Go to the landing page

Privacy Policy

Effective date: 5 June 2026 · Last updated: 5 June 2026

This Privacy Policy explains how Mentor (“the app”) collects, uses, stores, and shares your personal data. It is written to comply with the EU General Data Protection Regulation (GDPR) and applies to all users of the app, regardless of location.

1. Who we are

Mentor is operated by Dmitry Shishov, an individual based in Spain, acting as the data controller for the purposes of GDPR.

Contact details for privacy matters are listed in Section 13 at the end of this policy. You can use them to exercise any of your rights described here, ask questions about your data, or report a concern.

2. What data we collect

We collect only the data needed to operate the app’s features. We do not collect data for advertising, do not sell data, and do not use analytics or tracking SDKs.

2.1 Account data

When you create an account, we collect:

  • Email address
  • Password (stored hashed, never in plaintext)
  • Name
  • Age
  • Gender

2.2 Lifestyle data

To personalise mentorship, the app stores data you provide through the onboarding assessment and ongoing use:

  • Assessment answers across six life areas (mind, body, society, essence, nature, career)
  • Current-state metric selections you make in the app
  • Targets and goals you set
  • Daily activities and progress entries
  • App usage patterns related to features you interact with (e.g., when you complete activities)

2.3 Device and notification data

If you grant notification permissions:

  • iOS push notification token
  • Your selected notification times
  • Your device timezone

2.4 AI interaction data

The app uses AI to generate personalised content and respond to your messages. As part of this:

  • Chat messages you send are transmitted to Anthropic for processing
  • Voice recordings you make using the voice input feature are transmitted to OpenAI for transcription
  • AI-generated content (greetings, target suggestions, morning bundles, chat replies) is stored in our database to avoid regenerating unchanged content

2.5 Authentication state

A session token is stored securely on your device (in iOS Secure Enclave via Apple’s Keychain) so you remain signed in between app launches. This token never leaves your device unless used to authenticate API requests.

2.6 What we do not collect

We do not collect:

  • Your precise location (GPS or otherwise)
  • Contacts, photos, calendar, or other device data outside the app
  • Advertising identifiers
  • Browsing history outside the app
  • Biometric data
  • Payment information (the app is currently free)

3. Legal basis for processing

Under GDPR, we process your data on the following legal bases:

  • Contract (Art. 6(1)(b)): processing necessary to provide the app’s services that you’ve signed up for, including account management, personalisation, and AI mentor features.
  • Consent (Art. 6(1)(a)): for push notifications, microphone access, and any optional features you explicitly opt into. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)): for security, fraud prevention, and improving the app’s reliability.

We do not process special category data (health data in the GDPR sense, religion, political opinions, etc.). The app’s lifestyle data is not medical data and is not used to make health decisions about you.

4. How we use your data

We use your data to:

  • Authenticate you and keep you signed in
  • Personalise the app’s interface (your name in greetings, suggested targets, etc.)
  • Generate AI mentor responses grounded in your actual situation
  • Send notifications at times you have configured
  • Track your progress over time so you can see trends
  • Operate the technical infrastructure (servers, databases, push services)

We do not use your data to:

  • Train AI models (your data is not used to train Anthropic, OpenAI, or any other AI model — see Section 6 for sub-processor terms)
  • Show you advertisements
  • Profile you for commercial purposes outside the app
  • Sell, rent, or share with third parties for their own purposes

5. Where your data is stored

The app uses Supabase as its database and authentication provider. Your data is stored in Supabase’s EU (Ireland) region. This means your primary data residency is within the European Economic Area.

Some processing happens outside the EU, as described in Section 6.

6. Sub-processors

To operate the app, we share data with the following service providers. Each is bound by their own privacy policies and data processing agreements with us. None of them sell your data or use it to train AI models on your inputs (per their stated API terms at time of writing).

  • Supabase — Database, authentication, edge functions. Location: EU (Ireland). Data shared: all account and lifestyle data.
  • Anthropic — AI chat replies, UI personalisation, target generation, morning bundles. Location: United States. Data shared: profile context (name, age, gender, metrics, progress, targets, activities, assessment) and chat messages, for the duration of each API request.
  • OpenAI — Voice transcription via the Whisper API. Location: United States. Data shared: audio recordings you make using the voice input feature, for the duration of each transcription request.
  • Apple Push Notification service (APNs) — Delivering notifications to your iOS device. Location: United States. Data shared: push notification content and your device push token.
  • Expo — Routing push notifications to APNs. Location: United States. Data shared: push notification content and your device push token.

Transfers outside the EU

Anthropic, OpenAI, Apple, and Expo are based in the United States. Personal data transferred to these providers relies on the EU-US Data Privacy Framework and/or Standard Contractual Clauses, as applicable to each provider. You may request copies of the relevant safeguards by emailing us.

AI provider data retention

  • Anthropic retains API inputs and outputs for up to 30 days for safety and abuse monitoring, after which they are deleted. Anthropic does not use API data to train their models.
  • OpenAI retains API inputs for up to 30 days for abuse monitoring, after which they are deleted. OpenAI does not use API data to train their models when accessed via the API.

These retention windows apply to each individual API call and are independent of how long we store your data in our own database.

7. How long we keep your data

  • While your account is active: we keep your data as long as you continue to use the app.
  • After you delete your account: all data associated with your account is deleted immediately and permanently from our database. This includes account data, lifestyle data, AI-generated content, push tokens, and all related records. We do not retain backups beyond standard short-term database backup windows.
  • AI provider retention: API requests previously sent to Anthropic and OpenAI may persist in their systems for up to 30 days per their respective policies. We have no ability to expedite deletion at those providers.

8. Your rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): request deletion of your data. You can also delete your account directly within the app, which performs immediate full deletion.
  • Right to restriction of processing: request that we limit how we use your data.
  • Right to data portability: request your data in a portable, machine-readable format.
  • Right to object: object to processing based on legitimate interest.
  • Right to withdraw consent: for any processing based on consent (notifications, microphone access), withdraw at any time.
  • Right to lodge a complaint: with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es) or the supervisory authority in your EU country of residence.

To exercise any of these rights, email us at the address in Section 13. We will respond within 30 days as required by GDPR.

9. Account deletion

You can permanently delete your account from within the app:

  • Open your profile.
  • Tap “Delete account” below the Log out option.
  • Type DELETE in the confirmation dialog to confirm.

Once confirmed, all your data is immediately and permanently removed from our database. This action cannot be undone.

10. Security

We protect your data through:

  • Encrypted connections (HTTPS/TLS) for all data transmitted between the app and our servers.
  • Encrypted storage of session tokens on your device via iOS Secure Enclave.
  • Passwords stored only as cryptographic hashes, never in plaintext.
  • Row-level security policies in our database that prevent users from accessing each other’s data.
  • Limited access to production systems, restricted to the operator (Dmitry Shishov).

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at the address in Section 13.

11. Children’s privacy

The app is intended for users aged 18 and over. It is not directed at children. We do not knowingly collect data from users under 16. If you believe a child has provided us with personal data, contact us at the address in Section 13 and we will delete the account.

12. Changes to this policy

We may update this Privacy Policy as the app evolves. When we do:

  • The “Last updated” date at the top will change.
  • Material changes (e.g., new categories of data collected, new sub-processors) will be communicated to active users via in-app notification or email before they take effect.

Continued use of the app after a policy update constitutes acceptance of the revised terms. If you do not accept a change, you may delete your account at any time.

13. Contact

For any question about this policy, your data, or to exercise your rights:

Dmitry Shishov
Email: dimitry.shishov02@gmail.com

This policy is provided in English. If translated into other languages for convenience, the English version governs in case of discrepancy.