Privacy Policy - MentraNova

At MentraNova, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform, website, mobile application, and related services (collectively, the "Platform").

MentraNova operates in the European Economic Area (EEA), and we are fully compliant with the General Data Protection Regulation (GDPR) and applicable national data protection laws.

        Key Points:
        We collect information you provide and information about how you use our Platform
We use your data to provide, improve, and personalize our services
We implement security measures to protect your information
You have extensive rights under GDPR to access, correct, and delete your data
Your data is processed and stored within the EU/EEA where possible

      

1. Data Controller

MentraNova is the data controller responsible for your personal data. You can contact us at:

MentraNova
Email: [email protected]
Legal Email: [email protected]
Website: www.mentranova.com
Veldegem, Belgium

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

Name, email address, phone number
Profile information (photo, bio, preferences)
Authentication credentials (if using email/password)
Payment information (processed securely via Apple/Google payments)

Profile and Preferences:

Goals, challenges, and areas of focus
Coaching preferences and availability
Demographic information (age, location, occupation)
Health and wellness information (voluntarily provided)

Communications and Content:

Messages exchanged with coaches and support
Session notes and progress tracking data
Feedback, reviews, and testimonials
Survey responses and research participation data

2.2 Information from Third-Party Authentication

When you sign in using Google, Facebook, Apple, or X (Twitter), we receive:

Basic profile information (name, email, profile picture)
Account ID and authentication tokens
Information you've granted permission to share

2.3 Automatically Collected Information

Usage Data:

Pages viewed, features used, and actions taken
Session duration, frequency, and patterns
Coach interactions and engagement metrics
Search queries and feature preferences

Device and Technical Information:

Device type, operating system, browser type
IP address and general location (city/country)
Device identifiers (where permitted)
Network and connection information

Cookies and Tracking Technologies:

Session cookies for authentication and functionality
Analytics cookies to understand usage patterns (with consent)
Preference cookies to remember your settings
Marketing cookies (only with your explicit consent)

3. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

Legal Basis	Purpose
Contract Performance (Art. 6(1)(b))	To provide the coaching services you've requested and fulfill our Terms and Conditions
Consent (Art. 6(1)(a))	Marketing communications, optional features, non-essential cookies, sensitive data processing
Legitimate Interests (Art. 6(1)(f))	Service improvement, fraud prevention, security, analytics (where not overridden by your rights)
Legal Obligation (Art. 6(1)(c))	Compliance with EU laws, legal requests, tax obligations, anti-money laundering

Where we rely on legitimate interests, we have balanced these interests against your rights and freedoms. You have the right to object to processing based on legitimate interests.

4. How We Use Your Information

4.1 Provide and Improve Services

Create and manage your account
Match you with suitable coaches and mentors
Facilitate coaching sessions and communications
Process payments and manage subscriptions
Track progress and provide personalized recommendations
Develop and improve our AI coaching features
Analyze usage patterns to enhance user experience

4.2 Communication and Support

Send transactional emails (confirmations, receipts, updates)
Provide customer support and respond to inquiries
Send important notices about service changes
Request feedback and conduct surveys
Send marketing communications (only with your consent)

4.3 Safety and Security

Verify identity and prevent fraud
Detect and prevent abuse, spam, and violations
Protect against security threats and technical issues
Enforce our Terms of Service
Comply with legal obligations

4.4 Research and Analytics

Conduct research to improve coaching methodologies
Analyze aggregate data for trends and insights
Generate anonymized statistical reports

5. How We Share Your Information

5.1 With Coaches and Mentors

When you're matched with or book a session with a coach, we share relevant profile information, goals, and preferences to facilitate effective coaching. Coaches are bound by confidentiality obligations.

5.2 Service Providers (Data Processors)

We share data with trusted third-party service providers who help us operate the Platform. All processors are bound by GDPR-compliant data processing agreements:

Payment Processing: Apple App Store / Google Play (In-App Purchases)
Cloud Hosting: Railway (application hosting)
AI Services: OpenAI Ireland Ltd. (AI coaching, coach matching, text embeddings — processing of EEA/Swiss data is contracted with OpenAI Ireland Ltd. under a signed DPA; any transfers outside the EEA happen under SCCs. OpenAI does not use API data to train its models.)
Analytics: Google Analytics 4, Firebase Analytics, PostHog
Email: Resend (transactional email delivery — US-based, SCCs in place)
Media Storage: Cloudinary (image and document uploads — US-based, SCCs in place)
Error Tracking: Sentry (application error monitoring — US-based, SCCs in place)
Push Notifications: Expo, Firebase Cloud Messaging (mobile push notifications)

5.3 Business Transfers

If MentraNova is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and ensure the new entity continues to comply with GDPR.

5.4 Legal Requirements

We may disclose your information when required by EU or national law or in response to:

Court orders or legal processes from competent authorities
Government or regulatory requests
Protection of our rights, property, or safety
Prevention of fraud or illegal activities

5.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you with researchers, partners, or the public for analysis and reporting. This data is no longer considered personal data under GDPR.

5.6 With Your Consent

We may share your information with other parties when you explicitly consent, such as when you choose to share testimonials or participate in case studies.

6. International Data Transfers

We primarily store and process your data within the European Economic Area (EEA). Where we use service providers outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs): Approved by the European Commission
Adequacy Decisions: Transfers to countries deemed adequate by the EU
Additional Safeguards: Supplementary measures as required by Schrems II
Your Explicit Consent: Where required and appropriate

You have the right to obtain information about these safeguards by contacting us.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy and to comply with legal obligations:

Retention Periods:

Active Accounts: For the duration of your account plus applicable legal retention periods
Deleted Accounts: 30 days for recovery purposes, then permanently deleted (unless required by law)
Financial Records: 7 years for tax and audit purposes (as required by EU and national laws)
Communication Records: As long as needed for support, legal, and compliance purposes
Analytics Data: Anonymized within 26 months
Cookies: As specified in our cookie policy (typically 12-26 months)

After the retention period expires, we securely delete or anonymize your data so it can no longer identify you.

8. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

8.1 Right of Access (Art. 15)

Request confirmation of whether we process your personal data
Obtain a copy of your personal data
Receive information about processing purposes, categories, recipients, and retention periods

8.2 Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data
Update your profile information directly in account settings

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

Request deletion of your personal data when:

It's no longer necessary for the purposes collected
You withdraw consent (where consent is the legal basis)
You object to processing and no overriding legitimate grounds exist
Data has been unlawfully processed
Deletion is required by legal obligation

Note: We may retain data if legally required or for establishing legal claims

8.4 Right to Restriction of Processing (Art. 18)

Request limitation of processing when:

You contest the accuracy of your data (pending verification)
Processing is unlawful but you prefer restriction over erasure
We no longer need the data but you need it for legal claims
You've objected to processing (pending verification)

8.5 Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format (JSON, CSV)
Transfer your data to another service provider
Applies to data processed based on consent or contract

8.6 Right to Object (Art. 21)

Object to processing based on legitimate interests (Art. 6(1)(f))
Object to direct marketing at any time (absolute right)
Object to profiling for direct marketing

8.7 Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time (where consent is the legal basis)
Withdrawal doesn't affect lawfulness of prior processing
Easy withdrawal mechanisms provided

8.8 Right Not to be Subject to Automated Decision-Making (Art. 22)

Not be subject to decisions based solely on automated processing (including profiling) that produce legal or significant effects
Request human intervention and explanation of automated decisions

8.9 How to Exercise Your Rights

To exercise any of these rights:

Email: [email protected]
Account Settings: Many rights can be exercised directly through your account
Response Time: We will respond within 1 month (extendable to 3 months for complex requests)
Verification: We may request identification to verify your identity
Free of Charge: First request is free; excessive requests may incur administrative fees

9. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Art. 32:

9.1 Technical Measures

Encryption in transit (TLS 1.3) and at rest (AES-256)
Secure authentication (OAuth 2.0, JWT tokens with rotation)
Regular security audits and penetration testing
Intrusion detection and prevention systems
Automated backup and disaster recovery procedures
Pseudonymization and anonymization where appropriate

9.2 Organizational Measures

Access controls and principle of least privilege
Regular employee training on GDPR and data protection
Confidentiality agreements with all staff and contractors
Data protection impact assessments (DPIAs) for high-risk processing
Incident response and breach notification procedures
Documented data processing records (Art. 30)

9.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

We will notify the relevant supervisory authority within 72 hours
We will notify affected individuals without undue delay if the breach poses a high risk
Notifications will include the nature of the breach, likely consequences, and measures taken

10. Special Categories of Personal Data

Certain information you provide may be considered "special categories" of personal data under GDPR Art. 9, including health information or data revealing aspects of your mental wellbeing. We:

Process special category data only with your explicit consent (Art. 9(2)(a))
Use it solely for providing coaching services you've requested
Implement enhanced security and confidentiality measures
Limit access to authorized personnel with legitimate need
Allow you to withdraw consent and request deletion at any time

Important: MentraNova is not a healthcare provider, and coaching sessions are not medical or psychological treatment. Do not share medical information that requires clinical confidentiality.

11. Cookies and Tracking Technologies

We use cookies and similar technologies in compliance with the ePrivacy Directive and GDPR. You will be presented with a cookie consent banner on your first visit.

Cookie Type	Purpose	Legal Basis
Strictly Necessary	Authentication, security, functionality	Legitimate interest (no consent required)
Analytics	Usage analysis, performance monitoring	Consent required
Preferences	Remember your settings and choices	Consent required (or legitimate interest)
Marketing	Targeted advertising, retargeting	Explicit consent required

You can manage cookie preferences through:

Our cookie consent banner (on first visit)
Cookie preference center in your account settings
Your browser settings

12. Children's Privacy

MentraNova is not intended for individuals under 18 years of age. We do not knowingly collect or process personal data from children. If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected], and we will take steps to delete such information within 72 hours.

13. Third-Party Links and Services

The Platform may contain links to third-party websites or integrate with third-party services (such as OAuth providers). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

We will post the updated policy with a new "Last Updated" date
For material changes, we will notify you via email or prominent Platform notification at least 30 days before changes take effect
Where required by law, we will obtain your consent for material changes
Your continued use after notification period constitutes acceptance of updated policy

15. Supervisory Authority and Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection supervisory authority if you believe we have violated your privacy rights under GDPR.

Lead Supervisory Authority:
Gegevensbeschermingsautoriteit (GBA) — Belgian Data Protection Authority
Drukpersstraat 35, 1000 Brussels, Belgium
www.gegevensbeschermingsautoriteit.be

Find your national authority:
European Data Protection Board - List of Authorities

However, we encourage you to contact us first so we can address your concerns directly.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Contact
Email: [email protected]
Legal Email: [email protected]
Website: www.mentranova.com
Veldegem, Belgium

We will respond to all legitimate requests within one month in accordance with GDPR requirements.