Privacy Policy

1. Who we are

Menty operates the mentorship marketplace at mentyelevate.com. The legal entity responsible for the personal data described in this Policy is [ENTITY NAME — TODO LAWYER REVIEW]. For privacy questions, contact privacy@mentyelevate.com (or hello@mentyelevate.com with “Privacy” in the subject line).

2. What this Policy covers

This Policy covers personal information processed when you visit our website, create an account, book or deliver mentorship sessions, exchange messages, make or receive payments, or otherwise use the Menty platform. It does not cover information you provide directly to third parties through links from our platform — for example, payment information you enter into Stripe’s hosted checkout, or content stored on a mentor’s personal device after a session.

3. Categories of personal information we collect

We collect the following categories of personal information. This section is intended to satisfy the California Consumer Privacy Act “notice at collection” requirement and the equivalent disclosure requirements of Colorado, Connecticut, Utah, and Virginia.

• —Identifiers — email address, password (stored as a salted hash, never plaintext), display name, account role (athlete / parent / mentor), tier, referral code, and timestamps for terms and policy acceptance.
• —Profile information — name, profile photo or media, sport, age range, city or general location, biography, credentials, public links you choose to add.
• —Athlete activity data — your goals, recorded metrics, lessons completed, mentor notes about your progress, drill responses, session check-ins, and session recap content. Shared with the mentor delivering your program.
• —Session metadata — scheduled times, duration, location (for in-person), program or call IDs, participants, and status (scheduled, completed, no-show, cancelled). Video and audio of sessions are not stored on Menty servers — see Section 7 (Daily.co).
• —Messages — the content of messages you exchange with mentors, athletes, parents, or Menty support, plus the metadata around them (timestamps, read receipts, attachments).
• —Payment information — limited fields only. Stripe handles full payment card data; Menty receives a payment-method token, the card brand and last 4 digits, billing ZIP, and transaction status. We never see or store your full card number.
• —Parent-portal information — when a parent links to an athlete account, the parent's name, email, relationship to the athlete, and funding permissions.
• —Geolocation (general) — derived from IP address. We do not collect precise device location.
• —Internet/network activity — pages and features you use, the referring URL, basic performance telemetry, browser type, OS, IP address. Used to operate the Service, prevent abuse, and improve performance.
• —Audio/visual content — profile photos and program media you upload, and athletic-performance video you submit for review. Not biometric identifiers.
• —Inferences — coarse usage profiles for product improvement (e.g., "this account uses the discover surface heavily"). Aggregated and not used for advertising.
• —Communications with us — when you contact support, we keep a record of the conversation and any information you provide to help resolve your request.
• —Cookies and similar technologies — see the Cookie Policy.

4. Sensitive personal information

Some of the information above is treated as “sensitive personal information” under the California Privacy Rights Act and similar state laws. We use sensitive personal information only to provide the Service, to prevent fraud, and to comply with law — never for cross-context behavioral advertising or inference about your characteristics.

• —Account credentials (password hash + reset tokens) — used solely to authenticate you.
• —Personal information of consumers under 16 — treated as sensitive PI under the 2026 CPRA amendments. We do not sell or share it.
• —Health-adjacent information you choose to provide — e.g., an injury history note you share with your mentor in messages or pre-session intake. We treat this as sensitive and never use it for advertising.

You may request that we limit our use of sensitive personal information to what is necessary to provide the Service — described in Section 14 under “Right to limit use.”

5. How we use your information

We use personal information to:

• —Provide the Service — host your account, run searches, schedule sessions, deliver messages, store progress, calculate fees, and pay out mentors.
• —Process payments — through Stripe — and detect and prevent payment fraud or chargebacks.
• —Operate the parent portal — link a parent to an athlete account, route funding, and relay recaps the mentor has marked share-with-parent.
• —Communicate with you — about session reminders, account changes, security alerts, parent digests, and support requests. Marketing emails are sent only when you have opted in, and you can opt out from any marketing email.
• —Improve and secure the Service — debug errors, monitor performance, prevent abuse, analyze usage patterns in aggregated form, and train product-quality models on de-identified data.
• —Comply with law — respond to lawful requests, enforce our Terms, defend our rights, and meet tax-reporting obligations (for mentors).
• —Record consent — the ConsentReceipt audit log captures each acceptance of our Terms, Privacy Policy, Cookie Policy, and Mentor Agreement (where applicable), with the document version, source, IP address, and User-Agent.

6. Lawful basis (EU/UK users)

If GDPR or UK GDPR applies to you, our lawful basis for each processing purpose is:

• —Contract necessity (Art. 6(1)(b)) — to provide the Service you signed up for: account creation, session scheduling, payments, messaging, recap delivery.
• —Legitimate interest (Art. 6(1)(f)) — to operate the platform securely (fraud prevention, abuse detection, audit logging), improve product quality, and run aggregated analytics. We have weighed these interests against your rights and welcome objection (Section 14).
• —Consent (Art. 6(1)(a)) — for non-essential cookies and marketing communications. You can withdraw consent at any time.
• —Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, anti-fraud, and law-enforcement obligations.

[TODO LAWYER REVIEW] If we accept EU/UK users at meaningful volume, this section will be paired with an appointed EU representative (Art. 27 GDPR / UK GDPR equivalent) and a documented international-transfer mechanism (Standard Contractual Clauses + supplementary measures). Until then, the Service is intended for users in the United States.

7. How we share information (sub-processors)

We do not sell or rent your personal information. We share it only with the service providers who help us run the Service, and only the data each one needs to do its job. Each provider is under a written contract that requires them to protect the data and use it only for our purposes.

• —Stripe (Stripe, Inc.) — payment processing and Stripe Connect payouts to mentors. Stripe is the controller for full payment card data; Menty receives only limited fields (token, brand, last 4, billing ZIP, status). stripe.com/privacy.
• —Daily.co (Daily, Inc.) — real-time video sessions. Video and audio streams pass through Daily.co and are not retained on Menty servers by default. daily.co/privacy.
• —Mux — video transcoding and adaptive streaming for the Resource Center and program-attached video. We send video files; Mux returns playback IDs and metadata. mux.com/privacy.
• —Vercel — hosting and serverless infrastructure for the Menty website and API. vercel.com/legal/privacy-policy.
• —Neon (or equivalent managed Postgres provider) — primary database storing account, profile, session, message, and progress data. Encryption at rest and in transit.
• —Upstash — managed cache and queues (rate limiting, session state, async job dispatch). neon.tech / upstash.com privacy.
• —Resend (or equivalent transactional email provider) — sends transactional email (session reminders, password resets, parent digests, mentor notifications).
• —Sentry — application error monitoring. Configured to redact known sensitive fields (e.g., parent portal access tokens, full message bodies). sentry.io/privacy.
• —Mentor — when you book a session or enroll in a program, the mentor sees your name, profile, and activity in their athlete roster. Mentors are bound by the Mentor Agreement to use this data only for delivering the services you booked.
• —Parent or guardian — when an athlete is a minor with a parent account linked, the parent has visibility into the athlete's activity (per the Family Link permissions the parent and athlete have agreed to).
• —Other users you choose to interact with — for example, a mentor's public profile is visible to all visitors; messages you send are visible to the recipient.
• —Legal and safety — we may share information when required by law, when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of any person, or to investigate suspected violations of our Terms.
• —Business transfers — if Menty is involved in a merger, acquisition, or sale of all or part of its business, personal information may be transferred to the successor entity. We will notify users in advance.

[TODO LAWYER REVIEW] The exact named providers above will be confirmed against our live vendor inventory + DPAs, and an up-to-date sub-processor list will be maintained at a stable URL with at least 14 days’ notice for material additions.

8. Sources of personal information

We collect personal information directly from you (or from a parent acting on behalf of a minor athlete), automatically as you use the Service, and from a small number of third parties we work with — currently Stripe (payment status), any authentication provider you choose to sign in with, and Mux (video transcoding metadata). We do not buy personal information from data brokers.

9. Data retention

We keep personal information only as long as we need it for the purposes described in this Policy, or as required by law:

• —Active account data — for as long as your account is open.
• —After account closure — most account data is deleted within 30 days (recovery window), with full removal within 90 days. Payment-related metadata (transaction IDs, fee records, Stripe references) is retained for up to 7 years to meet U.S. tax and accounting obligations.
• —Session video and audio — not stored by Menty (handled by Daily.co per their retention defaults).
• —Session recaps, mentor notes, messages, progress data — retained for the duration of the relationship plus 24 months to support disputes, audit, and recordkeeping.
• —Children's personal information — deleted promptly on a verified parent request, otherwise retained per the rules above.
• —ConsentReceipt audit log — retained for the life of the account plus 7 years after closure for evidentiary defense. IP and User-Agent on those rows may be redacted on a verified data-subject deletion request while preserving the consent timestamp and document version.
• —Audit logs (security, abuse, anti-fraud) — 24 months from event.
• —Backups — may persist for up to 30 days after deletion in normal operating systems.

10. Children’s privacy (COPPA — under 13)

Menty takes children’s privacy seriously. Athletes under the age of 13 may use Menty only through a parent-operated account: the parent creates the account, accepts the Terms and this Policy, supervises the child’s use, and is the contact of record for all communications. The child does not have independent login credentials, and we do not knowingly accept direct registrations from children under 13. Our signup flow gates by date of birth and routes under-13 attempted-signups to a parent-operated path.

The personal information we collect about a child under 13 in this model — for example, the child’s first name, age, sport, goals, session attendance, and progress notes — is provided by the parent on the child’s behalf and is used solely to deliver the mentorship services the parent has booked. We do not show advertising to children, do not use children’s data for behavioral profiling, and do not share it with third parties for marketing.

Parents have the right to:

• —Review the personal information we have collected from or about their child;
• —Refuse further collection or use of their child's personal information;
• —Request deletion of their child's personal information at any time.

To exercise any of these rights, email privacy@mentyelevate.com from the parent email address on the account, with the child’s account name and a clear description of the request. We respond within a reasonable time and within any timeframe required by applicable law.

If the verified parent link to an under-13 athlete is revoked, the underlying athlete account is suspended pending alternative verified parental consent. The under-13 account exists only by virtue of that consent; withdrawing the consent withdraws the authorization to process the child’s data beyond what is required to honor the revocation itself.

11. Minors aged 13 to 17

Athletes between 13 and 17 may have their own account, with parent or guardian consent. Under the California Privacy Rights Act as amended (effective 2026), personal information about consumers under 16 is treated as sensitive personal information for purposes of any sale or sharing for cross-context behavioral advertising.

Menty’s position: we do not sell or share personal information for cross-context behavioral advertising, for any user, regardless of age. No opt-in to sale or sharing is required because no sale or sharing of that kind takes place.

12. We do not sell or share — Global Privacy Control

Menty does not sell personal information and does not share personal information for cross-context behavioral advertising, within the meaning of those terms under the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Texas Data Privacy and Security Act, or any other applicable state privacy law.

We recognize and honor the Global Privacy Control browser signal as an opt-out of any sale or sharing for cross-context behavioral advertising. Because we do not engage in such sale or sharing, the GPC signal is honored by default — its presence or absence does not change what we do with your data.

13. Your privacy rights (U.S. state laws)

Depending on where you live, you may have the following rights with respect to your personal information under California (CCPA/CPRA), Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia privacy laws:

• —Right to know — request the categories and specific pieces of personal information we have collected about you.
• —Right to access — request a portable copy of your personal information.
• —Right to correct — request correction of inaccurate information.
• —Right to delete — request deletion of your personal information, subject to legal retention requirements described in Section 9.
• —Right to limit use of sensitive personal information — restrict our use of the data described in Section 4 to what is necessary to provide the Service.
• —Right to opt out of sale or sharing for cross-context behavioral advertising — Menty does not engage in either, so the right is honored by default.
• —Right to opt out of profiling that produces legal or similarly significant effects — Menty does not engage in profiling of that kind.
• —Right to non-discrimination — we will not deny you the Service, charge a different price, or provide a different level of quality because you exercised a privacy right.
• —Right to appeal — if we deny a privacy request, you may appeal by replying to the denial email; we will respond within the timeframes required by applicable law.

If GDPR or UK GDPR applies to you, you also have the right to object to processing based on legitimate interest (Section 6), the right to restrict processing, the right to data portability, and the right to lodge a complaint with your supervisory authority. See Section 6 for our lawful basis and Section 14 for the request process.

14. How to exercise your privacy rights

To exercise any of the rights in Section 13, email privacy@mentyelevate.com with “Privacy Request” in the subject line, or write to us at the postal address in Section 1. Please describe the request (know, access, correct, delete, limit use, opt out, appeal) and the account email it relates to.

Verification. We verify your identity before fulfilling a request — typically by confirming the request from the email on file plus, for more sensitive requests (deletion, access to a portable copy of messages and progress data), a one-time link sent to that email. We do not ask for new personal information for verification beyond what we already have.

Authorized agent. You may designate an authorized agent to submit a request on your behalf (for example, a privacy-rights service). We will require written proof of the agent’s authority — a signed permission, power of attorney, or an equivalent verification method that the relevant state law permits. We may also contact you directly to confirm the request.

Response time. We respond within the timeframes required by applicable law — typically 45 days under CCPA/CPRA (with one 45-day extension when reasonably necessary), 45 days under the Colorado, Utah, Virginia, and Connecticut laws, and 30 days under GDPR.

15. Security

We use technical and organizational measures designed to protect your personal information, including encryption in transit (TLS), encryption at rest for stored data, hashed passwords (bcrypt / Argon2 family), role-based access controls, audit logging on sensitive operations, dependency scanning, and dependency updates on a regular cadence. No system can be 100% secure; please use a strong, unique password for your Menty account and tell us promptly if you suspect unauthorized access.

16. Data breach notification

If we become aware of a security incident affecting your personal information, we will notify you and any required authorities within the timelines required by applicable law. Notice will describe what happened, what data was involved, what we are doing in response, and steps you can take to protect yourself.

17. Cookies and tracking technologies

We use cookies and similar technologies to keep you signed in, remember your preferences, secure the Service against fraud, measure aggregated usage, and support certain third-party services (Stripe, Daily.co, Mux). For the full inventory, categorization, and your choices, see the Cookie Policy. We honor the Global Privacy Control browser signal (Section 12).

18. Marketing communications

Marketing emails are sent only when you have opted in. Every marketing email includes an unsubscribe link, and you can also update your preferences from your account settings. Opting out of marketing does not affect transactional messages — session reminders, security alerts, payment receipts, parent digests, or account changes — which we will continue to send while your account is active.

19. Users outside the United States

Menty is operated from the United States and the Service is intended for use by users in the United States. If you access the Service from outside the U.S., your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. See Section 6 for our GDPR/UK GDPR posture if those laws apply to you.

20. Changes to this Policy

We may update this Policy from time to time. For material changes, we will provide notice — by email, by an in-product notification, or both — and update the “Last updated” date at the top. We also bump a document version constant and prompt active users to re-accept on next sign-in. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.