Privacy Policy

1. Introduction

Welcome to mentors.coach ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mentorship platform and services.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide to us when you:

• Register for an whitelist
• Express interest in our services
• Participate in activities on our platform
• Contact us for support

This information may include: name, email address, phone number, professional background, career goals, resume/CV, LinkedIn profile, other socials, and payment information.

2.2 Automatically Collected Information

We automatically collect certain information when you visit, use, or navigate our platform, including: IP address, browser type, device information, usage data, and cookies.

We use third-party analytics services including Google Analytics and Yandex Metrica to collect and analyze usage data. These services may use cookies and similar technologies to track your interactions with our platform. For more information about how we use cookies, including cookie categories, retention periods, and consent mechanisms, please see our Cookie Policy.

3. Data Controller and Data Processor

Data Controller: mentors.coach acts as the data controller for personal information collected through our platform. As the data controller, we determine the purposes and means of processing your personal data.

Data Processors: We engage third-party service providers who act as data processors on our behalf, including:

• Stripe, Inc.: Payment processing and transaction management
• Amazon Web Services (AWS): Cloud hosting, data storage, and email delivery (AWS SES)
• Google Analytics: Website analytics and usage tracking
• Yandex Metrica: Traffic analytics and user behavior analysis

All data processors are contractually bound to process your data only in accordance with our instructions and applicable data protection laws. We maintain data processing agreements (DPAs) with all processors that include appropriate safeguards for your data.

4. Legal Bases for Processing (GDPR Article 6)

Under the General Data Protection Regulation (GDPR), we process your personal information based on the following legal bases:

• Performance of a Contract: We process your data to provide mentorship services, process payments, manage your account, and fulfill our obligations under our Terms of Service.
• Legitimate Interests: We process data for platform security, fraud prevention, analytics to improve our services, and business operations. We balance our legitimate interests against your privacy rights.
• Consent: We process data for email marketing, non-essential cookies, and analytics where you have provided explicit consent. You may withdraw consent at any time.
• Legal Obligation: We process and retain financial and transaction data to comply with tax, accounting, and other legal requirements (e.g., 7-year retention for financial records).
• Vital Interests: In rare cases, we may process data to protect your or another person's vital interests.

For each processing activity, we ensure that at least one legal basis applies. You have the right to object to processing based on legitimate interests, and we will consider your objection in accordance with applicable law.

5. How We Use Your Information

We use your information to:

• Provide, operate, and maintain our services
• Match you with appropriate mentors (see Automated Decision-Making section below)
• Process your transactions and manage your account
• Send you updates, newsletters, and marketing communications (with your consent)
• Respond to your inquiries and provide customer support
• Improve and personalize your experience
• Analyze usage patterns and optimize our platform
• Detect, prevent, and address technical issues and fraud
• Comply with legal obligations

6. Sharing Your Information

We may share your information in the following situations:

• With Mentors: We share relevant professional information with matched mentors to facilitate mentorship sessions. Mentors are independent contractors, not employees, and are contractually bound to maintain confidentiality and use your data only for mentorship purposes. They are required to comply with data protection expectations and may only access data necessary to provide mentorship services.
• Service Providers: We share information with third-party vendors who perform services on our behalf, including:
  • Stripe: Payment processing and transaction management. Stripe collects and processes payment information in accordance with their privacy policy and PCI DSS standards. We do not store your full payment card details.
  • Google Analytics: Website analytics and usage tracking
  • Yandex Metrica: Traffic analytics and user behavior analysis
  • AWS (Amazon Web Services): Cloud hosting, data storage, and email delivery via AWS Simple Email Service (SES). AWS processes data in accordance with their data processing agreement and applicable security standards.
• Business Transfers: In connection with any merger, sale, or acquisition of our business
• Legal Requirements: When required by law or to protect our rights and safety
• With Your Consent: We may share your information for any other purpose with your explicit consent

7. Data Security and Encryption

We implement appropriate technical and organizational security measures to protect your personal information. However, no electronic transmission or storage system is 100% secure, and we cannot guarantee absolute security.

7.1 Encryption

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security), the industry-standard protocol for secure communications.
• Encryption at Rest: Data stored in our databases and file storage systems is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), which is the same encryption standard used by banks and government agencies.

7.2 Access Controls

We implement role-based access control (RBAC) to ensure that only authorized personnel can access personal data. Access is limited to employees and contractors who need it to perform their job functions. All access is logged and regularly reviewed. We use strong authentication methods, including multi-factor authentication (MFA) where appropriate.

For more detailed information about our security practices, please see our Security page.

8. Automated Decision-Making and Profiling

Our platform uses automated systems to match mentees with appropriate mentors based on:

• User profile information (professional background, career goals, industry)
• Resume/CV data and skills
• Questionnaire responses
• User behavior and preferences

This automated matching constitutes "profiling" under GDPR Article 22. The automated decision-making is necessary for the performance of our mentorship services and does not produce legal effects or similarly significantly affect you.

Your Rights: You have the right to:

• Request human review of any automated decision
• Express your point of view regarding the automated processing
• Contest the automated decision and request manual review
• Receive an explanation of the logic involved in the automated processing

To exercise these rights, please contact us using the information provided in the Contact Us section below.

9. Your Privacy Rights

Depending on your location, you may have the following rights:

• Access and receive a copy of your personal information
• Correct inaccurate or incomplete information
• Request deletion of your personal information
• Object to or restrict processing of your information
• Data portability
• Withdraw consent at any time
• Opt-out of marketing communications

9.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information we collect, use, disclose, and sell
• Right to delete personal information we have collected from you
• Right to opt-out of the sale or sharing of personal information
• Right to non-discrimination for exercising your privacy rights
• Right to correct inaccurate personal information
• Right to limit use and disclosure of sensitive personal information

We do not sell personal information. To exercise your rights, please contact us using the information provided in the Contact Us section below.

9.2 Additional US State Privacy Rights

In addition to California, residents of the following states have privacy rights under their respective state laws:

• Colorado (CPA): Right to access, delete, correct, and opt-out of targeted advertising and sale of personal information
• Virginia (VCDPA): Right to access, delete, correct, opt-out of targeted advertising and sale, and data portability
• Connecticut (CTDPA): Right to access, delete, correct, opt-out of targeted advertising and sale, and data portability
• Utah (UCPA): Right to access, delete, and opt-out of sale of personal information

To exercise your rights under any of these state laws, please contact us using the information provided in the Contact Us section below.

9.3 Right to File Complaints

If you are located in the European Economic Area (EEA) or United Kingdom, you have the right to file a complaint with your local data protection authority (supervisory authority) if you believe we have violated your data protection rights. You may also contact us first to resolve any concerns.

A list of EU data protection authorities can be found at edpb.europa.eu. UK residents can contact the Information Commissioner's Office (ICO) at ico.org.uk.

10. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law. Specific retention periods are as follows:

• Account Data: Retained while your account is active and for a reasonable period after account closure (typically 30 days) to allow for account recovery, unless you request earlier deletion.
• Resume/CV and Application Data: Retained for 5 years from the date of submission to facilitate mentorship matching and career development services, unless you request earlier deletion.
• Financial and Transaction Data: Retained for at least 7 years to comply with tax, accounting, and financial regulations in the United States and other applicable jurisdictions. This includes payment records, invoices, and transaction history processed through Stripe.
• Marketing Communications Data: Retained until you opt-out or withdraw consent, after which we will stop processing for marketing purposes but may retain minimal records to honor your opt-out request.
• Logs and System Data: Server logs, access logs (AWS CloudTrail, S3 access logs, VPC logs), and system monitoring data are retained for 30 days for security and troubleshooting purposes, after which they are automatically deleted.
• Legal and Compliance: We may retain certain data longer if required by law, regulation, or to resolve disputes, enforce our agreements, or protect our legal rights.

After the retention period expires, we will securely delete or anonymize your personal information in accordance with our data deletion procedures.

11. Data Storage Locations and AWS Regions

Your personal information is stored and processed in the following locations:

• Primary Storage: Amazon Web Services (AWS) in the eu-central-1 (Frankfurt, Germany) region
• Backup Storage: AWS maintains backups in geographically distributed locations within the European Union for disaster recovery purposes
• Payment Processing: Stripe processes payment data in accordance with their global infrastructure, which may include transfers to the United States. Stripe is PCI DSS Level 1 compliant and maintains appropriate safeguards.

We do not transfer your personal data across AWS regions unless necessary for disaster recovery or service availability. Any such transfers are conducted with appropriate safeguards in place.

12. International Data Transfers and Transfer Impact Assessments

Your information may be transferred to and processed in countries other than your country of residence, including the United States where some of our service providers operate. These countries may have different data protection laws.

12.1 Safeguards for Data Transfers

We ensure appropriate safeguards are in place for such transfers, including:

• Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with all service providers that process EU/EEA personal data outside the EEA
• Transfer Impact Assessments (TIAs): We conduct Transfer Impact Assessments to evaluate the risks of transferring data to third countries and implement supplementary measures where necessary, in compliance with the Schrems II decision
• Technical Safeguards: Encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and data minimization
• Organizational Safeguards: Data processing agreements, regular security audits, and compliance monitoring
• Legal Frameworks: Compliance with applicable data protection frameworks, including GDPR, and adherence to data processing agreements

12.2 Schrems II Compliance

Following the European Court of Justice's Schrems II decision, we have implemented additional safeguards for transfers of EU/EEA personal data to the United States and other third countries. These include technical measures (encryption, pseudonymization), contractual measures (SCCs with supplementary clauses), and organizational measures (access controls, audit procedures). We regularly review and update these safeguards to ensure continued compliance.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

• Notify Affected Users: Inform you without undue delay, and in any event within 72 hours of becoming aware of the breach, where feasible
• Notification Method: Notify you via email to the address associated with your account, or through a prominent notice on our website if email is not available
• Information Provided: The notification will include a description of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures we are taking to address the breach
• Supervisory Authority Notification: Report the breach to the relevant supervisory authority (data protection authority) within 72 hours, as required by GDPR Article 33

We maintain an incident response plan and regularly review our security measures to prevent data breaches. If you suspect a security incident, please contact us immediately using the information in the Contact Us section below.

14. EU/EEA Representative and Data Protection Officer

14.1 EU/EEA Representative

As a company operating from the United States that processes personal data of individuals in the European Economic Area (EEA) and United Kingdom, we are required under GDPR Article 27 to appoint an EU/EEA representative.

We are currently in the process of appointing an EU/EEA representative. Once appointed, we will update this Privacy Policy with the representative's contact information. In the meantime, you may contact us directly using the information provided in the Contact Us section below.

14.2 Data Protection Officer (DPO)

Under GDPR Article 37, we are not currently required to appoint a Data Protection Officer (DPO) because our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, nor do we process special categories of data on a large scale. If our processing activities change in a way that requires a DPO, we will appoint one and update this Privacy Policy accordingly.

15. Data Minimization and Access Control

We follow the principle of data minimization, collecting and processing only the personal information that is necessary for the purposes outlined in this Privacy Policy.

15.1 Access Control

Access to personal data within our organization is strictly limited:

• Only authorized personnel who need access to perform their job functions can access personal data
• We implement role-based access control (RBAC) to ensure employees and contractors only have access to data relevant to their role
• All access is logged and regularly reviewed for security and compliance purposes
• We use strong authentication methods, including multi-factor authentication (MFA) for sensitive systems
• Employees and contractors are bound by confidentiality agreements and receive regular data protection training

We regularly audit access logs and review permissions to ensure that access remains appropriate and necessary.

16. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page with an updated "Last updated" date
• Sending an email notification to the address associated with your account (if applicable)
• Displaying a prominent notice on our website for significant changes

Your continued use of our Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

18. Payment Processing

We use Stripe, Inc. ("Stripe") to process payments. When you make a payment, Stripe collects and processes your payment information, including credit card details, billing address, and transaction data.

Stripe's collection and use of your payment information is governed by their Privacy Policy, available at stripe.com/privacy. We do not store your full payment card details on our servers. Stripe is PCI DSS Level 1 compliant, the highest level of certification in the payment industry.

For questions about payment processing or to exercise your rights regarding payment data, you may contact Stripe directly or contact us using the information below.

19. Email Delivery

We use Amazon Web Services Simple Email Service (AWS SES) to deliver transactional and marketing emails, including verification codes, account notifications, and service updates.

AWS SES processes email delivery data (sender, recipient, subject, delivery status) in accordance with AWS's data processing agreement and applicable security standards. Email content is transmitted securely and stored temporarily for delivery purposes only.

For more information about AWS SES, please visit aws.amazon.com/ses.

Browser extension (Chrome)

The Mentors Coach browser extension helps job seekers save and track job applications from career sites and optionally fill application forms with their resume data when they choose to.

Permission justifications (for Chrome Web Store Privacy practices):

We certify that the extension's collection and use of data complies with Google's Developer Program Policies. Data is used only for the stated single purpose. We do not sell user data. Our full Privacy Policy above applies to the extension.

20. Contact Us

If you have questions or concerns about this Privacy Policy, or to exercise your privacy rights, please contact us at:

We will respond to your request within 30 days as required by applicable law. If you are a California resident, you may also contact us to request information about our data sharing practices or to opt-out of certain data sharing.