Last updated: 29/05/2026
At a Glance
Who we are
Myndstream is an artist-led, science-informed functional audio company. We unite world-class artistry, scientific insight, and purpose-built technology to create and distribute intentionally designed, evidence-informed music that supports health and wellbeing. All of our music is delivered through an easy-to-use digital platform, for personal and professional use worldwide.
What we collect
Contact details (e.g. name, email)
Technical data (e.g. device, IP address)
Usage and interaction data
Information you choose to provide
How we use it
To provide our services, improve performance, ensure security, and meet legal obligations.
Legal bases
We rely on contract, legitimate interests, consent, and legal obligations.
Do we use AI?
Yes — to support recommendations, analytics, and service improvement. We do not make solely automated decisions with legal or similarly significant effects.
Do we share data?
Yes — with service providers and partners where necessary, and with authorities where required. We do not sell personal data.
International Transfers
Your data may be transferred internationally with appropriate safeguards (e.g. standard contractual clauses).
Your rights
You may have rights to access, correct, delete, or restrict use of your data, and to object or withdraw consent.
Contact: hello@myndstream.com
Introduction
This Privacy Notice explains how Mynd Group Limited (“Myndstream”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data in connection with:
Our websites and platforms (including https://myndstream.com https://play.myndstream.com, https://listen.myndstream.com)
Our music streaming and licensing services
Applications and digital services
Marketing, business development, and commercial activities
This Notice applies globally. Where local laws impose stricter requirements, those apply in addition to this Notice.
Who We Are
Mynd Group Limited
Unit 9 Westworks, White City Place
195 Wood Lane, London, W12 7FQ, United Kingdom
Email: hello@myndstream.com
We may act as:
Data Controller
Data Processor (where acting on behalf of partners)
Global Scope and Applicable Laws
We operate globally across jurisdictions including those listed in our operational footprint
Applicable laws may include:
UK GDPR & Data Protection Act 2018
EU GDPR
CCPA/CPRA (US)
LGPD (Brazil), POPIA (South Africa), PDPA (Thailand), etc.
For further information about your specific country, region or state, please refer to Country-Specific Privacy Provisions (Enhanced Annexes)
How Our Services Are Delivered
Direct Myndstream Platform Use
Myndstream acts as Data Controller
We manage accounts, licensing, and content delivery
Processing Data via Partner Integrations
In addition to directly accessing our Website, our music streaming service may be made available to you through a Software Development Kit (SDK) or Application Programming Interface (API) embedded in applications or platforms operated by our business clients (our ‘Integration Partners’). When you access our service this way, we and our Integration Partner are typically acting as Independent Data Controllers. The Data Controller is always responsible for protecting your personal data (see below).:
Our Collection (Myndstream’s Controller Data):
We collect your Identity Data, Usage Data, Location Data, and Device Data directly through the SDK to provide the music service and offer personalized content and recommendations, as fully detailed in this policy.
Partner Collection (Client’s Controller Data):
Our Integration Partner is responsible for the data they collect about your use of their application and is the controller for that data. You should refer to their Privacy Policy for details on their collection practices.
Client Obligation:
Our Integration Partners are contractually required to ensure that you are provided with this Privacy Policy and that they secure any necessary consent (such as for Location Data) before the data is shared with us.
Categories of Personal Data
We may collect, use, store and transfer the following:
Identity Data – name, username
Contact Data – email, address, phone
Profile Data – preferences, login credentials
Transaction Data – payments, subscriptions
Device Data – device type, IP, OS
Usage Data – platform interaction
Security Data – logs and authentication
Cookies Data – tracking identifiers
Marketing Data – communication preferences
Location Data – IP-based or device location
We do not intentionally collect special category data.
How We Collect Data
Directly from users
Automatically (cookies, logs, analytics)
Through business interactions
Further Information
Information You Provide
You may provide:
Name, company details, contact details
Payment-related information (processed by third parties)
Preferences and usage reports
Automatic Collection
We collect:
IP address, device information
Browser and system data
Usage patterns and interactions
via cookies and analytics tools such as Google Analytics.
Marketing Data Collection
We collect marketing data when:
You subscribe to newsletters
You sign up for trials or services
Cookies
We use:
Strictly necessary cookies
Required for platform functionality.
Analytics cookies
Used to measure usage and improve performance.
Advertising/targeting cookies
Used to personalise content and advertising.
Third parties (e.g., analytics providers) may also use cookies.
Users can:
Manage preferences via the cookie banner
Disable cookies via browser settings
Please note that disabling cookies may limit some functionality.
Purposes and Legal Bases
We process personal data under:
Contract (to provide you with the service as an individual user)
Legitimate Interests (to provide you with the service in a business to business context and to improve our service)
Consent (where required by law - e.g. marketing to consumers
Legal Obligation (for example, to comply with accounting and tax laws)
We use data to:
Provide services
Improve platform performance
Ensure security
Conduct analytics
Send marketing communications
Profiling and Automated Decision-Making
We may use profiling to:
Recommend content
Improve user experience
Support marketing
You have rights to object and request human review.
Use of Artificial Intelligence and Automated Technologies
We use artificial intelligence (“AI”) and automated technologies as part of our services to enhance functionality, improve user experience, and support business operations.
How We Use AI
We may use AI systems to:
Recommend music, playlists, and content based on user preferences and behaviour
Analyse usage patterns to improve platform performance and service delivery
Support marketing activities, including personalisation of communications (where permitted)
Detect and prevent fraud, abuse, or security incidents
Generate insights to improve our products and services
These systems may process:
Usage Data
Device Data
Location Data
Profile and preference information
Automated Decision-Making and Profiling
Some processing may involve automated decision-making and profiling, including:
Personalised content recommendations
User segmentation for analytics or marketing purposes
This processing is designed to:
Enhance your experience
Improve relevance of content and services
We do not make solely automated decisions that produce legal or similarly significant effects on individuals.
Human Oversight
Where AI is used:
Outputs are monitored and reviewed where appropriate
Human oversight is applied to ensure fairness, accuracy, and accountability
Your Rights
Depending on your location, you have the right to:
Object to profiling or automated processing
Request information about how automated decisions are made
Request human intervention where applicable
Withdraw consent where processing is based on consent
Data Minimisation and Safeguards
We implement safeguards to ensure AI is used responsibly:
Processing is limited to what is necessary for defined purposes
Data is protected using appropriate technical and organisational measures
AI systems are designed to avoid unfair bias and ensure accuracy
Data Sharing
We may share data with:
Group companies
Service providers (hosting, payments, analytics)
Professional advisers
Authorities (where required)
We may also:
Share anonymised statistical data
Transfer data in connection with mergers or acquisitions
We do not sell personal data.
International Transfers
Data may be transferred globally with safeguards such as:
Standard Contractual Clauses
Adequacy decisions
Risk assessments
Data Retention
We retain data only as necessary:
For the duration of service use
For up to 6 years after customer relationship ends (legal/tax)
Longer where required for legal or legitimate purposes
Anonymous data may be retained indefinitely.
Security Measures
We implement:
Encryption in transit and at rest
Access controls and role-based permissions
Secure infrastructure and monitoring
Incident response procedures
All data is stored securely, though no system is completely risk-free.
Your Rights
You may have rights to:
Access – You can ask to see what personal data an organisation holds about you.
Rectification – You can request correction of inaccurate or incomplete personal data.
Erasure – You can ask for your personal data to be deleted in certain circumstances.
Restriction – You can request that the use of your data is limited while issues are resolved.
Portability – You can receive your data in a usable format and transfer it to another service.
Objection – You can object to the processing of your data in certain situations.
Withdraw consent – You can withdraw your consent at any time where processing is based on it.
Complain to a supervisory body – You can lodge a complaint with a regulator such as the Information Commissioner's Office if you’re unhappy with how your data is handled.We may require identity verification and may refuse excessive or unfounded requests.
Children
Our services are not intended for children under 13 (or higher local limits).
We do not knowingly collect children’s data.
Further Information
Myndstream’s Website is not intended for those under the age of 13 (in some countries, stricter age limits may apply). We do not knowingly collect personal information from children under 13 or under the applicable age limit (the “Age Limit”), If you are under the Age Limit, do not use the Website and do not provide any personal information to us. If you are a parent of a child under the Age Limit and become aware that your child has provided personal information to us, please contact us at hello@myndstream.com and you may request to remove such information from our systems.
Third-Party Links
Our services may contain links to third-party platforms.
We are not responsible for their privacy practices.
Further Information
This Website may, from time to time, include links to third party websites, plug-ins and applications (for example, the ability to follow us on Facebook). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, you should read the privacy policy of every website you visit.
Changes to This Notice
We may update this Privacy Notice periodically.
The latest version will always be available on our platform and website.
Country-Specific Privacy Provisions (Enhanced Annexes)
United Kingdom
Personal data is processed in accordance with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
You have rights to:
Access, correct, and delete personal data
Restrict processing
Data portability
Object to processing (including marketing)
Withdraw consent
Right to Complain
You have the right to lodge a complaint with the Information Commissioner's Office.
European Economic Area (EEA)
Personal data is processed in accordance with the EU General Data Protection Regulation (EU GDPR).
You have the right to:
Access your personal data
Rectify inaccurate data
Request erasure
Restrict processing
Data portability
Object to processing
Not be subject to decisions based solely on automated processing (where applicable)
Withdraw consent
Right to Complain
You may lodge a complaint with your local supervisory authority in the EEA country where you live, work, or where an alleged infringement occurred.
Switzerland
Personal data is processed in accordance with the Swiss Federal Act on Data Protection (revFADP).
We process personal data in good faith, proportionately, and only for specified purposes.
Your Rights
You have the right to:
Access your personal data
Request correction of inaccurate data
Request deletion, where applicable
Object to certain processing activities
Right to Complain
You have the right to contact the Federal Data Protection and Information Commissioner.
United States
California (CCPA / CPRA)
You have the right to:
Know what personal data is collected and how it is used
Access and delete your personal data
Correct inaccuracies
Opt out of “sale” or “sharing” of personal data
Limit the use of sensitive personal information (where applicable)
We do not sell personal data.
Other U.S. States
You may have rights to:
Access, correct, and delete personal data
Data portability
Opt out of targeted advertising or profiling
Appeal decisions regarding your requests
Canada
Under applicable law (including PIPEDA), you have the right to:
Access and correct your personal data
Withdraw consent (subject to legal or contractual restrictions)
Latin America
Brazil (LGPD)
You have rights to:
Confirmation of processing
Access, correction, and deletion
Anonymisation or blocking
Data portability
Withdrawal of consent
Mexico, Argentina, Chile
You may exercise ARCO rights:
Access, rectification, cancellation, and objection
Africa
South Africa (POPIA)
You have rights to:
Access and correct personal data
Request deletion
Object to processing
Lodge complaints with the regulator
Other African Jurisdictions
(e.g. Nigeria, Kenya)
We apply equivalent protections in accordance with local laws.
Middle East
United Arab Emirates, Saudi Arabia, Qatar
You may have rights to:
Access, correction, and deletion
Restriction or objection to processing
Different legal frameworks may apply depending on jurisdiction.
Asia-Pacific
India (DPDP Act 2023)
You have rights to:
Access, correction, and erasure
Withdraw consent
Grievance redress
Southeast Asia
(Singapore, Thailand, Indonesia, Philippines, Malaysia)
Rights generally include:
Access and correction
Withdrawal of consent
East Asia
China (PIPL)
Where applicable:
Enhanced consent requirements
Potential data localisation obligations
Japan and South Korea
Rights include:
Access, correction, deletion
Restrictions on international data transfers
Australia and New Zealand
You have rights to:
Access and correct personal data
Lodge complaints with relevant regulators
Other Jurisdictions
Where not specifically listed, we:
Apply globally recognised data protection principles
Comply with applicable local laws
Provide rights consistent with those laws
Governance and Accountability
We maintain a structured privacy and data protection framework, including:
Records of Processing Activities (ROPA)
Data Protection Impact Assessments (DPIAs)
Vendor and partner contractual controls
Defined retention and deletion processes
Security and risk management controls
We regularly review and update our practices to ensure ongoing compliance.
Data Processing Framework
Processing Activity Mapping
Each activity described in the table below maps to a defined data processing activity carried out during our business operations:
Further information
Processing Activity | Purpose | Data Categories | Legal Bases | Source |
Account Management | User onboarding and account operation | Identity, Contact, Profile | Contract | User |
Music Streaming Service | Deliver music content | Usage, Device, Location | Contract / Legitimate Interest | User / Device |
Licensing & Transactions | Manage subscriptions and licensing | Identity, Transaction | Contract / Legal Obligation | User |
Marketing Communications | Send updates and promotions | Contact, Preferences | Consent / Legitimate Interest | User |
Platform Analytics | Improve service performance | Usage, Device | Legitimate Interest | Automated |
Security & Fraud Prevention | Protect platform integrity | Usage, Security logs | Legitimate Interest / Legal Obligation | Automated |
Data Flow Overview
Data Collection
Direct input (account creation, forms)
Automated collection (cookies, logs, analytics)
Partner integrations (SDK/API where applicable)
Data Processing
Hosted in secure cloud infrastructure
Access restricted via role-based permissions
Processed for defined purposes only
Data Sharing
Internal group entities
Service providers (hosting, payments, analytics)
Regulatory authorities where required
Data Storage
Stored in encrypted systems
Retained per defined retention schedules
Data Deletion / Anonymisation
Deleted after retention period
Or anonymised for analytics
Roles and Responsibilities
We define roles and responsibilities for each processing activity as follows:
Controller: Myndstream (direct platform use)
Processor: Service providers (e.g., hosting, payments)
Independent Controllers: Integration partners (where applicable)
Responsibilities are contractually governed via:
Data Processing Agreements (DPAs)
Vendor contracts
Integration agreements
Data Transfer Mapping
We record all international transfers as follows:
Destination country
Transfer mechanism (e.g., SCCs)
Risk assessment (where required)