Legal

Data & Compliance

Last updated: June 2026 · Effective date: June 2026

This page provides a full inventory of personal data collected by Mentorise, our legal bases for processing, and your rights under UK GDPR and the California Consumer Privacy Act (CCPA). For our full privacy practices, see our Privacy Policy.

Full data inventory

Every personal data point Mentorise collects, where it comes from, and why.

Identity & account data

Data point	Source	Stored as	Purpose
Username	You (signup)	Plain text (unique)	Account identity
Email address	You (signup)	Plain text (unique)	PIN reset, weekly digest
4-digit PIN	You (signup)	bcrypt hash — never plain text	Authentication
Invite code	You (signup)	Plain text	Access control
Account creation timestamp	System	ISO timestamp	Record-keeping
Email digest opt-in status	You (signup checkbox)	Boolean	Determines whether to send weekly digest
Profile hidden status	You (settings)	Boolean	Controls directory visibility
Onboarding answers (goals, interests, area)	You (onboarding flow)	JSON	Personalise profile and experience

CV & career profile data

Data point	Source	Stored as	Purpose
CV file (PDF)	You (upload)	File on server (`{session_id}.pdf`)	Career data extraction
Career timeline (jobs, titles, dates, organisations)	Extracted from CV by AI	JSON	Profile generation
Education history (institutions, degrees, dates)	Extracted from CV by AI	JSON	Profile generation
Skills list	Extracted from CV by AI	JSON	Profile generation
AI-generated clarification questions	Generated by OpenAI from CV	JSON	Build Q&A profile
Your answers to clarification questions	You (Q&A flow)	JSON	Public profile content
Answer corrections (edited answers)	You (profile editing)	Text per question	Keep profile accurate
Supplementary Q&A (additional questions & answers)	You (settings)	Text pairs	Enrich public profile
Public profile summary	Generated by OpenAI	JSON	Profile card display
Privacy exclusions	You (settings)	Text	Filter AI responses on your profile
Questions skipped (with timestamps and reasons)	System	JSON array	Improve question quality

Conversation & interaction data

Data point	Source	Stored as	Purpose
Questions asked to other profiles	You (query interface)	Text	Log interactions; derive interest signals
AI answers received from other profiles	Generated by OpenAI	Text	Display response; log interaction
Questions asked about your profile by others	Other users	Text	Weekly digest; improve matching
AI answers given on your behalf	Generated by OpenAI	Text	Log interaction; weekly digest
Conversation confidence level (high / medium / low)	System (AI output)	Text	Quality signal
Inferred interest signals from conversations	Derived by OpenAI	JSON	Surface relevant profiles
Inferred career signals from CV	Derived by OpenAI	JSON	Improve match scoring
Profile match scores between users	Generated by OpenAI	Score (0–100) + text blurb	Directory relevance ranking

Analytics data

Data point	Source	Stored as	Purpose
Anonymous session ID (`_anon_id`)	Generated in browser, stored in localStorage	Random string	Distinguish unique visitors before login
Page visit entry timestamp	System	ISO timestamp	Usage analytics
Session duration (updated every 60s)	System (heartbeat)	Integer (seconds)	Engagement analytics
Last screen viewed	System	Screen name string	Funnel analytics
User ID linked to visit (once logged in)	System	User ID reference	Understand registered-user behaviour

Support & transactional data

Data point	Source	Stored as	Purpose
Bug report text	You (bug report form)	Text	Resolve reported issues
PIN reset token (one-time, 7-day expiry)	System	UUID hex string	Authenticate PIN reset flow
PIN reset email address & name	You (forgot PIN flow)	Temporary — deleted on use or expiry	Send reset link

Third-party processors

Processor	Country	Data shared	Purpose	Safeguard
OpenAI	United States	CV content, career answers, conversation context, profile summaries	AI question generation, profile building, conversation answering, digest clustering	Data Processing Agreement + Standard Contractual Clauses (SCCs)
SMTP email provider	Configurable	Name, email address, reset token link	Transactional emails and weekly digest	Encrypted SMTP (TLS)

We do not sell, rent, or share your personal data with advertisers or data brokers.

UK GDPR compliance

Mentorise is operated from the United Kingdom. UK GDPR and the Data Protection Act 2018 apply to all processing of personal data.

Legal bases for processing

Processing activity	Legal basis
Creating and maintaining your account	Contract — necessary to provide the service
Processing your CV and building your profile	Contract — core service delivery
Sending PIN reset emails	Contract — necessary for account access
Sending weekly digest emails	Consent — opt-in at signup, withdrawable at any time
Logging conversations and deriving interest signals	Legitimate interests — improve profile matching and personalisation
Analytics (page visits, session duration)	Legitimate interests — understand product usage to improve the service
Sharing profile data with other registered users	Contract — the published-profile feature is the core purpose of the service
Transferring CV data to OpenAI for processing	Contract — necessary to provide AI-powered features

Your rights

Under UK GDPR you have the right to:

Access — obtain a copy of your personal data
Rectification — have inaccurate data corrected
Erasure — request deletion of your account and all associated data
Restriction — limit how your data is processed in certain circumstances
Portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interests
Withdraw consent — withdraw consent for digest emails at any time

To exercise your rights, email hello@mentorise.co.uk. We respond within one calendar month.

You may also complain to the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113.

International transfers

When your data is processed by OpenAI (US), it leaves the UK. We rely on Standard Contractual Clauses (SCCs) as the lawful mechanism for this transfer, consistent with ICO guidance on UK GDPR international transfers.

Data retention schedule

Data category	Retention period	Reason
Account data (username, email, PIN hash)	Until account deletion request	Required to operate the service
CV file (PDF)	Until account deletion	Needed to re-process if required
Career profile data (answers, corrections, Q&A)	Until account deletion	Core service content
Conversation logs	Until account deletion	Service history and signal generation
Analytics page visits	Indefinite (aggregated use)	Product analytics
PIN reset tokens	7 days or until used (whichever is first)	Security — tokens are single-use
Bug reports	Until resolved or account deleted	Issue resolution

CCPA — California Consumer Privacy Act

If you are a California resident, you have additional rights under CCPA. Mentorise does not sell personal information.

Categories of personal information collected

CCPA category	Examples from Mentorise	Collected?
Identifiers	Username, email address, user ID	Yes
Personal information (Cal. Civ. Code § 1798.80)	Name (username), email	Yes
Internet / network activity	Page visits, session duration, screens viewed	Yes
Professional / employment information	Career history, education, skills (from CV)	Yes
Inferences drawn from personal information	Interest signals, career signals, profile match scores	Yes
Geolocation data	None	No
Biometric information	None	No
Financial information	None	No
Health / medical information	None	No
Sensitive personal information	None (PIN is hashed, not stored)	No

How personal information is used

Personal information is used for the following business purposes:

Providing and improving the Mentorise platform
Enabling AI-powered career profile features
Facilitating profile discovery between users
Sending transactional and (with consent) digest emails
Analytics and product improvement

Your CCPA rights

Right to know: You may request details of the personal information we have collected about you, its sources, purposes, and any third parties it was shared with in the past 12 months.
Right to delete: You may request deletion of your personal information. We will delete your account and associated data within 30 days, subject to any legal obligations.
Right to correct: You may request correction of inaccurate personal information.
Right to opt out of sale or sharing: We do not sell or share personal information with third parties for cross-context behavioural advertising. This right is therefore not applicable.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, email hello@mentorise.co.uk with the subject line "CCPA Request". We will respond within 45 days.

Security measures

Measure	Detail
PIN storage	bcrypt with unique salt — never stored in plain text
Transport encryption	HTTPS/TLS on all connections
Authentication cookies	HttpOnly, Secure, SameSite=Lax
Security headers	X-Content-Type-Options, X-Frame-Options: DENY, Strict-Transport-Security, Content-Security-Policy
Admin access	Single named account verified server-side against environment variable
Rate limiting	Login, sign-in, and PIN reset endpoints rate-limited
File storage	Uploaded PDFs stored outside web root, named by session ID (not user-controlled filename)
Database	PostgreSQL with parameterised queries throughout

Contact & requests

For all data-related enquiries, access requests, deletion requests, or complaints:

Email: hello@mentorise.co.uk

We aim to respond to all requests within 30 days (45 days for CCPA requests). If you are unsatisfied with our response, you may contact the ICO (UK users) or your state Attorney General (US users).