Mentorio.me
Sign inGet started

Privacy Policy

v2026-04-18

Privacy Policy

Version: 2026-04-18 Last updated: April 18, 2026

At Mentorio.me we take your privacy seriously. This Privacy Policy explains what personal data we collect, on what legal basis, how we use it, with whom we share it, and what rights you have over it.

This policy applies to all users of the Platform (Experts and Clients) and is complemented by our Terms of Service and the Cookie Policy.

Data controller: Mentorio.me, Republic of Honduras. Contact: privacy@mentorio.me.

1. Data we collect

We collect the following data, depending on the user type and interaction:

1.1 Identity and account data

  • Full name
  • Email address
  • Password (stored as a secure hash, never in plain text)
  • Profile photo (optional)
  • Preferred language and time zone
  • Expert's public slug (URL /@username)

1.2 Expert's professional data

  • Biography, professional title, area of expertise
  • Prices, durations, and formats of published sessions
  • Links to social networks or own sites that the Expert chooses to display
  • Reviews received and replies to reviews

1.3 Payment data

Payments are processed by Stripe. We do not store full card data. We store:

  • Internal Stripe payment identifiers (Payment Intent ID, Customer ID)
  • Last 4 digits and brand of the card (when Stripe exposes them to us) — stored at payment time so we can show them in your billing history
  • Transaction history (amount, currency, date, status, associated session ID)
  • Expert bank details for payout processing: account holder name, country, IBAN or account number, SWIFT/BIC, routing number if applicable, and tax ID where the jurisdiction requires it. Sensitive fields (account number, SWIFT/BIC, tax ID) are stored encrypted with AES-256-GCM and are only accessible to authorized Platform staff when preparing a payout

1.4 Platform usage data

  • Sessions booked, rescheduled, canceled, completed
  • Preparation forms submitted by the Client to the Expert
  • Reviews published
  • Automatic messages and reminders sent
  • Own analytical events (what pages you visited, what actions you performed) stored in our database without third-party cookies

1.5 Communications data

  • Transactional emails sent (subject, recipient, delivery status)
  • Support tickets and conversations with our team

1.6 Technical and device data

  • IP address (truncated for analytics, full for security)
  • Browser type, operating system, browser language
  • Anonymous session identifier (cookie cc_cookie for consent)
  • Error logs (Sentry) and performance metrics

1.7 Inferred location data

  • Country and city inferred from the IP (we do not use GPS or precise geolocation)
  • Time zone declared by the user

1.8 Video session data

  • Date, time, duration, and participants of each session
  • Recordings only if the Expert activates them and the Client explicitly consents

2. Legal basis for processing (GDPR art. 6)

PurposeLegal basis
Create and maintain your accountPerformance of contract (art. 6.1.b)
Process payments and payoutsPerformance of contract (art. 6.1.b)
Comply with tax and legal obligationsLegal obligation (art. 6.1.c)
Send reminders and operational notificationsPerformance of contract (art. 6.1.b)
Prevent fraud and ensure securityLegitimate interest (art. 6.1.f)
Improve the Platform with own analyticsLegitimate interest (art. 6.1.f)
Send marketing communications (if any)Consent (art. 6.1.a)
Record sessionsExplicit consent (art. 6.1.a)

3. Purposes of use

We use your data exclusively to:

  • Operate the Platform (create profiles, publish sessions, process bookings)
  • Process payments and make payouts to the Expert
  • Send reminders, confirmations, and operational notifications
  • Prevent fraud, abuse, and violations of the Terms
  • Respond to support inquiries
  • Comply with legal and tax obligations
  • Generate aggregated internal statistics to improve the service

We do not sell personal data to third parties. We do not use your data for third-party behavioral advertising.

4. Sharing with third parties (data processors)

We share strictly necessary data with the following providers, each bound by data processing agreements compliant with the GDPR:

ProviderWhat they receiveFor what
Stripe (Ireland / USA)Name, email, amount, currency, country, card data (directly from the user, not from us)Payment processing, payouts, antifraud (Radar)
Daily.co (USA)Participant name, ephemeral room tokensIntegrated video calls
Amazon Web Services — SES (USA / Ireland depending on region)Email, name, content of the transactional emailEmail delivery
Sentry (USA)Error logs, truncated IP, user ID when applicableError diagnosis
Cloudflare (USA)IP, HTTP headers, requestsDNS, CDN, WAF, Turnstile (anti-abuse)
MinIO (self-hosted, own infrastructure)Video recordings, uploaded filesStorage

Postgres and Redis run on our own infrastructure.

5. International transfers

Some of our providers are located outside Honduras or outside the European Economic Area (EEA). When this implies an international transfer of personal data of European users, we rely on recognized mechanisms:

  • Standard Contractual Clauses (SCCs) from the European Commission when the provider does not have an adequacy decision.
  • EU–US Data Privacy Framework (EU–US DPF) when the provider is certified.

You can request more details about the applicable safeguards by writing to privacy@mentorio.me.

6. Data retention

  • Active account data: as long as the account exists.
  • Data after account closure: the account is marked inactive immediately; personal data is anonymized after 30 days.
  • Session recordings: automatically deleted 60 days after the end of the session.
  • Tax and transactional records: retained for 7 years pursuant to applicable legislation.
  • Technical and security logs: between 30 and 180 days depending on the type.
  • Analytical events: aggregated and anonymized after 12 months.

7. Your rights

In accordance with the GDPR and other applicable legislation, you have the following rights:

  • Access: obtain a copy of your personal data (exportable in JSON format).
  • Rectification: correct inaccurate data.
  • Deletion ("right to be forgotten"): request the erasure of your data, within legal limits (for example, tax records we must retain).
  • Portability: receive your data in a structured and machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Restriction: limit processing while we review an objection.
  • Consent revocation: withdraw your consent at any time (without retroactive effect).
  • Complaint to the authority: file a complaint with the competent data protection authority of your country.

8. How to exercise your rights

  • From the Platform: go to /account/security. From there you can:
    • Export your data in JSON format.
    • Edit basic data.
    • Delete your account.
    • Manage cookie preferences.
  • By email: write to privacy@mentorio.me. We will respond within 30 days (extendable by an additional 30 days in complex cases, pursuant to the GDPR).

We may ask you to verify your identity before addressing sensitive requests.

9. Minors

The Platform is not directed at persons under 18 years of age. We do not allow registration or use by minors. If we detect that an account belongs to a minor, we close it and delete their data pursuant to our retention policies.

If you are a parent or guardian and believe a minor created an account, contact us at privacy@mentorio.me.

10. Security

We apply reasonable technical and organizational measures to protect your data:

  • Encryption in transit (HTTPS/TLS) throughout the platform.
  • Encryption at rest for databases and recordings.
  • Secure hash of passwords (bcrypt/argon2).
  • Rate limiting on public endpoints to prevent abuse.
  • Two-factor authentication (2FA) planned as the next improvement.
  • Regular and encrypted backups.
  • Role-based access control for the internal team.
  • Monitoring of security events and errors.

Despite these efforts, no system is 100% secure. In the event of a security breach affecting your personal data, we will notify you within the deadlines set by applicable law.

11. Cookies

We use cookies necessary for the operation of the service and, subject to consent, other categories. See the Cookie Policy for the complete detail and preference management.

12. Changes to this Policy

We may update this Policy. Material changes will be notified with at least 30 days' advance notice by email and a notice on the Platform. Continued use implies acceptance. Historical versions are archived.

13. Contact and DPO

For any questions about this Policy, exercising rights, or incidents:

Currently we do not have a formal Data Protection Officer (DPO) designated; requests are handled by the internal legal team. If applicable law requires a DPO, we will designate one and update this section.