Privacy Policy

Effective Date: 2025-08-27  |  Last Updated: 2025-08-27

1) Scope & Definitions

This Policy applies comprehensively to all information relating to an identified or identifiable natural person ("Personal Data" or "Personal Information"). For the purposes of this Policy, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Policy specifically covers, but is not limited to: (a) information collected during account registration and authentication processes, including email addresses, password hashes, one-time passwords (OTP), and identity verification tokens obtained through third-party authentication providers such as Google Sign-In and Apple Sign-In; (b) user-generated content you voluntarily upload or create through the Services, including but not limited to audio files, sound recordings, cover images, metadata, tags, descriptions, and any other media or textual content; (c) your interactions with the Services, including the creation, modification, deletion, and organization of soundscapes, playlists, favorites, and other personalized content; (d) technical and device information automatically collected when you access the Services; (e) payment and subscription information processed in connection with paid features or premium accounts; and (f) any communications, feedback, support requests, or other information you provide to us through customer support channels, email, in-app messaging, or other communication methods.

This Policy does not apply to information that has been properly anonymized or aggregated in such a manner that it can no longer be used to identify you, either alone or in combination with other information. We may use and disclose such anonymized or aggregated information for any purpose, as it is not considered Personal Data under applicable privacy laws.

2) Information We Collect

We collect various categories of information to provide, maintain, improve, and protect our Services. The information we collect falls into several categories as detailed below:

• Account & Identity Information: When you create an account with Mellows, we collect your email address, which serves as your primary account identifier and communication channel. We store a cryptographically hashed version of your password (never the plaintext password itself) to authenticate your access to the Services. If you choose to provide a display name or profile information, we collect and store that information as well. When you authenticate using third-party services such as Google Sign-In or Apple Sign-In, we receive and store authentication tokens, your email address associated with that third-party account, and potentially your name and profile picture, depending on the permissions you grant. We may also collect verification codes sent via email for two-factor authentication or account recovery purposes. This information is essential for account management, access control, and security purposes.
• Usage & Content Data: We collect comprehensive information about how you interact with our Services. This includes all content you voluntarily upload or create, such as audio files (sounds, recordings, music), cover images, thumbnails, metadata (titles, descriptions, tags, categories), and any associated information. We track your created soundscapes, including the specific sounds you've combined, volume levels, mixing preferences, loop settings, and timing configurations. We record your favorites, bookmarks, playlists, and collections to personalize your experience. We also collect information about your in-app actions, including searches, filters applied, content viewed, playback history, session duration, feature usage patterns, settings configurations, and preferences you've specified. This data helps us understand how users interact with our Services and enables us to improve functionality, recommend content, and provide a personalized experience tailored to your preferences.
• Device & Technical Information: When you access our Services, we automatically collect certain technical information about your device and how you connect to our Services. This includes your device type, model, and manufacturer; operating system name and version; mobile network information; unique device identifiers (such as device ID, advertising ID where permitted); browser type and version; IP address and approximate geographic location derived from your IP address (typically at the city or country level); language and region settings; time zone; access times and timestamps for each session; referring and exit pages; clickstream data showing the pages or features you accessed and in what order; and performance metrics such as page load times, server response times, and error rates. We also collect diagnostic and debugging information, including crash reports, error logs, system logs, and technical diagnostic data that helps us identify and fix bugs, improve stability, and optimize performance. This information is crucial for providing technical support, ensuring compatibility across different devices and platforms, detecting and preventing fraudulent activities, and maintaining the security and integrity of our Services.
• Payment & Subscription Information: If you subscribe to premium features, purchase in-app products, or make any payments through our Services, we collect information related to your subscription and billing. This includes your subscription tier or plan type, subscription status (active, cancelled, expired, trial), subscription start and renewal dates, billing frequency, invoice history, transaction IDs, payment amounts and currency, and your billing country or region for tax purposes. Please note that all payment card information (credit card numbers, CVV codes, expiration dates) is collected, processed, and stored directly by our PCI DSS-compliant payment processor (as listed in Section 5), and we never have access to or store your full payment card details on our systems. We only receive limited information such as the last four digits of your card, card brand (Visa, Mastercard, etc.), and payment status from our payment processor. This approach ensures the highest level of security for your financial information while allowing us to manage your subscription and provide billing support.
• Communications & Support: When you contact us for customer support, report issues, provide feedback, or communicate with us through any channel (including email, in-app support chat, contact forms, social media, or help desk tickets), we collect the content of those communications. This includes the messages you send, attachments you provide, your contact information, the nature of your inquiry or issue, any information you choose to share about your experience with the Services, screenshots or recordings you submit, and our responses and any resulting correspondence. We retain this information to provide effective customer support, resolve technical issues, address your concerns, improve our Services based on user feedback, and maintain a record of our interactions for quality assurance and training purposes. We may also use this information to detect patterns in user issues and proactively address common problems.
• Cookies, Analytics & Tracking Data: We and our third-party service providers use cookies, web beacons, pixels, local storage, SDKs (software development kits), and similar tracking technologies to collect information about your interactions with our Services over time. This includes information about your browsing behavior, feature usage patterns, session data, referring sources, advertising interactions, and conversion events. These technologies help us maintain your session, remember your preferences, analyze usage trends, measure the effectiveness of our features and marketing campaigns, provide targeted content and recommendations, and improve the overall user experience. For more detailed information about our use of these technologies, please refer to Section 4 below.
• Health & Fitness Data (Apple Health / HealthKit Integration): With your explicit, informed consent, our iOS application may collect health and fitness data from Apple Health (using Apple's HealthKit framework) on your device. The specific categories of health data we may access include: (a) Sleep Data: sleep duration, sleep stages (including deep sleep, REM sleep, core/light sleep, and awake periods), sleep start and end times, time in bed, and sleep analysis records; (b) Heart Rate Data: heart rate measurements, resting heart rate, heart rate during sleep, and heart rate recovery; (c) Heart Rate Variability (HRV): heart rate variability measurements which can indicate stress levels and recovery status; (d) Respiratory Data: respiratory rate and breathing patterns during sleep; (e) Blood Oxygen Saturation (SpO2): blood oxygen levels, particularly during sleep; (f) Activity Data: steps, distance, active energy burned, exercise minutes, and workout records that may affect sleep quality; and (g) Mindfulness Data:meditation and mindfulness session records. This health data is collected solely to provide you with personalized sleep analysis, sleep quality scores, sleep trend insights, health correlations, and tailored recommendations to help you improve your sleep quality and overall wellbeing. Important: (i) You must explicitly grant permission through iOS system prompts before we can access any HealthKit data; (ii) You can revoke this access at any time through your device's Settings > Privacy > Health > Mellows, or by disconnecting the Apple Health integration within our app; (iii) Your health data is transmitted securely using encryption (TLS 1.2 or higher) to our servers for processing and analysis; (iv) We do not store your health data in iCloud; (v) We do not use your health data for advertising, marketing, data mining, or any purpose other than providing health and fitness services directly to you; (vi) We do not sell, rent, or share your health data with third parties for their own purposes; (vii) Health data shared with our Service Providers (as listed in Section 5) is strictly limited to what is necessary for providing our Services and is subject to contractual data protection obligations; (viii) We comply with Apple's HealthKit guidelines and all applicable health data privacy regulations, including HIPAA where applicable. The collection of health data is entirely optional, and you can use many features of our Services without connecting to Apple Health.

3) Purposes & Legal Bases

We process your Personal Data only for specific, legitimate purposes and, where required by applicable law (particularly in the European Economic Area, the United Kingdom, and other jurisdictions with similar requirements), based on appropriate legal grounds. Below we describe the purposes for which we use your Personal Data and the corresponding legal bases that justify such processing:

• To Provide and Maintain the Services: We process your Personal Data to deliver the core functionality of our Services, including account creation and authentication, secure login and session management, user identity verification, content storage and retrieval, audio streaming and playback, soundscape creation and editing tools, content synchronization across devices, access to your created content and preferences, and all features available through the mobile application and web dashboard. This processing is necessary to perform our contractual obligations to you as outlined in our Terms of Service. Without this processing, we would be unable to provide you with access to and use of the Services. Legal basis: Performance of contract (GDPR Article 6(1)(b)) – the processing is necessary for the performance of the contract between you and Mellows Limited, or to take steps at your request prior to entering into that contract.
• To Improve, Optimize, and Secure the Services: We analyze usage patterns, performance metrics, and user interactions to continuously improve and optimize our Services. This includes conducting product analytics to understand how features are used, identifying and fixing bugs and technical issues, performing diagnostic testing and troubleshooting, optimizing application performance and load times, developing new features and enhancements, conducting A/B testing and experimentation, preventing fraud, abuse, and unauthorized access, detecting and responding to security incidents, monitoring for violations of our Terms of Service, protecting the rights, property, and safety of Mellows Limited, our users, and the public, and ensuring the stability, reliability, and security of our infrastructure. These activities are necessary to maintain the quality and security of our Services, protect our business operations, and provide all users with a safe and reliable platform.Legal basis: Legitimate interests (GDPR Article 6(1)(f)) – we have a legitimate interest in improving our Services, ensuring their security and stability, preventing fraud and abuse, and protecting our business and users' interests. We have assessed that these interests are not overridden by your data protection rights and freedoms.
• To Communicate with You: We use your contact information to send you important communications related to your use of the Services, including transactional emails about your account activities (registration confirmations, password resets, email verification), service announcements and updates about new features or changes to existing features, subscription and billing notifications (payment confirmations, renewal reminders, failed payment alerts), security alerts and warnings about suspicious activities or required actions, technical support responses and issue resolution updates, administrative messages about changes to our policies or terms, and responses to your inquiries and feedback. These communications are essential for the proper functioning of your account and to keep you informed about important matters affecting your use of the Services.Legal basis: Performance of contract (GDPR Article 6(1)(b)) for communications necessary to provide the Services and fulfill our contractual obligations; Legitimate interests (GDPR Article 6(1)(f)) for communications that serve our legitimate business interests in maintaining customer relationships, providing support, and ensuring informed consent regarding service changes.
• To Comply with Legal Obligations: We may process your Personal Data to comply with applicable laws, regulations, legal processes, and governmental requests. This includes fulfilling tax obligations and financial reporting requirements, maintaining records as required by applicable accounting and business regulations, responding to subpoenas, court orders, and lawful requests from public authorities (including law enforcement and national security agencies), complying with data breach notification requirements, cooperating with regulatory investigations, enforcing our legal rights, and fulfilling other legal duties imposed on us by law. In some cases, we may be required to disclose Personal Data to comply with these obligations.Legal basis: Legal obligation (GDPR Article 6(1)(c)) – the processing is necessary for compliance with a legal obligation to which Mellows Limited is subject under applicable laws and regulations.
• Marketing and Promotional Communications (Optional): With your express consent where required by law, or based on our legitimate interests where permitted, we may use your email address and usage information to send you marketing communications, promotional offers, newsletters, product updates, surveys, and information about events or new features that we believe may interest you. You have the right to opt out of receiving marketing communications at any time by clicking the "unsubscribe" link included in every marketing email, adjusting your notification preferences in your account settings, or contacting us directly. Please note that even if you opt out of marketing communications, we will still send you transactional and service-related messages that are necessary for your use of the Services. Legal basis: Consent (GDPR Article 6(1)(a)) where we are required to obtain your consent for marketing communications; Legitimate interests (GDPR Article 6(1)(f)) where we may send marketing communications based on our legitimate interest in promoting our Services, provided you have not opted out and such communications are permitted under applicable law.
• To Personalize Your Experience: We use information about your usage patterns, preferences, and interactions to provide you with personalized content recommendations, customized soundscape suggestions, tailored user interface elements, relevant search results, and a more engaging and relevant user experience. This processing helps us make the Services more useful and enjoyable for you based on your individual needs and preferences. Legal basis: Legitimate interests (GDPR Article 6(1)(f)) – we have a legitimate interest in providing personalized experiences that enhance user satisfaction and engagement with our Services.
• For Business Operations and Analytics: We process aggregated and anonymized data (which does not identify you personally) for business analytics, reporting, research, and strategic planning purposes. This helps us understand market trends, measure the effectiveness of our Services, make informed business decisions, and plan for future development. Legal basis:Legitimate interests (GDPR Article 6(1)(f)) – we have a legitimate interest in understanding our business performance and making data-driven decisions to improve our Services and business operations.
• To Provide Personalized Health & Sleep Analysis Services: With your explicit consent, we process health and fitness data obtained from Apple Health (HealthKit) to provide you with personalized sleep analysis and health-related features. This includes: (a) analyzing your sleep patterns, duration, and quality to generate sleep scores and insights; (b) identifying correlations between your sleep and other health metrics such as heart rate, HRV, respiratory rate, and activity levels; (c) tracking sleep trends over time and providing visualizations of your sleep history; (d) generating personalized recommendations to help improve your sleep quality based on your individual health data; (e) creating alerts or notifications about significant changes in your sleep patterns; and (f) enabling features that combine audio content with your health data to optimize your sleep experience. Health data is classified as "special category data" under GDPR and requires explicit consent for processing. We process this data solely for the purpose of providing health and fitness services to you and do not use it for any other purpose such as advertising, profiling for non-health purposes, or sharing with third parties for their own use. Legal basis: Explicit consent (GDPR Article 6(1)(a) for general processing and Article 9(2)(a) for processing special category health data) – before accessing any health data from Apple Health, we obtain your explicit, informed consent through the iOS system permission prompts and our in-app consent flow. You may withdraw your consent at any time by disconnecting Apple Health in your device settings or within our app, which will stop future collection of health data (though previously processed data may be retained as described in Section 7).

4) Cookies & Similar Technologies

We, along with our third-party service providers and partners, use cookies, web beacons, pixels, local storage, session storage, mobile SDKs, and other similar tracking technologies (collectively, "Cookies") to enhance your experience with our Services, maintain functionality, and analyze usage patterns. This section provides detailed information about how we use these technologies.

What Are Cookies: Cookies are small text files that are stored on your device (computer, smartphone, or tablet) when you visit a website or use an application. They contain information about your interactions and preferences, allowing the website or application to recognize your device on subsequent visits. Cookies can be "session cookies" (which are temporary and deleted when you close your browser or app) or "persistent cookies" (which remain on your device for a set period or until you manually delete them).

Types of Cookies We Use: We use several categories of Cookies, including: (1) Essential/Strictly Necessary Cookies that are required for the basic functionality of the Services, such as maintaining your login session, remembering your authentication status, enabling secure access to your account, and ensuring the Services work properly (these cookies cannot be disabled without severely limiting your ability to use the Services); (2) Functional Cookies that remember your preferences and choices, such as your language settings, theme preferences, volume levels, display options, and other customization settings to provide you with a more personalized experience; (3) Analytics and Performance Cookies that help us understand how users interact with our Services by collecting information about pages visited, features used, time spent on pages, navigation paths, error messages encountered, and other usage statistics (this information is typically aggregated and used to improve our Services); and (4) Advertising and Marketing Cookies (if applicable) that may be used to deliver relevant advertisements, track ad performance, measure campaign effectiveness, and prevent the same ads from being shown repeatedly.

Local Storage and Similar Technologies: In addition to cookies, we may use HTML5 local storage, session storage, IndexedDB, and other browser storage mechanisms to store data locally on your device. These technologies serve similar purposes to cookies but can store larger amounts of data and are not automatically transmitted to our servers with each request. We use these technologies to cache content for offline access, store user preferences and settings, improve application performance and loading times, and enhance your overall user experience.

Mobile SDKs: Our mobile applications may include third-party software development kits (SDKs) that collect information about your device and how you interact with the app. These SDKs are used for analytics, crash reporting, performance monitoring, and other purposes as described in this Policy. The information collected by these SDKs is subject to the privacy policies of the respective SDK providers.

Your Cookie Choices and Controls: You have several options to control or limit how Cookies are used: (1) Most web browsers are set to accept cookies by default, but you can adjust your browser settings to refuse all cookies, accept only certain cookies, or notify you when a cookie is being set. Please note that if you disable cookies, some features of our Services may not function properly, and you may not be able to access certain parts of the Services. (2) For mobile applications, you can control certain tracking features through your device settings, such as limiting ad tracking on iOS or opting out of interest-based ads on Android. (3) You can use browser extensions or privacy tools that block or manage cookies and tracking technologies. (4) If we provide a cookie preference center or consent management platform, you can manage your cookie preferences there, including the ability to accept or reject different categories of cookies (except for strictly necessary cookies, which are required for the Services to function).

Do Not Track Signals: Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activities tracked. Currently, there is no industry consensus on how to respond to DNT signals, and we do not currently respond to DNT signals from browsers. However, you can use the other cookie controls described above to manage tracking.

For more information about cookies and how to control them, you can visit www.allaboutcookies.org orwww.youronlinechoices.eu (for EU users).

5) Sharing & Disclosure

We respect your privacy and are committed to protecting your Personal Data. We do not sell, rent, or trade your Personal Data to third parties for their own marketing purposes. However, we may share your Personal Data in the following limited circumstances:

• Service Providers and Data Processors: We engage carefully selected third-party service providers, vendors, contractors, and agents (collectively, "Service Providers") to perform services on our behalf and to help us operate, maintain, improve, and protect our Services. These Service Providers act as data processors and only process your Personal Data according to our documented instructions and for the specific purposes we authorize. The services they provide include, but are not limited to: cloud infrastructure and hosting services, database management and storage, content delivery networks (CDN) for faster media delivery, email delivery and communication services, authentication and identity verification, payment processing and subscription management, customer support and help desk platforms, analytics and monitoring tools, security and fraud prevention services, backup and disaster recovery services, and other technical, operational, or administrative support. We require all Service Providers to maintain appropriate technical and organizational security measures to protect your Personal Data, to process it only as instructed by us and in compliance with this Policy and applicable laws, and to notify us of any data breaches or security incidents. We conduct due diligence on our Service Providers and, where required by law, enter into data processing agreements that comply with applicable data protection regulations. A list of our primary Service Providers and their purposes is provided in the table below.
• Legal Requirements and Protection of Rights: We may disclose your Personal Data if we believe in good faith that such disclosure is necessary to: (a) comply with applicable laws, regulations, legal processes, or governmental requests, including responding to subpoenas, court orders, search warrants, or other lawful requests from public authorities, including law enforcement or national security agencies; (b) enforce our Terms of Service, this Privacy Policy, or other agreements, including investigation of potential violations; (c) detect, prevent, or address fraud, security breaches, technical issues, or illegal activities; (d) protect the rights, property, or safety of Mellows Limited, our users, or the public as required or permitted by law; (e) respond to claims that content violates the rights of third parties; or (f) protect against legal liability or defend ourselves in litigation or regulatory proceedings. Where possible and legally permitted, we will notify you before disclosing your information in response to legal requests, unless prohibited by law or court order, or if the request is an emergency.
• Business Transfers and Corporate Transactions: In the event that Mellows Limited is involved in a merger, acquisition, consolidation, restructuring, sale of assets, bankruptcy, or other corporate transaction or proceeding, your Personal Data may be transferred, sold, or assigned as part of that transaction. We will require any successor entity or acquiring party to honor the commitments made in this Privacy Policy with respect to your Personal Data. If the transaction results in material changes to how your Personal Data is handled, we will provide you with notice and, where required by law, obtain your consent. You will also have the opportunity to exercise your data protection rights (such as deletion or objection) in connection with such transfers, subject to applicable law.
• With Your Consent or at Your Direction: We may share your Personal Data with third parties when you explicitly consent to or request such sharing. This includes situations where you: (a) authorize us to share information with third-party services or applications that you choose to integrate or connect with Mellows (such as social media platforms, music streaming services, or other apps); (b) participate in features that inherently involve sharing, such as collaborative playlists or community features; (c) choose to make certain content public or share it with other users; or (d) otherwise direct us to share your information with specific third parties. You can revoke such consent or disconnect third-party integrations at any time through your account settings.
• Aggregated and Anonymized Data: We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you with third parties for any purpose, including for research, analytics, marketing, or business development purposes. Such information is not considered Personal Data and is not subject to the restrictions in this Privacy Policy.
• Public Content: If you choose to post content in public areas of our Services (such as public profiles, community forums, or shared soundscapes, if applicable), that content will be publicly available and can be seen, collected, and used by others. Please exercise caution when deciding what information and content you make public.

Each of the Service Providers listed above has its own privacy policy governing how it handles data. We encourage you to review their privacy policies to understand their data practices. We will update this list as we add or change Service Providers, and the most current list will always be available in this Privacy Policy.

6) International Transfers

Mellows Limited operates globally, and your Personal Data may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country and, in some cases, may not be as comprehensive or protective. Specifically, our servers and data centers may be located in various jurisdictions, and our Service Providers may operate from different countries around the world. This means that when you use our Services, your Personal Data may be transferred internationally.

European Economic Area (EEA), UK, and Switzerland: If you are located in the EEA, United Kingdom, or Switzerland, we comply with applicable legal requirements for international data transfers. When we transfer your Personal Data outside the EEA/UK/Switzerland to countries that have not been recognized as providing an adequate level of data protection by the European Commission or UK authorities, we implement appropriate safeguards to ensure your Personal Data remains protected. These safeguards include:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (also known as Model Clauses) or the UK International Data Transfer Agreement/Addendum, which are contractual commitments between companies transferring personal data to protect the privacy and security of the data. These are approved by the European Commission and UK authorities as providing adequate safeguards for international transfers.
• Adequacy Decisions: Where available, we transfer data to countries that have been deemed by the European Commission or UK authorities to provide an adequate level of data protection (such as Canada for commercial organizations under PIPEDA, or other jurisdictions recognized through adequacy decisions).
• Other Approved Mechanisms: We may rely on other appropriate safeguards recognized under applicable data protection laws, such as Binding Corporate Rules, approved certification mechanisms, or derogations for specific situations as permitted under GDPR Article 49.

We regularly review our international data transfer practices to ensure ongoing compliance with evolving legal requirements and regulatory guidance. You have the right to request more information about the safeguards we have put in place for international transfers of your Personal Data by contacting us using the information provided in Section 14 below.

Other Jurisdictions: If you are located in other jurisdictions with specific requirements for international data transfers, we comply with applicable local laws and regulations governing cross-border data flows. This may include obtaining your consent where required, implementing appropriate security measures, or complying with data localization requirements where applicable.

By using our Services and providing your Personal Data, you understand and consent to the transfer, storage, and processing of your information in countries where we operate or where our Service Providers are located, in accordance with this Privacy Policy and applicable law.

7) Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, and to comply with our legal, regulatory, accounting, and reporting obligations. The specific retention period depends on the nature of the information, the purposes for processing, and applicable legal requirements. We apply the principle of data minimization and periodically review our data retention practices to ensure we do not retain Personal Data longer than necessary.

General Retention Principles: Our retention decisions are based on several factors, including: (a) the nature and sensitivity of the Personal Data; (b) the purposes for which the data was collected and how it is used; (c) whether you have an active account with us; (d) legal, regulatory, tax, or accounting requirements that mandate retention of specific records for defined periods; (e) contractual obligations; (f) litigation holds and legal disputes that may require preservation of data; (g) the need to protect our rights, property, or safety, or those of our users; and (h) your data protection rights and requests (such as deletion requests).

Below are typical retention periods for different categories of data. Please note that these are general guidelines, and actual retention periods may vary based on specific circumstances and legal requirements in your jurisdiction:

• Account Data and Profile Information: We retain your account information (email address, password hash, profile details, account settings, and authentication data) for the entire duration your account remains active. If you delete your account or request account closure, we will delete or anonymize your account data within a reasonable timeframe, typically 30-90 days after the deletion request, unless we are required to retain certain information for longer periods to comply with legal obligations, resolve disputes, enforce our agreements, or for other legitimate purposes. During this period, your account may be deactivated but not fully deleted to allow for recovery in case of accidental deletion. After the retention period, your account data will be permanently deleted from our active systems, though some information may persist in backup systems for a limited additional period before being purged according to our backup rotation schedule.
• User-Generated Content (Sounds, Covers, Soundscapes): Content you upload or create (including audio files, images, metadata, soundscapes, playlists, and other creative works) is retained as long as your account is active and until you explicitly delete such content or close your account. When you delete specific content items, they are typically removed from our active systems within a short period (usually 1-30 days), though cached copies may persist temporarily in our content delivery networks or backup systems. When you delete your account, all associated content is scheduled for deletion according to the account deletion timeline described above. Please note that if you have shared content publicly or with other users, or if other users have incorporated your content into their own creations (to the extent permitted by our terms), copies of that content may remain accessible even after deletion from your account. Backup copies of deleted content may be retained in our backup and disaster recovery systems for up to 90 additional days before being permanently purged, but these backups are not accessible to users or used for operational purposes.
• Billing Records and Payment Information: Financial records, invoices, payment transaction data, and subscription history are retained as required by applicable tax, accounting, and financial regulations, which typically mandate retention for a period of 5-10 years from the date of the transaction, depending on your jurisdiction and the specific legal requirements applicable to Mellows Limited. This retention is necessary for audit purposes, tax compliance, financial reporting, fraud prevention, and to handle billing disputes or chargebacks. However, as noted in Section 2, we do not store complete payment card information; such data is held solely by our payment processor in accordance with PCI DSS requirements. We retain only the limited payment information necessary for billing administration and support.
• Technical Logs, Diagnostics, and Analytics Data: Technical logs (including access logs, error logs, security logs, and diagnostic data) are typically retained for a short period necessary for operational purposes, security monitoring, troubleshooting, and service improvement, usually 30-180 days depending on the type of log and business need. After this period, logs are either deleted or aggregated and anonymized for long-term analytics purposes. Security-related logs may be retained longer if required for investigating security incidents, detecting threats, or complying with legal obligations. Aggregated and anonymized analytics data that cannot identify you personally may be retained indefinitely for statistical analysis and business intelligence purposes.
• Communications and Support Records: Customer support tickets, email correspondence, chat logs, and other communications withMellows are retained for as long as necessary to provide ongoing support, resolve issues, maintain quality assurance, train staff, and defend against potential legal claims. Typically, these records are retained for 2-7 years from the date of the last interaction, or longer if related to ongoing issues, disputes, or legal matters. After this period, communications may be deleted or anonymized unless continued retention is required by law or for legitimate business purposes.
• Marketing and Consent Records: If you have opted in to receive marketing communications, we retain your marketing preferences and consent records for as long as necessary to honor your choices and comply with legal requirements for demonstrating consent. If you unsubscribe or withdraw consent, we retain minimal information (such as your email address) in a suppression list to ensure we do not inadvertently contact you again, as required by anti-spam laws and regulations. These suppression records are retained indefinitely or as required by applicable law.
• Legal Holds and Litigation: If Personal Data is subject to a legal hold, regulatory investigation, pending litigation, or government request, we will preserve the relevant data until the matter is resolved, regardless of the standard retention periods described above. Once the legal obligation is satisfied, the data will be deleted or returned to the normal retention schedule.
• Health & Fitness Data (Apple Health / HealthKit): We apply different retention periods for different types of health data based on the principle of data minimization:
  • Sleep Summary Records: Sleep date, duration, quality score, and sleep stage statistics (deep/light/REM/awake minutes) are retained for as long as your account is active. These aggregated metrics are necessary for long-term sleep trend analysis.
  • Sleep Stage Timeline: Detailed sleep stage transitions with timestamps (e.g., "deep sleep from 23:15 to 00:30") are stored locally on your device only to enable accurate sleep stage visualizations. This data is NOT uploaded to our servers—only aggregated statistics (total minutes of each sleep stage) are synced to the cloud for AI analysis and trend tracking. Local sleep stage data is retained for 1 year on your device to support seasonal comparisons. We use aggregated sleep data to analyze your sleep patterns and provide tailored recommendations. We do not use this data for advertising, marketing, or share it with third parties for non-sleep-related purposes.
  • Heart Rate, HRV, SpO2, Respiratory Rate, Skin Temperature Samples: Individual measurements with timestamps are stored locally on your device only for 1 year to enable detailed trend visualizations and seasonal pattern analysis. Only aggregated statistics (averages, min/max values) are uploaded to our servers for AI analysis. Detailed sample data is NOT uploaded to the cloud, in compliance with GDPR data minimization principles.
  • AI-Generated Insights: Sleep insights generated by our AI are retained for 30 days for reference purposes.
  Your Control: You have full control over your health data. You can: (i) disconnect Apple Health in your device's Settings > Privacy > Health > Mellows; (ii) use the "Disconnect Apple Health" option in our app; (iii) request deletion by contacting support@mellows.ai; (iv) export all your health data via the in-app export feature (GDPR Article 20 - Data Portability); or (v) delete your Mellows account entirely, which removes all associated health data within 30 days. Please note: (A) Aggregated, anonymized insights may be retained for analytical purposes; (B) Backup copies may persist for up to 90 additional days before permanent deletion; (C) Legal obligations may require minimum data retention.

Your Data Retention Rights: You have the right to request deletion of your Personal Data at any time, subject to certain exceptions where we may need to retain information to comply with legal obligations, resolve disputes, enforce agreements, or for other legitimate purposes recognized by applicable law. If you would like to request deletion of your Personal Data or have questions about our retention practices, please contact us using the information in Section 14.

After the applicable retention period expires, Personal Data will be securely deleted or destroyed in a manner that prevents reconstruction or recovery, or it will be aggregated or anonymized so that it can no longer identify you as an individual.

8) Security

Protecting your Personal Data is a top priority for Mellows Limited. We implement and maintain comprehensive technical, physical, organizational, and administrative security measures designed to protect your Personal Data against unauthorized access, use, disclosure, alteration, destruction, or loss. Our security practices are aligned with industry standards and best practices for data protection and information security.

Technical Security Measures: We employ multiple layers of technical safeguards to protect your data, including but not limited to:

• Encryption: We use industry-standard encryption protocols to protect data both in transit and at rest. All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher, ensuring that information cannot be intercepted during transmission. Sensitive data stored in our databases, including passwords and authentication credentials, is encrypted using strong cryptographic algorithms. Passwords are hashed using secure, one-way hashing functions (such as bcrypt or Argon2) with salt, meaning we never store plaintext passwords. Backup data and archived information are also encrypted to prevent unauthorized access to historical records.
• Access Controls and Authentication: We implement strict access controls based on the principle of least privilege, meaning that employees, contractors, and systems are granted only the minimum level of access necessary to perform their specific job functions. Access to Personal Data is limited to authorized personnel who require it for legitimate business purposes. We use multi-factor authentication (MFA) for administrative access to sensitive systems and databases. User authentication is validated using secure session management, token-based authentication, and OAuth 2.0 protocols where applicable. We regularly review and audit access permissions to ensure they remain appropriate and revoke access when it is no longer necessary.
• Network and Infrastructure Security: Our infrastructure is protected by firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation to isolate sensitive systems from general network traffic. We conduct regular vulnerability scans and penetration testing to identify and address potential security weaknesses. Our servers and applications are kept up-to-date with the latest security patches and updates. We use distributed denial-of-service (DDoS) protection and rate limiting to prevent service disruptions and abuse.
• Monitoring and Logging: We maintain comprehensive logging and monitoring systems that track access to Personal Data, system activities, and security events. These logs help us detect suspicious activities, investigate potential security incidents, and respond quickly to threats. We have implemented automated alerting systems that notify our security team of anomalous behavior or potential breaches in real-time.
• Secure Development Practices: Our development team follows secure coding guidelines and conducts security reviews of all code changes. We perform regular code audits and security testing, including static and dynamic analysis, to identify and remediate vulnerabilities before deployment. We maintain separate development, staging, and production environments to prevent accidental exposure of production data during testing.

Organizational and Administrative Measures: Beyond technical controls, we have implemented organizational policies and procedures to ensure data security:

• Employee Training and Awareness: All employees, contractors, and relevant third parties with access to Personal Data receive mandatory training on data protection, privacy, and security best practices. We conduct regular security awareness programs to educate staff about phishing, social engineering, and other security threats. All personnel with access to Personal Data are required to sign confidentiality agreements and comply with our internal data protection policies.
• Third-Party Security Requirements: We conduct due diligence on Service Providers and require them to implement appropriate security measures through contractual obligations and data processing agreements. We periodically review and audit our Service Providers' security practices to ensure ongoing compliance with our security standards and applicable laws.
• Incident Response Plan: We maintain a documented incident response plan that outlines procedures for detecting, investigating, containing, and remediating security incidents and data breaches. In the event of a security breach that affects your Personal Data, we will notify affected users and relevant supervisory authorities in accordance with applicable laws and within the required timeframes. We continuously review and improve our incident response procedures based on lessons learned and emerging threats.
• Regular Security Assessments: We conduct periodic internal security audits and risk assessments to evaluate the effectiveness of our security controls and identify areas for improvement. We may engage independent third-party security experts to perform external audits and penetration tests to validate our security posture.

Physical Security: Our physical infrastructure and data centers (whether operated by us or by our hosting providers) are secured with appropriate physical access controls, including surveillance systems, biometric access controls, security personnel, and environmental controls (such as fire suppression and climate control systems) to protect against physical threats and ensure business continuity.

Backup and Disaster Recovery: We maintain regular backup schedules to ensure data availability and business continuity in the event of system failures, disasters, or data loss events. Backup data is encrypted and stored in geographically distributed locations. We periodically test our disaster recovery procedures to ensure we can restore services and data in a timely manner.

Limitations: While we strive to protect your Personal Data using industry-leading security practices, please understand that no method of data transmission over the internet, no method of electronic storage, and no security system is 100% secure or impenetrable. Despite our best efforts, we cannot guarantee absolute security of your Personal Data. Unauthorized entry or use, hardware or software failure, human error, and other factors may compromise data security at any time. The internet itself is not a secure environment, and we cannot ensure or warrant the security of any information you transmit to us. You transmit all such information at your own risk.

Your Responsibility: You are also responsible for maintaining the security of your account credentials and should take precautions to protect them. Choose a strong, unique password for your Mellows account, enable two-factor authentication if available, do not share your password with others, be cautious of phishing attempts and suspicious communications claiming to be from Mellows, and log out of your account when using shared or public devices. If you believe your account security has been compromised or you notice any suspicious activity, please contact us immediately at support@mellows.ai.

9) Your Rights

Depending on your location and applicable data protection laws, you may have certain rights regarding your Personal Data. We are committed to facilitating the exercise of these rights, subject to applicable legal limitations and exceptions. This section describes the rights that may be available to you and how to exercise them.

European Economic Area (EEA), United Kingdom, and Switzerland: If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent UK and Swiss laws:

• Right of Access: You have the right to request confirmation of whether we process your Personal Data and, if so, to obtain access to that data along with information about how it is being used, who it is shared with, how long it will be retained, and other details about the processing. You can request a copy of your Personal Data in a structured, commonly used, and machine-readable format.
• Right to Rectification: You have the right to request that we correct any inaccurate or incomplete Personal Data we hold about you. If you believe any information we have is incorrect, outdated, or incomplete, you can ask us to update or correct it.
• Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your Personal Data in certain circumstances, such as when: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent on which processing is based and there is no other legal basis for processing; (c) you object to processing based on legitimate interests and there are no overriding legitimate grounds for processing; (d) the data has been unlawfully processed; or (e) the data must be erased to comply with a legal obligation. Please note that we may not be able to delete all of your data if we have a legal obligation to retain it or if it is necessary for establishing, exercising, or defending legal claims.
• Right to Restriction of Processing: You have the right to request that we limit or restrict the processing of your Personal Data in certain situations, such as when: (a) you contest the accuracy of the data (during the period we verify accuracy); (b) the processing is unlawful but you prefer restriction over deletion; (c) we no longer need the data but you need it for legal claims; or (d) you have objected to processing and we are verifying whether our legitimate grounds override yours.
• Right to Data Portability: Where processing is based on your consent or a contract and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from us. Where technically feasible, you can request that we transmit your data directly to another controller.
• Right to Object: You have the right to object to processing of your Personal Data in the following circumstances: (a) when processing is based on legitimate interests or for the performance of a task in the public interest, you can object on grounds relating to your particular situation, and we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests; (b) when processing is for direct marketing purposes, you have an absolute right to object at any time, and we will stop processing your data for such purposes; and (c) when processing is for scientific or historical research or statistical purposes, you can object on grounds relating to your particular situation, unless the processing is necessary for a task carried out for reasons of public interest.
• Right to Withdraw Consent: Where we rely on your consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent by adjusting your settings, unsubscribing from emails, or contacting us directly.
• Right to Lodge a Complaint: If you believe that our processing of your Personal Data violates applicable data protection laws, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state or UK country of your habitual residence, place of work, or place of an alleged infringement. You can find contact information for EU supervisory authorities at https://edpb.europa.eu/about-edpb/board/members_en and for the UK Information Commissioner's Office at https://ico.org.uk. We encourage you to contact us first so we can attempt to resolve your concerns directly.
• Automated Decision-Making and Profiling: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless such processing is necessary for a contract, authorized by law, or based on your explicit consent. As stated in Section 12, we do not currently engage in such automated decision-making that produces legal or similarly significant effects.

Other Jurisdictions: If you are located in other jurisdictions, you may have similar rights under applicable local data protection laws. For example, residents of certain countries or regions may have rights to access, correct, delete, or object to the processing of their Personal Data. We will handle requests from individuals in all jurisdictions in accordance with applicable laws.

How to Exercise Your Rights: To exercise any of these rights, please contact us at support@mellows.ai with a detailed description of your request. To protect your privacy and security, we will need to verify your identity before processing your request. This may involve asking you to provide certain information to confirm you are the account holder or authorized representative. We may require additional information or documentation to verify complex or sensitive requests.

Response Time: We will respond to your request within the timeframes required by applicable law, typically within 30 days of receipt of your verified request (or within one month for GDPR requests). If we need additional time (up to 60 additional days under GDPR), we will inform you of the reason for the delay and the extended timeframe. We will provide our response in writing (including electronically) and, where feasible, in the same format as your request.

Fees: In most cases, exercising your data protection rights is free of charge. However, if your request is clearly unfounded, excessive, or repetitive, we may charge a reasonable fee to cover administrative costs or refuse to act on the request, in accordance with applicable law.

Limitations and Exceptions: Please note that there may be circumstances in which we are unable to fully comply with your request due to legal obligations, technical limitations, or where exercising your rights would adversely affect the rights and freedoms of others. In such cases, we will explain the reasons for any limitations on our ability to fulfill your request and inform you of any alternative measures available to you.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. To protect your privacy, we will require verification that the agent is authorized to act on your behalf, which may include a signed permission document, power of attorney, or other proof of authorization. We may also require you to directly verify your identity and confirm the authorization.

10) California Privacy (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), and related regulations. This section provides additional information about your rights as a California resident and how to exercise them.

Categories of Personal Information We Collect: Over the past 12 months, we have collected the following categories of Personal Information from California residents, as defined by the CCPA: (a) Identifiers (such as name, email address, IP address, unique device identifiers); (b) Customer records (such as account information, billing address); (c) Commercial information (such as subscription history, payment transactions); (d) Internet or network activity (such as browsing history, search history, interactions with our Services); (e) Geolocation data (approximate location derived from IP address); (f) Audio, electronic, or similar information (such as uploaded audio files, customer support recordings); (g) Professional or employment-related information (if provided in communications); and (h) Inferences drawn from any of the above to create a profile about preferences and characteristics.

Sources of Personal Information: We collect Personal Information directly from you (when you create an account, use our Services, or communicate with us), automatically through your use of the Services (through cookies and similar technologies), and from third-party sources (such as authentication providers, payment processors, and analytics services).

Purposes for Collecting and Using Personal Information: We collect and use Personal Information for the business and commercial purposes described in Section 3 of this Privacy Policy, including to provide and maintain the Services, improve and personalize your experience, communicate with you, process payments, comply with legal obligations, protect against fraud and security threats, and for other operational and analytical purposes.

Disclosure of Personal Information: We may disclose your Personal Information to Service Providers who perform services on our behalf (as described in Section 5), to third parties as required by law or to protect our rights, in connection with business transfers, and with your consent or at your direction. We do not "sell" Personal Information as defined by the CCPA/CPRA (i.e., we do not exchange your Personal Information for monetary consideration). We may "share" Personal Information for cross-context behavioral advertising purposes (as defined by the CPRA) through third-party cookies and analytics tools, and you have the right to opt out of such sharing as described below.

Your California Privacy Rights: As a California resident, you have the following rights:

• Right to Know: You have the right to request that we disclose to you: (1) the categories of Personal Information we have collected about you; (2) the categories of sources from which the Personal Information was collected; (3) the business or commercial purpose for collecting, selling, or sharing Personal Information; (4) the categories of third parties to whom we disclose Personal Information; (5) the specific pieces of Personal Information we have collected about you; and (6) if we sold or shared Personal Information, the categories of Personal Information sold or shared to each category of recipient. You may submit up to two requests to know in a 12-month period.
• Right to Delete: You have the right to request that we delete the Personal Information we have collected from you, subject to certain exceptions (such as when we need to retain information to complete a transaction, detect security incidents, comply with legal obligations, or for other purposes permitted by law).
• Right to Correct: You have the right to request that we correct inaccurate Personal Information we maintain about you, taking into account the nature of the Personal Information and the purposes of processing.
• Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" of your Personal Information or the "sharing" of your Personal Information for cross-context behavioral advertising. As noted above, we do not sell Personal Information for monetary consideration. To the extent we share Personal Information for advertising purposes through cookies and similar technologies, you can opt out by adjusting your cookie preferences (if we provide a cookie management tool), using browser settings to block third-party cookies, or by enabling the Global Privacy Control (GPC) signal if your browser supports it.
• Right to Limit Use of Sensitive Personal Information: If we use or disclose sensitive Personal Information (as defined by the CPRA) for purposes other than those explicitly permitted by law, you have the right to limit such use. Currently, we do not use or disclose sensitive Personal Information in a manner that would trigger this right, but if our practices change, we will update this Policy and provide you with the ability to exercise this right.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices or rates, provide you a different level or quality of goods or services, or suggest that you will receive a different price, rate, level, or quality of goods or services as a result of exercising your privacy rights, unless such differences are reasonably related to the value provided by your Personal Information or permitted by law.

How to Exercise Your California Rights: To exercise your rights to know, delete, or correct your Personal Information, please submit a verifiable consumer request by emailing us at support@mellows.ai with the subject line "California Privacy Rights Request." Please specify which right you are exercising and provide sufficient detail to allow us to identify you and locate your Personal Information in our systems. To verify your identity, we may ask you to provide information such as your account email address, account details, or other information that matches what we have on file. For requests to know specific pieces of information, we may require additional verification steps, such as a signed declaration under penalty of perjury.

Authorized Agents: You may designate an authorized agent to submit a request on your behalf. To do so, please provide the agent with written authorization signed by you, and we may require verification of both your identity and the agent's authority to act on your behalf. We may also require you to directly verify your identity with us and confirm that you provided the agent permission to submit the request.

Response Time and Format: We will respond to verifiable consumer requests within 45 days of receipt. If we need additional time (up to an additional 45 days), we will notify you of the reason and extension period. We will deliver our response electronically unless you request a different method. Any disclosures we provide will only cover the 12-month period preceding receipt of your request.

California Shine the Light Law: California Civil Code Section 1798.83 permits California residents to request information about the disclosure of their Personal Information to third parties for those third parties' direct marketing purposes. We do not disclose Personal Information to third parties for their own direct marketing purposes. If you have questions about this, you may contact us at support@mellows.ai.

Notice of Financial Incentive: We may offer financial incentives, rewards, discounts, or other benefits in exchange for the collection, retention, or sale of Personal Information, such as loyalty programs, promotional offers, or discounts for newsletter subscribers. The value of your Personal Information to us is reasonably related to the value of the incentive offered, based on factors such as the expense related to providing the incentive, the anticipated revenue generated, and the estimated value of the data. Participation in any such program is voluntary, and you may opt out at any time by following the instructions provided in the program terms or by contacting us. If and when we offer such programs, we will provide a separate notice with detailed terms and conditions.

11) Children

Protecting the privacy of children is particularly important to us. Our Services are not directed to, intended for, or designed to attract children under the age of 13 years (or under 16 years in the European Economic Area, United Kingdom, or other jurisdictions where the minimum age of consent for data processing is higher). We do not knowingly collect, use, store, or disclose Personal Data from anyone under the applicable minimum age without verified parental or guardian consent as required by law, including the Children's Online Privacy Protection Act (COPPA) in the United States, the GDPR in the EEA and UK, and similar laws in other jurisdictions.

By using our Services, you represent and warrant that you are at least 13 years of age (or the applicable minimum age in your jurisdiction). If you are under 18 years of age (or the age of majority in your jurisdiction), you represent that you have obtained permission from your parent or legal guardian to use the Services, and your parent or guardian agrees to be bound by this Privacy Policy and our Terms of Service on your behalf.

What Happens If We Learn We Have Collected Data from a Child: If we become aware that we have inadvertently collected Personal Data from a child under the applicable minimum age without proper parental consent, we will take immediate steps to delete that information from our systems as quickly as possible. We will also deactivate the associated account and cease any further collection or use of that child's Personal Data.

Parental Rights and Requests: If you are a parent or legal guardian and believe that your child under the applicable minimum age has provided us with Personal Data without your consent, please contact us immediately at support@mellows.ai with the subject line "Child Privacy Concern." Please provide sufficient information to help us identify the child's account (such as the email address used or username, if known). Upon verification of your parental status, we will promptly delete the child's Personal Data from our active systems and take appropriate measures to prevent future collection. Parents and guardians have the right to review Personal Data collected from their children, request deletion of such data, and refuse to permit further collection or use of their children's information.

Our Commitment: We are committed to complying with COPPA, the GDPR, and all other applicable children's privacy laws. We do not condition a child's participation in any activity on the disclosure of more Personal Data than is reasonably necessary for that activity. We implement age-gating mechanisms where appropriate to prevent access by underage users. If you have any questions or concerns about our practices regarding children's privacy, please contact us using the information provided in Section 14.

Third-Party Services and Links: Our Services may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices or content of these third-party services, including their collection of data from children. We encourage parents and guardians to be involved in their children's online activities and to review the privacy policies of any third-party services their children may access.

12) Automated Decision-Making

Automated decision-making refers to the process of making a decision by automated means (using technology such as algorithms, artificial intelligence, or machine learning) without any human involvement. Profiling refers to any form of automated processing of Personal Data to evaluate, analyze, or predict aspects concerning an individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Our Current Practices: We want to assure you that we do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you without human involvement. Specifically, we do not use automated systems to make decisions that would: (a) have legal effects on you, such as affecting your contractual rights, eligibility for benefits, or legal status; (b) significantly affect you in a similar manner, such as denying you access to services, automatically rejecting applications, or substantially affecting your access to opportunities.

Use of Automated Processing: While we do not engage in automated decision-making with legal or similarly significant effects, we do use some automated processing and algorithms for purposes that do not have such effects, including: (a) providing content recommendations, such as suggesting sounds, soundscapes, or features you might enjoy based on your usage patterns and preferences (these recommendations are optional and do not restrict your access to other content); (b) optimizing application performance, such as determining the most efficient content delivery methods or caching strategies; (c) detecting and preventing fraud, abuse, or security threats through automated monitoring and analysis; (d) analyzing aggregated data to understand usage trends and improve our Services; and (e) customizing your user interface based on your settings and preferences. These automated processes are designed to enhance your experience and do not make decisions that legally or significantly affect you.

Your Rights: Under GDPR and similar laws, you have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Given that we do not currently engage in such automated decision-making, this right does not typically apply to our processing activities. However, if our practices change in the future, we will: (a) update this Privacy Policy to clearly disclose any automated decision-making that may significantly affect you; (b) obtain your explicit consent where required by law; (c) implement appropriate safeguards, such as providing meaningful information about the logic involved and the significance and envisaged consequences of such processing; (d) provide you with the right to obtain human intervention, express your point of view, and contest the decision; and (e) comply with all applicable legal requirements regarding automated decision-making.

Transparency and Control: We believe in transparency and giving you control over your data. If you have questions about how automated processing may affect you or if you wish to discuss our data processing practices, please contact us at support@mellows.ai. We are committed to maintaining fair, transparent, and accountable data practices that respect your rights and dignity.

If we introduce any automated decision-making processes in the future that may have legal or similarly significant effects, we will provide clear notice to affected users, explain how the automated decisions are made, what factors are considered, and how you can exercise your rights in relation to such decisions. We will implement appropriate measures to safeguard your rights, freedoms, and legitimate interests in connection with any such automated processing.

13) Changes to This Policy

We reserve the right to modify, update, or revise this Privacy Policy at any time to reflect changes in our data practices, legal requirements, technological developments, business operations, or for other reasons. When we make changes to this Policy, we will take appropriate steps to inform you, as described below.

Notice of Changes: We will indicate that changes have been made by updating the "Effective Date" at the top of this Privacy Policy. When we make changes, the updated Policy will be posted on this page with the new effective date. We encourage you to review this Policy periodically to stay informed about how we collect, use, and protect your Personal Data. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

Material Changes: If we make material changes to this Privacy Policy that significantly affect your rights or how we handle your Personal Data, we will provide more prominent notice before the changes take effect. Such notice may include: (a) sending an email to the address associated with your account (if you have provided an email address); (b) displaying a prominent notice on our website or within the mobile application; (c) requiring you to affirmatively acknowledge the changes when you next log in or use the Services; or (d) other appropriate means of communication depending on the nature of the changes and applicable legal requirements. Material changes may include, for example: significant expansions in the categories of Personal Data we collect; new purposes for processing that are not compatible with the original purposes; changes in data retention periods that significantly extend how long we keep your data; new categories of third parties with whom we share data; changes in our international data transfer practices; or reductions in your data protection rights.

Your Options: If you disagree with any changes to this Privacy Policy, you have the right to stop using the Services and close your account. If required by applicable law, we will seek your consent for certain material changes before they take effect, particularly if the changes involve processing your Personal Data in ways that are materially different from those disclosed when you initially provided your data or last consented to our data practices. If you do not provide required consent, you may not be able to continue using certain features or all of the Services.

Version History: We may maintain a version history or archive of previous versions of this Privacy Policy for reference purposes. If you would like to review a previous version of this Policy or have questions about changes we have made, please contact us at support@mellows.ai.

Effective Date of Changes: Unless otherwise specified, changes to this Privacy Policy will become effective on the date specified in the revised Policy. In some cases, where permitted by law, changes may become effective immediately upon posting. In cases where we are required to provide advance notice or obtain consent, the changes will not take effect until the notice period has expired or consent has been obtained.

We strongly encourage you to review this Privacy Policy regularly and especially before providing any new Personal Data or when you notice the effective date has changed. Staying informed about our privacy practices will help you make informed decisions about your use of our Services and your privacy.

14) Contact

If you have any questions, concerns, or comments about this Privacy Policy, our data practices, or how we handle your Personal Data, we encourage you to contact us. We are committed to addressing your inquiries promptly and working with you to resolve any issues. You can reach us through the following methods:

Company: Mellows Limited
Address: West Wing, 2/F, 822 Lai Chi Kok Road, Cheung Sha Wan, Kowloon, Hong Kong SAR
Email: support@mellows.ai
Website: https://mellows.ai

When contacting us by email, please include "Privacy Inquiry" or a descriptive subject line so we can route your message to the appropriate team member. For specific requests (such as data access, deletion, correction, or opt-out requests), please clearly state your request and provide sufficient information for us to verify your identity and locate your account.

Response Time: We aim to respond to all privacy-related inquiries within a reasonable timeframe, typically within 5-10 business days for general questions, and within the timeframes required by law for formal data subject requests (usually within 30-45 days, depending on the jurisdiction and nature of the request). If your inquiry is complex or requires additional time to address, we will contact you to provide an estimated response time and keep you informed of our progress.

Data Protection Officer: While we are not currently required to designate a Data Protection Officer (DPO) or Privacy Officer under applicable laws, we have designated privacy contacts responsible for overseeing compliance with this Privacy Policy and applicable data protection regulations. If your inquiry relates to data protection compliance, GDPR matters, or other regulatory issues, please address your communication to our privacy team at the email address above.

Supervisory Authority: If you are located in the EEA, UK, or Switzerland and you believe that our processing of your Personal Data violates applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority in your country of residence, place of work, or the location of the alleged violation. While you have this right, we encourage you to contact us first so we have the opportunity to address your concerns directly and attempt to resolve any issues.

California Residents: If you are a California resident and have questions about your privacy rights under the CCPA/CPRA, or wish to submit a request to know, delete, or correct your Personal Data, please email us at support@mellows.ai with "California Privacy Rights Request" in the subject line.

Additional Information: When contacting us about privacy matters, please provide as much detail as possible about your inquiry or request. This may include your account information, the nature of your request, specific concerns or questions, and any relevant context that will help us address your inquiry effectively. To protect your privacy and security, we may need to verify your identity before responding to certain requests, particularly those involving access to or deletion of Personal Data.

We take all privacy inquiries seriously and are committed to protecting your Personal Data and respecting your privacy rights. Thank you for taking the time to review our Privacy Policy and for trusting us with your information.