GDPR & UK GDPR COMPLIANCE POLICY
Last updated: June 1, 2026
Ensuring the absolute security, confidentiality, and integrity of our users' personal data is of paramount importance to us.
This General Data Protection Regulation ("GDPR") and United Kingdom General Data Protection Regulation ("UK GDPR") Compliance Policy describes how Shellix Smart Solutions Bilişim Teknolojileri Yazılım İthalat ve İhracat Anonim Şirketi ("Shellix", "Shellix Bilişim A.Ş.") and Mistikist LTD ("Mistikist UK") (collectively referred to as "we", "our", "us", or the "Group") process, store, protect, and transfer personal data of users residing in the European Economic Area ("EEA"), Switzerland, and the United Kingdom ("UK") in strict compliance with Regulation (EU) 2016/679 (GDPR) and the UK Data Protection Act 2018 ("DPA 2018").
DATA CO-CONTROLLERS INFORMATION
Shellix Smart Solutions Bilişim Teknolojileri Yazılım İthalat ve İhracat Anonim Şirketi ("Shellix Bilişim A.Ş.")
Mersis No: 0769152927300001
Address: Kötekli Mahallesi Denizli Yolu Bulvarı No:4B/23 Menteşe/MUĞLA, Türkiye
Mistikist LTD ("Mistikist UK")
Company Number: 15705777
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Support Email: [email protected]
1. Principles of Data Processing
In accordance with Article 5 of the GDPR, we ensure that all personal data is:
- Processed lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness, and transparency").
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("purpose limitation").
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization").
- Accurate and, where necessary, kept up to date ("accuracy").
- Kept in a form which permits identification of data subjects for no longer than is necessary ("storage limitation").
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing ("integrity and confidentiality").
2. Categories of Personal Data & Legal Basis for Processing
We process personal data based on the following legal foundations as outlined under Article 6 of the GDPR:
- Subscription & Transactional Data: Subscription packages, invoice address, VAT or tax details, and payment histories. Note: All credit card processing is securely routed through our PCI-DSS compliant partner Aköde/Tosla via 256-bit SSL encryption. We never store or log credit card CVVs or raw numbers.
- User-Generated Frequency Material: Personal audio uploads used for frequency modulation inside the player.
3. International Data Transfers & Sub-Processors
To deliver global high-availability binaural beat streams, safe subscription billing, and real-time interactive widgets, the Group relies on global cloud architectures and secure billing sub-processors:
- Cloud & Hosting Infrastructure: Google Cloud Platform (GCP), Google Firebase, Amazon Web Services (AWS), and Microsoft Azure servers located outside the EEA and the UK.
- Secure Payment Processors: Stripe (for global USD/EUR/GBP checkouts under Mistikist LTD) and Aköde/Tosla (for TRY checkouts under Shellix Bilişim A.Ş.).
- Attribution, Analytics & Telemetry: AppsFlyer (mobile attribution and attribution mapping), Microsoft Clarity (user behavior session analytics and heatmaps), and Google/Microsoft Analytics (traffic patterns and usage analytics).
When personal data is transferred outside the EEA or the UK, we implement rigorous safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office (ICO), ensuring our sub-processors enforce industry-leading physical security, TLS/SSL transit protocols, and encryption at rest.
4. Rights of EEA & UK Data Subjects
Under Chapter III of the EU/UK GDPR, users residing in the EEA, EU, UK, and Switzerland have extensive rights regarding their personal data, which include:
- Right of Access (Art. 15): The right to obtain confirmation as to whether your personal data is being processed and to access your data.
- Right to Rectification (Art. 16): The right to request the correction of inaccurate or incomplete personal data.
- Right to Erasure / "Right to be Forgotten" (Art. 17): The right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected.
- Right to Restriction of Processing (Art. 18): The right to restrict processing of your data under specific conditions.
- Right to Data Portability (Art. 20): The right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21): The right to object to the processing of your data, particularly for profiling or direct marketing.
- Right to Withdraw Consent (Art. 7(3)): If processing is based on consent, you have the right to withdraw your consent at any time.
5. Data Deletion & How to Exercise Your Rights
If you wish to view, modify, restrict, or completely delete your personal data from the Mistikist application or web records, please email us at [email protected].
We will verify your identity to confirm that the request is legitimate and will process your data deletion or modification request free of charge within 30 days. You also have the right to lodge a complaint with a competent supervisory authority in your country of residence if you believe our data operations violate data protection regulations.