Effective date: 5 June 2026 · Last updated: 5 June 2026
This Privacy Policy explains how Mentor (“the app”) collects, uses, stores, and shares your personal data. It is written to comply with the EU General Data Protection Regulation (GDPR) and applies to all users of the app, regardless of location.
1. Who we are
Mentor is operated by Dmitry Shishov, an individual based in Spain, acting as the data controller for the purposes of GDPR.
Contact details for privacy matters are listed in Section 13 at the end of this policy. You can use them to exercise any of your rights described here, ask questions about your data, or report a concern.
2. What data we collect
We collect only the data needed to operate the app’s features. We do not collect data for advertising, do not sell data, and do not use analytics or tracking SDKs.
2.1 Account data
When you create an account, we collect:
Email address
Password (stored hashed, never in plaintext)
Name
Age
Gender
2.2 Lifestyle data
To personalise mentorship, the app stores data you provide through the onboarding assessment and ongoing use:
Assessment answers across six life areas (mind, body, society, essence, nature, career)
Current-state metric selections you make in the app
Targets and goals you set
Daily activities and progress entries
App usage patterns related to features you interact with (e.g., when you complete activities)
2.3 Device and notification data
If you grant notification permissions:
iOS push notification token
Your selected notification times
Your device timezone
2.4 AI interaction data
The app uses AI to generate personalised content and respond to your messages. As part of this:
Chat messages you send are transmitted to Anthropic for processing
Voice recordings you make using the voice input feature are transmitted to OpenAI for transcription
AI-generated content (greetings, target suggestions, morning bundles, chat replies) is stored in our database to avoid regenerating unchanged content
2.5 Authentication state
A session token is stored securely on your device (in iOS Secure Enclave via Apple’s Keychain) so you remain signed in between app launches. This token never leaves your device unless used to authenticate API requests.
2.6 What we do not collect
We do not collect:
Your precise location (GPS or otherwise)
Contacts, photos, calendar, or other device data outside the app
Advertising identifiers
Browsing history outside the app
Biometric data
Payment information (the app is currently free)
3. Legal basis for processing
Under GDPR, we process your data on the following legal bases:
Contract (Art. 6(1)(b)): processing necessary to provide the app’s services that you’ve signed up for, including account management, personalisation, and AI mentor features.
Consent (Art. 6(1)(a)): for push notifications, microphone access, and any optional features you explicitly opt into. You may withdraw consent at any time.
Legitimate interest (Art. 6(1)(f)): for security, fraud prevention, and improving the app’s reliability.
We do not process special category data (health data in the GDPR sense, religion, political opinions, etc.). The app’s lifestyle data is not medical data and is not used to make health decisions about you.
4. How we use your data
We use your data to:
Authenticate you and keep you signed in
Personalise the app’s interface (your name in greetings, suggested targets, etc.)
Generate AI mentor responses grounded in your actual situation
Send notifications at times you have configured
Track your progress over time so you can see trends
Operate the technical infrastructure (servers, databases, push services)
We do not use your data to:
Train AI models (your data is not used to train Anthropic, OpenAI, or any other AI model — see Section 6 for sub-processor terms)
Show you advertisements
Profile you for commercial purposes outside the app
Sell, rent, or share with third parties for their own purposes
5. Where your data is stored
The app uses Supabase as its database and authentication provider. Your data is stored in Supabase’s EU (Ireland) region. This means your primary data residency is within the European Economic Area.
Some processing happens outside the EU, as described in Section 6.
6. Sub-processors
To operate the app, we share data with the following service providers. Each is bound by their own privacy policies and data processing agreements with us. None of them sell your data or use it to train AI models on your inputs (per their stated API terms at time of writing).
Supabase — Database, authentication, edge functions. Location: EU (Ireland). Data shared: all account and lifestyle data.
Anthropic — AI chat replies, UI personalisation, target generation, morning bundles. Location: United States. Data shared: profile context (name, age, gender, metrics, progress, targets, activities, assessment) and chat messages, for the duration of each API request.
OpenAI — Voice transcription via the Whisper API. Location: United States. Data shared: audio recordings you make using the voice input feature, for the duration of each transcription request.
Apple Push Notification service (APNs) — Delivering notifications to your iOS device. Location: United States. Data shared: push notification content and your device push token.
Expo — Routing push notifications to APNs. Location: United States. Data shared: push notification content and your device push token.
Transfers outside the EU
Anthropic, OpenAI, Apple, and Expo are based in the United States. Personal data transferred to these providers relies on the EU-US Data Privacy Framework and/or Standard Contractual Clauses, as applicable to each provider. You may request copies of the relevant safeguards by emailing us.
AI provider data retention
Anthropic retains API inputs and outputs for up to 30 days for safety and abuse monitoring, after which they are deleted. Anthropic does not use API data to train their models.
OpenAI retains API inputs for up to 30 days for abuse monitoring, after which they are deleted. OpenAI does not use API data to train their models when accessed via the API.
These retention windows apply to each individual API call and are independent of how long we store your data in our own database.
7. How long we keep your data
While your account is active: we keep your data as long as you continue to use the app.
After you delete your account: all data associated with your account is deleted immediately and permanently from our database. This includes account data, lifestyle data, AI-generated content, push tokens, and all related records. We do not retain backups beyond standard short-term database backup windows.
AI provider retention: API requests previously sent to Anthropic and OpenAI may persist in their systems for up to 30 days per their respective policies. We have no ability to expedite deletion at those providers.
8. Your rights
Under GDPR, you have the following rights regarding your personal data:
Right of access: request a copy of the personal data we hold about you.
Right to rectification: correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”): request deletion of your data. You can also delete your account directly within the app, which performs immediate full deletion.
Right to restriction of processing: request that we limit how we use your data.
Right to data portability: request your data in a portable, machine-readable format.
Right to object: object to processing based on legitimate interest.
Right to withdraw consent: for any processing based on consent (notifications, microphone access), withdraw at any time.
Right to lodge a complaint: with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es) or the supervisory authority in your EU country of residence.
To exercise any of these rights, email us at the address in Section 13. We will respond within 30 days as required by GDPR.
9. Account deletion
You can permanently delete your account from within the app:
Open your profile.
Tap “Delete account” below the Log out option.
Type DELETE in the confirmation dialog to confirm.
Once confirmed, all your data is immediately and permanently removed from our database. This action cannot be undone.
10. Security
We protect your data through:
Encrypted connections (HTTPS/TLS) for all data transmitted between the app and our servers.
Encrypted storage of session tokens on your device via iOS Secure Enclave.
Passwords stored only as cryptographic hashes, never in plaintext.
Row-level security policies in our database that prevent users from accessing each other’s data.
Limited access to production systems, restricted to the operator (Dmitry Shishov).
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at the address in Section 13.
11. Children’s privacy
The app is intended for users aged 18 and over. It is not directed at children. We do not knowingly collect data from users under 16. If you believe a child has provided us with personal data, contact us at the address in Section 13 and we will delete the account.
12. Changes to this policy
We may update this Privacy Policy as the app evolves. When we do:
The “Last updated” date at the top will change.
Material changes (e.g., new categories of data collected, new sub-processors) will be communicated to active users via in-app notification or email before they take effect.
Continued use of the app after a policy update constitutes acceptance of the revised terms. If you do not accept a change, you may delete your account at any time.
13. Contact
For any question about this policy, your data, or to exercise your rights: