1. Introduction
This Privacy Policy describes how Mentis ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our educational flashcard application and services (the "Service"), including our web application, iOS app, and Android app.
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service.
Contact Information:
Email: privacy@mentis.app
Website: https://mentis.app
2. Information We Collect
2.1 Information You Provide Directly
When you create an account and use our Service, you provide:
- Account Information: Name, email address, password
- Profile Information: Username, profile picture (optional)
- User-Generated Content: Flashcards, decks, notes, study materials
- Study Progress: Learning data, mastery levels, study session history
- Payment Information: Processed securely by Stripe (web), Apple App Store (iOS), or Google Play Store (Android). We do not store full credit card details.
- Communications: Messages you send to customer support, feedback, and surveys
2.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Device Information: Device type, operating system version, unique device identifiers
- Usage Data: Study sessions, card interactions, features used, time spent in app
- Location Data: General location derived from IP address (not precise GPS location)
- Analytics Data: App performance metrics, crash reports, user interaction patterns via Firebase Analytics
- Log Data: IP address, browser type, pages visited, timestamps
2.3 Information from Third Parties
- OAuth Authentication: When you sign in with Google or Apple, we receive basic profile information (name, email, profile picture) as permitted by the provider
- Payment Verification: Transaction data from RevenueCat, Stripe, Apple App Store, and Google Play Store to verify subscription status
2.4 AI-Powered Features
When you use AI features (flashcard generation, text enhancement, quiz generation):
- We send your input text and prompts to OpenAI for processing
- OpenAI processes this data according to their Data Processing Addendum
- Important: OpenAI does not use API customer data to train their models
- AI-generated content becomes part of your flashcard data and is subject to this Privacy Policy
- We may retain AI request logs for debugging and service improvement (anonymized after 30 days)
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Service Delivery (Legal Basis: Contract Performance)
- Provide and maintain the Service
- Enable study features (spaced repetition algorithm, progress tracking, quiz games)
- Process AI requests for flashcard generation and enhancement
- Synchronize data across your devices
3.2 Account Management (Legal Basis: Contract Performance, Legal Obligation)
- Create and manage your account
- Authenticate users and prevent fraud
- Process payments and manage subscriptions
- Respond to your support requests
3.3 Communication (Legal Basis: Legitimate Interest, Consent)
- Send service-related notifications (account updates, security alerts)
- Respond to your inquiries and provide customer support
- Send marketing communications (only with your consent; you can opt out anytime)
- Notify you of new features, updates, and improvements
3.4 Improvement & Analytics (Legal Basis: Legitimate Interest)
- Analyze usage patterns to improve features and user experience
- Detect and fix bugs, optimize performance
- Conduct research and development
- Generate anonymized statistics and insights
3.5 Social Features (Legal Basis: Contract Performance, Consent)
- Enable groups, friends, and deck sharing functionality
- Display progress and achievements to other users (as you choose)
- Facilitate community interactions
3.6 Safety & Security (Legal Basis: Legitimate Interest, Legal Obligation)
- Detect and prevent fraud, abuse, and illegal activity
- Enforce our Terms of Service and Community Guidelines
- Protect the safety and security of our users
- Comply with legal obligations
4. How We Share Your Information
We do not sell your personal information to third parties.
We share your information only in the following circumstances:
4.1 Service Providers
We share data with trusted third-party service providers who assist in operating our Service. All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
4.2 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.
4.3 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal requests from government authorities
- Court orders or subpoenas
- Protection of our legal rights
- Emergency situations involving danger to persons or property
4.4 With Your Consent
We may share your information with third parties when you explicitly consent, such as:
- Publicly sharing decks you mark as "public"
- Sharing study progress with group members
- Connecting with friends within the app
5. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this Privacy Policy. After the retention period, we securely delete or anonymize your data unless legally required to retain it longer.
6. Your Rights and Choices
6.1 Rights for EEA Users (GDPR)
If you are in the European Economic Area, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to processing based on legitimate interests (e.g., marketing)
- Right to Withdraw Consent: Withdraw consent at any time (doesn't affect prior processing)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
How to Exercise Your Rights: Email us at privacy@mentis.app or use the in-app privacy settings. We will respond within 30 days.
6.2 Rights for California Residents (CCPA)
If you are a California resident, you have these additional rights:
- Right to Know: Know what personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale: Opt out of data "sales" (note: we do not sell your data)
- Right to Non-Discrimination: Receive equal service regardless of privacy choices
- Right to Correct: Correct inaccurate personal information
- Right to Limit Use of Sensitive Information: Limit use of sensitive personal information
How to Exercise Your Rights: Email privacy@mentis.app or use our in-app privacy settings. We will respond within 45 days (with one 45-day extension if needed).
6.3 General Privacy Controls
All users can:
- Access and export your data: Download all flashcards, decks, and study progress
- Delete content: Delete individual cards, decks, or your entire account
- Control sharing: Choose what content to share publicly or with groups
- Manage cookies: Control cookies through your browser settings
- Opt out of marketing: Unsubscribe from marketing emails via the link in each email
- Manage notifications: Control push notifications in app settings or device settings
7. Children's Privacy (COPPA)
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@mentis.app. We will delete such information within 30 days.
For users aged 13-17: We recommend obtaining parental consent before creating an account. Parents can contact us to request access to or deletion of their child's data.
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Access Controls: Role-based access restrictions; only authorized personnel can access user data
- Regular Audits: Security assessments, vulnerability scans, and penetration testing
- Secure Hosting: Data hosted on certified secure cloud infrastructure
- Password Protection: Passwords hashed using bcrypt
- Two-Factor Authentication: Optional 2FA for enhanced account security
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data using commercially acceptable means, we cannot guarantee absolute security.
Data Breach Notification: In the event of a data breach affecting your personal information, we will notify you within 72 hours (GDPR requirement) or as required by applicable law.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our servers and service providers are located.
For EEA Users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection when transferring data outside the EEA. You can request a copy of our SCCs by emailing privacy@mentis.app.
For UK Users: We comply with UK GDPR requirements for international data transfers.
10. Cookies and Tracking Technologies
We use cookies and similar technologies for essential functionality, analytics, and preferences. You can control cookies through your browser settings or in-app privacy settings.
Note: Disabling essential cookies may affect Service functionality (e.g., you may not be able to log in).
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements.
We will notify you of material changes by:
- Posting the updated policy with a new "Last Updated" date at the top
- Sending an email notification to your registered email address (for significant changes)
- Displaying an in-app notification
Continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
For privacy questions, concerns, or to exercise your rights, please contact us:
Email: privacy@mentis.app
Data Protection Officer: privacy@mentis.app
Response Time: We will respond to privacy requests within:
- GDPR: 30 days (1 month)
- CCPA: 45 days (with optional 45-day extension)
Version: 1.0
Document ID: PRIVACY-POLICY-2026-01
Language: English (US)
Thank you for trusting Mentis with your learning journey. We are committed to protecting your privacy and handling your data responsibly.