Privacy Policy

Effective Date: April 13, 2026

1. Introduction

This Privacy Policy ("Policy") describes how Eve-Theology, LLC, a Nevada limited liability company and wholly owned subsidiary of MindHYVE.ai, Inc., a Nevada C-Corporation (collectively, "Eve-Theology," "we," "us," or "our"), collects, uses, discloses, retains, and protects your personal information when you access or use the TheoAI™ platform and all related services.

This Policy applies to all products and services offered under the TheoAI™ brand, including but not limited to:

Theo — the primary conversational AI interface, accessible at chat.theogrid.ai;
Majlis — the collaborative discussion platform, accessible at majlis.theogrid.ai;
Mizan — the comparative analysis tool, accessible at mizan.theogrid.ai; and
The TheoAI™ marketing website at www.theogrid.ai.

Eve-Theology, LLC is the data controller responsible for your personal information under applicable data protection laws. MindHYVE.ai, Inc. serves as the parent entity and may process data on behalf of Eve-Theology, LLC in accordance with this Policy.

By accessing or using any TheoAI™ product or service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree with any part of this Policy, you must discontinue use of our services immediately.

2. Information We Collect

We collect information through several methods depending on how you interact with TheoAI™. The categories of information we collect are described below.

2.1 Account Information

When you create an account, we collect and process the following:

Full name and email address;
Password hash (your plaintext password is never stored; authentication is managed through Microsoft Azure AD B2C);
Subscription tier and account status;
Clover customer identifier, for the purpose of payment processing; and
Billing information as required to process your subscription (payment card details are processed and stored exclusively by Fiserv, Inc. (Clover); we do not receive, transmit, or store full payment card numbers).

2.2 Conversation Data

When you interact with TheoAI™, we collect and store:

Messages and prompts you submit to Theo, Majlis, or Mizan;
AI-generated responses, including citations, source references, and bibliographic data;
Reasoning traces, cognitive operations applied, and evidence chains generated during response processing;
Confidence levels and quality indicators associated with generated responses; and
Timestamps, conversation identifiers, and session metadata.

Conversations are stored to provide continuity of context, enable memory and personalization features, and improve the quality of responses over time within your individual account.

2.3 User Memories

TheoAI™ extracts and stores structured memories derived from your conversations. These memories may include your stated preferences, madhab or school of thought, topics of interest, personal context you voluntarily share, and other information relevant to providing personalized responses. You may view, edit, and delete individual memories at any time through the Settings interface within the applicable product.

2.4 Classification Data

Messages submitted to TheoAI™ are automatically classified for quality assurance and product improvement purposes. Classification metadata may include:

Detected emotional context (e.g., curiosity, seeking guidance, distress);
Inferred intent category (e.g., academic inquiry, practical ruling request, comparative analysis);
Urgency assessment;
Life context classification (e.g., general knowledge, marriage, finance, worship); and
Satisfaction signals derived from user behavior within a session.

This classification is performed by automated systems and is used solely for internal product improvement and safety monitoring. Classification data is not shared with third parties and is not used to make decisions that produce legal effects or similarly significant effects on you.

2.5 Anonymous Session Data

If you interact with TheoAI™ before creating an account, we collect limited session-level data, including:

A randomly generated session identifier;
Number of questions submitted during the session;
Country of origin (derived from your IP address at the time of the request; the raw IP address is not stored);
Referrer URL and UTM campaign parameters, if applicable;
Device type and browser user agent string.

This data is collected for analytics and product improvement purposes. Anonymous session data is not linked to your identity after account creation unless you convert from an anonymous session to a registered account during the same session, in which case the session data may be associated with your account to ensure service continuity.

2.6 Usage Data

We collect operational and usage data, including:

Token consumption and response latency metrics;
AI model identifiers used to generate responses;
Feature usage patterns (e.g., bookmarks, memory interactions, conversation exports, madhab selection); and
Subscription lifecycle events (e.g., upgrades, downgrades, cancellations).

2.7 Contact Form Submissions

If you submit a message through any contact form on our websites, we collect your name, email address, inquiry type, and the content of your message. This information is used solely to respond to your inquiry and is retained in accordance with Section 6 of this Policy.

3. How We Use Your Information

We use the information we collect for the following purposes:

To provide, operate, maintain, and improve TheoAI™ services, including generating contextually relevant, personalized responses based on your conversation history and stored memories;
To authenticate your identity and manage access to your account;
To process billing transactions, manage subscription status, and communicate with you regarding your account (via Clover);
To classify conversations for internal product quality assurance and safety monitoring;
To generate aggregated, anonymized analytical reports and intelligence snapshots for product development purposes (no individually identifiable data is included in such reports);
To detect, investigate, and prevent fraud, abuse, adversarial use, and violations of our Terms of Service;
To respond to your inquiries, support requests, and other communications;
To comply with applicable legal obligations, regulatory requirements, legal processes, or enforceable governmental requests; and
To protect the rights, safety, and property of Eve-Theology, LLC, MindHYVE.ai, Inc., our users, and the public.

We do NOT use your conversations, personal data, or any user-generated content to train, fine-tune, or otherwise improve artificial intelligence or machine learning models. TheoAI™'s AI capabilities are powered by the Islamic Primary Source Corpus (IPSC) and proprietary training data developed under the Eve-Genesis™ program. Your conversations remain your own and are never incorporated into training datasets.

4. Data Storage and Security

We implement comprehensive administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

4.1 Infrastructure

All data is stored and processed on Microsoft Azure cloud infrastructure located in the East US 2 region (Virginia, United States). Our infrastructure leverages Azure's enterprise-grade security certifications, including SOC 1/2/3, ISO 27001, ISO 27018, and HIPAA BAA compliance.

4.2 Encryption

At rest: All data is encrypted using AES-256 encryption via Azure Storage Service Encryption and Transparent Data Encryption (TDE) for database services.
In transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. Connections that do not support TLS 1.2 are rejected.

4.3 Authentication and Access Control

User authentication is managed through Microsoft Azure AD B2C with industry-standard JWT token issuance and validation;
All secrets, API keys, and credentials are stored in Azure Key Vault and accessed via managed identity — they are never stored in source code, configuration files, or environment variables in production; and
Internal access to production systems is restricted by role-based access control (RBAC) and requires multi-factor authentication.

4.4 Network Security

Backend services in production have no public-facing endpoints;
Service-to-service communication is secured via Azure Private Endpoints and network security groups (NSGs); and
Database connections require SSL/TLS and are restricted to authorized network segments.

4.5 Monitoring and Audit

Continuous security monitoring is performed via Azure Monitor and Application Insights;
Access and operational events are logged with tamper-evident audit trails; and
SOC 2 Type II audit preparation is currently underway, with formal attestation anticipated within the current fiscal year.

While we employ industry-leading measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge that you provide personal information at your own risk.

5. Data Sharing and Third Parties

We share personal information only with the categories of service providers described below, and only to the extent necessary to operate TheoAI™. Each third-party provider is bound by contractual obligations to protect your data and to use it only for the purposes we specify.

5.1 AI Processing

Anthropic, PBC. Your messages are transmitted to Anthropic for the purpose of generating AI responses. Messages are processed in real-time and are subject to Anthropic's data processing terms, which prohibit the use of your messages for model training. Anthropic does not retain your messages after processing is complete.

5.2 Payment Processing

Fiserv, Inc. (Clover). Payment and billing information is processed by Clover (Fiserv) in accordance with Clover's privacy policy and PCI DSS Level 1 compliance standards. We transmit only the data necessary to process your subscription. We do not receive, store, or have access to your full credit or debit card number.

5.3 Cloud Infrastructure

Microsoft Corporation (Azure). All TheoAI™ data is hosted on Microsoft Azure. Microsoft processes data in accordance with the Microsoft Products and Services Data Protection Addendum (DPA) and applicable Azure compliance certifications.

5.4 Analytics

Plausible Analytics. We use Plausible, a privacy-respecting, cookieless analytics service, to understand aggregate website usage. Plausible does not collect personal data, does not use cookies, and is hosted within the European Union. No individual user data is transmitted to Plausible.

5.5 Legal and Safety Disclosures

We may disclose your information if we believe in good faith that disclosure is reasonably necessary to:

Comply with applicable law, regulation, legal process, or governmental request;
Enforce our Terms of Service or other agreements;
Protect the safety, rights, or property of Eve-Theology, LLC, MindHYVE.ai, Inc., our users, or the public; or
Detect, prevent, or address fraud, security incidents, or technical issues.

5.6 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your information.

We do NOT sell, rent, lease, or trade your personal information to any third party. We do NOT share your data with advertisers or advertising networks. We do NOT engage in data brokerage of any kind.

6. Data Retention

We retain your personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

Conversation data: Retained for the duration of your active account. Upon account deletion, conversation data is permanently deleted within thirty (30) calendar days.
User memories: Retained until you delete them individually through Settings or until your account is deleted, whichever occurs first.
Anonymous session data: Retained for ninety (90) days from the date of collection, then automatically and permanently purged.
Billing and financial records: Retained for seven (7) years from the date of the transaction, as required by applicable tax and financial reporting regulations (26 U.S.C. § 6501 et seq.).
Audit and security logs: Retained for three (3) years from the date of the event for security, compliance, and incident response purposes.
Aggregated analytics: Retained indefinitely in anonymized, aggregated form. Aggregated data does not contain individually identifiable information and cannot be reconstituted to identify any individual.

7. Your Rights

7.1 Rights Available to All Users

Regardless of your location, you have the following rights with respect to your personal information:

Access: You may request a copy of the personal information we hold about you.
Correction: You may update or correct inaccurate personal information through your account Settings or by contacting us.
Deletion: You may delete your account and all associated personal data. Account deletion requests are processed and completed within thirty (30) calendar days.
Data export: You may request a portable, machine-readable copy of your conversation history and account data.
Memory control: You may view, edit, and delete individual memories stored by TheoAI™ at any time through the Settings interface.
Opt-out of classification: You may request that automated message classification be disabled for your account by contacting privacy@mindhyve.ai.

7.2 Additional Rights for EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (Regulation (EU) 2016/679):

Right to erasure: You may request the deletion of your personal data ("right to be forgotten") where there is no compelling reason for continued processing.
Right to data portability: You may request your personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller.
Right to restrict processing: You may request restriction of processing of your personal data under certain circumstances.
Right to object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

Legal bases for processing: We process your personal data under the following legal bases: (a) Consent — when you create an account and agree to this Policy; (b) Performance of a contract — when processing is necessary to provide the services you have requested; (c) Legitimate interests — for product improvement, security, and fraud prevention, where such interests are not overridden by your fundamental rights and freedoms.

7.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.):

Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.
Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
Right to correct: You have the right to request correction of inaccurate personal information.
Right to opt-out of sale or sharing: We do NOT sell your personal information, nor do we share it for cross-context behavioral advertising. Therefore, there is no need to opt out, though we honor such requests.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Sensitive personal information: We do NOT use sensitive personal information for purposes beyond what is necessary to provide TheoAI™ services.

To exercise your CCPA/CPRA rights, contact us at privacy@mindhyve.ai. We will verify your identity before processing your request. You may designate an authorized agent to submit a request on your behalf.

7.4 Children's Privacy (COPPA)

TheoAI™ is not directed at, and is not intended for use by, children under the age of thirteen (13). We do not knowingly collect, solicit, or maintain personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at privacy@mindhyve.ai. Upon verification, we will promptly delete such information from our systems.

8. Cookies and Tracking Technologies

TheoAI™ employs a minimal-tracking approach to respect your privacy:

No advertising cookies. We do not use Google Analytics, Google Tag Manager, Facebook Pixel, or any third-party advertising or remarketing cookies or tracking technologies.
Essential session data only. Authentication tokens are stored in browser memory for the duration of your authenticated session. These are not persistent cookies and are cleared when you close your browser or log out.
Cookieless analytics. We use Plausible Analytics, a privacy-respecting, cookieless analytics service that does not collect personal data, does not use cookies, and does not track individual users.
No cross-site tracking. We do not track your activity across other websites or services. We do not participate in cross-site tracking networks or advertising exchanges.

9. International Data Transfers

Your personal information is stored and processed in the United States, specifically within the Microsoft Azure East US 2 region (Virginia). If you access or use TheoAI™ from a jurisdiction outside the United States, including from the European Union, European Economic Area, United Kingdom, or any other jurisdiction with data protection laws that differ from those of the United States, you acknowledge and consent to the transfer of your personal information to the United States.

For transfers of personal data from the EU/EEA to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the lawful mechanism for such transfer, supplemented by additional technical and organizational measures as appropriate. Our cloud infrastructure provider, Microsoft Azure, maintains compliance with the EU-U.S. Data Privacy Framework.

If you have concerns about international data transfers, you may contact us at privacy@mindhyve.ai to discuss available safeguards.

10. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will provide notice by one or more of the following means: (a) updating the "Effective Date" at the top of this Policy; (b) sending an email notification to the address associated with your account; or (c) displaying an in-app notification within TheoAI™.

We encourage you to review this Policy periodically. Your continued use of TheoAI™ after the effective date of a revised Policy constitutes your acceptance of the revised terms. If you do not agree to the revised Policy, you must discontinue use of our services.

For material changes that affect the fundamental nature of our data processing activities, we will provide at least thirty (30) days' advance notice before the changes take effect.

11. Contact Information

For privacy inquiries, data access requests, data deletion requests, or to exercise any of the rights described in this Policy, please contact:

Privacy Officer
Eve-Theology, LLC
A subsidiary of MindHYVE.ai, Inc.
1501 Quail St, Suite 130
Newport Beach, CA 92660
United States

Privacy inquiries: privacy@mindhyve.ai
General inquiries: hello@mindhyve.ai
Security concerns: security@mindhyve.ai

We will acknowledge receipt of your request within five (5) business days and endeavor to respond substantively within thirty (30) calendar days. If additional time is required due to the complexity or volume of your request, we will notify you of the extension and the reasons for the delay.