Your privacy is just as important (if not more) than our privacy. We go to big lengths to ensure that your privacy is protected as much as possible. We're commited to making sure our service is private-by-default and we're a member of the Private by Default campaign.
When you download the application, you do not need to make an account. All of the things that you'd normally do with an account (favouriting and settings) will not be synced with any third-parties. You can export this data, as mentioned in the « Your Rights and Choices » section. If you sign up with Apple, Apple will allow us access to the following data:
Alternatively, if you sign up with an email address, we collect the following data:
When using your account, you can choose to favourite meditations, sleep stories, and other content on Mello. When you favourite one of these, the following data is stored with your account data:
Your settings that you use in the app will automatically sync between devices to give a seamless experience. This is stored alongside your favourited content IDs.
If you are on our website (
getmello.org) or our web app (
app.getmello.org), we also use a self-hosted Umami server to privately aggregate information to better understand what our audience uses in terms of devices. The following data is collected by Umami:
None of this data can be linked back to you by Mello, or any of the third-parties mentioned below.
We do not sell your data with any third-parties. Some data is shared with third-parties so that we may provide our service.
The following two processors only apply to the web (
app.getmello.org) and mobile apps. Supabase, our login provider, has access to:
Upstash, our database host, has access to:
The following three processors only apply to the website (
getmello.org) and web app (
Uberspace, our host for Umami, and Matt Ronchetto (doamatto), the maintainer of the Umami instance, has access to the entirety of the Uberspace instance. This is no more access than the general public, as mentioned below, to analytical data.
The general public has access to all the data collected by Umami.
Mello, its servers, and its members are under the jurisdiction of the United States. This means that the U.S. government has the ability to request user information from us. Due to our commitment to privacy, we would only provide data if they provide us with a valid legal order such as a subpoena. Should they provide us with such order and a valid email address to find the user in question, we will still be unable to give them any information because:
Truth be told: there's no be all and end all to protect your data. But, we do our best to use modern-day encryption methods as well as strict HSTS, DNSSEC, and CSP to ensure your experience is the way it was intended. We hash passwords with Argon2 locally, before sending them off your device.
We have signed special data protection agreements (DPAs) with Uberspace to protect the data on our Uberspace instance.
In the event of a data breach, we will send out an email notification, regardless of if you were affected or not, with password reset notifications, following information pertaining to what things may have been compromised. This will all be done as soon as we find said breach. Once this issue is patched, we may release information on the issue as well as a write-up on how we fixed it on GitHub.
In some countries, states, or provinces, you may have certain rights pertaining to your data. Regardless of where we're from, we want to give you as many choices as possible.
You'll be able to then download a JSON file containing your data, regardless of if you have an account or not.
This site's codebase is hosted publicly on GitHub. You can check the list of changes to this policy here.
You can write to legal [at] getmello.org to get help as swiftly as possible on amending and fixing this document, as well as get answers to questions regarding this policy.