Legal

Data & Compliance

Last updated: June 2026  ·  Effective date: June 2026

This page provides a full inventory of personal data collected by Mentorise, our legal bases for processing, and your rights under UK GDPR and the California Consumer Privacy Act (CCPA). For our full privacy practices, see our Privacy Policy.

Full data inventory

Every personal data point Mentorise collects, where it comes from, and why.

Identity & account data

| Data point | Source | Stored as | Purpose |
| --- | --- | --- | --- |
| Username | You (signup) | Plain text (unique) | Account identity |
| Email address | You (signup) | Plain text (unique) | PIN reset, weekly digest |
| 4-digit PIN | You (signup) | bcrypt hash — never plain text | Authentication |
| Invite code | You (signup) | Plain text | Access control |
| Account creation timestamp | System | ISO timestamp | Record-keeping |
| Email digest opt-in status | You (signup checkbox) | Boolean | Determines whether to send weekly digest |
| Profile hidden status | You (settings) | Boolean | Controls directory visibility |
| Onboarding answers (goals, interests, area) | You (onboarding flow) | JSON | Personalise profile and experience |

CV & career profile data

| Data point | Source | Stored as | Purpose |
| --- | --- | --- | --- |
| CV file (PDF) | You (upload) | File on server ({session_id}.pdf) | Career data extraction |
| Career timeline (jobs, titles, dates, organisations) | Extracted from CV by AI | JSON | Profile generation |
| Education history (institutions, degrees, dates) | Extracted from CV by AI | JSON | Profile generation |
| Skills list | Extracted from CV by AI | JSON | Profile generation |
| AI-generated clarification questions | Generated by OpenAI from CV | JSON | Build Q&A profile |
| Your answers to clarification questions | You (Q&A flow) | JSON | Public profile content |
| Answer corrections (edited answers) | You (profile editing) | Text per question | Keep profile accurate |
| Supplementary Q&A (additional questions & answers) | You (settings) | Text pairs | Enrich public profile |
| Public profile summary | Generated by OpenAI | JSON | Profile card display |
| Privacy exclusions | You (settings) | Text | Filter AI responses on your profile |
| Questions skipped (with timestamps and reasons) | System | JSON array | Improve question quality |

Conversation & interaction data

| Data point | Source | Stored as | Purpose |
| --- | --- | --- | --- |
| Questions asked to other profiles | You (query interface) | Text | Log interactions; derive interest signals |
| AI answers received from other profiles | Generated by OpenAI | Text | Display response; log interaction |
| Questions asked about your profile by others | Other users | Text | Weekly digest; improve matching |
| AI answers given on your behalf | Generated by OpenAI | Text | Log interaction; weekly digest |
| Conversation confidence level (high / medium / low) | System (AI output) | Text | Quality signal |
| Inferred interest signals from conversations | Derived by OpenAI | JSON | Surface relevant profiles |
| Inferred career signals from CV | Derived by OpenAI | JSON | Improve match scoring |
| Profile match scores between users | Generated by OpenAI | Score (0–100) + text blurb | Directory relevance ranking |

Analytics data

| Data point | Source | Stored as | Purpose |
| --- | --- | --- | --- |
| Anonymous session ID (_anon_id) | Generated in browser, stored in localStorage | Random string | Distinguish unique visitors before login |
| Page visit entry timestamp | System | ISO timestamp | Usage analytics |
| Session duration (updated every 60s) | System (heartbeat) | Integer (seconds) | Engagement analytics |
| Last screen viewed | System | Screen name string | Funnel analytics |
| User ID linked to visit (once logged in) | System | User ID reference | Understand registered-user behaviour |

Support & transactional data

| Data point | Source | Stored as | Purpose |
| --- | --- | --- | --- |
| Bug report text | You (bug report form) | Text | Resolve reported issues |
| PIN reset token (one-time, 7-day expiry) | System | UUID hex string | Authenticate PIN reset flow |
| PIN reset email address & name | You (forgot PIN flow) | Temporary — deleted on use or expiry | Send reset link |

Third-party processors

| Processor | Country | Data shared | Purpose | Safeguard |
| --- | --- | --- | --- | --- |
| OpenAI | United States | CV content, career answers, conversation context, profile summaries | AI question generation, profile building, conversation answering, digest clustering | Data Processing Agreement + Standard Contractual Clauses (SCCs) |
| SMTP email provider | Configurable | Name, email address, reset token link | Transactional emails and weekly digest | Encrypted SMTP (TLS) |

We do not sell, rent, or share your personal data with advertisers or data brokers.

UK GDPR compliance

Mentorise is operated from the United Kingdom. UK GDPR and the Data Protection Act 2018 apply to all processing of personal data.

Legal bases for processing

| Processing activity | Legal basis |
| --- | --- |
| Creating and maintaining your account | Contract — necessary to provide the service |
| Processing your CV and building your profile | Contract — core service delivery |
| Sending PIN reset emails | Contract — necessary for account access |
| Sending weekly digest emails | Consent — opt-in at signup, withdrawable at any time |
| Logging conversations and deriving interest signals | Legitimate interests — improve profile matching and personalisation |
| Analytics (page visits, session duration) | Legitimate interests — understand product usage to improve the service |
| Sharing profile data with other registered users | Contract — the published-profile feature is the core purpose of the service |
| Transferring CV data to OpenAI for processing | Contract — necessary to provide AI-powered features |

Your rights

Under UK GDPR you have the right to:

To exercise your rights, email hello@mentorise.co.uk. We respond within one calendar month.

You may also complain to the Information Commissioner's Office (ICO): ico.org.uk  |  0303 123 1113.

International transfers

When your data is processed by OpenAI (US), it leaves the UK. We rely on Standard Contractual Clauses (SCCs) as the lawful mechanism for this transfer, consistent with ICO guidance on UK GDPR international transfers.

Data retention schedule

| Data category | Retention period | Reason |
| --- | --- | --- |
| Account data (username, email, PIN hash) | Until account deletion request | Required to operate the service |
| CV file (PDF) | Until account deletion | Needed to re-process if required |
| Career profile data (answers, corrections, Q&A) | Until account deletion | Core service content |
| Conversation logs | Until account deletion | Service history and signal generation |
| Analytics page visits | Indefinite (aggregated use) | Product analytics |
| PIN reset tokens | 7 days or until used (whichever is first) | Security — tokens are single-use |
| Bug reports | Until resolved or account deleted | Issue resolution |

CCPA — California Consumer Privacy Act

If you are a California resident, you have additional rights under CCPA. Mentorise does not sell personal information.

Categories of personal information collected

| CCPA category | Examples from Mentorise | Collected? |
| --- | --- | --- |
| Identifiers | Username, email address, user ID | Yes |
| Personal information (Cal. Civ. Code § 1798.80) | Name (username), email | Yes |
| Internet / network activity | Page visits, session duration, screens viewed | Yes |
| Professional / employment information | Career history, education, skills (from CV) | Yes |
| Inferences drawn from personal information | Interest signals, career signals, profile match scores | Yes |
| Geolocation data | None | No |
| Biometric information | None | No |
| Financial information | None | No |
| Health / medical information | None | No |
| Sensitive personal information | None (PIN is hashed, not stored) | No |

How personal information is used

Personal information is used for the following business purposes:

Your CCPA rights

To exercise your CCPA rights, email hello@mentorise.co.uk with the subject line "CCPA Request". We will respond within 45 days.

Security measures

| Measure | Detail |
| --- | --- |
| PIN storage | bcrypt with unique salt — never stored in plain text |
| Transport encryption | HTTPS/TLS on all connections |
| Authentication cookies | HttpOnly, Secure, SameSite=Lax |
| Security headers | X-Content-Type-Options, X-Frame-Options: DENY, Strict-Transport-Security, Content-Security-Policy |
| Admin access | Single named account verified server-side against environment variable |
| Rate limiting | Login, sign-in, and PIN reset endpoints rate-limited |
| File storage | Uploaded PDFs stored outside web root, named by session ID (not user-controlled filename) |
| Database | PostgreSQL with parameterised queries throughout |

Contact & requests

For all data-related enquiries, access requests, deletion requests, or complaints:

Email: hello@mentorise.co.uk

We aim to respond to all requests within 30 days (45 days for CCPA requests). If you are unsatisfied with our response, you may contact the ICO (UK users) or your state Attorney General (US users).