Global Privacy Notice
At a Glance
Who we are
Myndstream is an artist-led, science-informed functional audio company. We unite
world-class artistry, scientific insight, and purpose-built technology to create and
distribute intentionally designed, evidence-informed music that supports health and
wellbeing. All of our music is delivered through an easy-to-use digital platform, for
personal and professional use worldwide.
What we collect
Contact details (e.g. name, email)
Technical data (e.g. device, IP address)
Usage and interaction data
Information you choose to provide
How we use it
To provide our services, improve performance, ensure security, and meet legal
obligations.
Legal bases
We rely on contract, legitimate interests, consent, and legal obligations.
Do we use AI?
Yes — to support recommendations, analytics, and service improvement. We do not
make solely automated decisions with legal or similarly significant effects.
Do we share data?
Yes — with service providers and partners where necessary, and with authorities
where required. We do not sell personal data.
International Transfers
Your data may be transferred internationally with appropriate safeguards (e.g.
standard contractual clauses).
Your rights
You may have rights to access, correct, delete, or restrict use of your data, and to
object or withdraw consent.
Contact: hello@myndstream.com
1. Introduction
This Privacy Notice explains how Mynd Group Limited (“Myndstream”, “we”, “us”,
or “our”) collects, uses, shares, and protects personal data in connection with:
- Our websites and platforms (including https://myndstream.com,
  https://play.myndstream.com, https://listen.myndstream.com)
- Our music streaming and licensing services
- Applications and digital services
- Marketing, business development, and commercial activities
This Notice applies globally. Where local laws impose stricter requirements, those
apply in addition to this Notice.
2. Who We Are
Mynd Group Limited
Unit 9 Westworks, White City Place
195 Wood Lane, London, W12 7FQ, United Kingdom
Email: hello@myndstream.com
We may act as:
- Data Controller
- Data Processor (where acting on behalf of partners)
3. Global Scope and Applicable Laws
We operate globally across jurisdictions including those listed in our operational
footprint.
Applicable laws may include:
- UK GDPR & Data Protection Act 2018
- EU GDPR
- CCPA/CPRA (US)
- LGPD (Brazil), POPIA (South Africa), PDPA (Thailand), etc.
For further information about your specific country, region or state, please refer to
Country-Specific Privacy Provisions (Enhanced Annexes).
4. How Our Services Are Delivered
4.1 Direct Myndstream Platform Use
- Myndstream acts as Data Controller
- We manage accounts, licensing, and content delivery
4.2 Processing Data via Partner Integrations
In addition to directly accessing our Website, our music streaming service may be
made available to you through a Software Development Kit (SDK) or Application
Programming Interface (API) embedded in applications or platforms operated by our
business clients (our ‘Integration Partners’). When you access our service this way,
we and our Integration Partner are typically acting as Independent Data Controllers.
The Data Controller is always responsible for protecting your personal data (see
below):
4.2.1 Our Collection (Myndstream’s Controller Data):
We collect your Identity Data, Usage Data, Location Data, and Device Data directly
through the SDK to provide the music service and offer personalized content and
recommendations, as fully detailed in this policy.
4.2.2 Partner Collection (Client’s Controller Data):
Our Integration Partner is responsible for the data they collect about your use of
their application and is the controller for that data. You should refer to their Privacy
Policy for details on their collection practices.
4.2.3 Client Obligation:
Our Integration Partners are contractually required to ensure that you are provided
with this Privacy Policy and that they secure any necessary consent (such as for
Location Data) before the data is shared with us.
5. Categories of Personal Data
We may collect, use, store and transfer the following:
- Identity Data – name, username
- Contact Data – email, address, phone
- Profile Data – preferences, login credentials
- Transaction Data – payments, subscriptions
- Device Data – device type, IP, OS
- Usage Data – platform interaction
- Security Data – logs and authentication
- Cookies Data – tracking identifiers
- Marketing Data – communication preferences
- Location Data – IP-based or device location
We do not intentionally collect special category data.
6. How We Collect Data
- Directly from users
- Automatically (cookies, logs, analytics)
- Through business interactions
Further Information
6.1 Information You Provide
You may provide:
- Name, company details, contact details
- Payment-related information (processed by third parties)
- Preferences and usage reports
6.2 Automatic Collection
We collect:
- IP address, device information
- Browser and system data
- Usage patterns and interactions
via cookies and analytics tools such as Google Analytics.
6.3 Marketing Data Collection
We collect marketing data when:
- You subscribe to newsletters
- You sign up for trials or services
7. Cookies
We use:
7.1 Strictly necessary cookies
Required for platform functionality.
7.2 Analytics cookies
Used to measure usage and improve performance.
7.3 Advertising/targeting cookies
Used to personalise content and advertising.
Third parties (e.g., analytics providers) may also use cookies.
Users can:
- Manage preferences via the cookie banner
- Disable cookies via browser settings
Please note that disabling cookies may limit some functionality.
8. Purposes and Legal Bases
We process personal data under:
- Contract (to provide you with the service as an individual user)
- Legitimate Interests (to provide you with the service in a business-to-business
  context and to improve our service)
- Consent (where required by law - e.g. marketing to consumers)
- Legal Obligation (for example, to comply with accounting and tax laws)
We use data to:
- Provide services
- Improve platform performance
- Ensure security
- Conduct analytics
- Send marketing communications
9. Profiling and Automated Decision-Making
We may use profiling to:
- Recommend content
- Improve user experience
- Support marketing
You have rights to object and request human review.
9.1 Use of Artificial Intelligence and Automated Technologies
We use artificial intelligence (“AI”) and automated technologies as part of our
services to enhance functionality, improve user experience, and support business
operations.
9.1.1 How We Use AI
We may use AI systems to:
- Recommend music, playlists, and content based on user preferences and
  behaviour
- Analyse usage patterns to improve platform performance and service delivery
- Support marketing activities, including personalisation of communications
  (where permitted)
- Detect and prevent fraud, abuse, or security incidents
- Generate insights to improve our products and services
These systems may process:
- Usage Data
- Device Data
- Location Data
- Profile and preference information
9.1.2 Automated Decision-Making and Profiling
Some processing may involve automated decision-making and profiling, including:
- Personalised content recommendations
- User segmentation for analytics or marketing purposes
This processing is designed to:
- Enhance your experience
- Improve relevance of content and services
We do not make solely automated decisions that produce legal or similarly
significant effects on individuals.
9.1.3 Human Oversight
Where AI is used:
- Outputs are monitored and reviewed where appropriate
- Human oversight is applied to ensure fairness, accuracy, and accountability
9.1.4 Your Rights
Depending on your location, you have the right to:
- Object to profiling or automated processing
- Request information about how automated decisions are made
- Request human intervention where applicable
- Withdraw consent where processing is based on consent
9.1.5 Data Minimisation and Safeguards
We implement safeguards to ensure AI is used responsibly:
- Processing is limited to what is necessary for defined purposes
- Data is protected using appropriate technical and organisational measures
- AI systems are designed to avoid unfair bias and ensure accuracy
10. Data Sharing
We may share data with:
- Group companies
- Service providers (hosting, payments, analytics)
- Professional advisers
- Authorities (where required)
We may also:
- Share anonymised statistical data
- Transfer data in connection with mergers or acquisitions
We do not sell personal data.
11. International Transfers
Data may be transferred globally with safeguards such as:
- Standard Contractual Clauses
- Adequacy decisions
- Risk assessments
12. Data Retention
We retain data only as necessary:
- For the duration of service use
- For up to 6 years after customer relationship ends (legal/tax)
- Longer where required for legal or legitimate purposes
Anonymous data may be retained indefinitely.
13. Security Measures
We implement:
- Encryption in transit and at rest
- Access controls and role-based permissions
- Secure infrastructure and monitoring
- Incident response procedures
All data is stored securely, though no system is completely risk-free.
14. Your Rights
You may have rights to:
- Access – You can ask to see what personal data an organisation holds about
  you.
- Rectification – You can request correction of inaccurate or incomplete
  personal data.
- Erasure – You can ask for your personal data to be deleted in certain
  circumstances.
- Restriction – You can request that the use of your data is limited while issues
  are resolved.
- Portability – You can receive your data in a usable format and transfer it to
  another service.
- Objection – You can object to the processing of your data in certain situations.
- Withdraw consent – You can withdraw your consent at any time where
  processing is based on it.
- Complain to a supervisory body – You can lodge a complaint with a regulator such
  as the Information Commissioner's Office if you’re unhappy with how your data is
  handled.
We may require identity verification and may refuse excessive or
unfounded requests.
15. Children
Our services are not intended for children under 13 (or higher local limits).
We do not knowingly collect children’s data.
Further Information
Myndstream’s Website is not intended for those under the age of 13 (in some
countries, stricter age limits may apply). We do not knowingly collect personal
information from children under 13 or under the applicable age limit (the “Age
Limit”). If you are under the Age Limit, do not use the Website and do not provide
any personal information to us. If you are a parent of a child under the Age Limit and
become aware that your child has provided personal information to us, please
contact us at hello@myndstream.com and you may request to remove such
information from our systems.
16. Third-Party Links
Our services may contain links to third-party platforms.
We are not responsible for their privacy practices.
Further Information
This Website may, from time to time, include links to third party websites, plug-ins
and applications (for example, the ability to follow us on Facebook). Clicking on
those links or enabling those connections may allow third parties to collect or share
data about you. We do not control these third-party websites and are not
responsible for their privacy statements. When you leave our Website, you should
read the privacy policy of every website you visit.
17. Changes to This Notice
We may update this Privacy Notice periodically.
The latest version will always be available on our platform and website.
18. Country-Specific Privacy Provisions (Enhanced Annexes)
18.1 United Kingdom
Personal data is processed in accordance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
You have rights to:
- Access, correct, and delete personal data
- Restrict processing
- Data portability
- Object to processing (including marketing)
- Withdraw consent
18.1.1 Right to Complain
You have the right to lodge a complaint with the Information Commissioner's Office.
18.2 European Economic Area (EEA)
Personal data is processed in accordance with the EU General Data Protection
Regulation (EU GDPR).
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure
- Restrict processing
- Data portability
- Object to processing
- Not be subject to decisions based solely on automated processing (where applicable)
- Withdraw consent
18.2.1 Right to Complain
You may lodge a complaint with your local supervisory authority in the EEA country
where you live, work, or where an alleged infringement occurred.
18.3 Switzerland
Personal data is processed in accordance with the Swiss Federal Act on Data
Protection (revFADP).
We process personal data in good faith, proportionately, and only for specified
purposes.
18.3.1 Your Rights
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion, where applicable
- Object to certain processing activities
18.3.2 Right to Complain
You have the right to contact the Federal Data Protection and Information
Commissioner.
18.4 United States
18.4.1 California (CCPA / CPRA)
You have the right to:
- Know what personal data is collected and how it is used
- Access and delete your personal data
- Correct inaccuracies
- Opt out of “sale” or “sharing” of personal data
- Limit the use of sensitive personal information (where applicable)
We do not sell personal data.
18.4.2 Other U.S. States
You may have rights to:
- Access, correct, and delete personal data
- Data portability
- Opt out of targeted advertising or profiling
- Appeal decisions regarding your requests
18.5 Canada
Under applicable law (including PIPEDA), you have the right to:
- Access and correct your personal data
- Withdraw consent (subject to legal or contractual restrictions)
18.6 Latin America
18.6.1 Brazil (LGPD)
You have rights to:
- Confirmation of processing
- Access, correction, and deletion
- Anonymisation or blocking
- Data portability
- Withdrawal of consent
18.6.2 Mexico, Argentina, Chile
You may exercise ARCO rights:
- Access, rectification, cancellation, and objection
18.7 Africa
18.7.1 South Africa (POPIA)
You have rights to:
- Access and correct personal data
- Request deletion
- Object to processing
- Lodge complaints with the regulator
18.7.2 Other African Jurisdictions
(e.g. Nigeria, Kenya)
We apply equivalent protections in accordance with local laws.
18.8 Middle East
18.8.1 United Arab Emirates, Saudi Arabia, Qatar
You may have rights to:
- Access, correction, and deletion
- Restriction or objection to processing
Different legal frameworks may apply depending on jurisdiction.
18.9 Asia-Pacific
18.9.1 India (DPDP Act 2023)
You have rights to:
- Access, correction, and erasure
- Withdraw consent
- Grievance redress
18.9.2 Southeast Asia
(Singapore, Thailand, Indonesia, Philippines, Malaysia)
Rights generally include:
- Access and correction
- Withdrawal of consent
18.10 East Asia
18.10.1 China (PIPL)
Where applicable:
- Enhanced consent requirements
- Potential data localisation obligations
18.10.2 Japan and South Korea
Rights include:
- Access, correction, deletion
- Restrictions on international data transfers
18.11 Australia and New Zealand
You have rights to:
- Access and correct personal data
- Lodge complaints with relevant regulators
18.12 Other Jurisdictions
Where not specifically listed, we:
- Apply globally recognised data protection principles
- Comply with applicable local laws
- Provide rights consistent with those laws
18.13 Governance and Accountability
We maintain a structured privacy and data protection framework, including:
- Records of Processing Activities (ROPA)
- Data Protection Impact Assessments (DPIAs)
- Vendor and partner contractual controls
- Defined retention and deletion processes
- Security and risk management controls
We regularly review and update our practices to ensure ongoing compliance.
19. Data Processing Framework
19.1 Processing Activity Mapping
Each activity described in the table below maps to a defined data processing activity
carried out during our business operations:
Further information
| Processing Activity | Purpose | Data Categories | Legal Bases | Source |
| --- | --- | --- | --- | --- |
| Account Management | User onboarding and account operation | Identity, Contact, Profile | Contract | User |
| Music Streaming Service | Deliver music content | Usage, Device, Location | Contract / Legitimate Interest | User / Device |
| Licensing & Transactions | Manage subscriptions and licensing | Identity, Transaction | Contract / Legal Obligation | User |
| Marketing Communications | Send updates and promotions | Contact, Preferences | Consent / Legitimate Interest | User |
| Platform Analytics | Improve service performance | Usage, Device | Legitimate Interest | Automated |
| Security & Fraud Prevention | Protect platform integrity | Usage, Security logs | Legitimate Interest / Legal Obligation | Automated |
19.2 Data Flow Overview
19.2.1 Data Collection
- Direct input (account creation, forms)
- Automated collection (cookies, logs, analytics)
- Partner integrations (SDK/API where applicable)
19.2.2 Data Processing
- Hosted in secure cloud infrastructure
- Access restricted via role-based permissions
- Processed for defined purposes only
19.2.3 Data Sharing
- Internal group entities
- Service providers (hosting, payments, analytics)
- Regulatory authorities where required
19.2.4 Data Storage
- Stored in encrypted systems
- Retained per defined retention schedules
19.2.5 Data Deletion / Anonymisation
- Deleted after retention period
- Or anonymised for analytics
19.3 Roles and Responsibilities
We define roles and responsibilities for each processing activity as follows:
- Controller: Myndstream (direct platform use)
- Processor: Service providers (e.g., hosting, payments)
- Independent Controllers: Integration partners (where applicable)
Responsibilities are contractually governed via:
- Data Processing Agreements (DPAs)
- Vendor contracts
- Integration agreements
19.4 Data Transfer Mapping
We record all international transfers as follows:
- Destination country
- Transfer mechanism (e.g., SCCs)
- Risk assessment (where required)