Legal
Privacy Policy
Mentorise is operated from the United Kingdom. This policy explains what personal data we collect, why we collect it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are based in California, additional rights under CCPA are described in our Data & Compliance page.
1. Who we are
Mentorise ("we", "us", "our") is a career-mentorship platform that turns professional CVs into interactive, AI-powered profiles. We are the data controller for the personal data described in this policy.
Contact: hello@mentorise.co.uk
2. Data we collect and why
Account information
| Data | Purpose | Legal basis |
|---|---|---|
| Username | Identify your account | Contract performance |
| Email address | Password reset, weekly digest emails | Contract performance / Consent (digest) |
| 4-digit PIN (bcrypt hash — never stored in plain text) | Authenticate you | Contract performance |
| Invite code used at registration | Access control | Contract performance |
| Onboarding answers (goals, interests) | Personalise your experience | Legitimate interests |
| Email digest opt-in preference | Determine whether to send weekly summaries | Consent |
CV and career profile data
| Data | Purpose | Legal basis |
|---|---|---|
| CV file (PDF) | Extract career history for your profile | Contract performance |
| Extracted career timeline, education, skills | Generate AI clarification questions and your public profile | Contract performance |
| Your answers to AI-generated questions | Build your public career profile | Contract performance |
| Profile corrections and supplementary Q&A | Keep your profile accurate | Contract performance |
| Privacy exclusions (topics you want hidden) | Honour your privacy preferences in profile responses | Contract performance |
Conversation data
| Data | Purpose | Legal basis |
|---|---|---|
| Questions you ask other profiles; answers returned | Personalise your experience; improve signal matching | Legitimate interests |
| Questions others ask your profile; answers returned | Provide the mentorship service; generate weekly digest | Contract performance |
| Inferred interest signals from conversation patterns | Surface relevant profiles and career insights | Legitimate interests |
Analytics
| Data | Purpose | Legal basis |
|---|---|---|
| Anonymous session ID (stored in browser localStorage, not a cookie) | Understand aggregate usage without identifying individuals | Legitimate interests |
| Page visit timestamps, session duration, last screen viewed | Product analytics and improvement | Legitimate interests |
| Your user ID associated with page visits once logged in | Understand how registered users navigate the product | Legitimate interests |
Support and bug reports
If you submit a bug report, we store the text you provide along with your username. We use this solely to investigate and resolve the issue.
3. Cookies and local storage
| Name | Type | Duration | Purpose |
|---|---|---|---|
| user_id | HTTP cookie (HttpOnly, Secure, SameSite=Lax) | 7 days | Keeps you signed in |
| _anon_id | Browser localStorage | Until cleared | Anonymous analytics identifier |
We do not use advertising cookies, third-party tracking cookies, or any cookies from Google, Meta, or other ad networks.
4. How we use AI (OpenAI)
We use OpenAI's API (model: GPT-4o-mini) to:
- Generate clarification questions from your CV
- Build and summarise your career profile
- Answer questions asked by other users about your profile
- Cluster questions for your weekly email digest
- Infer career interest signals from conversation patterns
To do this, we send relevant parts of your CV content, answers, and conversation context to OpenAI's API. OpenAI is based in the United States. We rely on OpenAI's Data Processing Agreement and Standard Contractual Clauses as the legal basis for this international transfer. OpenAI's privacy practices are described at openai.com/privacy.
We do not use your data to train OpenAI models. OpenAI's API terms prohibit training on API-submitted data by default.
5. Email communications
We send two types of email:
- Transactional: PIN reset magic links. These are sent when you request them and cannot be opted out of.
- Weekly digest: A summary of the top questions asked about your profile that week. You can opt out at any time via your account settings or by emailing hello@mentorise.co.uk.
6. Data retention
| Data category | Retention period |
|---|---|
| Account and profile data | Until you request deletion of your account |
| Uploaded CV (PDF file) | Until your account is deleted |
| Conversation logs | Until your account is deleted |
| Analytics (page visits) | Retained indefinitely in aggregated form |
| PIN reset tokens | 7 days (tokens expire and are invalidated after use) |
| Bug reports | Until resolved or account deleted |
7. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): Request deletion of your account and all associated personal data.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent (e.g. email digest), you may withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, email hello@mentorise.co.uk. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- PINs are hashed using bcrypt with a unique salt — we never store your PIN in plain text
- Authentication cookies are HttpOnly, Secure, and SameSite=Lax
- All connections are encrypted via HTTPS/TLS
- Admin access is restricted to a single named account verified server-side
- Security headers (X-Frame-Options, X-Content-Type-Options, HSTS, CSP) are applied to all responses
9. Children
Mentorise is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or by a notice on the platform. Continued use of Mentorise after changes take effect constitutes acceptance of the revised policy.
11. Contact
For any privacy-related questions or requests: hello@mentorise.co.uk