Legal
Privacy policy
Last updated: 30 April 2026
1. Overview
At Menteasy, we believe in data minimisation. We only ask for the information we absolutely need to make your mentorship programme and calendar sync work. This policy outlines how we handle your data under EU GDPR and UK GDPR standards.
2. Data collection & usage
We categorise the data we collect into two areas:
- Account identity: we collect your email address (and optionally your name) to create your account and manage your login. This is stored in our secure database managed by Supabase.
- Calendar integration (OAuth): if you choose to sync your Google or Microsoft calendar, we request access to your calendar events via OAuth.
- We do not read your emails.
- We do not access your contacts.
- We only use this connection to sync your availability and schedule mentorship sessions inside Menteasy.
- Optional analytics (PostHog): if you accept cookies via our banner, we load PostHog (configured for PostHog Cloud in the European Union, EU data residency) for product analytics.
3. Our tech stack (sub-processors)
To run this service, we share specific data with the following providers:
| Provider | Purpose | Data location |
|---|---|---|
| Supabase | Core database & auth | UK (eu-west-2) |
| Calendar integration | USA / Global | |
| Microsoft | Calendar integration | USA / Global |
| Stripe | Payment processing | USA / Global |
| Vercel | Hosting; optional Web Analytics (cookie consent) | Global |
| PostHog | Product analytics (cookie consent) | EU (PostHog Cloud EU region) |
4. Lawful basis for processing
- Contractual necessity: we process your email and billing data to provide the service you paid for.
- Consent: we access your Google/Microsoft calendar data only after you give explicit permission via the OAuth popup. You can withdraw this consent at any time by disconnecting your calendar.
- Consent: optional PostHog (EU cloud) and Vercel Web Analytics run only if you click Accept on our cookie banner. You can withdraw consent by choosing Reject after clearing the site preference stored in your browser (remove local data for this site) or by contacting support@menteasy.com.
5. Data retention & deletion
- Retention: we keep your data as long as your account is active.
- Right to be forgotten: you may request full deletion of your data at any time. Since we currently process these requests manually, please email support@menteasy.com. We will purge your record from Supabase, revoke OAuth tokens, and delete your Stripe customer profile within 30 days.
6. International transfers
Your primary database is located in the United Kingdom. Optional analytics via PostHog are processed in PostHog's EU cloud. For our US-based partners (Google, Microsoft, Stripe, and aspects of Vercel's global infrastructure including Web Analytics), we rely on the EU–U.S. Data Privacy Framework and the UK Extension where transfers to the United States occur, so your data remains protected to European standards.