Privacy policy
1. Controller and Contact Information
This Privacy Policy explains how Mindroom.rocks, Inc., 16 Dupont St., Apt 24E, Brooklyn, New York, NY 11222, United States (“Company”, “we”, “us”, “our”) processes personal data when users access and use the mobile application MAIND and related services (collectively, the “Services”).
The mobile application MAIND is operated by Mindroom.rocks, Inc., which acts as the data controller within the meaning of applicable data protection laws.
Contact: support@mindroom.rocks
1.1. EU Representative (Article 27 GDPR)
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Mindroom.rocks, Inc. has appointed a representative within the European Union. The EU representative acts as a contact point for data subjects and supervisory authorities in the European Union with regard to data protection matters.
The EU representative can be contacted at:
[Name of EU Representative]
[Street Address]
[Postal Code, City]
[Country]
[Email Address]
2. Scope of This Privacy Policy
This Privacy Policy applies when you:
download or use the MAIND mobile application,
visit our websites or landing pages related to the Services (including one-page marketing sites),
create an account or use the app without an account,
use meditation, breathing, journaling, visualization, or AI-based features,
connect wearable devices,
access third-party shops or affiliate links,
communicate with us or receive notifications.
Certain processing is necessary to provide the Services (e.g., account identifiers and essential technical data). Other features are optional, such as wearable-based measurements. Advertising measurement (e.g., cookies/pixels) may be used on our websites or landing pages (where applicable) to measure campaign performance; we do not use the Meta Pixel or the Meta SDK (App Events) within the MAIND app for advertising tracking.
2.1 Subliminal Content Notice
The Services may include “subliminal” audio or video content that contains affirmations presented at low volume or rapid visual speed and may not be consciously perceivable at normal settings. Such content is provided for informational and well-being purposes only and is not medical or therapeutic treatment.
3. Categories of Personal Data We Process
3.1 Data You Provide Voluntarily
name or username
email address
account credentials
user-generated content (e.g. journal entries, goals, prompts)
text or voice inputs submitted to the AI feature (if used)
subscription status and entitlement information received from app stores (e.g., active subscription state)
communications with support
3.2 Data Collected Automatically
IP address
device identifiers
operating system and app version
language settings
usage logs, timestamps, crash reports
approximate location derived from IP address (where applicable)
analytics identifiers (e.g., SDK identifiers)
advertising and campaign measurement data (e.g., aggregated campaign performance reports received from advertising platforms, and website cookie/pixel event data on our websites or landing pages, where enabled and where permitted by law)
3.3 Administrative Access (Admin Panel)
We maintain an administrative panel to operate, maintain, and support the Services. Authorized personnel may access user account information and user-generated content (e.g., journal entries, vision board content, uploaded images, and related inputs), as well as usage history (e.g., which meditations, breathing exercises, or subliminals were used and when). Where wearable-based features are enabled, authorized personnel may also access health-related measurements (e.g., HRV and session-related sensor data) for support, troubleshooting, safety, compliance, or to maintain the integrity of the Services.
We do not routinely review user-generated content for its substance. Access is limited to authorized personnel on a need-to-know basis and is subject to appropriate security controls. We may access, modify, or delete user-generated content, account data, and (where applicable) health-related measurements (i) at your request, (ii) to correct technical errors, (iii) to enforce our policies, or (iv) to comply with legal obligations.
4. Health Data and Special Categories of Data
4.1 Nature of Health Data
When you activate wearable-based features, we process health-related data, including but not limited to:
heart rate
heart rate variability (HRV)
activity-related metrics
session-related meditation or breathing data
physiological sensor measurements collected during meditation or breathing sessions (where enabled)
Such data qualifies as special category personal data (health data) under Article 9 GDPR. Health data is stored and processed in accordance with Section 10 (Cloud Infrastructure and Data Storage).
4.2 Legal Basis for Health Data Processing
Health data is processed only with your explicit consent, which is obtained before any wearable-based measurement is activated.
You may withdraw your consent at any time via the app settings. Withdrawal does not affect processing already carried out.
5. Wearable Devices and APIs
The Services may connect to wearable devices such as Apple Watch, Samsung Galaxy Watch, and Polar devices.
Wearable data is processed solely to display insights and feedback within the app. We do not share health data with wearable device manufacturers (e.g., Apple, Samsung, Polar) for their own purposes. Health data may be processed by our service providers acting on our behalf (e.g., cloud hosting) under contractual confidentiality and security obligations, and may be disclosed if required to comply with law. Data access is limited to the minimum scope required for functionality. You can also manage or revoke device-level permissions via your device operating system settings (iOS/Android).
6. AI Processing and Recommendations
6.1 AI Functionality
The Services use artificial intelligence to analyze user inputs and app usage in order to:
recommend app features (e.g. meditations or breathing exercises),
suggest general well-being content,
display informational references or third-party resources.
The AI does not provide medical advice, diagnoses, or treatment.
6.2 Data Used for AI Processing
AI processing may involve:
user text or voice inputs,
selected app features and preferences,
anonymized or aggregated usage data,
technical metadata.
User inputs may be stored temporarily to operate the AI features, prevent abuse, and ensure system quality.
Please do not include sensitive medical or health information in your AI prompts. If you choose to do so, you do so at your own discretion.
6.3 Independence from Health Data
AI-based features can be used independently of wearable devices and do not require the processing of health data unless the user explicitly enables wearable-based measurements.
6.4 AI Transparency (EU AI Act)
Our AI-based features are designed to support user experience and well-being. They do not produce legal or similarly significant effects within the meaning of Article 22 GDPR.
The AI systems implemented in the Services fall into the category of limited-risk AI systems under the EU Artificial Intelligence Act and are subject to applicable transparency obligations.
6.5 AI-Generated Audio and Voice Services (e.g., ElevenLabs)
We may use third-party voice generation or audio production services (such as ElevenLabs) to create pre-recorded guided meditation audio content. We do not send users’ personal data (including user prompts or health data) to these providers for voice generation.
7. Nutritional Supplements and Affiliate Links
Affiliate links may be displayed both within AI-generated recommendations and directly within the app interface, including the home screen. When users interact with such links, they are redirected to third-party partner shops.
7.1 Informational Nature
Information about nutritional supplements is provided for informational purposes only and does not constitute medical advice. We do not guarantee effectiveness, suitability, or safety of any product.
7.2 Affiliate Disclosure
Some links are affiliate links. If you purchase a product through such a link, we may receive a commission. This does not increase the price you pay.
7.3 Third-Party Content
Third-party shops, products, and studies are operated independently. We do not control and are not responsible for their content, practices, or compliance with applicable laws. These third parties may collect personal data from you and use their own cookies or similar technologies when you visit their services; their practices are governed by their own privacy policies.
8. Cookies and Tracking Technologies
We may use cookies or similar technologies (including SDKs and mobile identifiers) to ensure functionality, security, analytics, and affiliate attribution.
Within the MAIND app, we use only necessary SDKs for functionality, security, and stability (e.g., crash reporting). We do not use the Meta Pixel in the app and do not integrate the Meta SDK (App Events) in the app for advertising tracking.
8.1 Meta (Facebook/Instagram) Advertising and Measurement (Outside the App)
We run advertising campaigns on Facebook and Instagram to direct users to the Apple App Store or Google Play Store. Meta processes information about ad interactions as an independent controller under its own policies. We generally receive only aggregated campaign performance reports (e.g., reach, clicks, installs/attribution in summarized form), where such reports are provided by the advertising platform.
8.3 EEA/UK (including Germany): Consent for Tracking Technologies
In the European Economic Area and the United Kingdom, the use of non-essential cookies, pixels, and similar technologies on our websites or landing pages generally requires your consent under ePrivacy rules and applicable national laws (e.g., Germany’s TDDDG (formerly TTDSG)). Where required, we will request your consent before placing or accessing such technologies on your device. You can withdraw your consent at any time via the consent/cookie settings on our websites or landing pages (where available).
8.4 Affiliate Tracking
Affiliate tracking may involve the transfer of technical identifiers (e.g., timestamps, device type) to enable attribution. This typically occurs when you click an affiliate link and visit a partner shop. We do not share directly identifying personal data with affiliate partners for attribution; however, partner shops may collect personal data directly from you under their own privacy policies.
9. Payments
Payments and subscriptions are processed exclusively through the Apple App Store and Google Play Store. We do not store payment card information. We may receive limited purchase-related information from the app stores (e.g., subscription status and entitlement information) to provide access to subscription features.
10. Cloud Infrastructure and Data Storage
Data is stored and processed using Google Cloud Platform as a data processor.
Data may be processed in the United States and the European Union. Where required, appropriate safeguards such as Standard Contractual Clauses are implemented. You can request additional information about these safeguards, including a copy of the relevant Standard Contractual Clauses, by contacting us at support@mindroom.rocks.
11. How We Share Personal Data
We may share personal data with:
• Service providers (e.g., cloud hosting, content delivery, customer support, security, and analytics) who process data on our behalf under contractual confidentiality and security obligations;
• Advertising and social media platforms (e.g., Meta) through which we run app-install campaigns: these platforms process data about ad interactions as independent controllers under their own privacy policies. We generally receive only aggregated campaign performance reports (e.g., reach, clicks, installs/attribution in summarized form), where such reports are provided by the platform. Where we use pixels/cookies on our websites or landing pages, we may also receive associated event-level reporting/insights via the platform’s business tools, subject to applicable law;
• Business transaction counterparties (e.g., in connection with a merger, acquisition, financing, reorganization, or sale of assets), where personal data may be disclosed as part of such transaction, subject to appropriate safeguards;
• Affiliate and partner shops when you click on external product links (in which case the third party may collect data directly from you under its own policies);
• Authorities, regulators, or other third parties where we believe disclosure is necessary to comply with law, protect rights and safety, investigate fraud or security incidents, or enforce our terms.
We do not sell personal data. We may share personal data in connection with targeted advertising on our websites or landing pages (e.g., through pixels/cookies), where permitted by law. Depending on your U.S. state of residence, you may have the right to opt out of certain processing such as targeted advertising (see “United States Privacy Rights” below).
12. Legal Bases for Processing (EU/UK)
We process personal data based on:
• consent (Art. 6 (1)(a), Art. 9 (2)(a) GDPR),
• contract performance (Art. 6 (1)(b) GDPR),
• legal obligations (Art. 6 (1)(c) GDPR),
• legitimate interests (Art. 6 (1)(f) GDPR), where applicable.
Where we use advertising measurement, attribution, and (where enabled) targeted advertising in the EEA/UK in connection with our websites or landing pages (e.g., cookies/pixels), we rely on your consent (Art. 6(1)(a) GDPR) and, where applicable, your consent under ePrivacy rules for accessing or storing information on your device.
Where we rely on legitimate interests (Art. 6(1)(f) GDPR), our interests include ensuring the security of the Services, preventing fraud/abuse, and improving and maintaining the Services. You can object to processing based on legitimate interests as described in Section 14.
13. Data Retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain security, comply with legal obligations, and resolve disputes.
Retention depends on the data category and context, including:
• Account data (e.g., email address, account identifiers, subscription/entitlement status): retained for the life of the account and deleted after account deletion, unless a longer retention is required by law or for legal claims.
• User-generated content (e.g., journal entries, vision board content, uploaded images/quotes): retained until you delete it or delete your account, unless retention is required by law or for legal claims.
• Health data (e.g., HRV/heart rate and session-related sensor data, where enabled): retained as needed to provide the wearable-based features and deleted or anonymized when no longer needed or upon account deletion, unless retention is legally required.
• Security and audit logs (including administrative access logs): retained for a limited period necessary for security, troubleshooting, and abuse/fraud prevention (typically [90] days), unless longer retention is required for legal claims.
• Website cookie/pixel event data (where used on our websites or landing pages): retained in accordance with our configured retention settings and applicable law; you can withdraw consent and manage preferences via the consent/cookie settings on our websites or landing pages (where available).
14. Your Rights
Depending on your location, you may have rights to:
• access your personal data,
• correct inaccurate data,
• delete data,
• restrict or object to processing,
• data portability,
• withdraw consent,
• lodge complaints with supervisory authorities.
If you are in the EEA/UK, you have the right to object at any time to processing of your personal data for direct marketing purposes. You also have the right to lodge a complaint with a supervisory authority in your place of habitual residence, place of work, or place of the alleged infringement. You may also contact our EU Representative listed in Section 1.
We generally respond to requests within one month. In complex cases, this period may be extended by up to two additional months; we will inform you if an extension applies. To protect your privacy and security, we may request appropriate verification of your identity before fulfilling a request.
Consent settings for optional app features (e.g., wearable-based measurements) can be managed within the app settings. Consent for cookies/pixels on our websites or landing pages can be managed via the consent/cookie settings on those sites (where available). Requests can be submitted via support@mindroom.rocks.
15. United States Privacy Rights
Depending on your U.S. state of residence, you may have the right to:
• confirm whether we process personal data about you;
• access your personal data;
• correct inaccuracies in your personal data;
• request deletion of your personal data;
• obtain a copy of your personal data in a portable format (where applicable);
• opt out of certain processing, such as targeted advertising, and in some states, profiling in furtherance of decisions that produce legal or similarly significant effects (where applicable).
15.1 How to opt out (where applicable)
You can opt out of targeted advertising where applicable by (i) adjusting relevant platform settings (e.g., ad preferences on social media/advertising platforms), and/or (ii) adjusting your device settings. You may also contact us at support@mindroom.rocks with your request.
Where required by applicable law, we also honor opt-out preference signals (such as Global Privacy Control (GPC)) for our websites or landing pages. Where required, we may also provide a “Do Not Sell or Share My Personal Information” link or equivalent mechanism on our websites or landing pages.
15.2 How to exercise your rights
You can submit a request by contacting us at support@mindroom.rocks. Please include your name, the email address associated with your account, your state of residence, and the specific request you would like to make.
15.3 Verification
To protect your privacy, we may need to verify your identity before fulfilling your request. If we cannot verify your identity, we may deny the request.
15.4 Authorized agents
Where permitted by law, you may designate an authorized agent to submit requests on your behalf. We may require proof of the agent’s authority and may also require you to verify your identity directly.
15.5 Appeals
If we deny your request, and your state law provides a right to appeal, you may appeal our decision by replying to our response or by contacting us at support@mindroom.rocks with the subject line “Privacy Appeal.”
We will not discriminate against you for exercising your privacy rights.
16. Children’s Privacy
The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. The Services are not directed to children under 13 years of age.
17. Security Measures
We implement appropriate technical and organizational measures to protect personal data. This includes access controls (role-based access), logging and monitoring of administrative access, and measures designed to protect data in transit and at rest. No system can be guaranteed to be completely secure.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Services (e.g., in-app notice) and, where appropriate, via email associated with your account.
19. Contact
Mindroom.rocks, Inc.
16 Dupont St., Apt 24E
Brooklyn, NY 11222
United States
Email: support@mindroom.rocks
20. Language Version
This Privacy Policy may be provided in multiple languages for convenience.
In case of discrepancies, the English version shall prevail.
1.Controller and Contact Information
This Privacy Policy explains how Mindroom.rocks, Inc., 16 Dupont St., Apt 24E, Brooklyn, New York, NY 11222, United States (“Company”, “we”, “us”, “our”) processes personal data when users access and use the mobile application MAIND and related services (collectively, the “Services”).
The mobile application MAIND is operated by Mindroom.rocks, Inc., which acts as the data controller within the meaning of applicable data protection laws.
Contact: support@mindroom.rocks
1.1. EU Representative (Article 27 GDPR)
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Mindroom.rocks, Inc. has appointed a representative within the European Union. The EU representative acts as a contact point for data subjects and supervisory authorities in the European Union with regard to data protection matters.
The EU representative can be contacted at:
[Name of EU Representative]
[Street Address]
[Postal Code, City]
[Country]
[Email Address]
2.Scope of This Privacy Policy
This Privacy Policy applies when you:
download or use the MAIND mobile application,
visit our websites or landing pages related to the Services (including one-page marketing sites),
create an account or use the app without an account,
use meditation, breathing, journaling, visualization, or AI-based features,
connect wearable devices,
access third-party shops or affiliate links,
Certain processing is necessary to provide the Services (e.g., account identifiers and essential technical data). Other features are optional, such as wearable-based measurements. Advertising measurement (e.g., cookies/pixels) may be used on our websites or landing pages (where applicable) to measure campaign performance; we do not use the Meta Pixel or the Meta SDK (App Events) within the MAIND app for advertising tracking.
2.1 Subliminal Content Notice
The Services may include “subliminal” audio or video content that contains affirmations presented at low volume or rapid visual speed and may not be consciously perceivable atnormal settings. Such content is provided for informational and well-being purposes only and is not medical or therapeutic treatment.
3.Categories of Personal Data We Process
3.1 Data You Provide Voluntarily
name or username
email address
account credentials
user-generated content (e.g. journal entries, goals, prompts)
text or voice inputs submitted to the AI feature (if used)
subscription status and entitlement information received from app stores (e.g., active subscription state)
communications with support
3.2 Data Collected Automatically
IP address
device identifiers
operating system and app version
language settings
usage logs, timestamps, crash reports
approximate location derived from IP address (where applicable)
analytics identifiers (e.g., SDK identifiers)
advertising and campaign measurement data (e.g., aggregated campaign performance reports received from advertising platforms, and website cookie/pixel event data on our websites or landing pages, where enabled and where permitted by law)
3.3 Administrative Access (Admin Panel)
We maintain an administrative panel to operate, maintain, and support the Services. Authorized personnel may access user account information and user-generated content (e.g., journal entries, vision board content, uploaded images, and related inputs), as well as usage history (e.g., which meditations, breathing exercises, or subliminals were used and when). Where wearable-based features are enabled, authorized personnel may also access health-related measurements (e.g., HRV and session-related sensor data) for support, troubleshooting, safety, compliance, or to maintain the integrity of the Services.
We do not routinely review user-generated content for its substance. Access is limited to authorized personnel on a need-to-know basis and is subject to appropriate security controls. We may access, modify, or delete user-generated content, account data, and (where applicable) health-related measurements (i) at your request, (ii) to correct technical errors, (iii) to enforce our policies, or (iv) to comply with legal obligations.
4.Health Data and Special Categories of Data
4.1 Nature of Health Data
When you activate wearable-based features, we process health-related data, including but not limited to:
heart rate
heart rate variability (HRV)
activity-related metrics
session-related meditation or breathing data
physiological sensor measurements collected during meditation or breathing sessions (where enabled)
Such data qualifies as special category personal data (health data) under Article 9 GDPR. Health data is stored and processed in accordance with Section 10 (Cloud Infrastructure and Data Storage).
4.2 Legal Basis for Health Data Processing
Health data is processed only with your explicit consent, which is obtained before any wearable-based measurement is activated.
You may withdraw your consent at any time via the app settings. Withdrawal does not affect processing already carried out.
5.Wearable Devices and APIs
The Services may connect to wearable devices such as Apple Watch, Samsung Galaxy Watch, and Polar devices.
Wearable data is processed solely to display insights and feedback within the app. We do not share health data with wearable device manufacturers (e.g., Apple, Samsung, Polar) for their own purposes. Health data may be processed by our service providers acting on our behalf (e.g., cloud hosting) under contractual confidentiality and security obligations, and may be disclosed if required to comply with law. Data access is limited to the minimum scope required for functionality. You can also manage or revoke device-level permissions via your device operating system settings (iOS/Android).
6.AI Processing and Recommendations
6.1 AI Functionality
The Services use artificial intelligence to analyze user inputs and app usage in order to:
recommend app features (e.g. meditations or breathing exercises),
suggest general well-being content,
display informational references or third-party resources.
The AI does not provide medical advice, diagnoses, or treatment.
6.2 Data Used for AI Processing
AI processing may involve:
user text or voice inputs,
selected app features and preferences,
anonymized or aggregated usage data,
technical metadata.
User inputs may be stored temporarily to operate the AI features, prevent abuse, and ensure system quality.
Please do not include sensitive medical or health information in your AI prompts. If you choose to do so, you do so at your own discretion.
6.3 Independence from Health Data
AI-based features can be used independently of wearable devices and do not require the processing of health data unless the user explicitly enables wearable-based measurements.
6.4 AI Transparency (EU AI Act)
Our AI-based features are designed to support user experience and well-being. They do not produce legal or similarly significant effects within the meaning of Article 22 GDPR.
The AI systems implemented in the Services fall into the category of limited-risk AI systems under the EU Artificial Intelligence Act and are subject to applicable transparency obligations.
6.5 AI-Generated Audio and Voice Services (e.g., ElevenLabs)
We may use third-party voice generation or audio production services (such as ElevenLabs) to create pre-recorded guided meditation audio content. We do not send users’ personal data (including user prompts or health data) to these providers for voice generation
7.Nutritional Supplements and Affiliate Links
Affiliate links may be displayed both within AI-generated recommendations and directly within the app interface, including the home screen. When users interact with such links, they are redirected to third-party partner shops.
7.1 Informational Nature
Information about nutritional supplements is provided for informational purposes only and does not constitute medical advice. We do not guarantee effectiveness, suitability, or safety of any product.
7.2 Affiliate Disclosure
Some links are affiliate links. If you purchase a product through such a link, we may receive a commission. This does not increase the price you pay.
7.3 Third-Party Content
Third-party shops, products, and studies are operated independently. We do not control and are not responsible for their content, practices, or compliance with applicable laws. These third parties may collect personal data from you and use their own cookies or similar technologies when you visit their services; their practices are governed by their own privacy policies.
8.Cookies and Tracking Technologies
We may use cookies or similar technologies (including SDKs and mobile identifiers) to ensure functionality, security, analytics, and affiliate attribution.
Within the MAIND app, we use only necessary SDKs for functionality, security, and stability (e.g., crash reporting). We do not use the Meta Pixel in the app and do not integrate the Meta SDK (App Events) in the app for advertising tracking.
8.1 Meta (Facebook/Instagram) Advertising and Measurement (Outside the App)
We run advertising campaigns on Facebook and Instagram to direct users to the Apple App Store or Google Play Store. Meta processes information about ad interactions as an independent controller under its own policies. We generally receive only aggregated campaign performance reports (e.g., reach, clicks, installs/attribution in summarized form), where such reports are provided by the advertising platform.
8.3 EEA/UK (including Germany): Consent for Tracking Technologies
In the European Economic Area and the United Kingdom, the use of non-essential cookies, pixels, and similar technologies on our websites or landing pages generally requires your consent under ePrivacy rules and applicable national laws (e.g., Germany’s TDDDG (formerly TTDSG)). Where required, we will request your consent before placing or accessing such technologies on your device. You can withdraw your consent at any time via the consent/cookie settings on our websites or landing pages (where available).
8.4 Affiliate Tracking
Affiliate tracking may involve the transfer of technical identifiers (e.g., timestamps, device type) to enable attribution. This typically occurs when you click an affiliate link and visit a partner shop. We do not share directly identifying personal data with affiliate partners for attribution; however, partner shops may collect personal data directly from you under their own privacy policies.
9.Payments
Payments and subscriptions are processed exclusively through the Apple App Store and Google Play Store. We do not store payment card information. We may receive limited purchase-related information from the app stores (e.g., subscription status and entitlement information) to provide access to subscription features.
10.Cloud Infrastructure and Data Storage
Data is stored and processed using Google Cloud Platform as a data processor.
Data may be processed in the United States and the European Union. Where required, appropriate safeguards such as Standard Contractual Clauses are implemented. You can request additional information about these safeguards, including a copy of the relevant Standard Contractual Clauses, by contacting us at support@mindroom.rocks.
11.How We Share Personal Data
We may share personal data with:
• Service providers (e.g., cloud hosting, content delivery, customer support, security, and analytics) who process data on our behalf under contractual confidentiality and security obligations;
• Advertising and social media platforms (e.g., Meta) through which we run app-install campaigns: these platforms process data about ad interactions as independent controllers under their own privacy policies. We generally receive only aggregated campaign performance reports (e.g., reach, clicks, installs/attribution in summarized form), where such reports are provided by the platform. Where we use pixels/cookies on our websites or landing pages, we may also receive associated event-level reporting/insights via the platform’s business tools, subject to applicable law;
• Business transaction counterparties (e.g., in connection with a merger, acquisition, financing, reorganization, or sale of assets), where personal data may be disclosed as part of such transaction, subject to appropriate safeguards;
• Affiliate and partner shops when you click on external product links (in which case the third party may collect data directly from you under its own policies);
• Authorities, regulators, or other third parties where we believe disclosure is necessary to comply with law, protect rights and safety, investigate fraud or security incidents, or enforce our terms.
We do not sell personal data. We may share personal data in connection with targeted advertising on our websites or landing pages (e.g., through pixels/cookies), where permitted by law. Depending on your U.S. state of residence, you may have the right to opt out of certain processing such as targeted advertising (see “United States Privacy Rights” below).
12.Legal Bases for Processing (EU/UK)
We process personal data based on:
• consent (Art. 6 (1)(a), Art. 9 (2)(a) GDPR),
• contract performance (Art. 6 (1)(b) GDPR),
• legal obligations (Art. 6 (1)(c) GDPR),
• legitimate interests (Art. 6 (1)(f) GDPR), where applicable.
Where we use advertising measurement, attribution, and (where enabled) targeted advertising in the EEA/UK in connection with our websites or landing pages (e.g., cookies/pixels), we rely on your consent (Art. 6(1)(a) GDPR) and, where applicable, your consent under ePrivacy rules for accessing or storing information on your device.
Where we rely on legitimate interests (Art. 6(1)(f) GDPR), our interests include ensuring the security of the Services, preventing fraud/abuse, and improving and maintaining the Services. You can object to processing based on legitimate interests as described in Section 14.
13. Data Retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain security, comply with legal obligations, and resolve disputes.
Retention depends on the data category and context, including:
• Account data (e.g., email address, account identifiers, subscription/entitlement status): retained for the life of the account and deleted after account deletion, unless a longer retention is required by law or for legal claims.
• User-generated content (e.g., journal entries, vision board content, uploaded images/quotes): retained until you delete it or delete your account, unless retention is required by law or for legal claims.
• Health data (e.g., HRV/heart rate and session-related sensor data, where enabled): retained as needed to provide the wearable-based features and deleted or anonymized when no longer needed or upon account deletion, unless retention is legally required.
• Security and audit logs (including administrative access logs): retained for a limited period necessary for security, troubleshooting, and abuse/fraud prevention (typically [90] days), unless longer retention is required for legal claims.
• Website cookie/pixel event data (where used on our websites or landing pages): retained in accordance with our configured retention settings and applicable law; you can withdraw consent and manage preferences via the consent/cookie settings on our websites or landing pages (where available).
14. Your Rights
Depending on your location, you may have rights to:
• access your personal data,
• correct inaccurate data,
• delete data,
• restrict or object to processing,
• data portability,
• withdraw consent,
• lodge complaints with supervisory authorities.
If you are in the EEA/UK, you have the right to object at any time to processing of your personal data for direct marketing purposes. You also have the right to lodge a complaint with a supervisory authority in your place of habitual residence, place of work, or place of the alleged infringement. You may also contact our EU Representative listed in Section 1.
We generally respond to requests within one month. In complex cases, this period may be extended by up to two additional months; we will inform you if an extension applies. To protect your privacy and security, we may request appropriate verification of your identity before fulfilling a request.
Consent settings for optional app features (e.g., wearable-based measurements) can be managed within the app settings. Consent for cookies/pixels on our websites or landing pages can be managed via the consent/cookie settings on those sites (where available). Requests can be submitted via support@mindroom.rocks.
15. United States Privacy Rights
Depending on your U.S. state of residence, you may have the right to:
• confirm whether we process personal data about you;
• access your personal data;
• correct inaccuracies in your personal data;
• request deletion of your personal data;
• obtain a copy of your personal data in a portable format (where applicable);
• opt out of certain processing, such as targeted advertising, and in some states, profiling in furtherance of decisions that produce legal or similarly significant effects (where applicable).
15.1 How to opt out (where applicable)
You can opt out of targeted advertising where applicable by (i) adjusting relevant platform settings (e.g., ad preferences on social media/advertising platforms), and/or (ii) adjusting your device settings. You may also contact us at support@mindroom.rocks with your request.
Where required by applicable law, we also honor opt-out preference signals (such as Global Privacy Control (GPC)) for our websites or landing pages. Where required, we may also provide a “Do Not Sell or Share My Personal Information” link or equivalent mechanism on our websites or landing pages.
15.2 How to exercise your rights
You can submit a request by contacting us at support@mindroom.rocks. Please include your name, the email address associated with your account, your state of residence, and the specific request you would like to make.
15.3 Verification
To protect your privacy, we may need to verify your identity before fulfilling your request. If we cannot verify your identity, we may deny the request.
15.4 Authorized agents
Where permitted by law, you may designate an authorized agent to submit requests on your behalf. We may require proof of the agent’s authority and may also require you to verify your identity directly.
15.5 Appeals
If we deny your request, and your state law provides a right to appeal, you may appeal our decision by replying to our response or by contacting us at support@mindroom.rocks with the subject line “Privacy Appeal.”
We will not discriminate against you for exercising your privacy rights.
16.Children’s Privacy
The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. The Services are not directed to children under 13 years of age.
17.Security Measures
We implement appropriate technical and organizational measures to protect personal data. This includes access controls (role-based access), logging and monitoring of administrative access, and measures designed to protect data in transit and at rest. No system can be guaranteed to be completely secure.
18.Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Services (e.g., in-app notice) and, where appropriate, via the email address associated with your account.
19.Contact
Mindroom.rocks, Inc.
16 Dupont St., Apt 24E
Brooklyn, NY 11222
United States
Email: support@mindroom.rocks
20.Language Version
This Privacy Policy may be provided in multiple languages for convenience.
In case of discrepancies, the English version shall prevail.