Privacy Policy

Effective 2026-06-08

1. What this policy covers

This policy explains what data Mentapath collects when you use the Service at mentapath.com, how we use it, who we share it with, and the choices you have. By using the Service you consent to the practices described here.

2. Data we collect

Account data. Email, name, hashed password, profile photo (from OAuth provider, if used), workspace name, role (admin / member), workspace and account creation dates.

Content data. Files you upload (spreadsheets, PDFs, documents, emails), wiki pages and analyses generated by the Service from your uploads, queries you ask, alerts created for your workspace, and an activity log of those events.

Billing data. A Paddle customer ID, subscription status, plan, and current billing period. We do not store full payment card numbers; Paddle stores those.

Technical data. IP address (used for rate limiting and abuse detection), user agent, request paths, HTTP status codes, and error reports. We track failed login attempts and authentication events in an audit log.

AI usage data. Per-workspace counts of language model calls, input/output tokens, and computed cost. This drives the usage gauge on your billing page.

We do not collect or process information about your health, financial accounts, political views, religious beliefs, sexual orientation, or biometrics. Do not upload such categories of content.

3. Cookies and tracking

We use a small number of strictly necessary cookies:

  • Session cookies (__Secure-authjs.*, __Host-authjs.*) — HttpOnly, Secure, SameSite=Lax. Keep you logged in. Set by NextAuth.
  • CSRF token — protects state-changing requests.

We do not use third-party advertising cookies, analytics trackers, or fingerprinting.

4. Why we process your data

  • To provide the Service — parse your uploads, build your wiki, answer your queries. Legal basis: performance of the contract you accept by agreeing to our Terms.
  • To process payments — bill you for paid subscriptions. Legal basis: contractual necessity.
  • To secure the Service — rate-limit abuse, detect intrusion, audit-log security-relevant events. Legal basis: our legitimate interest in protecting the Service and other customers.
  • To communicate — send transactional emails (password resets, invoice failures, security alerts). Legal basis: contract / legitimate interest.
  • To comply with law — respond to lawful requests and meet tax / accounting obligations.

We do not use Your Content to train language models, sell your data, or share it with advertisers.

5. Third-party processors

To run the Service we share specific data with vetted vendors. Each processes data on our instructions and under their own privacy terms:

  • DeepInfra (U.S.): your uploaded content and queries are sent here for AI inference. DeepInfra serves the DeepSeek model from U.S.-based infrastructure and, per their terms, does not use API inputs or outputs to train models, subject to DeepInfra's own privacy practices.
  • Paddle (Paddle.com Market Limited, UK): payment card data, billing address, subscription state. Paddle acts as our merchant of record and is responsible for collecting and remitting sales tax / VAT.
  • Resend (U.S.): destination email + the transactional email body (sign-in links, password resets, invoice failures).
  • Railway (U.S.): hosts our application, the Postgres database that stores account + content metadata, and the file volume that stores your uploaded files.
  • Cloudflare (global): DNS, captcha (Turnstile), edge proxying. Sees IP addresses and request metadata.
  • Sentry (U.S.): error stack traces and request metadata when something crashes. Configured to scrub cookies and Authorization headers.
  • Google / Microsoft: only if you sign in via their OAuth providers — we receive your name, email, and profile photo from them.

6. International transfers

All of the processors above are based in the United States (Cloudflare operates globally for edge proxying). If you are located outside the U.S., your data will be transferred to and processed there. Where applicable we rely on the EU Standard Contractual Clauses (or equivalent local mechanism) for international transfers.

7. How long we keep data

  • Your Content — for as long as your account is active. On account or workspace deletion, it is hard-deleted from primary storage within 30 days and from backups within an additional 30 days.
  • Audit log — 12 months, then deleted.
  • Billing records — at least 7 years, as required by tax law.
  • Sentry error reports — 90 days, per Sentry defaults.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccuracies (most fields are editable from Settings).
  • Delete your account and Your Content (Settings → Delete account).
  • Export your data in a portable format — email us.
  • Withdraw consent for processing where consent is the basis.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, email [email protected]. We respond within 30 days.

9. Security

We use industry-standard measures: TLS 1.3 in transit, bcrypt for password hashes, isolated per-workspace storage, parameterized SQL queries, captcha + rate limiting on authentication routes, and strict Content Security Policy headers. Despite these measures, no system is perfectly secure. If we discover a breach affecting your data, we will notify you and, where required, the appropriate regulator within 72 hours.

10. Children

The Service is intended for business use and is not directed to children under 18. We do not knowingly collect data from children. If you believe a child has provided data to us, contact us and we will delete it.

11. Changes to this policy

We may update this policy as the Service evolves. Material changes will be announced via email at least 14 days before they take effect.

12. Contact

Privacy questions or requests: [email protected]. Security disclosures: [email protected].