model evaluation
3.7 Fraud Prevention and Safety
Section titled “3.7 Fraud Prevention and Safety”- To detect, investigate, and prevent fraud, abuse, spam, and unauthorized access
- To enforce our Terms of Service and Community Guidelines
- To protect the safety and security of our users and the Platform
- To identify and remove accounts operated by minors (under 18)
3.8 Legal Compliance
Section titled “3.8 Legal Compliance”- To comply with applicable laws, regulations, and legal processes
- To respond to lawful requests from law enforcement and government authorities
- To establish, exercise, or defend legal claims
- To fulfill tax, accounting, and financial reporting obligations
4. Legal Bases for Processing (GDPR)
Section titled “4. Legal Bases for Processing (GDPR)”For users in the European Economic Area (EEA) and the United Kingdom (UK), we process personal data only where we have a valid legal basis under the General Data Protection Regulation (GDPR). The following table maps each processing purpose to its corresponding legal basis:
| Processing Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of a contract (Terms of Service) | Art. 6(1)(b) |
| Profile display and social features | Performance of a contract | Art. 6(1)(b) |
| Content creation, publishing, and interaction | Performance of a contract | Art. 6(1)(b) |
| Direct messaging and communications | Performance of a contract | Art. 6(1)(b) |
| Stories delivery and 24-hour auto-deletion | Performance of a contract | Art. 6(1)(b) |
| Payment processing and wallet services | Performance of a contract | Art. 6(1)(b) |
| Transaction record-keeping and tax compliance | Legal obligation | Art. 6(1)(c) |
| Transactional notifications (receipts, alerts) | Performance of a contract | Art. 6(1)(b) |
| Promotional communications | Consent | Art. 6(1)(a) |
| Feed personalization and recommendations | Legitimate interest (improving user experience) | Art. 6(1)(f) |
| Analytics, A/B testing, and product improvement | Legitimate interest (service improvement) | Art. 6(1)(f) |
| AI feature operation (prompt processing, output generation) | Performance of a contract | Art. 6(1)(b) |
| AI quality and safety monitoring | Legitimate interest (safety and service quality) | Art. 6(1)(f) |
| Fraud prevention, abuse detection, and platform safety | Legitimate interest (security and fraud prevention) | Art. 6(1)(f) |
| Age verification (18+ enforcement) | Legal obligation and Legitimate interest | Art. 6(1)(c), Art. 6(1)(f) |
| Responding to law enforcement requests | Legal obligation | Art. 6(1)(c) |
| Establishing, exercising, or defending legal claims | Legitimate interest | Art. 6(1)(f) |
| OAuth authentication via third-party providers | Performance of a contract | Art. 6(1)(b) |
| Cookies and tracking (non-essential) | Consent | Art. 6(1)(a) |
| Processing of precise geolocation data | Consent | Art. 6(1)(a) |
Where we rely on legitimate interest as a legal basis, we have conducted balancing tests to ensure that our interests do not override your fundamental rights and freedoms. You may contact us at any time to request information about these assessments.
Where we rely on consent, you may withdraw your consent at any time by adjusting your account settings or contacting us at the address listed in Section 15. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
5. How We Share Your Data
Section titled “5. How We Share Your Data”We do not sell your personal data. We share personal data only in the following circumstances:
5.1 Service Providers (Data Processors)
Section titled “5.1 Service Providers (Data Processors)”We engage the following third-party service providers who process personal data on our behalf, under written data processing agreements:
| Service Provider | Role | Data Shared | Purpose |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, real-time infrastructure | Account data, profile data, content data, communication data, usage data, AI interaction data, session tokens, Row-Level Security policies | Primary data storage, user authentication, real-time data delivery, database infrastructure |
| Stripe, Inc. | Payment processing | Name, email address, billing address, payment method details, transaction amounts, Stripe customer ID, wallet and payout data | Payment processing, subscription management, payouts, fraud detection, tax reporting |
| OpenAI, Inc. | AI feature processing | AI prompts, input context, user-selected content submitted to AI features | Generating AI-powered outputs and responses within Platform features |
| Cloudflare, Inc. | Hosting, CDN, DDoS protection, DNS | IP addresses, HTTP request headers, traffic metadata, cached static assets | Content delivery, performance optimization, security protection, DDoS mitigation |
Each service provider is contractually obligated to process personal data only for the purposes specified above, to implement appropriate technical and organizational security measures, and to delete or return personal data upon termination of the agreement.
5.2 Law Enforcement and Legal Requests
Section titled “5.2 Law Enforcement and Legal Requests”We may disclose your personal data to law enforcement authorities, government agencies, courts, or other third parties where we believe in good faith that disclosure is:
- Required by applicable law, regulation, or legal process (including subpoenas, court orders, or government requests);
- Necessary to protect the rights, property, or safety of Mindhyv, our users, or the public;
- Necessary to detect, prevent, or address fraud, security issues, or technical problems; or
- Necessary to enforce our Terms of Service or other agreements.
Where permitted by law, we will notify you of such requests before disclosing your data, unless notification is prohibited by law or would jeopardize an investigation.
5.3 Business Transfers
Section titled “5.3 Business Transfers”In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or other business transaction involving all or a portion of our assets, your personal data may be transferred to the acquiring entity or successor. We will provide notice of any such transfer and any choices you may have regarding your data.
5.4 With Your Consent
Section titled “5.4 With Your Consent”We may share your personal data with third parties where you have provided explicit consent, including:
- When you choose to share content publicly on the Platform
- When you authorize a third-party integration or application
- When you participate in promotions, contests, or surveys operated by third parties
5.5 Aggregated and De-identified Data
Section titled “5.5 Aggregated and De-identified Data”We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for analytics, research, marketing, and other business purposes. Such data is not considered personal data under applicable law.
6. International Data Transfers
Section titled “6. International Data Transfers”Honeycomb is operated by Mindhyv, LLC, based in the United States. Your personal data may be transferred to, stored, and processed in the United States and other countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.
6.1 Transfers from the EEA and UK
Section titled “6.1 Transfers from the EEA and UK”For personal data transferred from the EEA or UK to the United States or other countries not subject to an adequacy decision by the European Commission or the UK Government, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission’s Standard Contractual Clauses (as approved by Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism for data transferred to our service providers and within our organization. Where required, we supplement SCCs with additional technical and organizational measures.
-
Adequacy Decisions: Where the European Commission or UK Government has issued an adequacy decision for a recipient country, we may rely on that decision as a basis for the transfer.
-
EU-U.S. Data Privacy Framework: To the extent applicable and certified, we may rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework as a basis for transfers to the United States.
6.2 Your Acknowledgment
Section titled “6.2 Your Acknowledgment”By using the Services, you acknowledge that your personal data will be processed in the United States and potentially other jurisdictions. We take reasonable steps to ensure that your data is treated securely and in accordance with this Policy, regardless of where it is processed.
7. Data Retention
Section titled “7. Data Retention”We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The following table sets forth our standard retention periods by data type:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of active account + 30 days after account deletion request | Allows for account recovery within a grace period; permanently deleted after 30 days |
| Profile data | Duration of active account + 30 days after account deletion request | Deleted with account data |
| Content data (posts, comments, reactions) | Until the user deletes the content, or account deletion + 30 days | User-controlled; removed upon account deletion |
| Stories | 24 hours from time of creation (auto-deleted) | Ephemeral by design; automatically purged after 24 hours regardless of account status |
| Communication data (DMs, group messages) | Until the user deletes the message, or account deletion + 30 days | User-controlled deletion; messages are removed for the deleting user but may persist for other participants until they also delete or their account is deleted |
| Transaction data | 7 years from the date of the transaction | Required by U.S. federal tax law (IRS), accounting regulations, and financial compliance obligations |
| Wallet data | Duration of active account + 7 years after final transaction | Financial record-keeping and compliance |
| AI interaction data (prompts, outputs) | 90 days from the date of the interaction | Used for quality assurance, safety monitoring, and abuse detection; permanently deleted after 90 days |
| Usage and analytics data | 1 year in identifiable form; aggregated and anonymized thereafter | Identifiable data deleted after 1 year; aggregated statistical data retained indefinitely |
| Cookies and tracking data | Varies by cookie type (see Cookie Policy) | See our Cookie Policy for specific retention periods |
| OAuth tokens | Duration of active account or until revoked by user | Tokens are invalidated upon account deletion or user revocation |
| Security logs (IP addresses, access logs) | 1 year | Fraud detection, abuse prevention, and security incident investigation |
| Legal hold data | Duration of legal hold plus applicable statute of limitations | Data subject to legal holds is excluded from standard deletion schedules |
When personal data is no longer required, we securely delete or irreversibly anonymize it using industry-standard methods. Backup systems may retain encrypted copies for a limited additional period (not to exceed 30 days beyond the retention period) to support disaster recovery, after which they are permanently purged.
8. Your Rights Under the GDPR (EEA and UK Users)
Section titled “8. Your Rights Under the GDPR (EEA and UK Users)”If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR, respectively:
8.1 Right of Access (Art. 15)
Section titled “8.1 Right of Access (Art. 15)”You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to receive a copy of that data along with information about the purposes of processing, categories of data, recipients, retention periods, and your rights.
8.2 Right to Rectification (Art. 16)
Section titled “8.2 Right to Rectification (Art. 16)”You have the right to request that we correct any inaccurate personal data and complete any incomplete personal data concerning you.
8.3 Right to Erasure (“Right to Be Forgotten”) (Art. 17)
Section titled “8.3 Right to Erasure (“Right to Be Forgotten”) (Art. 17)”You have the right to request the deletion of your personal data where:
- The data is no longer necessary for the purposes for which it was collected;
- You withdraw consent (where consent was the legal basis) and no other legal basis applies;
- You object to the processing and there are no overriding legitimate grounds;
- The data has been unlawfully processed; or
- Deletion is required to comply with a legal obligation.
This right is not absolute. We may retain data where necessary for compliance with legal obligations, establishment or defense of legal claims, or where another exception under Art. 17(3) applies.
8.4 Right to Restriction of Processing (Art. 18)
Section titled “8.4 Right to Restriction of Processing (Art. 18)”You have the right to request restriction of processing where:
- You contest the accuracy of the data (for a period allowing us to verify accuracy);
- The processing is unlawful and you oppose erasure;
- We no longer need the data, but you require it for legal claims; or
- You have objected to processing pending verification of our legitimate grounds.
8.5 Right to Data Portability (Art. 20)
Section titled “8.5 Right to Data Portability (Art. 20)”You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.
8.6 Right to Object (Art. 21)
Section titled “8.6 Right to Object (Art. 21)”You have the right to object to the processing of your personal data where processing is based on our legitimate interests (Art. 6(1)(f)). Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
You have an absolute right to object to the processing of your personal data for direct marketing purposes at any time.
8.7 Right to Withdraw Consent (Art. 7(3))
Section titled “8.7 Right to Withdraw Consent (Art. 7(3))”Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You may withdraw consent by:
- Adjusting your account privacy and notification settings;
- Disabling specific features (e.g., AI features, promotional emails);
- Contacting us at the address listed in Section 15.
8.8 Right to Lodge a Complaint with a Supervisory Authority
Section titled “8.8 Right to Lodge a Complaint with a Supervisory Authority”If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
For UK residents, complaints may be directed to the Information Commissioner’s Office (ICO) at https://ico.org.uk.
8.9 How to Exercise Your Rights
Section titled “8.9 How to Exercise Your Rights”To exercise any of the rights above, please contact us:
- Email: [PRIVACY_EMAIL]
- In-Platform: Account Settings > Privacy > Data Rights Requests
- Mail: See Section 15
We will respond to your request within 30 days (or 72 hours for access requests to confirm receipt). If we need additional time due to the complexity or volume of requests, we will notify you of an extension of up to 60 additional days and explain the reasons for the delay.
We may request verification of your identity before fulfilling your request. We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
9. Your Rights Under the CCPA/CPRA (California Residents)
Section titled “9. Your Rights Under the CCPA/CPRA (California Residents)”If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
9.1 Right to Know
Section titled “9.1 Right to Know”You have the right to request that we disclose the following for the 12-month period preceding your request:
- The categories of personal information we collected about you;
- The specific pieces of personal information we collected about you;
- The categories of sources from which we collected your personal information;
- The business or commercial purposes for which we collected or sold your personal information;
- The categories of third parties with whom we shared your personal information.
9.2 Right to Delete
Section titled “9.2 Right to Delete”You have the right to request that we delete personal information we collected from you, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations, or exercising free speech).
9.3 Right to Correct
Section titled “9.3 Right to Correct”You have the right to request that we correct inaccurate personal information that we maintain about you.
9.4 Right to Opt-Out of Sale or Sharing
Section titled “9.4 Right to Opt-Out of Sale or Sharing”We do not sell your personal information, as defined under the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising.
If our data practices change in the future, we will update this Policy and provide a conspicuous “Do Not Sell or Share My Personal Information” link on our website and in-app settings.
9.5 Right to Limit Use of Sensitive Personal Information
Section titled “9.5 Right to Limit Use of Sensitive Personal Information”To the extent we collect sensitive personal information (as defined under the CPRA), including precise geolocation data or account login credentials, you have the right to limit our use and disclosure of such information to purposes necessary to perform the Services. We do not use sensitive personal information for purposes beyond what is necessary to provide the Services.
9.6 Right to Non-Discrimination
Section titled “9.6 Right to Non-Discrimination”We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not:
- Deny you the Services;
- Charge you different prices or rates;
- Provide you a different level or quality of the Services; or
- Suggest that you will receive a different price, rate, or quality of the Services.
9.7 How to Exercise Your Rights (California)
Section titled “9.7 How to Exercise Your Rights (California)”To submit a request to know, delete, or correct, please contact us:
- Email: [PRIVACY_EMAIL]
- In-Platform: Account Settings > Privacy > Data Rights Requests
- Mail: See Section 15
We will verify your identity before fulfilling your request by matching the information you provide with the information we maintain. We will respond within 45 days of receiving your verifiable request. If we need additional time, we will notify you of an extension of up to 45 additional days.
You may designate an authorized agent to submit requests on your behalf. We may require the authorized agent to provide written proof of authorization and may separately verify your identity.
9.8 California “Shine the Light” (Civil Code Section 1798.83)
Section titled “9.8 California “Shine the Light” (Civil Code Section 1798.83)”California residents may request information about personal data we disclosed to third parties for their direct marketing purposes during the preceding calendar year. We do not disclose personal data to third parties for their direct marketing purposes.
10. Cookies and Tracking Technologies
Section titled “10. Cookies and Tracking Technologies”We use cookies, web beacons, pixels, local storage, and similar tracking technologies to operate the Services, remember your preferences, authenticate your sessions, analyze usage, and improve performance.
For comprehensive information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please refer to our Cookie Policy.
You may manage your cookie preferences at any time through the cookie consent banner displayed on our website or by adjusting your browser settings. Note that disabling certain cookies may impair the functionality of the Services.
11. Children’s Privacy
Section titled “11. Children’s Privacy”The Services are intended for users who are 18 years of age or older. We do not knowingly collect, solicit, or process personal data from individuals under 18 years of age. We require all users to provide their date of birth during registration and verify that they meet the minimum age requirement.
If we become aware that we have collected personal data from an individual under 18 years of age, we will take prompt steps to:
- Delete the personal data from our systems;
- Terminate the associated account; and
- Notify any relevant supervisory authorities if required by applicable law.
If you are a parent or guardian and believe that your child under 18 has provided personal data to us, please contact us immediately at the address listed in Section 15 so that we can take appropriate action.
12. Security Measures
Section titled “12. Security Measures”We implement robust technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, destruction, and other forms of unlawful processing. These measures include, but are not limited to:
12.1 Encryption
Section titled “12.1 Encryption”- In Transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher).
- At Rest: Personal data stored in our databases is encrypted at rest using AES-256 encryption or equivalent industry-standard algorithms.
12.2 Access Controls
Section titled “12.2 Access Controls”- Role-based access controls (RBAC) limit employee and contractor access to personal data on a need-to-know basis.
- Multi-factor authentication (MFA) is required for all administrative access to systems containing personal data.
- Regular access reviews are conducted to ensure that permissions remain appropriate.
12.3 Database Security
Section titled “12.3 Database Security”- Supabase Row-Level Security (RLS): Our database infrastructure utilizes Supabase Row-Level Security policies to ensure that database queries return only data that the authenticated user is authorized to access. RLS policies are enforced at the database level, providing an additional layer of protection beyond application-level access controls.
12.4 Infrastructure Security
Section titled “12.4 Infrastructure Security”- DDoS protection and web application firewall (WAF) via Cloudflare.
- Regular vulnerability assessments and security audits.
- Secure software development lifecycle (SDLC) practices, including code reviews and dependency scanning.
- Incident response procedures and breach notification protocols in compliance with GDPR Art. 33-34 and applicable state breach notification laws.
12.5 Limitations
Section titled “12.5 Limitations”While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your personal data. In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authorities in accordance with applicable law.
13. Changes to This Policy
Section titled “13. Changes to This Policy”We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations.
Material Changes: For material changes to this Policy, we will provide at least 30 days’ prior notice before the changes take effect. Notice will be provided by:
- Posting the updated Policy on our website with a revised “Last Updated” date;
- Displaying a prominent notice within the Platform (e.g., a banner or modal notification);
- Sending an email notification to the address associated with your account.
Non-Material Changes: For minor, non-substantive changes (e.g., formatting, typographical corrections, clarifications that do not alter the meaning), we may update the Policy without prior notice.
Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you must discontinue your use of the Services and delete your account.
14. Additional Disclosures
Section titled “14. Additional Disclosures”14.1 Do Not Track Signals
Section titled “14.1 Do Not Track Signals”Some web browsers transmit “Do Not Track” (DNT) signals. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, we do not respond to DNT signals. We will update this Policy if and when a uniform standard is established.
14.2 Automated Decision-Making
Section titled “14.2 Automated Decision-Making”We may use automated decision-making processes, including AI-powered content moderation and fraud detection systems. These systems may make decisions that affect your access to certain features or content. You have the right to request human review of any automated decision that significantly affects you by contacting us at the address listed in Section 15.
For users in the EEA/UK, you have the right under GDPR Art. 22 not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for a contract, authorized by law, or based on your explicit consent.
14.3 Third-Party Links
Section titled “14.3 Third-Party Links”The Platform may contain links to third-party websites, services, or applications that are not operated by us. This Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service before providing your personal data.
15. Contact Us
Section titled “15. Contact Us”If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Controller: Mindhyv, LLC [STREET ADDRESS] [CITY, STATE ZIP CODE] United States
Data Protection Officer (DPO): [DPO NAME] Email: [DPO_EMAIL]
EU Representative (Art. 27 GDPR): [EU REPRESENTATIVE NAME] [EU REPRESENTATIVE ADDRESS] Email: [EU_REP_EMAIL]
UK Representative: [UK REPRESENTATIVE NAME] [UK REPRESENTATIVE ADDRESS] Email: [UK_REP_EMAIL]
General Privacy Inquiries: Email: [PRIVACY_EMAIL]
Mailing Address for Data Rights Requests: Mindhyv, LLC Attn: Privacy Team [STREET ADDRESS] [CITY, STATE ZIP CODE] United States
This Privacy Policy is provided for informational purposes and does not constitute legal advice. Consult with qualified legal counsel to ensure compliance with applicable laws in your jurisdiction.