MindHYVE.ai, Inc., a Nevada C corporation ("MindHYVE," "we," "us," or "our"), operates the TheoAI platform and its associated products, including the Theo consumer AI assistant, the Majlis institutional workspace, and the Mīzān financial-governance module (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use any of our Services, whether through our websites, applications, or APIs.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Services. If you are accessing the Services on behalf of an organization, you represent that you have the authority to bind that organization to this Privacy Policy.

Account information. When you create an account, we collect your name, email address, and a securely hashed password. If you sign in through a third-party provider (such as Google), we receive your name and email address from that provider. Institutional accounts provisioned through Majlis may include additional role-based attributes configured by your organization's administrator.

Conversation content. When you use Theo or other TheoAI products, the text of your prompts and the AI-generated responses are stored in our database to provide features you rely on, including conversation history, bookmarks, saved memories, and data export. This content is associated with your account and is accessible only to you (and, for institutional accounts, to your organization's administrators if audit logging is enabled).

Profile and preferences. During onboarding and through your account settings, you may provide additional information such as your preferred school of jurisprudence (madhhab), knowledge level, subject-matter interests, language preference, and demographic details. This information is used to personalize your experience and is stored in your user profile.

Billing information. If you subscribe to a paid tier, payment details (such as credit card number, billing address, and transaction history) are collected and processed by our payment processor, Stripe, Inc. We do not store full payment card numbers on our servers; we retain only a tokenized reference, last four digits, and card expiration date for record-keeping purposes.

Usage analytics. On our marketing website, we collect anonymized, aggregated usage data through Plausible Analytics, a privacy-focused, cookie-free analytics service. Plausible does not track individual users and does not use cookies or persistent identifiers. Within the TheoAI product, we collect first-party usage events — such as page views, feature interactions, and session metadata — to understand how the Services are used and to improve reliability. These product analytics do not include conversation content.

Anonymous sessions. When you use our Services without creating an account, we assign a randomly generated session identifier to your browser. This session identifier is stored locally on your device and is used to provide continuity during your visit, enforce usage limits, and improve our Services. During anonymous sessions, we may also collect device type, approximate geographic location (country level), referring website URL, and marketing campaign identifiers. This anonymous session data is automatically deleted after 90 days of inactivity. No personally identifiable information is collected during anonymous sessions, and session identifiers cannot be used to identify you personally.

Conversation metadata. We collect metadata about your interactions with the Services, such as session timestamps, the number of queries per session, the product module accessed, the AI model used, token counts, and response latency metrics. This metadata is used for service delivery, capacity planning, and reliability monitoring.

Your conversations are stored to power features you use — not to train AI models. As described in Section 2, we store the text of your prompts and the AI-generated responses in our database so that you can access conversation history, bookmarks, saved memories, and data export. This content is encrypted at rest and is accessible only through your authenticated account.

We do not:

• Use any conversation content — including prompts, responses, or interaction patterns — to train, fine-tune, or improve any machine-learning model, whether ours or any third party's;
• Sell, license, or share conversation content with third parties for their own commercial, marketing, or advertising purposes;
• Use conversation content to build user profiles for advertising or to target you with ads;
• Provide conversation content to any third party, except (a) to the AI service providers identified in Section 6, which process prompts transiently to generate responses, or (b) where required by a valid court order or other compulsory legal process, in which case we will notify you to the extent permitted by law.

You control your data. You may view, export, or delete your conversation history at any time through your account settings. When you delete your account, your conversation content is permanently removed from our systems after a retention period described in Section 5.

Institutional Majlis deployments may optionally enable organization-controlled audit logging, in which case the institution — not MindHYVE — acts as the data controller for that logged content. Any such logging is configured and governed by the institution's own data-retention policies and is documented in the applicable institutional agreement.

We use the information we collect for the following purposes:

• Authentication and access control: To verify your identity, manage session tokens, enforce role-based access in Majlis, and protect against unauthorized access.
• Service delivery: To route your requests to the appropriate product module, deliver EBO responses, and maintain service availability and performance.
• Billing and subscription management: To process payments through Stripe, manage subscription tiers, issue invoices, handle refunds, and prevent billing fraud.
• Analytics and service improvement: To understand how the Services are used in aggregate — through Plausible Analytics on our marketing site and through first-party product analytics within the application — to identify performance bottlenecks and prioritize feature development. These analytics do not include conversation content.
• Communications: To send you transactional messages (such as account verification, password resets, billing receipts, and service-status notifications). We will not send marketing communications unless you have opted in, and you may unsubscribe at any time.
• Legal compliance: To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Service.

Legal basis for processing (EEA/UK users). Where the General Data Protection Regulation applies, our legal bases for processing are: contractual necessity (account management, service delivery, billing, and conversation storage for features you use); legitimate interest (analytics, service improvement, security, and fraud prevention); consent (marketing communications and optional profile information); and legal obligation (tax records, regulatory compliance, and law-enforcement requests).

All data processed by the Services is hosted on Microsoft Azure infrastructure. We employ industry-standard security measures to protect your information, including:

• Encryption at rest: All stored data, including account information and billing tokens, is encrypted using AES-256 encryption at the storage layer.
• Encryption in transit: All data transmitted between your device and our servers, and between our internal services, is encrypted using TLS 1.2 or higher.
• Multi-tenant isolation: Institutional Majlis workspaces are logically isolated at the data layer. One institution's data is never accessible to another institution or to consumer Theo users.
• Access controls: Internal access to production systems is restricted to authorized personnel, protected by multi-factor authentication, and logged for audit purposes.
• Incident response: We maintain an incident-response plan and will notify affected users and applicable regulatory authorities of a qualifying data breach in accordance with applicable law.

Data retention. If you delete your account, your personal information is anonymized immediately and your access is revoked. Conversation content, messages, and associated records are retained for up to ninety (90) days following account deletion to support account-recovery requests and to comply with legal obligations, after which they are permanently deleted from our systems.

Data controller. For consumer Theo users, MindHYVE acts as the data controller for personal information processed through the Services. For institutional Majlis deployments, the institution is typically the data controller and MindHYVE acts as the data processor, as documented in the applicable institutional agreement or Data Processing Agreement.

No system is perfectly secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security, and we disclaim liability for breaches resulting from circumstances beyond our reasonable control.

We engage the following categories of third-party service providers to operate the Services:

• AI processing: Anthropic processes user prompts to generate AI responses on our behalf. Prompts are transmitted to Anthropic's inference API transiently for response generation and are subject to Anthropic's data-processing terms. Under our agreement with Anthropic, your prompts are not used for model training.
• Microsoft Azure AI and infrastructure services: We use Azure OpenAI Service for text embeddings, Azure AI Search for corpus retrieval, Azure Speech Services for text-to-speech audio, and Azure Communication Services for transactional email. These services process data transiently as part of delivering the Services and are governed by Microsoft's data-protection agreements.
• Authentication: We provide direct email-based authentication managed by our own systems. Users may also sign in with Google, which shares your name and email address with us during the sign-in process. Google does not receive your conversation content or usage data from us.
• Payment processing: Stripe, Inc. processes all payment transactions. Your payment card data is submitted directly to Stripe and is subject to Stripe's privacy policy and PCI DSS compliance. MindHYVE does not receive or store your full card number.
• Analytics: Plausible Analytics provides privacy-focused, cookie-free analytics on our marketing website. Plausible does not collect personal data, does not use cookies, and does not track users across sites. All Plausible analytics data is aggregated and anonymous.
• Performance monitoring: Microsoft Application Insights collects performance telemetry and error diagnostics to maintain service reliability. This telemetry does not include conversation content.

We do not sell, rent, lease, or trade your personal information to any third party. We do not share your personal information with third parties for their own marketing or advertising purposes. We disclose personal information to third-party service providers only to the extent necessary to operate the Services and only under written agreements that require those providers to protect the information.

We will notify institutional customers with active Data Processing Agreements at least thirty (30) days before engaging a new sub-processor that processes personal data, providing an opportunity to object.

We do not use cookies for analytics, advertising, or cross-site tracking. Plausible Analytics operates without cookies and does not generate persistent identifiers. There are no third-party tracking pixels, advertising cookies, or cross-site tracking mechanisms on our websites or applications.

Authentication cookies. We use HTTP-only cookies (theoai_access and theoai_refresh) to maintain your authenticated session. These cookies are strictly functional — they keep you logged in and are not used for analytics, advertising, or cross-site tracking. They are scoped to our domain and are transmitted only over encrypted connections.

We use browser localStorage to persist user preferences on your device, such as your selected interface language, theme, and session identifiers for anonymous usage. Some localStorage data, such as session identifiers, may be included in the first-party product analytics described in Section 2, but is never shared with third parties or used for advertising. All localStorage data can be cleared at any time through your browser settings.

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at privacy@mindhyve.ai. Upon verification, we will promptly delete such information from our systems.

For users between the ages of 13 and 18, we recommend that a parent or guardian review this Privacy Policy and supervise the minor's use of the Services.

Depending on your jurisdiction, you may have certain rights regarding your personal information, including:

• Right of access: You may request a copy of the personal information we hold about you.
• Right to correction: You may request that we correct inaccurate or incomplete personal information.
• Right to deletion: You may request that we delete your personal information, subject to our legal obligations and legitimate business needs (such as fraud prevention and regulatory record-keeping).
• Right to data portability: Where technically feasible, you may request that we provide your personal information in a structured, commonly used, machine-readable format.
• Right to object: You may object to certain processing activities where we rely on legitimate interests as the legal basis.
• Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at privacy@mindhyve.ai. We will respond to your request within thirty (30) days, or within the timeframe required by applicable law. We may ask you to verify your identity before processing your request.

California residents. If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

• Right to know: You have the right to request the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom it is shared.
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions permitted by law.
• Right to opt out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Non-discrimination: We will not discriminate against you for exercising your privacy rights under California law.

To exercise these rights, contact us at privacy@mindhyve.ai. We will verify your identity before processing your request.

The Services are hosted on Microsoft Azure's global cloud infrastructure. Your information may be processed in data centers located in the United States or in other regions where Azure operates, depending on service availability and performance optimization. By using the Services, you consent to the transfer of your information to jurisdictions that may have data-protection laws different from those of your country of residence.

Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a jurisdiction that has not received an adequacy determination, we rely on appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, to ensure that your information receives an adequate level of protection.

Institutional customers may negotiate data-residency requirements as part of their Majlis enterprise agreements. Please contact us for details on available data-residency options.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will update the "Effective" date at the top of this page and post the revised policy on our website. For material changes that significantly affect how we process your personal information, we will make reasonable efforts to provide advance notice through the Services or via the email address associated with your account.

Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

MindHYVE.ai, Inc.
A Nevada C corporation
1501 Quail St, Suite 130
Newport Beach, CA 92660
General: hello@mindhyve.ai
Privacy: privacy@mindhyve.ai

We will endeavor to respond to all inquiries within thirty (30) days.