GDPR compliance statement
At Menteasy, we are committed to high standards of information security and data privacy.
1. Lawful basis for processing
We process user data under the lawful bases of Contractual Necessity (to provide the mentorship platform and manage billing) and Explicit Consent (specifically for OAuth-based calendar integrations).
2. Data minimisation & purpose limitation
We only collect the minimum data required to operate the service (Email, Name, and Calendar availability).
- No intrusive access: We do not read emails or access contact lists.
- Scoped access: Calendar access is used exclusively to sync mentorship sessions and prevent scheduling conflicts.
3. Data sovereignty & transfers
- Primary storage: Our core database is hosted by Supabase in the United Kingdom (London — eu-west-2 region).
- International transfers: Where we use sub-processors located in the US (such as Google, Microsoft, or Stripe), we rely on the EU-U.S. Data Privacy Framework and its UK Extension, which provide a level of protection equivalent to European standards.
4. Data subject rights
We fully support the rights of our users under the GDPR, including:
- The right to access: Users can request a copy of their data at any time.
- The right to be forgotten: Users can request full deletion of their account, OAuth tokens, and billing profiles by contacting support@menteasy.com.
- Withdrawal of consent: Users can revoke calendar access instantly via their account settings.
5. Security & sub-processors
We use industry-leading sub-processors (Supabase, Vercel, Stripe) that maintain rigorous security certifications (SOC 2 / ISO 27001). We maintain Data Processing Agreements (DPAs) with our vendors to ensure your data remains encrypted and secure.
For more detailed information, please refer to our full Privacy policy. For privacy inquiries, contact support@menteasy.com.
