Privacy Policy

Last updated: March 2025

This Privacy Policy is also part of the Terms & Conditions. If you don’t agree with this Privacy Policy or the Terms & Conditions, you should not use our Services. If you have any questions please contact us at [email protected]

This Privacy Policy explains how MAGIKBEE, LDA (“Company”, “we” “us” or “our”) collects, uses, discloses, and safeguards your information when you visit our website beginmindfulness.com (”Website”) or use our mobile application Begin (“App”), and other online services that link to this Policy (collectively the “Services”).

We are committed to minimizing data collection and only require information necessary to provide and improve our Services. We prioritize privacy and security, presenting this Privacy Policy in a clear and structured way.

We may update this Privacy Policy at any time. The "Last Updated" date above will reflect changes.

OUR WEBSITE
beginmindfulness.com

OUR MOBILE APPLICATIONS (“APP”)
Begin

OUR SERVICES
OUR WEBSITE, OUR MOBILE APPLICATION and other online services that link to this Policy.

PERSONAL DATA
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

PROCESSING
Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

RESTRICTION OF PROCESSING
The marking of stored personal data with the aim of limiting their processing in the future;

CONTROLLER
The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

PROCESSOR
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;

CONSENT OF THE DATA SUBJECT
A freely given, specific, informed, and unambiguous indication of agreement to data processing.

All the data provided by you when using our Services will be processed by MAGIKBEE, LDA., a company with the VAT number PT513575820, whose registered address is 18A, 1º Frente, Rua de São Victor, Braga, Portugal.

We take data protection very seriously and would be glad to reply to any questions you may have. You may email us at [email protected]

We collect two basic types of information – personal information and anonymous information – and we may use personal and anonymous information to create a third type of information, aggregate information.

We may collect information whether or not you are logged in or registered, and may associate this tracking data with your registration account (if you have one), in which case we will treat it as personal information. Service providers that collect tracking data on our behalf (see the section “Disclosure to Third-Parties”) may provide an opportunity for you to choose not to be tracked online.

We collect information, including Personal Data, when users:

- register or log in to our Services;
- use our Services;
- contact us via email, social media, website form, or by any other available means.

Through the registration process, you may provide us with:

- nickname (used for personalization);
- e-mail address (for login, support, and optional marketing emails);
- password (encrypted and stored securely);
- content preferences: any selections related to exercises, prefered content, or saved favorites.

Email and password are required to access your account in the App. We will use your email to send our newsletter, and marketing emails or contact you in the context of product research activities (e.g. surveys) if you give us your prior consent, either at the moment of the registration or later. You can withdraw your consent at any time by sending us an email to [email protected] or by following the opt-out link with the text “Unsubscribe” that we provide at the bottom of every email we send (please notice that support emails in reply to a request of yours are an exception and do not have an “unsubscribe” option as they are not related to your communications subscription).

Please note that all processing of financial data is carried out by the payment provider chosen by you (Apple, Google Play, Amazon, Stripe); therefore, we do not collect that data. We encourage you to review their privacy policies and contact them directly for responses to your questions.

Activity Data is collected automatically when using the Services.

The Services may track Users by storing a unique identifier of their device, for analytics purposes or for storing Users’ preferences.

We may use cookies, web beacons, tracking pixels, and other tracking technologies to help customize the Services and improve your experience. When you access the Services, your personal information is not collected through the use of tracking technology. Most browsers are set to accept cookies by default. You can remove or reject cookies, but be aware that such action could affect the availability and functionality of the Services. You may not decline web beacons. However, they can be rendered ineffective by declining all cookies or by modifying your web browser’s settings to notify you each time a cookie is tendered, permitting you to accept or decline cookies on an individual basis.

You should be aware that getting a new computer, installing a new browser, upgrading an existing browser, or erasing or otherwise altering your browser’s cookies files may also clear certain opt-out cookies, plug-ins, or settings.

We do not combine this information with any personally identifiable information you may have submitted when signing up for a newsletter for example. Our systems do not recognize browser “Do Not Track” signals; but, you can opt-out of Google Analytics by visiting: https://tools.google.com/dlpage/gaoptout.

Identifiers that can be used to recognize a user over time and across Services (“Persistent Identifiers”) are collected on or through our Services solely for the purpose of supporting our internal operations and providing the Services.

Unless specified otherwise, all Data requested by our Services is mandatory and failure to provide this Data may make it impossible to provide them.

We do record the following data:

- Clicks / Taps
- Content bookmarked
- Content played (e.g., meditation, soundscape, breathing exercise)
- Features used (e.g., power nap helper, moodscapes)

- Browser
- Device type
- Device manufacturer
- Operating system
- Screen resolution
- Unique device identifier
- IP address (for security and content availability by region)

- Pages visited
- Content played
- Session duration
- Session progress

Once you register for our Services, we may collect and process information about your location based on your IP address. We only get your city name and never your exact location or accurate address.

We may use your location data to optimize our Services and develop new products, services, or features.

We collect all information that you provide to us, including any Personal Information when you contact us for customer support purposes, to resolve disputes, or troubleshoot problems.

We may collect and process the information you provide when you publish about us publicly, for instance, a testimonial about our Services on an App Store. We may also collect personal and other information you voluntarily provide us when entering contests or giveaways and/or responding to surveys.

We process personal data based on the following legal bases:

- Consent: When you register an account, subscribe to emails, or give explicit permission for marketing.

- Contractual Necessity: To provide the services you request (e.g., processing subscription payments).

- Legitimate Interest: To improve our Services, track engagement, and optimize content recommendations.

- Legal Obligation: When required by law (e.g., fraud prevention, tax records, security logs).

We may send push notifications to your mobile device to provide updates and other relevant messages, if you have opted in to receive them. You can manage push notifications in the application settings menu or in your mobile device settings.

We prioritize privacy and do not knowingly collect personal data from children under 16 without parental consent.

Begin is designed for adult users. While we provide content suitable for children, children are not the primary users of the app.

Users must be at least 16 years old to use the Services. If you are under the age of majority in your jurisdiction, you may only use the Services with the consent of a parent or guardian.

Begin does not allow children to create their own accounts or provide personal data directly. Parents or guardians are responsible for supervising their child's use of the app and selecting appropriate content. Any content available for children should only be used under adult supervision.

We comply with applicable laws, including:

- COPPA (Children’s Online Privacy Protection Act – U.S.): We do not knowingly collect, use, or disclose personal information from children under 13.

- GDPR-K (General Data Protection Regulation for Kids – EU): We do not process data from children under 16 without verified parental consent.

If we become aware that we have collected personal data from a child under 13 in the U.S. or under 16 in the EU without parental consent, we will delete it immediately.

If you believe your child has provided personal data without your consent, you may contact us at [email protected] to request data deletion.

The people who provide us with any personal data, hereinafter “Data Subjects” have the right to access their personal data, to change it, to limit its processing, to portate and to erase the data. To ask for anything related to personal data, please contact [email protected]

The data subjects have the right to know the personal information about them that we collect and process as well as the right to access that information.

The data subjects have the right to withdraw their consent to the processing of personal data that is mandatory for providing our Services (e.g.: marketing communications).

The data subjects have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning them.

The data subjects have the right to obtain from us the erasure of personal data concerning them without undue delay and we have the obligation to erase personal data without undue delay, except when there is a legal obligation to keep the data.

If you request account deletion, we will also remove your authentication credentials from Amazon Cognito. Some authentication data may be retained temporarily for security and fraud prevention. In that case, we will also delete all synchronized data from AWS cloud storage. However, locally stored data in AWS Amplify DataStore may persist on your device until the app is uninstalled. If you wish to clear this data, you may need to manually remove it from your device or reset the app settings.

The data subjects have the right to obtain from us restriction of processing where one of the following applies:

a) the data subject contests the accuracy of their personal data for a period enabling us to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of their personal data and requests the restriction of the use instead;

c) we no longer need the data subject’s personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.

When the data subject asks for data portability, if technically feasible, they can receive the personal data which they have provided us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Data portability is not equivalent to data erasure.

The data subjects have the right to object to the processing of their personal data. An objection may be in relation to all of the personal data we hold about them or only to certain information.

Residents of California have the right to receive once a year from us:

- information identifying any third-party companies to whom we may have disclosed (within the previous calendar year) their Personal Information for those companies’ direct marketing purposes; and
- a description of the categories of Personal Information disclosed.

If you are a California resident and wish to obtain such information, please send an email to [email protected]

Personal Data shall be processed and stored for as long as required by the purpose they have been collected for. Therefore:

Personal Data collected for purposes related to the performance of a contract between us and the Data Subject shall be retained until such contract has been fully performed.

Personal Data collected for the purposes of our legitimate interests shall be retained as long as needed to fulfill such purposes. Data subjects may find specific information regarding the legitimate interests pursued by us within the relevant sections of this document or by contacting us.

We may be allowed to retain Personal Data for a longer period whenever the data subject has given consent to such processing, as long as such consent is not withdrawn. Furthermore, we may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.

Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification, and the right to data portability cannot be enforced after the expiration of the retention period.

We apply industry-standard encryption and security measures to protect user data.

We have put in place technical, administrative, and physical security measures that are designed to protect information from unauthorized access, disclosure, use, and modification. limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We regularly review our security procedures to consider appropriate new technology and methods. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

If we experience a data breach, we will:

- Notify affected users within 72 hours (for EU users).
- Comply with U.S. state laws regarding breach notifications.
- Take immediate steps to contain and mitigate the impact.

If you suspect a security issue, contact [email protected].

We do not sell, rent, or share your Personal Data for marketing. However, we may share certain data with third-party service providers to operate and improve our Services.

We may transfer data to third-party services outside the European Union (EU), including the United States.

When we do, we ensure that data protection standards are maintained using:

- Standard Contractual Clauses (SCCs)
- EU adequacy decisions (where applicable).
- Binding corporate rules for data processors.

We collect minimal personal data, and some nonpersonal data for internal use only or in conjunction with third parties to help us operate, analyze, and improve our Services. Some of our external third parties are based outside the European Union. Whenever we transfer your personal data out of the European Union, we make sure that our partners comply with the same levels of privacy protection we comply with and that they respect the principles in this Privacy Policy.

In addition, we may disclose your personal or non-personal information to additional parties if we believe we are required to by law, by a judicial proceeding, to protect our rights and properties, or to investigate fraud, intellectual property infringement, and any other conduct that might be illegal or expose us or a user of our Services to legal liability.

We may share your data with the third parties and for the purposes explained below.

We use Amazon Web Services (AWS), AWS Amplify DataStore, and Google to store and manage data. AWS Amplify DataStore allows us to store user-generated data locally on the device and sync it with cloud storage when online. Data synchronization is performed securely using AWS infrastructure.

We use, Google Analytics, and Firebase, all based outside the EU, to allow tracking technologies and remarketing services on the Website through the use of first-party cookies and third-party cookies, to, among other things, analyze and track users’ use of the Website, determine the popularity of certain content and better understand online activity. We do not transfer personal information to these third-party vendors. However, if you do not want any information to be collected and used by tracking technologies, you can visit the third-party vendor or the Network Advertising Initiative Opt-Out Tool or Digital Advertising Alliance Opt-Out Tool.

We use Amazon Web Services and Brevo to manage our marketing and transactional email communications.

We use RevenueCat to manage in-app subscriptions. RevenueCat is based outside the EU.

We use Amazon Cognito to manage user authentication and account security. When a user registers or logs in to our Services, Amazon Cognito processes their email, nickname, and password securely. The authentication credentials are stored within Cognito, and we do not store plaintext passwords on our servers. This ensures secure access control and enhanced security measures.

Additionally, user account deletions will also remove authentication credentials from Amazon Cognito. Some authentication data may be temporarily retained for security and fraud prevention purposes.

We use AWS Amplify DataStore to provide real-time synchronization for user data across multiple devices. This means user preferences, mindfulness activity history, and related data may be stored locally on the device and periodically synced to cloud storage when an internet connection is available.

AWS Amplify DataStore allows real-time synchronization for user-generated data across multiple devices. Any offline changes made in the app will be synced to our cloud storage once an internet connection is re-established. This ensures data consistency, but users should be aware that locally stored data will be automatically updated when online, unless manually removed.

To ensure privacy and security, AWS applies encryption to data at rest and in transit.

Additionally, we may disclose data:

- If required by law or legal process
- To investigate fraud, security issues, or enforce Terms & Conditions
- In case of a business transfer (e.g., merger or acquisition)

Our websites may contain links to third-party websites and applications of interest, including external services, that are not affiliated with us. Once you have used these links to leave the website, any information you provide to these third parties is not covered by this Privacy Policy, and we cannot guarantee the safety and privacy of your information. Before visiting and providing any information to any third-party websites, you should inform yourself of the privacy policies and practices (if any) of the third party responsible for that website, and should take those steps necessary to, at your discretion, protect the privacy of your information. We are not responsible for the content or privacy and security practices and policies of any third parties, including other sites, services, or applications that may be linked to or from the Website.

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. No uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

If you have any questions about this information you may email us at [email protected] with the subject line Privacy Policy.