MentBro

GDPR Compliance Policy

MentBro Ltd · Company No. 17163881 · Last updated: April 2026

1. Purpose and Scope

This document sets out MentBro Ltd's approach to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all personal data processed by MentBro in connection with the Service.

MentBro Ltd is the data controller as defined by UK GDPR. Company No. 17163881, registered in England and Wales.

2. Data Protection Principles

• Lawfulness, fairness and transparency: We process data on a valid legal basis and are open with users about how their data is used
• Purpose limitation: Data is collected for specified, explicit purposes and not processed in ways incompatible with those purposes
• Data minimisation: We collect only the data that is necessary for the purposes for which it is processed
• Accuracy: We take reasonable steps to ensure data is accurate and kept up to date
• Storage limitation: Data is not kept longer than necessary for its purpose
• Integrity and confidentiality: Data is secured against unauthorised access, loss, or destruction
• Accountability: MentBro takes responsibility for demonstrating compliance with these principles

3. Lawful Bases for Processing

3.1 Contract (Article 6(1)(b))

The primary basis for processing user data is the performance of a contract. When a user creates an account and uses the Service, processing of their profile data, coaching history, and subscription information is necessary to deliver the Service under our Terms and Conditions.

3.2 Legitimate Interests (Article 6(1)(f))

• Product analytics and improvement using aggregated, anonymised data
• Fraud detection and platform security
• Internal reporting and business development

In each case, we have conducted a Legitimate Interests Assessment confirming that our interests do not override users' fundamental rights and freedoms.

3.3 Legal Obligation (Article 6(1)(c))

Where required to retain or disclose data under applicable law, including HMRC requirements for financial records, we do so on this basis.

3.4 Consent (Article 6(1)(a))

Where users provide optional data such as LinkedIn or Instagram information, or where we send marketing communications, we rely on consent. Consent is freely given, specific, informed, and unambiguous. Users may withdraw consent at any time.

4. Special Category Data

MentBro does not intentionally collect special category data as defined by UK GDPR Article 9, including health data, political opinions, religious beliefs, or biometric data. Users should not submit such information through the platform. Where special category data is inadvertently submitted, it will be deleted upon identification.

5. Data Subject Rights

MentBro maintains procedures to respond to data subject rights requests within the statutory 30-day timeframe.

5.1 Right of Access (Article 15)

Users may request a copy of all personal data held about them. Requests are handled via aryan@mentbro.com. We will verify identity before releasing data.

5.2 Right to Rectification (Article 16)

Users may correct inaccurate data directly through their account settings or by contacting us.

5.3 Right to Erasure (Article 17)

Users may request deletion of their account and all associated personal data. Deletion is completed within 30 days. Certain data may be retained where required by law or for fraud prevention.

5.4 Right to Data Portability (Article 20)

Users may request their data in a structured, machine-readable format (JSON). This covers data provided directly by the user and data generated through use of the Service.

5.5 Right to Object (Article 21)

Users may object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override the user's interests.

5.6 Right to Restriction (Article 18)

Users may request restriction of processing in circumstances defined by Article 18, including where the accuracy of data is contested or where processing is unlawful.

6. Data Processors and Third Parties

Supabase

Database and authentication infrastructure. All user profile data, conversation history, goals, tasks, and application data is stored via Supabase, which operates under SOC 2 Type II certification.

Stripe

Payment processing. Handles billing information, subscription status, and payment history. Stripe is PCI DSS Level 1 certified and operates as an independent data controller for payment data.

Anthropic

AI model provider. Coaching queries and user context are processed through the Anthropic Claude API. MentBro relies on Anthropic's enterprise privacy commitments. Users should review Anthropic's privacy policy at anthropic.com/privacy.

7. International Data Transfers

Where personal data is transferred outside the UK, MentBro ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the UK ICO
• Adequacy decisions where applicable

Transfers to Supabase, Stripe, and Anthropic are conducted under SCCs or equivalent mechanisms. MentBro maintains records of all international transfers.

8. Data Breach Response

• The breach will be assessed and contained as quickly as possible
• Where the breach is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware
• Where the breach is likely to result in a high risk to individuals, we will notify affected users without undue delay
• All breaches will be recorded in our internal breach log regardless of whether they meet the reporting threshold

9. Privacy by Design

• Row-level security is enabled on all database tables, ensuring users can only access their own data
• Minimum necessary data is collected at each stage of the product
• AI queries include only the context necessary to generate a response
• Shareable cards contain only first name and a single focus statement — no sensitive profile data
• Optional data fields are clearly marked and are never required for core functionality

10. Retention Schedule

• Active account data: Retained for the duration of the account
• Deleted account data: Purged within 30 days of deletion, except where legal retention applies
• Payment records: Retained for 7 years in compliance with HMRC requirements
• Security and fraud logs: Retained for 12 months
• Anonymised analytics data: Retained indefinitely

11. Age Verification and Young Users

MentBro is intended for users aged 16 and over. We collect date of birth at registration to verify this. We do not knowingly collect data from users under 16. If we become aware that a user is under 16, we will delete their account and associated data promptly.

For users aged 16 and 17, no additional parental consent mechanism is required under UK GDPR, which sets the age of digital consent at 13 for information society services. However, MentBro recommends that users aged 16 and 17 inform a parent or guardian of their use of the Service.

12. Records of Processing Activities

MentBro maintains a Record of Processing Activities as required under UK GDPR Article 30. This internal record documents all processing activities, their purposes, legal bases, data categories, retention periods, and security measures. The ROPA is reviewed and updated at least annually.

13. Accountability and Review

MentBro Ltd's directors are accountable for data protection compliance. This policy is reviewed at least annually and updated to reflect changes in law, practice, or the Service.

14. Complaints and Supervisory Authority

Users who have concerns about how MentBro handles their personal data should contact us at aryan@mentbro.com in the first instance. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

15. Contact

Data Controller: MentBro Ltd
Company No.: 17163881
Email: aryan@mentbro.com
Website: mentbro.com

← Back to MentBro