Menty — Privacy Policy
Effective Date: 31 May 2026 Last Updated: 31 May 2026
1. Introduction
Menty ("Menty", "we", "us", or "our") respects your privacy. This Privacy Policy explains what personal information we collect when you use the Menty mobile application (the "App") and related services (collectively, the "Service"), how we use it, the legal grounds we rely on under the EU General Data Protection Regulation 2016/679 ("GDPR"), and the rights you have over your data.
We are committed to processing your personal data lawfully, fairly, transparently, and with appropriate safeguards. Our primary data storage and AI processing happens inside the European Union.
By using Menty you agree to the data practices described in this Policy. If you do not agree, do not use the Service.
This Policy is read together with our Terms of Use.
2. Who We Are (Data Controller)
The controller responsible for your personal data under GDPR is:
Menty The Netherlands Email: support@menty.ai Web: https://menty.ai
For any privacy questions, requests, or complaints, contact us at the email address above. We aim to respond to GDPR rights requests within 30 days of receipt (extendable by up to 60 additional days for complex cases, as permitted by Article 12(3) GDPR).
3. What Personal Data We Collect
We collect the minimum data needed to operate the Service and deliver a useful experience. The categories below summarise what we collect, why, and how long we keep it.
3.1 Account & Identity Data
| Data | Source | Purpose |
|---|---|---|
| Phone number (if you sign in by phone) | You, at sign-up | Account authentication |
| Email address (if you sign in with Apple or Google) | Apple / Google sign-in flow | Account authentication |
| Firebase user ID (UID) | Generated automatically | Internal account identifier |
| Display name / username | You, in onboarding | Personalisation in the App |
| Date of birth | You, age-gate screen | Verify that you meet the 18+ minimum age |
| Sign-in provider (phone, Apple, Google) | Sign-in flow | Account management |
We do not sell or share your contact information with marketers.
3.2 Service & Content Data
| Data | Source | Purpose |
|---|---|---|
| Chat messages (text) | You, when you talk to Menty | Provide the Service |
| Voice recordings (if you use voice mode) | You, microphone input | Transcribe and process with the AI coach |
| Image attachments (if you attach a photo) | You, camera or photo library | Provide context to the AI coach |
| Selected goal(s) | You, in onboarding and in profile | Personalise sessions, insights, and challenges |
| Session history (timestamps, completion state, session numbers) | Generated as you use Menty | Daily-session logic, "Kom morgen terug" pacing |
| Insights, memories, and challenges (AI-derived) | Generated by AI from your inputs | Track progress, surface patterns |
All chat content is encrypted at rest before being stored — see Section 6.
3.3 Technical & Diagnostic Data
| Data | Source | Purpose |
|---|---|---|
| Device language and timezone | Device locale settings | Display correct language; schedule daily sessions in your local timezone |
| Push notification token | Apple Push Notification service (APNs) via Firebase Cloud Messaging | Send daily session reminders |
| Crash reports and error logs | Sentry SDK | Diagnose technical issues |
| Performance and request telemetry | Server-side logging (Axiom) | Operate and improve the Service |
We do not collect your precise location, contact lists, calendar events, browser history, advertising identifier (IDFA), or device-level health data. The App does not integrate with Apple HealthKit or any wearable.
3.4 Payment & Subscription Data
| Data | Source | Purpose |
|---|---|---|
| Apple ID-linked subscription status (active / cancelled / expired, plan, expiry date) | Apple's in-app purchase system via RevenueCat | Enforce subscription gating, sync entitlements across devices |
| Promotional offer code redemptions | Apple's in-app purchase system | Apply your offer to your account |
We never see or store your credit-card details, Apple ID password, or full payment information. All billing is handled by Apple.
3.5 What We Do Not Collect
- We do not use third-party advertising SDKs.
- We do not sell your personal data.
- We do not track you across other apps or websites.
- We do not access your precise location, contacts, calendar, photos beyond what you explicitly attach to a session, or health data outside the App.
- We do not record audio outside of voice-mode sessions you initiate.
4. How We Use Your Data (and the Legal Bases under GDPR)
Each processing purpose below is matched to the GDPR legal basis we rely on under Article 6 GDPR (and Article 9 GDPR where special-category data may be involved).
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Provide the Menty Service — including AI coaching conversations, insights, challenges, session pacing | Account, Service & Content, Technical | Performance of a contract with you (Art 6(1)(b)) |
| Authenticate you when signing in | Account | Performance of a contract (Art 6(1)(b)) |
| Bill your subscription via Apple | Payment & Subscription | Performance of a contract (Art 6(1)(b)) |
| Send you push notifications about your daily session | Push token, timezone | Performance of a contract (Art 6(1)(b)); revocable at any time via OS settings |
| Process content of chats that may relate to mental wellbeing | Chat messages, voice recordings | Your explicit consent to process special-category data (Art 9(2)(a)), given when you accept this Policy and begin using the Service |
| Diagnose crashes and operate the Service securely | Technical & Diagnostic | Legitimate interests of operating a stable and secure service (Art 6(1)(f)), balanced against your interests |
| Detect and prevent fraud and abuse | Technical, Account | Legitimate interests (Art 6(1)(f)) and legal obligation (Art 6(1)(c)) |
| Comply with legal obligations (tax, consumer protection, regulator requests) | All | Legal obligation (Art 6(1)(c)) |
4.1 No Automated Decision-Making That Affects You Legally
We do not use your data for automated decisions that produce legal effects or similarly significant effects on you under Article 22 GDPR. The AI coach generates conversational responses, insights, and challenges — none of these are binding decisions about you.
4.2 What "Almost Anonymous" Really Means at Menty
We have designed Menty so that your chat content is treated as highly sensitive even within Menty. In practice:
- We need to know that you exist as a user (phone or email for sign-in, Firebase UID for account ownership).
- We do not need to know what you typed to operate billing, push notifications, sign-in, analytics, or crash reporting — and those systems never receive your chat content.
- Your chat content is held in a separate, encrypted store (see Section 6). Routine engineering, support, and analytics workflows never decrypt your conversations.
You are pseudonymous to most of our systems and to most operational tooling: identified by a UID, never by what you discussed. We are honest that this is not the same as full anonymity — you do have an identifiable account — but it is much closer to anonymous than how most apps treat user content.
5. Special Category Data (Mental Wellbeing Topics)
Conversations with Menty may include content about your emotions, stress, relationships, mental state, or wellbeing. Some of this could qualify as special-category personal data under Article 9 GDPR.
We rely on your explicit consent (Article 9(2)(a)) to process such data, given when you accept this Privacy Policy and begin using the Service. You may withdraw this consent at any time by deleting your account in the App (see Section 10), which removes all such data.
We do not share special-category content with advertisers, data brokers, or any third party other than the strict sub-processors described in Section 7 — and where data passes through a sub-processor (e.g. for AI inference), it is processed only in service of generating your next AI response.
6. How We Protect Your Data (Encryption Details)
6.1 In Transit
All communication between the App and our servers, and between our servers and external sub-processors, is encrypted in transit using modern, industry-standard transport encryption (TLS).
6.2 At Rest — Envelope Encryption
Your chat messages are stored using envelope encryption, with cryptographic keys held in a managed, hardware-backed key-management service hosted within the European Union:
- For each batch of messages, we generate a fresh, single-use data-encryption key.
- That key encrypts the plaintext content of your messages using strong, industry-standard authenticated encryption.
- The data-encryption key is itself encrypted by a master key that never leaves the hardware-backed key store; the raw master key cannot be exported or extracted.
- The encrypted message and the encrypted data-encryption key are stored together in our database. To read a message, our backend must first ask the key-management service to decrypt the data-encryption key.
- Every decryption is recorded in a tamper-resistant audit log, capturing when, by which service, and under which identity each decryption happened.
In plain language: our database alone is not enough to read your chats. An attacker would need both database access and valid key-management permissions, and every access leaves an audit log.
6.3 Operational Controls
- Production database access is restricted to a small set of named identities, protected by multi-factor authentication, and audit-logged.
- Production secrets (database credentials, API keys, encryption-key identifiers) are held in a dedicated secrets-management service, never in source code or on developer machines.
- Backups are encrypted with separate keys and have the same access controls as the live database.
6.4 What We Cannot Promise
No system is unbreakable. We continuously work to improve our security, but we cannot guarantee absolute protection. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch supervisory authority within 72 hours (Article 33 GDPR) and notify affected users without undue delay where a high risk exists (Article 34 GDPR).
7. Who We Share Data With (Sub-Processors)
We use the following sub-processors. Each is bound by a written data-processing agreement, and they process your data only on documented instructions from us.
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL (AWS) | Cloud infrastructure: database, file storage, encryption, compute, and caching | European Union | No transfer; data stays in the EU |
| Google LLC — Vertex AI | AI model inference for generating Menty's responses, insights, and challenges | European Union | No transfer; we configure EU-only inference |
| Google LLC — Firebase Authentication & FCM | Phone / Apple / Google sign-in; push notification delivery | Global Google infrastructure | EU-US Data Privacy Framework (DPF) certified; Standard Contractual Clauses (SCCs) as fallback |
| Apple Inc. | App Store distribution, in-app purchases, push notifications, Sign in with Apple | United States | EU-US DPF certified |
| RevenueCat, Inc. | Subscription state management (which user has which active subscription) | United States | EU-US DPF certified; SCCs as fallback |
| Functional Software, Inc. (Sentry) | Error and crash monitoring | United States | EU-US DPF; SCCs as fallback |
| Axiom, Inc. | Application telemetry and server logs | United States | SCCs |
7.1 What Each Sub-Processor Sees
- AWS stores our database; encryption at rest protects you here (Section 6).
- Google Vertex AI receives only the message text and prior conversation context needed for the next AI response, processed in EU-only Vertex AI endpoints. Inputs are not used by Google to train its general-purpose models (per Google's Vertex AI data-processing terms).
- Firebase Authentication sees only your sign-in identifier (phone, Apple-ID-derived email, or Google account) and authentication metadata — no chat content.
- Firebase Cloud Messaging / APNs sees only the notification token for your device and the content of the push notification ("Your session is ready" etc.) — no chat content.
- Apple's in-app purchase system and RevenueCat see only subscription transaction data (which plan, when it renewed, etc.) — no chat content.
- Sentry sees crash and error stack traces. We configure Sentry not to capture user input by default. Stack traces may include the Firebase UID for diagnostic purposes but never the chat content.
- Axiom receives operational logs (request paths, latencies, error codes). It does not receive chat content.
7.2 Government and Legal Requests
We may disclose personal data to law-enforcement or regulatory authorities only when required by a legally binding order that we have reviewed and that applies to us as a Dutch / EU-based controller. We will challenge over-broad requests where appropriate and will notify the affected user where legally permitted.
We do not voluntarily share data with government authorities.
8. International Data Transfers
Our primary data storage, key management, and AI inference happen in the European Union. Where a sub-processor processes data outside the EU — primarily for sign-in, push notifications, App Store billing, error monitoring, and telemetry — we rely on one or more of:
- The EU-US Data Privacy Framework for transfers to certified US-based recipients;
- The European Commission's Standard Contractual Clauses (SCCs) as a fallback mechanism;
- Additional technical and organisational measures (encryption, pseudonymisation, access controls) where appropriate.
If you would like a copy of the SCCs or further information about our transfer mechanisms, contact us at support@menty.ai.
9. Data Retention
We keep your data only as long as we need it for the purpose for which it was collected.
| Category | Retention period |
|---|---|
| Account, chat content, insights, challenges, memories | For the life of your account. Deleted on request within 30 days. |
| Encrypted backups | Up to 30 days after deletion, then permanently destroyed |
| Crash and error logs (Sentry) | Up to 90 days, after which they are aggregated or deleted |
| Operational logs (Axiom) | Up to 30 days by default |
| Subscription state in RevenueCat | For as long as your subscription is active, plus up to 24 months for accounting and dispute purposes |
| Audit logs (key-management and sign-in events) | Up to 2 years, to meet security and accounting obligations |
| Records required by law (tax, finance) | The minimum period required by Dutch law (typically 7 years for tax records) |
10. Your Rights Under GDPR
You have the following rights regarding your personal data. Most of these can be exercised directly inside the App; for anything that cannot, email us at support@menty.ai.
| Right | What it means | How to use it |
|---|---|---|
| Access (Art 15) | A copy of the personal data we hold about you | Most data — including chat history — is visible inside the App. For a structured export, email us. |
| Rectification (Art 16) | Correction of inaccurate personal data | Edit your profile / goal / username in the App, or email us. |
| Erasure / "Right to be forgotten" (Art 17) | Deletion of your account and personal data | Use "Delete Account" in your profile in the App. Erasure typically completes within 30 days. |
| Restriction of processing (Art 18) | Temporarily limit how we process your data | Email us. |
| Data portability (Art 20) | Receive your data in a machine-readable format and have it transmitted to another controller | Email us. |
| Object (Art 21) | Object to processing based on legitimate interest | Email us. |
| Withdraw consent (Art 7(3)) | Withdraw the explicit consent for special-category processing | Deleting your account in the App achieves this. |
| Lodge a complaint (Art 77) | Complain to the supervisory authority of your habitual residence, place of work, or place of the alleged infringement | See Section 16. |
We do not charge fees for handling rights requests, except for manifestly unfounded or excessive requests where allowed by law (Article 12(5) GDPR).
10.1 Deletion: What Actually Happens
When you delete your account from the Profile → Delete Account screen:
- Your user record and all related data (sessions, messages, attachments, insights, challenges, memories) are removed from our production database.
- Your Firebase Authentication account is deleted from our authentication provider — your phone/email is no longer associated with any Menty account.
- Any uploaded media (voice recordings, images) in our object storage is asynchronously deleted by a cleanup job.
- Backup copies are permanently destroyed within 30 days as backup rotations complete.
- Your active Apple subscription is not automatically cancelled — see Section 12.3.
11. Children's Privacy
Menty is not directed at children. You must be at least 18 years old to use the Service. We do not knowingly collect personal data from anyone under 18.
If we become aware that a user is under 18, we will delete their account and associated data without delay. If you believe a child has provided us personal data, contact us at support@menty.ai.
12. Apple-Specific Data Handling
12.1 App Tracking Transparency (ATT)
Menty does not track you across apps and websites. We do not present the App Tracking Transparency prompt because we do not access the Apple Advertising Identifier (IDFA) for tracking.
12.2 Apple Sign-In
If you use Sign in with Apple, Apple shares your authentication identifier and the email address (or a private relay email) you authorise. We use this only for account creation and sign-in.
12.3 Subscription Cancellation vs Account Deletion
Cancellation of your active subscription must be done via Settings → [your name] → Subscriptions on your iPhone. Deleting your Menty account does not cancel your Apple subscription — only Apple can cancel subscriptions. If you delete your account while a subscription is active, you should also cancel the subscription with Apple to avoid further charges.
12.4 App Store Data Disclosure
The data types disclosed in our App Store "App Privacy" listing match the practices described in this Policy. If you notice a discrepancy, please notify us at support@menty.ai.
13. Push Notifications
We send push notifications to remind you that your daily session is ready. Notifications are delivered via Apple Push Notification service (APNs) through Firebase Cloud Messaging (FCM).
- The token used to address your device is provided by APNs and stored on our servers.
- The content of notifications is brief and does not include chat content.
- You can turn notifications off at any time in your device's Settings → Notifications → Menty.
We do not use push tokens for advertising, profiling, or any purpose other than sending you the notifications you opted into.
14. Voice and Image Data
14.1 Voice Mode
If you use Menty's voice mode, audio is captured by the App's microphone and sent to our backend (over TLS) for transcription and AI processing. The transcript is treated the same as a text chat message — encrypted at rest under the same key-management service.
We do not retain raw audio after a session ends; only the transcribed text is kept.
14.2 Image Attachments
If you attach a photo (from your camera or photo library) to a session, the image is uploaded to our encrypted object storage (hosted in the European Union) and referenced by the corresponding chat message. Images are encrypted at rest. They are deleted along with your account when you delete it; you can also delete individual attachments from within a session.
14.3 Permissions
Menty asks for microphone and photo-library access only when you choose to use those features. Granting these permissions is entirely optional. The OS-level permissions can be revoked at any time in your iPhone Settings.
15. AI Processing
The AI coach is powered by Google Vertex AI running large language models inside the European Union.
- Only the conversation context required to generate the next response is sent to Vertex AI per call.
- Google does not use Menty user inputs to train its general-purpose models (per Google's Vertex AI Generative AI data-processing terms).
- AI Output is generated dynamically and is not a stored fixed answer; we do, however, store the resulting text as part of the conversation history so that you can scroll back.
We do not currently combine your data with that of other users to train private models. If we ever do, we will update this Policy and provide you a meaningful choice before any such processing begins.
16. Crisis Safety and Data Flow in Sensitive Situations
If a conversation contains content that suggests imminent risk of harm, Menty's AI is designed to surface crisis-resource information (hotlines, emergency contacts). We do not automatically contact emergency services or report user content to third parties.
We may, however, retain logs of such interactions for safety review by a small, named group of authorised personnel, on a strict need-to-know basis, for the purpose of improving the Service's safety. Such reviews are governed by the same encryption and audit controls as the rest of the system (Section 6).
If you would prefer such interactions to be deleted, contact us at support@menty.ai and we will action it within 30 days.
17. Cookies and Trackers
The Menty mobile app does not use cookies, web beacons, or browser-style trackers. Standard mobile network identifiers (IP address) are processed transiently for connection routing and not retained for profiling.
If you use a Menty webpage (e.g. https://menty.ai), that website may use essential cookies; consult any cookie banner displayed on the website.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you via an in-App notice or by email, with a reasonable notice period before the changes take effect. The "Last Updated" date at the top of this document indicates the most recent revision.
Continued use of the Service after an updated Policy takes effect constitutes your acceptance of the updated Policy. If you do not agree, please stop using the Service and delete your account.
19. How to Contact Us
For any privacy-related question, concern, or rights request:
Menty Email: support@menty.ai Web: https://menty.ai
We will acknowledge your request within a reasonable time and respond substantively within 30 days of receipt (extendable by up to 60 days for complex requests, in line with Article 12(3) GDPR).
20. Supervisory Authority
If you believe our handling of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority — including:
Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) Web: https://autoriteitpersoonsgegevens.nl Postal address: Postbus 93374, 2509 AJ The Hague, the Netherlands Phone: +31 (0)70 888 85 00
You may also complain to the supervisory authority in your country of habitual residence or place of work.
We always appreciate the chance to address your concern first, so we encourage you to contact us at support@menty.ai before escalating.
By using Menty, you confirm that you have read and understood this Privacy Policy.