Privacy Policy
Effective Date: April 9, 2026
Last Updated: April 9, 2026
1. Introduction
This Privacy Policy describes how Mindhyv, LLC ("Mindhyv," "we," "us," or "our"), the data controller operating the Honeycomb platform, collects, uses, discloses, and protects your personal information. This Policy applies to our website, mobile applications, APIs, and all related services (collectively, the "Services").
This Policy applies globally, including to users in the European Economic Area (EEA), the United Kingdom (UK), California, and all other jurisdictions where the Services are available. By using our Services, you acknowledge that you have read and understood this Policy.
2. Data We Collect
We collect the following categories of personal data when you use our Services:
2.1 Account Data
- Email address
- Password (stored as a hashed value; never stored in plaintext)
- Phone number
- Date of birth
- Account creation timestamp
- Account status (active, suspended, deleted)
2.2 Profile Data
- Display name and legal name
- Gender
- Location (city/region, if provided)
- Biography
- Avatar and cover photo
- Profile links (website, social handles)
- Language preferences
2.3 Content Data
- Posts, stories, comments, and reactions you create
- Media uploads (images, videos), including any embedded EXIF metadata
- Content you save, share, or repost
2.4 Communication Data
- Direct messages and group messages
- Read receipts
- Lists of blocked and muted users
- Content you have reported
2.5 Transaction Data
- Stripe customer ID
- Payment method type and last four digits
- Transaction amounts and timestamps
- Billing address
- Purchase history
- Wallet balance and payout information
- Refund records
- Tax identifiers (where applicable)
2.6 Usage Data
- IP address
- Device type, operating system, and browser
- Device identifiers
- Pages accessed and clickstream data
- Search queries and interaction data
- Notification interactions
- Session duration
- Geolocation derived from IP address; precise location only with your explicit permission
- Crash logs and diagnostic data
2.7 AI Interaction Data
- Prompts you submit to AI-powered features
- AI-generated outputs returned to you
- Feature usage context (which tool or feature was used)
- Feedback you provide on AI outputs
2.8 Third-Party OAuth Data
If you connect a third-party account to sign in or link your profile, we may receive limited data from that provider. We request only the minimum scopes necessary and do not access your contacts or friend lists without explicit authorization. Supported providers include:
- Apple
- Twitter (X)
- Discord
- TikTok
- VK
- Telegram
- Microsoft
- GitHub
2.9 Cookies and Similar Technologies
We use cookies, web beacons, pixels, and local storage. Please refer to our Cookie Policy for full details on the types of cookies we use and how to manage your preferences.
3. How We Use Your Data
3.1 Service Operation and Delivery
Account creation and maintenance, authentication, profile display, content creation and delivery, messaging and stories, social commerce features, transaction processing, and search and discovery.
3.2 Personalization
Feed personalization, account and creator suggestions, content recommendations, and language or locale customization based on your preferences and behavior.
3.3 Payments and Financial Services
Processing payments and payouts, maintaining your wallet, ensuring tax compliance, and detecting fraudulent financial activity.
3.4 Communications
Sending transactional notifications (e.g., receipts, security alerts), service announcements, and promotional communications (where you have opted in).
3.5 Analytics and Improvement
Analyzing usage trends, conducting A/B testing, measuring feature effectiveness, and identifying and fixing bugs to improve the Services.
3.6 AI Features
Processing your prompts and generating AI outputs, improving AI quality and safety, monitoring for misuse, and collecting aggregated or anonymized data to refine our AI models.
3.7 Fraud Prevention and Safety
Detecting and preventing fraud, abuse, and spam; enforcing our Terms of Service and Community Guidelines; protecting user safety; and removing accounts held by minors.
3.8 Legal Compliance
Complying with applicable laws and regulations, responding to legal processes, establishing or defending legal claims, and fulfilling tax and accounting obligations.
4. Legal Bases for Processing (GDPR)
For users in the EEA and UK, we rely on the following legal bases under the GDPR:
Performance of Contract (Art. 6(1)(b))
- Account creation and authentication
- Profile display and content operations
- Messaging and stories delivery
- Payment and transaction processing
- Transactional notifications
- Third-party OAuth authentication
Legal Obligation (Art. 6(1)(c))
- Transaction record retention
- Tax compliance reporting
- Responding to law enforcement requests
Consent (Art. 6(1)(a))
- Promotional and marketing communications
- Non-essential cookies and tracking technologies
- Precise geolocation data
Legitimate Interest (Art. 6(1)(f))
- Feed personalization and content recommendations
- Analytics and product improvement
- AI quality improvement and safety monitoring
- Fraud prevention and abuse detection
- Age verification
- Establishing or defending legal claims
- Essential cookies and session tracking
Where processing is based on consent, you may withdraw your consent at any time via your account settings or by contacting us at [email protected]. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
5. How We Share Your Data
We do not sell your personal data. We share your information only in the circumstances described below.
5.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process data on our behalf under contractual obligations to use it only for specified purposes and to maintain appropriate security measures:
- Supabase, Inc. — Database hosting, authentication, and real-time infrastructure. Receives account, profile, content, communication, usage, and AI interaction data, as well as session tokens and Row-Level Security policies.
- Stripe, Inc. — Payment processing, subscriptions, payouts, fraud detection, and tax reporting. Receives name, email, billing address, payment details, transaction amounts, Stripe customer ID, and wallet or payout data.
- OpenAI, Inc. — AI feature processing. Receives AI prompts, input context, and selected content for the purpose of generating AI outputs.
- Cloudflare, Inc. — Hosting, CDN, DDoS protection, and DNS. Receives IP addresses, HTTP headers, traffic metadata, and cached static assets for content delivery, optimization, and security.
5.2 Law Enforcement and Legal Requests
We may disclose your data where required by law, to protect the rights and safety of users or the public, to detect or prevent fraud, or to enforce our agreements. Where permitted by law, we will provide prior notice of such disclosures.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or asset sale, your data may be transferred to the successor entity. We will provide notice and choice options as required by applicable law.
5.4 With Your Consent
We share your data with third parties when you explicitly consent, such as when you make content public, authorize a third-party integration, or participate in a promotion or contest.
5.5 Aggregated and De-identified Data
We may share aggregated or anonymized data that cannot reasonably be used to identify you for analytics, research, and marketing purposes.
6. International Data Transfers
Mindhyv is based in the United States. If you access our Services from outside the United States, your data may be transferred to and processed in the US or other countries that may have different data protection standards than your home country.
6.1 Transfers from the EEA and UK
For transfers of personal data from the EEA or UK, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914
- Adequacy decisions issued by the European Commission or UK Secretary of State, where applicable
- EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework, where we are certified and these apply
6.2 Your Acknowledgment
By using our Services, you acknowledge that your data will be processed in the United States and potentially other jurisdictions, subject to reasonable security measures regardless of your location.
7. Data Retention
We retain your data only for as long as necessary for the purposes described in this Policy, or as required by law. Retention periods by data type:
- Account data: Duration of account plus 30 days after deletion (recovery grace period); permanently deleted after 30 days.
- Profile data: Duration of account plus 30 days; deleted with account.
- Content (posts, comments, reactions): Until deleted by user or account deletion plus 30 days.
- Stories: 24 hours from creation (auto-deleted; ephemeral by design).
- Communication data (DMs, group messages): Until deleted by user or account deletion plus 30 days; persists for other participants until they delete.
- Transaction data: 7 years from the transaction date, in compliance with US federal tax law (IRS) and financial regulations.
- Wallet data: Duration of account plus 7 years after final transaction for financial record-keeping and compliance.
- AI interaction data: 90 days from the interaction date for quality assurance, safety monitoring, and abuse detection; then permanently deleted.
- Usage and analytics data: 1 year in identifiable form; then aggregated or anonymized and retained indefinitely.
- Cookies and tracking data: Varies by cookie type; see our Cookie Policy.
- OAuth tokens: Duration of account or until revoked; invalidated upon account deletion or user revocation.
- Security logs (IP and access logs): 1 year for fraud detection, abuse prevention, and incident investigation.
- Legal hold data: Duration of the legal hold plus applicable statute of limitations; excluded from standard deletion schedules.
Data is deleted using industry-standard secure deletion methods. Backup systems may retain encrypted copies for up to 30 days beyond the applicable retention period, after which they are permanently purged.
8. Your Rights Under the GDPR (EEA and UK Users)
If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR) and applicable UK data protection law:
8.1 Right of Access (Art. 15)
Obtain confirmation of whether we process your data and receive a copy of it, along with information about processing purposes, retention periods, recipients, and your rights.
8.2 Right to Rectification (Art. 16)
Request correction of inaccurate personal data or completion of incomplete data we hold about you.
8.3 Right to Erasure / Right to Be Forgotten (Art. 17)
Request deletion of your personal data where it is no longer necessary, where you have withdrawn consent, where you have objected to processing, where the data was unlawfully processed, or where deletion is legally required. This right is not absolute and is subject to exceptions for legal obligations, establishment or defense of legal claims, and other grounds under Art. 17(3).
8.4 Right to Restriction of Processing (Art. 18)
Request that we restrict processing of your data where you contest its accuracy, where processing is unlawful but you oppose erasure, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of our legitimate grounds.
8.5 Right to Data Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
8.6 Right to Object (Art. 21)
Object to processing of your data based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims. You have an absolute right to object to processing for direct marketing purposes.
8.7 Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time via your account settings or by contacting us at [email protected]. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
8.8 Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the data protection supervisory authority in your habitual place of residence, place of work, or place of the alleged infringement. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.
8.9 How to Exercise Your Rights
You may exercise any of the above rights by:
- Emailing [email protected]
- Using the in-platform tool: Account Settings > Privacy > Data Rights Requests
- Mailing our Privacy Team at the address listed in Section 15
We will confirm receipt of your request within 72 hours and respond within 30 days. For complex or numerous requests, we may extend the response period by up to 60 additional days and will explain the reason for the extension. We may request verification of your identity before processing your request. We do not charge a fee unless a request is manifestly unfounded or excessive.
9. Your Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
9.1 Right to Know
Request disclosure for the preceding 12 months of: the categories and specific pieces of personal information we collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we shared your information.
9.2 Right to Delete
Request deletion of personal information we have collected about you, subject to exceptions such as completing a transaction, detecting security incidents, complying with legal obligations, or exercising free speech.
9.3 Right to Correct
Request correction of inaccurate personal information that we maintain about you.
9.4 Right to Opt-Out of Sale or Sharing
We do not sell your personal information as defined by the CCPA/CPRA, and we do not share it for cross-context behavioral advertising. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link as required.
9.5 Right to Limit Use of Sensitive Personal Information
Request that we limit the use and disclosure of sensitive personal information (such as precise geolocation and login credentials) to purposes necessary to provide the Services. We do not use sensitive personal information beyond what is necessary for our Services.
9.6 Right to Non-Discrimination
We will not deny you services, charge different prices, provide a different quality of service, or suggest that you will receive different treatment for exercising your CCPA/CPRA rights.
9.7 How to Exercise Your Rights (California Residents)
You may exercise any of the above rights by:
- Emailing [email protected]
- Using the in-platform tool: Account Settings > Privacy > Data Rights Requests
- Mailing our Privacy Team at the address listed in Section 15
We will respond within 45 days; we may extend the response period by up to 45 additional days with notice. We will verify your identity by matching information you provide against our records. You may designate an authorized agent to submit requests on your behalf with proof of written authorization and separate verification of your identity.
9.8 California "Shine the Light" (Civil Code § 1798.83)
We do not disclose personal information to third parties for their own direct marketing purposes.
10. Cookies and Tracking Technologies
We use cookies, web beacons, pixels, and local storage to operate the Services, remember your preferences, authenticate sessions, analyze usage, and improve performance. For comprehensive details on the types of cookies we use, how long they persist, and how to manage your preferences, please review our Cookie Policy.
You may manage your cookie preferences via the cookie consent banner displayed when you first visit the Services, or through your browser settings. Please note that disabling certain cookies may impair the functionality of the Services.
11. Children's Privacy
Our Services are intended solely for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under the age of 18. We verify compliance with this age requirement during the registration process.
If we discover that we have collected personal information from a person under 18, we will promptly delete that data, terminate the associated account, and notify the appropriate authorities where required by law. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected] or via the address in Section 15.
12. Security Measures
We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction.
12.1 Encryption
- In Transit: TLS 1.2 or higher for all data transmitted between your device and our servers.
- At Rest: AES-256 or equivalent encryption for personal data stored in our databases.
12.2 Access Controls
Role-based access controls (RBAC) limit employee and contractor access to personal data on a strict need-to-know basis. Multi-factor authentication (MFA) is required for all administrative system access. We conduct regular access reviews to ensure permissions remain appropriate.
12.3 Database Security
Supabase Row-Level Security (RLS) policies are enforced at the database level to ensure that queries return only data the authenticated user is authorized to access, providing protection beyond application-level access controls.
12.4 Infrastructure Security
- DDoS protection and web application firewall (WAF) via Cloudflare
- Regular vulnerability assessments and security audits
- Secure software development lifecycle practices including code reviews and dependency scanning
- Incident response procedures and breach notification protocols in compliance with GDPR Art. 33–34 and applicable state breach notification laws
12.5 Limitations
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' prior notice by updating the policy with a revised effective date, posting a prominent notice on the platform, and sending an email to the address associated with your account.
For non-material changes, we may update the policy without individual notice. Your continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree with the changes, you must discontinue use of the Services and delete your account before the effective date.
14. Additional Disclosures
14.1 Do Not Track Signals
There is currently no universally accepted standard for responding to Do Not Track (DNT) signals. We do not currently respond to DNT signals from browsers. We will update this Policy if a uniform standard is established and we adopt a response mechanism.
14.2 Automated Decision-Making
We use automated decision-making in certain contexts, including AI-powered content moderation and fraud detection, which may affect your access to features or content. You have the right to request human review of any automated decision that significantly affects you by contacting us at [email protected].
For EEA and UK users, GDPR Art. 22 applies to decisions based solely on automated processing that produce legal or similarly significant effects, except where the decision is necessary for a contract, authorized by law, or based on your explicit consent.
14.3 Third-Party Links
Our Services may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services before providing them with your personal information.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Controller
Mindhyv, LLC
2020 Fieldstone Pkwy Ste 900-77
Franklin, TN 37069, USA
Email: [email protected]
Data Protection Officer (DPO)
Email: [email protected]
Attn: Data Protection Officer
EU Representative (Art. 27 GDPR)
For EEA-based inquiries regarding our GDPR obligations, please contact us at:
Email: [email protected]
Attn: EU Representative
UK Representative
For UK-based inquiries regarding our UK GDPR obligations, please contact us at:
Email: [email protected]
Attn: UK Representative
Mailing Address for Data Rights Requests
Mindhyv, LLC
Attn: Privacy Team
2020 Fieldstone Pkwy Ste 900-77
Franklin, TN 37069, USA
For general support inquiries unrelated to privacy, please contact us at [email protected].