Privacy Policy
Effective Date: May 6, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Eve-Theology, LLC, a Nevada limited liability company and wholly owned subsidiary of MindHYVE.ai, Inc., a Nevada C-Corporation (collectively, "Eve-Theology," "we," "us," or "our"), collects, uses, discloses, retains, and protects your personal information when you access or use the TheoAI™ platform and all related services.
This Policy applies to all products and services offered under the TheoAI™ brand, including but not limited to:
- Theo — the primary conversational AI interface, accessible at chat.theogrid.ai;
- Majlis — the collaborative discussion platform, accessible at majlis.theogrid.ai;
- Mizan — the comparative analysis tool, accessible at mizan.theogrid.ai; and
- The TheoAI™ marketing website at www.theogrid.ai.
Eve-Theology, LLC is the data controller responsible for your personal information under applicable data protection laws. MindHYVE.ai, Inc. serves as the parent entity and may process data on behalf of Eve-Theology, LLC in accordance with this Policy.
By accessing or using any TheoAI™ product or service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree with any part of this Policy, you must discontinue use of our services immediately.
2. Information We Collect
We collect information through several methods depending on how you interact with TheoAI™. The categories of information we collect are described below.
2.1 Account Information
When you create an account, we collect and process the following:
- Full name and email address;
- Authentication credentials. TheoAI™ supports several authentication methods. For users who sign in via federated identity providers (Microsoft, Google, or Apple), we receive an opaque identifier issued by Microsoft Entra External ID (formerly Azure AD B2C) and store no password. For users who register and sign in via native email-and-password, we store a one-way bcrypt hash (cost factor 10) of your password — your plaintext password is never stored, transmitted in cleartext, or recoverable from the hash. We rotate authentication-related secrets on a quarterly cadence and on personnel change;
- Subscription tier and account status;
- Payment-processor identifiers. Where you maintain a paid subscription, we store the customer identifier issued by our active payment processor (Fiserv, Inc. dba "Clover") and, for legacy subscriptions migrated from a prior processor, the associated identifier from that prior processor; and
- Billing information as required to process your subscription (payment card details are processed and stored exclusively by the payment processor of record; we do not receive, transmit, or store full payment card numbers under any condition).
2.2 Conversation Data
When you interact with TheoAI™, we collect and store:
- Messages and prompts you submit to Theo, Majlis, or Mizan;
- AI-generated responses, including citations, source references, and bibliographic data;
- Reasoning traces, cognitive operations applied, and evidence chains generated during response processing;
- Confidence levels and quality indicators associated with generated responses; and
- Timestamps, conversation identifiers, and session metadata.
Conversations are stored to provide continuity of context, enable memory and personalization features, and improve the quality of responses over time within your individual account.
2.3 User Memories
TheoAI™ extracts and stores structured memories derived from your conversations. These memories may include your stated preferences, madhab or school of thought, topics of interest, personal context you voluntarily share, and other information relevant to providing personalized responses. You may view, edit, and delete individual memories at any time through the Settings interface within the applicable product.
2.4 Classification Data
Messages submitted to TheoAI™ are automatically classified for quality assurance and product improvement purposes. Classification metadata may include:
- Detected emotional context (e.g., curiosity, seeking guidance, distress);
- Inferred intent category (e.g., academic inquiry, practical ruling request, comparative analysis);
- Urgency assessment;
- Life context classification (e.g., general knowledge, marriage, finance, worship); and
- Satisfaction signals derived from user behavior within a session.
This classification is performed by automated systems and is used solely for internal product improvement and safety monitoring. Classification data is not shared with third parties and is not used to make decisions that produce legal effects or similarly significant effects on you.
2.5 Anonymous Session Data
If you interact with TheoAI™ before creating an account, we collect limited session-level data, including:
- A randomly generated session identifier;
- Number of questions submitted during the session;
- Country of origin (derived from your IP address at the time of the request; the raw IP address is not stored);
- Referrer URL and UTM campaign parameters, if applicable;
- Device type and browser user agent string.
This data is collected for analytics and product improvement purposes. Anonymous session data is not linked to your identity after account creation unless you convert from an anonymous session to a registered account during the same session, in which case the session data may be associated with your account to ensure service continuity.
2.6 Usage Data
We collect operational and usage data, including:
- Token consumption and response latency metrics;
- AI model identifiers used to generate responses;
- Feature usage patterns (e.g., bookmarks, memory interactions, conversation exports, madhab selection);
- Subscription lifecycle events (e.g., upgrades, downgrades, cancellations); and
- Internet Protocol (IP) addresses associated with authenticated sessions and security-relevant events. We retain IP addresses in two places: (a) the active-session record so you can review and revoke devices from your account Settings, and (b) the security audit log for events such as sign-in, sign-out, password change, and account deletion. IP addresses are used solely for fraud prevention, account-takeover detection, security monitoring, and incident response. They are not used for advertising, profiling, location-based service personalization, or any analytics outside the security-monitoring purpose. Retention follows the schedule in Section 6.
2.7 Contact Form Submissions
If you submit a message through any contact form on our websites, we collect your name, email address, inquiry type, and the content of your message. This information is used solely to respond to your inquiry and is retained in accordance with Section 6 of this Policy.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, maintain, and improve TheoAI™ services, including generating contextually relevant, personalized responses based on your conversation history and stored memories;
- To authenticate your identity and manage access to your account;
- To process billing transactions, manage subscription status, and communicate with you regarding your account (via Clover);
- To classify conversations for internal product quality assurance and safety monitoring;
- To generate aggregated, anonymized analytical reports and intelligence snapshots for product development purposes (no individually identifiable data is included in such reports);
- To detect, investigate, and prevent fraud, abuse, adversarial use, and violations of our Terms of Service;
- To respond to your inquiries, support requests, and other communications;
- To comply with applicable legal obligations, regulatory requirements, legal processes, or enforceable governmental requests; and
- To protect the rights, safety, and property of Eve-Theology, LLC, MindHYVE.ai, Inc., our users, and the public.
We do NOT use your conversations, personal data, or any user-generated content to train, fine-tune, or otherwise improve artificial intelligence or machine learning models. TheoAI™'s AI capabilities are powered by the Islamic Primary Source Corpus (IPSC) and proprietary training data developed under the Eve-Genesis™ program. Your conversations remain your own and are never incorporated into training datasets.
4. Data Storage and Security
We implement comprehensive administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
4.1 Infrastructure
All data is stored and processed on Microsoft Azure cloud infrastructure located in the East US 2 region (Virginia, United States). Our infrastructure leverages Azure's enterprise-grade security certifications, including SOC 1/2/3, ISO 27001, ISO 27018, and HIPAA BAA compliance.
4.2 Encryption
- At rest: All data is encrypted using AES-256 encryption via Azure Storage Service Encryption and Transparent Data Encryption (TDE) for database services.
- In transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. Connections that do not support TLS 1.2 are rejected.
4.3 Authentication and Access Control
- User authentication is managed through Microsoft Azure AD B2C with industry-standard JWT token issuance and validation;
- All secrets, API keys, and credentials are stored in Azure Key Vault and accessed via managed identity — they are never stored in source code, configuration files, or environment variables in production; and
- Internal access to production systems is restricted by role-based access control (RBAC) and requires multi-factor authentication.
4.4 Network Security
- Backend services in production have no public-facing endpoints;
- Service-to-service communication is secured via Azure Private Endpoints and network security groups (NSGs); and
- Database connections require SSL/TLS and are restricted to authorized network segments.
4.5 Monitoring and Audit
- Continuous security monitoring is performed via Azure Monitor and Application Insights;
- Access and operational events are logged with tamper-evident audit trails; and
- SOC 2 Type II audit preparation is currently underway, with formal attestation anticipated within the current fiscal year.
While we employ industry-leading measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you acknowledge that you provide personal information at your own risk.
5. Data Sharing and Third Parties
We share personal information only with the categories of service providers described below, and only to the extent necessary to operate TheoAI™. Each third-party provider is bound by contractual obligations to protect your data and to use it only for the purposes we specify.
5.1 AI Processing
Anthropic, PBC. Your messages are transmitted to Anthropic for the purpose of generating AI responses. Messages are processed in real-time and are subject to Anthropic's data processing terms, which prohibit the use of your messages for model training. Anthropic does not retain your messages after processing is complete.
5.2 Payment Processing
Fiserv, Inc. (Clover). Payment and billing information is processed by Clover (Fiserv) in accordance with Clover's privacy policy and PCI DSS Level 1 compliance standards. We transmit only the data necessary to process your subscription. We do not receive, store, or have access to your full credit or debit card number.
5.3 Cloud Infrastructure
Microsoft Corporation (Azure). All TheoAI™ data is hosted on Microsoft Azure. Microsoft processes data in accordance with the Microsoft Products and Services Data Protection Addendum (DPA) and applicable Azure compliance certifications.
5.4 Analytics & Behavioural Telemetry (consent-gated)
The following services run only after you grant analytics consent through the cookie banner. Decline consent at any time and these services are not loaded.
- Microsoft Clarity (a Microsoft Corporation product): session replay, heatmaps, and behavioural analytics. Microsoft processes data in accordance with the Microsoft Products and Services Data Protection Addendum (DPA). We use Clarity’s consentv2 API to pass your consent decision; Clarity sets cookies (_clck, _clsk) only when consent is granted.
- Microsoft Application Insights (Azure Monitor): pageview and custom-event telemetry, also processed by Microsoft under the Azure DPA. Used to debug performance and reliability of TheoAI™ surfaces.
- Meta Pixel (Meta Platforms, Inc.): conversion tracking for marketing-page outbound clicks. Implemented via Meta’s Consent Mode — the pixel is registered with consent: revoke by default and only fires after you grant ad-storage consent through the cookie banner.
- First-party event tracker: aggregate page-view, scroll-depth, and CTA-click events sent to our own backend at api.theogrid.ai/api/v1/events. These events are only transmitted when analytics consent is granted; otherwise the queue is dropped client-side without ever leaving your browser.
We do not sell your data to advertisers; the Meta Pixel is used solely for measuring outbound conversion, not for retargeting or audience-building. You can revoke consent at any time via the cookie banner controls or by clearing the theogrid-consent entry from your browser’s localStorage.
5.5 Legal and Safety Disclosures
We may disclose your information if we believe in good faith that disclosure is reasonably necessary to:
- Comply with applicable law, regulation, legal process, or governmental request;
- Enforce our Terms of Service or other agreements;
- Protect the safety, rights, or property of Eve-Theology, LLC, MindHYVE.ai, Inc., our users, or the public; or
- Detect, prevent, or address fraud, security incidents, or technical issues.
5.6 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your information.
We do NOT sell, rent, lease, or trade your personal information to any third party. We do NOT share your data with advertisers or advertising networks. We do NOT engage in data brokerage of any kind.
6. Data Retention
We retain your personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:
- Conversation data: Retained for the duration of your active account. Upon account deletion, your account record is anonymized immediately (your email, name, and avatar are removed and replaced with generic placeholder values; your password hash is cleared; your active sessions are revoked). Underlying conversation messages, audit log entries, and session records associated with your account are permanently purged within ninety (90) calendar days of account deletion as part of our scheduled data-retention cleanup. We retain this 90-day window to support fraud-investigation, financial-reconciliation, and abuse-handling obligations that may arise immediately after account termination.
- User memories: Retained until you delete them individually through Settings or until your account is deleted, whichever occurs first.
- Anonymous session data: Retained for ninety (90) days from the date of collection, then automatically and permanently purged.
- Billing and financial records: Retained for seven (7) years from the date of the transaction, as required by applicable tax and financial reporting regulations (26 U.S.C. § 6501 et seq.).
- Audit and security logs: Retained for three (3) years from the date of the event for security, compliance, and incident response purposes.
- Aggregated analytics: Retained indefinitely in anonymized, aggregated form. Aggregated data does not contain individually identifiable information and cannot be reconstituted to identify any individual.
7. Your Rights
7.1 Rights Available to All Users
Regardless of your location, you have the following rights with respect to your personal information:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may update or correct inaccurate personal information through your account Settings or by contacting us.
- Deletion: You may delete your account at any time through the Settings interface within the TheoAI™ chat application. Upon submission of a deletion request, your profile is anonymized immediately and you are signed out of all active sessions. Underlying conversation data, messages, and audit log entries are scheduled for permanent purge within ninety (90) calendar days of the deletion request, in accordance with our data-retention schedule (see Section 6).
- Data export: You may request a portable, machine-readable copy of your conversation history and account data.
- Memory control: You may view, edit, and delete individual memories stored by TheoAI™ at any time through the Settings interface.
- Opt-out of classification: You may request that automated message classification be disabled for your account by contacting privacy@mindhyve.ai.
7.2 Sensitive Personal Data — Religious Belief
TheoAI™ is, by design, a platform for Islamic-scholarship research. The substance of your interactions with the Services — including the questions you submit, the topics you research, the madhab or school of thought you indicate as a preference, and the contextual classifications applied to your messages — reveals data about your religious or philosophical beliefs and practices. Several jurisdictions classify this category of information as sensitive personal data, including:
- Indonesia — Personal Data Protection Law (Law No. 27 of 2022, "UU PDP"), Article 4;
- Malaysia — Personal Data Protection Act 2010, Section 40;
- Kingdom of Saudi Arabia — Personal Data Protection Law (Royal Decree No. M/19 of 1443H, "PDPL"), Article 6;
- United Arab Emirates — Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, Article 5;
- Arab Republic of Egypt — Law No. 151 of 2020 on the Protection of Personal Data, Article 12; and
- European Union / European Economic Area — Regulation (EU) 2016/679 ("GDPR"), Article 9.
Legal basis — explicit consent. Each of the statutes above requires explicit, informed, and freely given consent before sensitive personal data may be processed. By creating an account and confirming the dedicated explicit-consent statement presented at registration, you consent to TheoAI™'s processing of data revealing your religious and philosophical beliefs for the limited purpose of providing personalized scholarly research services as described in this Policy. You may withdraw your consent at any time through the Settings interface within the chat application or by contacting privacy@mindhyve.ai. Withdrawal of consent does not affect the lawfulness of processing performed prior to withdrawal and may necessitate termination of your account if continued service provision becomes impossible without the withdrawn data.
Universal data-subject rights. Regardless of the specific jurisdiction in which you reside, you may exercise the following rights with respect to your sensitive personal data: the right of access, the right to rectification, the right to erasure, the right to data portability, the right to restrict processing, the right to object to processing, and the right to withdraw consent. To exercise any of these rights, contact privacy@mindhyve.ai; we will verify your identity and respond within thirty (30) calendar days.
Right to lodge a complaint. You have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction of residence, including (without limitation) the Indonesian Ministry of Communication and Informatics, the Malaysian Personal Data Protection Department (JPDP), the Saudi Data and AI Authority (SDAIA), the UAE Data Office, the Egyptian Personal Data Protection Centre, the Information Commissioner's Office (UK), or any competent supervisory authority in the European Union.
7.3 California Residents
For California residents, the rights described in Section 7.1 above are the same rights afforded under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.100 et seq. We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. We do not use sensitive personal information for any purpose beyond providing the Services as described in this Policy. We will not discriminate against you for exercising any of your privacy rights. To exercise your rights, contact privacy@mindhyve.ai; you may designate an authorized agent to submit a request on your behalf.
7.4 Children's Privacy (COPPA)
TheoAI™ is not directed at, and is not intended for use by, children under the age of thirteen (13). We do not knowingly collect, solicit, or maintain personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at privacy@mindhyve.ai. Upon verification, we will promptly delete such information from our systems.
8. Cookies, Consent & Tracking Technologies
8.1 Consent management
On your first visit to theogrid.ai or ipsc.theogrid.ai a cookie consent banner is displayed. Until you make a choice, no analytics cookies are set, the Microsoft Clarity SDK is not loaded, the Meta Pixel does not fire (it sits in consent: revoke state), and our first-party event tracker does not transmit anything to our backend.
Your consent decision is stored in your browser at localStorage['theogrid-consent'] with the following shape:
{
"ad_storage": "granted" | "denied",
"analytics_storage": "granted" | "denied",
"ts": "ISO-8601 timestamp",
"v": 1
}
This shape mirrors Microsoft Clarity’s consentv2 API and Meta’s Consent Mode so we can extend to granular toggles later without breaking the contract. To revoke consent, clear the entry or click “Decline” when the banner is shown again.
8.2 Cookies set when you accept
- _clck (Microsoft Clarity, 1 year): persistent Clarity user ID for session stitching.
- _clsk (Microsoft Clarity, 1 day): connects page views into sessions.
- _fbp (Meta Pixel, 90 days): browser-level identifier used by Meta for conversion measurement.
- theogrid-consent (first-party, no expiry): your consent decision (see 8.1). This is set even if you decline, so we know not to re-prompt.
8.3 What we do NOT do
- No advertising retargeting. The Meta Pixel is used only for outbound-conversion measurement, not for retargeting audiences or building advertising profiles.
- No data sale. We do not sell, rent, or trade your data to advertisers, brokers, or audience networks.
- No cross-site tracking. We do not deploy any third-party identifiers that follow you across other websites.
- Limited analytics in chat. Microsoft Clarity is configured in strict-mode content masking, which automatically masks form input fields (including the text you type into the chat composer). Rendered chat content (the messages you have sent and the AI's responses, displayed on screen) may be recorded for product-quality and behavioural-analysis purposes in line with the rest of this Policy. Clarity does not receive your account credentials, payment-card data, or any data that would enable a third party to reconstruct your account.
8.4 EEA / UK / Switzerland enforcement
Beginning 2025-10-31, Microsoft Clarity enforces consent-signal requirements for visitors from the European Economic Area, United Kingdom, and Switzerland. If you decline consent or do not respond to the banner, Clarity operates in no-consent mode (no cookies, no session stitching), and the Meta Pixel and first-party tracker remain dormant. The site’s functionality is unaffected.
9. International Data Transfers
Your personal information is stored and processed in the United States, specifically within the Microsoft Azure East US 2 region (Virginia). TheoAI™ serves users globally; in particular, our user base includes residents of Indonesia, Malaysia, Pakistan, Bangladesh, Saudi Arabia, the United Arab Emirates, Egypt, Qatar, Bahrain, Kuwait, Jordan, Morocco, Algeria, Tunisia, Nigeria, the United Kingdom, the European Union, and the United States. Wherever you reside, your personal information is transferred to and processed in the United States in connection with your use of the Services.
Cross-border transfer consent. By creating an account or otherwise using the Services from a jurisdiction outside the United States, you consent to the transfer of your personal information to the United States and to its processing on infrastructure operated by Microsoft Corporation in accordance with the Microsoft Products and Services Data Protection Addendum. We rely on Microsoft's contractual and technical safeguards (including AES-256 encryption at rest, TLS 1.2+ encryption in transit, and access controls implemented via Microsoft Entra ID) to maintain a level of protection equivalent to that required by your local law.
If you have concerns about international data transfers or wish to exercise rights specific to your jurisdiction, contact us at privacy@mindhyve.ai or our Data Protection Officer at dpo@mindhyve.ai.
10. Data Breach Notification
In the event of a personal-data breach affecting your personal information, we will notify you and applicable supervisory authorities in accordance with applicable law. Specifically:
- For breaches subject to Indonesian Law No. 27 of 2022 (UU PDP), Egyptian Law No. 151 of 2020, EU Regulation 2016/679 (GDPR), or any other statute requiring 72-hour notification, we will notify the relevant supervisory authority and affected data subjects within seventy-two (72) hours of confirmed discovery.
- For breaches subject to U.S. state notification statutes (including but not limited to Cal. Civ. Code § 1798.82) or to the data-protection laws of the Kingdom of Saudi Arabia, the United Arab Emirates, Malaysia, or other jurisdictions requiring notification "as soon as practicable" or "without undue delay," we will notify affected individuals in the most expedient time possible without unreasonable delay, and in any event within seventy-two (72) hours where reasonably practicable.
The notification will describe the nature of the breach, the categories of personal data affected, the likely consequences, the technical and organizational measures taken or proposed to address the breach and mitigate its possible adverse effects, and the contact information of our Data Protection Officer (dpo@mindhyve.ai). Maintaining a current and reachable email address on your account is your responsibility; failure to do so may delay your receipt of notification through no fault of ours.
11. Changes to This Policy
We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will provide notice by one or more of the following means: (a) updating the "Effective Date" at the top of this Policy; (b) sending an email notification to the address associated with your account; or (c) displaying an in-app notification within TheoAI™.
We encourage you to review this Policy periodically. Your continued use of TheoAI™ after the effective date of a revised Policy constitutes your acceptance of the revised terms. If you do not agree to the revised Policy, you must discontinue use of our services.
For material changes that affect the fundamental nature of our data processing activities, we will provide at least thirty (30) days' advance notice before the changes take effect.
12. Contact Information
For privacy inquiries, data access requests, data deletion requests, or to exercise any of the rights described in this Policy, please contact:
Data Protection Officer / Privacy Officer
Eve-Theology, LLC
A wholly owned subsidiary of MindHYVE.ai, Inc.
1501 Quail St, Suite 130
Newport Beach, CA 92660
United States
Data Protection Officer: dpo@mindhyve.ai
Privacy inquiries: privacy@mindhyve.ai
General inquiries: hello@mindhyve.ai
Security concerns: security@mindhyve.ai
We will acknowledge receipt of your request within five (5) business days and endeavor to respond substantively within thirty (30) calendar days. If additional time is required due to the complexity or volume of your request, we will notify you of the extension and the reasons for the delay.
© 2026 Eve-Theology, LLC. All rights reserved. TheoAI™, MindHYVE™, and Eve-Genesis™ are trademarks of MindHYVE.ai, Inc.