Mention Privacy Policy
This Privacy Policy explains how Mention AI Inc. ("Mention", "we", "us", "our") collects, uses, shares, and protects personal information when you use our knowledge management and learning platform (the "Service"), our marketing website at mentionai.app, and any related products. Mention AI Inc. is a corporation incorporated in British Columbia, Canada.
If you have questions about this policy, contact us at privacy@mentionai.app. A physical mailing address is available on written request to that email.
1. Who this policy applies to
This policy applies to:
- Visitors to our marketing website.
- Customers — organizations that subscribe to Mention, and the administrators who manage those subscriptions.
- Members — individuals invited by a Customer's administrators to learn through Mention.
- Developers — individuals who use API keys, the MCP server, or other developer-facing surfaces to integrate with Mention.
2. Our role: controller and processor
Mention plays two different roles depending on the data involved:
- Controller. For account information about administrators and members (such as name, email, authentication credentials, and billing details), and for marketing-website data, Mention determines how that information is used and is the controller (or, under U.S. state laws, the "business").
- Processor / service provider. For content that a Customer connects to Mention (documents, transcripts, chat threads, code, web pages) and for member learning data (progress, knowledge-check answers, questions asked), Mention processes that information on behalf of the Customer organization. The Customer is the controller of that information; Mention acts on the Customer's instructions and as described in our agreement with the Customer.
If you are a Member of an organization and want to exercise rights over your data, contact your organization's administrator first. You may also contact us, and we will route your request to the Customer or assist them in responding.
3. Information we collect
Information you provide
- Account information. Name, email address, password, and authentication identifiers, handled through our authentication provider, Clerk.
- Organization information. Organization name, plan tier, audience configuration, and similar settings.
- Billing information. Payment-method details and billing address. Card details are handled by Stripe (through Clerk) and are not stored on Mention's systems.
- Communications. Messages you send us at our support, sales, privacy, or legal email addresses.
Member learning data
- Article and SOP completion status, knowledge-check answers and grades, and questions asked through the Q&A panel.
- Audience membership and access timestamps.
Administrators of a Member's organization can see this information. Aggregated questions may be surfaced as FAQs to other Members of the same Audience.
Customer content from connected sources
When an administrator connects a content source and activates assets, Mention receives content from that source, which may include:
- Documents and pages (Notion, Confluence, Google Drive, Dropbox, Box, SharePoint, OneDrive, manual links, web crawls).
- Markdown files from default branches of selected GitHub repositories.
- Meeting transcripts and recording metadata (Zoom, Google Meet, Microsoft Teams), where the Customer's organization permits recording and transcription.
- Chat threads captured on demand from Slack and Microsoft Teams.
- Video transcripts (YouTube).
- Asset metadata such as titles, authors, modification timestamps, and source identifiers.
Mention only ingests sources and assets that an administrator has connected and activated.
Information collected automatically
- Device and connection data: IP address, browser type, operating system, device identifiers, and similar technical information.
- Usage data: pages and features used, actions taken, timestamps, and referring URLs, collected through PostHog.
- Diagnostic data: error reports, stack traces, and performance traces, collected through Sentry.
- Cookies and similar technologies as described in Section 12.
4. How we use information
We use the information described above to:
- Provide, operate, and maintain the Service, including ingesting connected content, generating Articles, SOPs, and Q&A answers, detecting contradictions, and tracking learning progress.
- Authenticate users and protect accounts.
- Process payments, manage subscriptions, and meter credit usage.
- Communicate with you about your account, the Service, security notices, and billing.
- Diagnose errors, monitor performance, prevent abuse, and improve reliability.
- Improve the Service, including by analyzing usage in aggregate. We do not use Customer content to train AI/ML models (see Section 5).
- Comply with legal obligations, enforce our Terms of Service, and protect our rights and the rights of our users.
5. AI processing and training
Mention uses Google Vertex AI (Gemini models) to process Customer content and generate Articles, SOPs, knowledge-check feedback, and Q&A answers. The following commitments apply:
- We do not train AI or machine-learning models on your content. Customer content, Member learning data, and prompts and outputs generated through the Service are not used to train generalized models, our own models, or third-party models.
- Our LLM provider does not train on your prompts or outputs. Prompts and completions sent to Google Vertex AI are not used by Google to train its models.
- AI outputs are derivative. Articles, SOPs, and Q&A answers are AI-generated from your connected content. They may contain inaccuracies. You should review AI-generated content before relying on it for important decisions.
6. Service providers and sub-processors
We rely on a small set of third-party service providers to operate the Service. Customer content, Member data, and account information are processed only by the providers below, each of which is bound by data-protection obligations:
- Google Cloud Platform (United States). Hosting, application infrastructure, Firestore (application database), and BigQuery (analytics warehouse). Data at rest is encrypted with Google-managed keys.
- Google Vertex AI — Gemini (United States). Large language model inference for content generation. Inputs and outputs are not used by Google to train models.
- Clerk (United States). User authentication and identity management, including handling of sign-up, sign-in, and session credentials.
- Stripe (United States). Payment processing and subscription billing, integrated through Clerk. Stripe receives payment-method information directly.
- PostHog (United States). Product-usage analytics.
- Sentry (United States). Error monitoring and performance diagnostics.
We also operate self-hosted Weaviate (vector store) and Neo4j (graph database) instances on Google Cloud Platform infrastructure. Data in those systems remains within our Google Cloud environment and is not transmitted to the vendors of that software.
A current Data Processing Addendum (DPA) is available to Customers on request to privacy@mentionai.app.
7. How we share information
We do not sell or rent personal information, and we do not share personal information for cross-context behavioural advertising or similar advertising purposes.
We disclose information only as described below:
- To service providers listed in Section 6, solely to provide the Service.
- Within your organization. Administrators of a Customer organization can view Member learning data, questions, and completion status as part of normal use of the Service.
- For legal reasons. We may disclose information when we believe in good faith that disclosure is necessary to comply with applicable law, valid legal process, or government requests; to enforce our agreements; to protect the security or integrity of the Service; or to protect the rights, property, or safety of Mention, our users, or others.
- In connection with a transaction. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction. We will notify Customers of any such transfer that materially affects this policy.
- With your consent or at your direction.
8. International data transfers
Mention's infrastructure and service providers are located in the United States. If you access the Service from Canada or another country, your information will be transferred to, stored in, and processed in the United States. By using the Service, you consent to that transfer and processing.
For Canadian Customers and Members: personal information processed in the United States is subject to U.S. law and may be accessed by U.S. courts, law enforcement, and national-security authorities under U.S. legal process.
9. Data retention and deletion
- Active accounts. We retain Customer content, Member data, and account information for as long as the account is active.
- Cancellation and grace period. When a Customer cancels, we keep account data for a 30-day grace period during which an administrator can export data through self-serve tools or by request to support.
- Permanent deletion. After the grace period, we permanently delete Customer content, Member data, and account information within 90 days, except where retention is required by law or for legitimate operational purposes such as fraud prevention or dispute resolution.
- Inactive free accounts. Free-tier accounts that have been inactive for more than 12 months may be deactivated and deleted with reasonable advance email notice.
- Disconnected sources. When a source is disconnected, the source's assets are deleted from Mention. Articles, SOPs, and other AI-generated outputs derived from those assets are retained until an administrator deletes them or the account is deleted.
- Conversation captures. Slack and Microsoft Teams threads captured on demand expire automatically about one hour after capture if not activated.
- Backups and logs. Aggregated backups, audit logs, and diagnostic logs may persist for a limited additional period and are then overwritten in the ordinary course.
10. Security
We protect information using a combination of technical and organizational measures, including:
- TLS encryption for data in transit.
- Encryption at rest using Google-managed encryption keys, applied through Google Cloud Platform's underlying infrastructure controls.
- Identity, access, and authentication controls operated through Clerk, with least-privilege access to production systems.
- Continuous error and security monitoring through Sentry and Google Cloud's native tooling.
Mention does not currently hold third-party security certifications such as SOC 2 or ISO 27001. Our security posture relies substantially on the underlying controls provided by Google Cloud Platform. No system is perfectly secure; if you believe your account has been compromised, contact us immediately at privacy@mentionai.app.
11. Your privacy rights
Canadian residents (PIPEDA and provincial laws)
If you are in Canada, you have the right to request access to and correction of your personal information, and to withdraw consent to our processing (subject to legal or contractual restrictions). To exercise these rights, email privacy@mentionai.app. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the privacy regulator in your province.
U.S. state privacy rights (California, Virginia, Colorado, Connecticut, Utah, and similar laws)
If you are a resident of a U.S. state with a comprehensive privacy law, you may have the following rights, subject to legal limitations:
- The right to know what personal information we collect about you and how we use and disclose it.
- The right to access, correct, or delete your personal information.
- The right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. Mention does not sell or share personal information for advertising and has not done so in the preceding 12 months.
- The right not to be discriminated against for exercising your rights.
To exercise these rights, email privacy@mentionai.app. We may need to verify your identity before responding. If you are a Member of a Customer organization, please contact your administrator first; we will assist the Customer in responding to verified requests.
Authorized agents
You may designate an authorized agent to make a request on your behalf. We may require written proof of authorization and verification of your identity.
12. Cookies and similar technologies
We use a small number of cookies and similar technologies:
- Strictly necessary cookies set by Clerk for authentication, session management, and security.
- Analytics cookies and identifiers set by PostHog to help us understand product usage in aggregate.
We do not use advertising cookies or third-party advertising trackers. You can control cookies through your browser settings; disabling strictly necessary cookies will prevent the Service from functioning.
13. Children
The Service is not directed to children. You must be at least 16 years old to use Mention. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact privacy@mentionai.app and we will delete it.
14. Third-party links and integrations
The Service connects to third-party platforms (such as Notion, Google Drive, Slack, and similar tools) at the direction of a Customer's administrator. Those platforms are operated by third parties under their own terms and privacy policies. We are not responsible for the privacy practices of those third parties. When you authorize an integration, you authorize the data flows described in this policy and in the Customer's agreement with us.
15. Changes to this policy
We may update this policy from time to time. When we do, we will update the Effective Date at the top of this page. If changes are material, we will provide additional notice by email to administrators or through an in-app notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
16. Contact us
For questions about this Privacy Policy or to exercise your privacy rights, contact us at privacy@mentionai.app. For legal notices, contact legal@mentionai.app. A physical mailing address for Mention AI Inc. (British Columbia, Canada) is available on written request.