1. Who We Are
This Privacy Policy explains how Hive Mind Nestor Private Limited ("Hive Mind Nestor", "we", "us", or "our") collects, uses, shares, and protects your personal data when you visit hivemindnestor.com, use the Hive Mind Ad Optimizer, or engage our consulting services.
We are the data controller (and data fiduciary under India's Digital Personal Data Protection Act, 2023) for the personal data we process about you, except where we process data on behalf of our customers, in which case we act as a data processor (or "significant data fiduciary's processor", as applicable).
Registered office: Agra, Uttar Pradesh, India
Privacy contact: info@hivemindnestor.com
2. Data We Collect
We collect the following categories of personal data:
- Account information: name, email address, company name, country, and password hash when you register for the Services.
- Billing information: payment card details are collected and processed directly by our payment processor Paddle. We receive only the transaction reference, billing country, and last four digits of the card for reconciliation purposes.
- Amazon integration data: when you connect your Amazon advertising or selling account, we receive OAuth tokens and access advertising performance data, campaign structures, keyword data, and sales data from the Amazon APIs.
- Usage data: IP address, browser type, device identifiers, pages visited, actions taken, and timestamps, collected automatically through cookies and server logs.
- Communications data: messages you send us via email, contact forms, or support channels.
3. How We Use Your Data
We process personal data for the following purposes:
- To provide, operate, and maintain the Services;
- To process payments and manage subscriptions (via Paddle);
- To integrate with Amazon APIs and deliver optimization recommendations;
- To communicate with you about your account, service updates, and support requests;
- To detect, prevent, and investigate fraud, abuse, and security incidents;
- To comply with legal obligations, including tax and accounting requirements;
- With your consent, to send you marketing communications (you can opt out at any time).
4. Legal Bases for Processing
Under GDPR (for EEA and UK users) and DPDP (for Indian users), we rely on the following legal bases:
- Contract performance — to deliver the Services you have subscribed to;
- Consent — for marketing emails and non-essential cookies (you may withdraw consent at any time);
- Legitimate interests — for security, fraud prevention, and service improvement;
- Legal obligation — to comply with applicable tax, financial, and regulatory requirements.
5. Third Parties We Share Data With
We share personal data only with the following categories of third parties:
- Paddle.com Market Limited — our merchant of record for SaaS subscription payments. Paddle processes billing information, issues invoices, remits taxes, and handles chargebacks. See paddle.com/privacy.
- Amazon Web Services, Inc. — our primary infrastructure provider for Optimizer data storage and compute.
- Amazon Advertising and Amazon Selling Partner APIs — to retrieve and update data on your behalf under your authorization.
- Anthropic PBC — we use the Claude API to generate advertising recommendations and campaign analyses. Data sent to Anthropic is not used to train Anthropic's models.
- Cloudflare, Inc. — for DNS, CDN, and DDoS protection of our websites.
- Google LLC — for analytics (Google Analytics, with IP anonymization) and Workspace services.
- Professional advisors and authorities — lawyers, accountants, and regulators, where necessary and lawful.
We do not sell your personal data to any third party, and we do not share personal data for the advertising purposes of third parties.
6. International Data Transfers
As Hive Mind Nestor is based in India and several of our processors are based in the United States, European Union, and United Kingdom, your personal data may be transferred across borders. Where we transfer personal data out of the EEA, UK, or other regulated jurisdictions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, adequacy decisions, or equivalent protections.
7. Data Retention
We retain personal data only as long as necessary to fulfil the purposes described in this Policy and to comply with our legal obligations. Specifically:
- Account data is retained for the duration of your subscription and for 24 months after cancellation;
- Billing records are retained for 8 years to comply with Indian tax and accounting law;
- Support communications are retained for 3 years;
- Server and access logs are retained for 12 months.
Once retention periods expire, data is deleted or anonymized.
8. Your Rights
Depending on your jurisdiction, you have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate or incomplete data;
- Request deletion ("right to be forgotten");
- Restrict or object to processing;
- Receive your data in a structured, machine-readable format (data portability);
- Withdraw consent at any time, where processing is based on consent;
- Lodge a complaint with a supervisory authority (in India: the Data Protection Board of India; in the EU: your local data protection authority; in the UK: the ICO).
To exercise any of these rights, email info@hivemindnestor.com. We will respond within 30 days.
9. Security
We implement technical and organizational measures appropriate to the sensitivity of the data we process, including encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, role-based access control, audit logging, and regular security reviews. Despite our efforts, no system is perfectly secure, and we cannot guarantee absolute protection.
If you become aware of a security incident affecting your data, please report it to info@hivemindnestor.com.
For full details of our procedures, see our Incident Response Plan (PDF) and Security Incident Reporting Procedure (PDF). These documents describe how we detect, contain, report, and recover from security incidents — including our commitment to notify Amazon and affected parties within 24 hours of detection where applicable.
9a. Amazon Data Protection Policy compliance
Where we process Amazon Information on behalf of authorized Amazon Selling Partners — including Brand Analytics reports (Search Query Performance and Search Catalog Performance), advertising performance data, and order data accessed through the Amazon Selling Partner API and Amazon Advertising API — Hive Mind Nestor Private Limited maintains compliance with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP). We have documented Incident Response Plans and Security Incident Reporting Procedures available upon request to info@hivemindnestor.com. Data accessed via the Selling Partner API, including Brand Analytics reports, is used exclusively to generate insights for the authorizing seller's own account, in accordance with sections 4.4 and 4.5 of Amazon's Acceptable Use Policy.
Specifically:
- Amazon Information is accessed only via the official Amazon APIs after the seller completes Amazon's OAuth authorization flow;
- Amazon Information is used exclusively to provide analytics and recommendations to the authorizing seller's own account, and is never aggregated across sellers, sold, or shared with third parties;
- Amazon Information is encrypted in transit (TLS 1.2+) and at rest (AES-256); OAuth refresh tokens are stored only as encrypted environment variables;
- Amazon Information is retained only for the duration of the seller's active subscription and is permanently deleted within 30 days of account closure or upon revocation of access;
- Confirmed security incidents affecting Amazon Information are reported to Amazon and affected sellers within 24 hours of discovery, per our Security Incident Reporting Procedure.
Full operational details are described in our Data Protection Notice.
10. Cookies
We use the following categories of cookies:
- Strictly necessary cookies — required for authentication, session management, and security;
- Analytics cookies — Google Analytics with IP anonymization, used to understand how visitors interact with our site. These are set only with your consent in jurisdictions that require it;
- Preference cookies — to remember your language and region settings.
You can manage cookie preferences through our cookie banner or your browser settings. Blocking strictly necessary cookies may impair site functionality.
11. Children's Data
Our Services are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you by email or through a notice on the Services. Continued use of the Services after updates take effect constitutes acceptance of the revised Policy.
13. Contact Us
For any privacy-related questions or to exercise your data protection rights, contact our Data Protection Officer at info@hivemindnestor.com.