Last Updated: August 25, 2025

The protection of your personal data is very important to us. In this policy, we provide detailed information about what data we collect when you use our online SaaS platform, Mentawise, how we process and protect it, and what your rights are in this regard.

This Privacy Policy explains the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “Data”) within our platform and its associated features and content.

1. Data Controller

The controller responsible for data processing on this platform within the meaning of the General Data Protection Regulation (GDPR) is:

Dr. Georg Hackenberg
Edthof 13a, 4645 Grünau im Almtal, Austria
mail@mentawise.com

2. Types of Data Processed

We process various types of data to provide you with the best possible service on Mentawise:

• Master Data: Name, email address.
• Profile and Content Data: Optional profile picture, private and shared content spaces you create (title, description, color), the content within them (text, images, other files), and cryptographic keys for encryption.
• Usage and Metadata: Daily activities on the platform (e.g., content creation, modifications), daily space-specific activities, number of AI function calls.
• Permission Data: Lists of users with assigned roles (owner, editor, viewer) for content spaces.
• Payment Data: When using a paid plan, your email address and name are sent to our payment provider, Stripe. You will submit your credit card information directly to Stripe.

3. Purpose and Legal Basis of Data Processing

Your data is processed for the following purposes and on the following legal bases:

a) For the Performance of Contractual Services (Art. 6(1)(b) GDPR) The processing of your master data, profile and content data, usage and metadata, and permission data is necessary to provide you with the core features of Mentawise. This includes:

• User Account and Authentication: Your email address is used to create your account and for secure authentication via Google Firebase Authentication.
• Personalization and Profile: Your name and optional profile picture are used to personalize your profile. These are visible to other registered users of the platform to facilitate collaboration.
• Content Creation and Management: Storage of your content spaces, the content within them, and the associated permissions in Google Firebase Firestore.
• Security through Encryption: We store titles, descriptions, and content texts end-to-end encrypted in Google Firebase Firestore. The corresponding cryptographic keys are also stored there to ensure that only you and the users you authorize can access the content.
• File Storage: Images and other files you upload are stored in Google Firebase Storage.

b) To Provide AI Features (Art. 6(1)(b) GDPR) Mentawise offers AI-powered features for generating content suggestions (text and image) based on Google Gemini and Google Imagen.

• Data Transfer to Google: When using these features, the data necessary for the generation (such as previously encrypted titles and texts of content) is temporarily decrypted and transferred unencrypted to Google’s servers in the EU/EEA or the USA. This transfer is essential to provide the AI service.
• Counting AI Calls: The number of your monthly AI calls is tracked to manage usage within the limits of your subscribed plan.

c) For Processing Payments (Art. 6(1)(b) GDPR) For users who subscribe to a paid plan, we work with the payment service provider Stripe.

• Data Transfer to Stripe: To process payments, your name and email address are transferred to Stripe (Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA).
• Collection of Credit Card Data: You enter your credit card information directly into Stripe’s payment form. We do not store this data; it is processed directly and securely by Stripe.

d) To Protect Our Legitimate Interests (Art. 6(1)(f) GDPR) We process your daily activities in Google Firebase Firestore to analyze platform usage and to continuously improve and secure our service. This data is not public and is only visible to you.

4. Data Transfers and Third-Party Providers

We only share your data with third parties if it is necessary to fulfill our contractual obligations or based on our legitimate interests.

• Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland): We use various Google Firebase services as our backend infrastructure. These include:
  • Firebase Authentication: For user authentication.
  • Firebase Firestore: For storing user data, content, permissions, and cryptographic keys.
  • Firebase Storage: For storing images and other files. Google acts as our data processor. We have concluded a Data Processing Agreement (DPA) with Google in accordance with Art. 28 GDPR. A transfer of data to the USA cannot be excluded. This is based on the EU Commission’s Standard Contractual Clauses.
• Google AI (Google Ireland Limited): For the AI features (Gemini, Imagen), data is transferred to Google servers. Google processes this data to provide the service.
• Stripe (Stripe, Inc.): For processing payments. Stripe processes your payment data under its own responsibility. For information on data protection at Stripe, please see their privacy policy. Data transfer to the USA is contractually secured.

5. Data Security

We take extensive technical and organizational measures to protect your data.

• End-to-End Encryption: Titles and descriptions of content spaces, as well as content texts, are stored end-to-end encrypted in our database (Firebase Firestore). Only users with the appropriate cryptographic keys can decrypt this data.
• Unencrypted Data: Please note that images and other files are stored unencrypted in Google Firebase Storage. Furthermore, when using AI features, data is temporarily transferred to Google in an unencrypted state.
• Access Controls: Access to your data is strictly regulated. Private data such as your email address and your activities are only visible to you. Names and profile pictures are only visible to other registered users to enable collaboration.

6. Data Retention and Deletion

We store your personal data only for as long as is necessary to achieve the purposes stated here or as required by statutory retention periods.

• Marking as Deleted: When you mark content spaces or individual items as deleted, they become inaccessible to other users and are removed from the active view. However, they may remain in our systems for a certain period to allow for recovery before being permanently deleted.
• Account Deletion: If you terminate your user account, your personal data will be deleted after any statutory retention periods have expired.

7. Your Rights as a Data Subject

You have the following rights regarding your data that we process:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (“right to be forgotten”) (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise your rights, you can contact us at any time using the contact details provided in Section 1.

8. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy to ensure it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new features. The new privacy policy will then apply to your next visit.