Privacy Policy and Cookie Notice

Mind Chill Nootropics Ltd, company number 09667911, registered in England and Wales, is the controller of personal data covered by this Privacy Policy unless a specific page, form, order document, statement of work, or service-specific notice expressly states that another entity is the controller for that processing.

Mindchill Research Pte. Ltd., UEN 202544340Z, is a related group entity responsible for Singapore-based operations and for processing personal data subject to the Personal Data Protection Act 2012 (Singapore) where applicable.

This Privacy Policy applies to mindchill.ai and other Mind Chill branded websites, shops, portals, forms, subdomains, and digital properties that link to this notice and are operated by Mind Chill Nootropics Ltd or Mindchill Research Pte. Ltd.

You can contact us at [email protected] for privacy, cookie, support, or legal matters.

This Policy explains what personal data we collect, how we use it, the lawful bases we rely on, who we share it with, how long we keep it, the transfers we make, your rights, and how we use cookies and similar technologies.

We may collect and use the following categories of personal data, depending on how you interact with us:

Contact and identity data, such as name, display name, email address, postal address, billing address, company name, job title, organisation, and account identifiers.

Transaction and order data, such as purchases, subscriptions, invoices, payment-status information, fulfilment details, and records of goods, services, digital content, or event access you request.

Account and credential data, such as usernames, hashed passwords or passkey/account metadata, invite status, verification status, support history, and security logs.

Communications and submissions, such as messages, contact-form submissions, community posts, memorial submissions, nominations, attachments, media, feedback, and survey responses.

Technical and device data, such as IP address, approximate geolocation inferred from IP, browser type, operating system, device identifiers, timestamps, logs, error diagnostics, and security signals.

Usage data, such as pages visited, navigation paths, referrer information, interactions, and site-performance data.

Compliance and risk data, such as fraud indicators, sanctions-check outcomes where applicable, abuse-prevention records, and evidence needed to investigate complaints, disputes, or misuse.

Wallet and digital-asset data, where relevant, such as public wallet addresses, token or transaction references, and interaction records relating to digital items or access credentials. We do not control public blockchains and cannot alter or erase on-chain records.

We collect personal data directly from you when you browse the site, fill in a form, contact us, buy something, sign up, join a waiting list, submit content, take part in a campaign, attend an event, or otherwise interact with us.

We also collect some data automatically through server logs, security tooling, cookies, similar technologies, and analytics or performance tools.

We may receive information from service providers, payment providers, delivery partners, fraud-screening providers, analytics providers, event platforms, community tools, public blockchains, or publicly available sources where relevant.

We use personal data only where we have a lawful basis to do so. The main lawful bases we rely on are:

Contract. We use personal data where necessary to take steps at your request before entering into a contract, or to perform our contract with you. This includes processing orders, supplying digital content, managing access, administering accounts, providing support, and handling billing or fulfilment.

Legitimate interests. We use personal data where reasonably necessary for our legitimate interests, provided your rights and interests do not override those interests. This includes operating and improving the site and services, maintaining platform integrity, preventing fraud and abuse, securing systems, handling ordinary business administration, responding to enquiries, keeping records, defending claims, and carrying out proportionate business-to-business marketing.

Consent. We rely on consent where required by law, including for certain categories of cookies or similar technologies, certain electronic marketing to individuals, or where we ask for optional information or permissions.

Legal obligation. We use personal data where necessary to comply with legal, regulatory, accounting, tax, sanctions, consumer-protection, or law-enforcement obligations.

Vital interests or legal claims. In limited cases, we may use personal data to protect someone's vital interests or to establish, exercise, or defend legal claims.

More specifically, we may use personal data to:

• operate, maintain, and secure the site and related services;
• process orders, payments, refunds, subscriptions, memberships, event registrations, and fulfilment;
• provide access to gated materials, downloads, portals, communities, accounts, or digital experiences;
• respond to enquiries, complaints, support requests, and legal notices;
• moderate submissions and communities, and review content for compliance, editorial, safety, or rights-related reasons;
• prevent fraud, abuse, spam, scraping, account compromise, and security incidents;
• measure performance, diagnose faults, improve user experience, and refine site structure or content;
• send service messages, transactional communications, legal notices, and, where allowed, marketing communications;
• keep internal records, manage suppliers, exercise contractual rights, and enforce our terms;
• comply with legal obligations, respond to regulators or law-enforcement where required, and protect the rights, property, safety, and integrity of Mind Chill, our users, and others;
• operate, verify, support, suspend, revoke, correct, reissue, or enforce rules relating to official digital assets, recognition records, wallets, and related platform entitlements where reasonably necessary;
• maintain official records of approved assets and investigate fraud, impersonation, misuse, mistaken allocations, or disputes relating to digital items or recognition status.

We may send service-related messages where necessary for a contract, account administration, or a legitimate operational purpose.

We may send marketing communications where permitted by law. For electronic marketing to individuals, we will obtain consent where required, or rely on an available lawful route such as the soft opt-in where the legal conditions are met.

You can opt out of marketing at any time using the unsubscribe link in a message, by changing your preferences where available, or by contacting us. We may retain limited suppression information so we can respect your opt-out.

Where we send marketing messages to Singapore telephone numbers, we will comply with the Do Not Call (DNC) provisions of the Personal Data Protection Act 2012 and screen numbers against the DNC Registry before sending such messages. You may register your Singapore number at pdpc.gov.sg.

We may share personal data with the following categories of recipients where necessary and appropriate:

• hosting, cloud, infrastructure, security, and technical support providers;
• payment processors, commerce platforms, billing providers, fulfilment and delivery providers;
• analytics, performance, experimentation, communications, CRM, support-desk, and email service providers;
• professional advisers, auditors, insurers, bankers, and legal or compliance providers;
• group companies and project entities where needed for operations, licensing, support, governance, finance, or service delivery;
• regulators, tax authorities, law-enforcement agencies, courts, or other public authorities where required or permitted by law;
• a buyer, investor, lender, or restructuring counterparty in connection with a financing, acquisition, reorganisation, or asset sale.

For the public UK-operated Mind Chill site covered by this notice, Mind Chill Nootropics Ltd is the controller and is the entity responsible for this processing unless we explicitly tell you otherwise.

Where a separate group entity provides a specific enterprise service, project, or contracted offering, the relevant page, order form, statement of work, or service-specific notice should identify that entity and explain the relevant data roles.

Some of our suppliers, service providers, support teams, or group entities may be located outside the United Kingdom, or may access personal data from outside the United Kingdom, including potentially in Singapore or other jurisdictions.

Where we make a restricted transfer of personal data to a separate legal entity outside the UK, we will use a lawful transfer mechanism and appropriate safeguards as required by UK data protection law.

You may contact us at [email protected] for further information about the safeguards used for relevant restricted transfers.

We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including to satisfy legal, accounting, tax, reporting, security, dispute-resolution, and enforcement requirements.

Retention periods vary by category. By way of general guide:

• account, enquiry, support, and form-submission records are usually kept for as long as needed to manage the relationship and for a reasonable period afterwards;
• transactional and accounting records may be retained for up to 6 years or longer where required by law or necessary for legal claims;
• security logs are retained for a limited period appropriate to security, abuse-prevention, and incident-response needs;
• cookie data and analytics retention varies by technology and provider settings;
• where data is no longer required, we will delete it, aggregate it, anonymise it, or securely archive it where lawful and appropriate.

We use reasonable technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

However, no internet transmission, storage system, third-party platform, or blockchain environment is completely secure, so we cannot guarantee absolute security.

Subject to applicable law, you may have rights to request access, rectification, erasure, restriction, objection, portability, or withdrawal of consent, and the right to complain to a supervisory authority.

Where we rely on legitimate interests for direct marketing, you have the right to object at any time and we must stop that marketing.

If you want to exercise your rights, ask a privacy question, or make a data-related complaint, contact us at [email protected] or by post at our registered office. We may need to verify your identity before acting on a request.

If you have concerns about how we use personal data, we would appreciate the chance to address them first.

You also have the right to complain to the Information Commissioner's Office (ICO) in the UK.

The following provisions apply to the extent that the Personal Data Protection Act 2012 (Singapore) (PDPA) applies to our collection, use, or disclosure of your personal data. For Singapore-based processing, the organisation responsible under the PDPA is Mindchill Research Pte. Ltd., UEN 202544340Z. These provisions supplement — and do not replace — the rights and obligations described elsewhere in this Policy.

(a) Purpose limitation. We collect, use, and disclose personal data only for the purposes set out in this Policy, or for purposes a reasonable person would consider appropriate in the circumstances, or as otherwise permitted or required by law. We will not use personal data for a new purpose that a reasonable person would consider materially different without taking appropriate steps, such as notifying you or obtaining consent.

(b) Consent. Where we rely on consent as a basis under the PDPA, we will obtain your consent before collecting, using, or disclosing personal data for that purpose. You may withdraw consent at any time by contacting us at [email protected]. Withdrawal of consent will not affect our right to continue processing personal data on other lawful bases, including contract performance, legitimate interests, or legal obligation. Withdrawal will also not affect processing that has already occurred on the basis of your earlier consent.

(c) Access and correction. Subject to exceptions under the PDPA, you may request access to the personal data we hold about you and request correction of any data you believe to be inaccurate, incomplete, or misleading. We aim to respond within 30 calendar days of receiving a valid request. A reasonable fee may be charged for providing access in accordance with applicable guidelines. Send access or correction requests to [email protected].

(d) Accuracy. We take reasonable steps to ensure that personal data we collect or use is accurate and complete where it may be used to make a decision that affects you, or is likely to be disclosed to another organisation.

(e) Protection. We protect personal data in our possession or under our control using reasonable security arrangements — including the technical and organisational measures described in section 12 of this Policy — to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

(f) Retention and disposal. We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as otherwise required or permitted by law. When personal data is no longer required, we will make reasonable efforts to dispose of it, destroy it, or anonymise it in a secure manner.

(g) Transfer outside Singapore. Where we transfer personal data to a recipient outside Singapore, we comply with the transfer requirements in PDPA section 26 and the applicable Regulations by taking such steps as are reasonable to ensure that the recipient protects the personal data to a standard comparable to that required under the PDPA, or as otherwise permitted by applicable law or authorised by the Personal Data Protection Commission (PDPC).

(h) Breach notification. In the event of a notifiable data breach affecting personal data subject to the PDPA, we will notify the PDPC within 3 calendar days of assessing that the breach is notifiable, and will notify affected individuals in accordance with PDPA requirements and PDPC guidance.

(i) Supervisory authority. Complaints or concerns relating to our PDPA compliance may be directed to the Personal Data Protection Commission (PDPC) at pdpc.gov.sg. We would appreciate the opportunity to address any concerns before you contact the PDPC.

Our public sites and services are generally not directed to children unless a specific service says otherwise. We do not knowingly collect personal data from children in breach of applicable law. If you believe a child has provided personal data unlawfully, contact us so we can review the matter.

We may update this Privacy Policy from time to time to reflect legal, technical, or business changes. The latest version will be posted on the relevant site with the updated date.

This Cookie Notice explains how we use cookies and similar technologies, such as pixels, local storage, scripts, SDK-style tools, tags, and device or browser-based identifiers, on our UK-operated Mind Chill sites.

Strictly necessary technologies. These are used where needed to deliver the service you request, maintain security, authenticate sessions, remember key selections, prevent fraud, or enable core technical functionality.

Statistics or analytics technologies. We may use technologies to understand how our service is used and to improve the site or service. Where we rely on an applicable legal exception, we will provide the required information and a simple way to object. Where consent is required, we will ask for it first.

Appearance or functionality technologies. We may use technologies to remember visual or functional preferences, such as language choice, interface settings, or responsive display behaviour.

Marketing and advertising technologies. We may use these only where legally permitted and, where required, after obtaining consent.

Third-party embeds and plugins. If we embed video, maps, fonts, social tools, or similar third-party content, those providers may set or access technologies when you interact with the content.

You can manage cookie preferences through our consent or preference tools where available, your browser settings, device controls, or other mechanisms we provide.

Blocking some technologies may affect site functionality, availability, or user experience.

UK

Mind Chill Nootropics Ltd, a company registered in England and Wales

Company number: 09667911

SINGAPORE

Mindchill Research Pte. Ltd., a company incorporated in Singapore

UEN: 202544340Z

Contact, support, privacy, cookie, legal notices, and PDPA matters (including Data Protection Officer enquiries): [email protected]