Effective date: 12 May 2026
Last updated: 12 May 2026
This Privacy Policy explains how Mentor Beauty Apps EOOD ("Mentor", "we", "us", or "our"), a company incorporated under the laws of the Republic of Bulgaria, collects, uses, discloses, and protects personal data when you use the Mentor platform — including our learner web app, mentor web app, admin web app, and mobile apps for iOS and Android (together, the "Service").
We are the controller of the personal data processed under this Policy within the meaning of Regulation (EU) 2016/679 (the "GDPR"). For users outside the European Economic Area, we apply equivalent standards on a global basis.
If you have questions about this Policy or how we handle your personal data, contact us at support@mybeautymentors.com.
1. Scope
This Policy applies to anyone who interacts with the Service, including:
- Learners — individuals who browse, purchase, subscribe to, and consume courses on Mentor.
- Mentors — individuals or entities who create, publish, and sell course content on Mentor.
- Admins — staff or authorized partners who manage the platform.
- Visitors — anyone who visits our marketing or public pages without an account.
It does not apply to third-party websites, apps, or services that link to or from Mentor. Those are governed by their own privacy notices.
2. Personal data we collect
We collect personal data in three ways: (a) information you give us, (b) information generated when you use the Service, and (c) information we receive from third parties.
2.1 Information you provide
- Account data — name, email address, password (stored as a salted hash), profile photo, preferred language, time zone, role (Learner, Mentor, Admin).
- Mentor profile data — biography, areas of expertise, social links, public display name, payout/tax identifiers (where required for revenue payments).
- Course content data — for Mentors: the courses, videos, descriptions, attachments, quizzes, and other materials you upload.
- Communications — messages you send to support, replies in course discussions, comments, ratings, and reviews.
- Payment data — billing name, billing address, country, VAT/tax identifier, the last four digits and brand of your card. We do not store full card numbers, CVV codes, or full bank details. Full payment instrument data is collected and processed by our payment processor, Stripe, under its own privacy notice.
2.2 Information generated by your use of the Service
- Authentication data — session tokens, device fingerprints, login timestamps, IP address, and "remember me" tokens managed via Better-Auth.
- Usage data — pages viewed, courses started, lessons completed, search queries, clicks, time spent, and other interaction events.
- Video playback data — when you watch a video, our video provider (Mux) processes playback metrics (start time, watch duration, buffering, quality, device, and approximate location based on IP) for delivery and analytics purposes.
- Device and technical data — device type, operating system, browser type and version, screen size, language, referrer URL, IP address, mobile advertising identifiers (where applicable).
- Log data — server logs, error reports, and diagnostic data (including crash logs collected by Sentry where enabled).
- Cookies and similar technologies — see our separate Cookie Policy.
2.3 Information from third parties
- Authentication providers — if you sign in via a third-party identity provider (e.g., Google), we receive your name, email, and a profile identifier in line with the permissions you grant.
- Payment processors — Stripe shares transaction status, payment method metadata, fraud signals, and dispute information with us.
- Tax and compliance partners — where required, we receive tax residency and identity verification data from compliance partners for Mentor payouts.
2.4 We do not knowingly collect data from children
The Service is not directed to children under 16. If you are under 16, do not use the Service or provide personal data to us. If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it.
3. How we use your personal data and legal bases (GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under Article 6 GDPR:
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide the Service | Create and authenticate your account, deliver courses, host video, store files, send transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Process payments and payouts | Charge subscriptions, process one-time purchases, pay Mentors their share of revenue, handle refunds | Performance of a contract; legal obligation (Art. 6(1)(b), (c)) |
| Prevent fraud and secure the Service | Rate-limiting, anomaly detection, abuse prevention, audit logging, breach response | Legitimate interests (Art. 6(1)(f)) |
| Customer support and dispute handling | Respond to tickets, investigate complaints, manage chargebacks | Performance of a contract; legitimate interests (Art. 6(1)(b), (f)) |
| Improve and develop the Service | Analytics, A/B testing, debugging, product research | Legitimate interests; consent where required (Art. 6(1)(f), (a)) |
| Marketing communications | Newsletters, promotional emails about new courses or features | Consent or legitimate interests, depending on jurisdiction (Art. 6(1)(a)/(f)) |
| Comply with law | Tax records, accounting obligations, lawful requests from authorities | Legal obligation (Art. 6(1)(c)) |
| Enforce our terms | Investigate violations, suspend or terminate accounts | Legitimate interests; performance of a contract |
You can object to processing based on legitimate interests at any time (see Section 8).
4. Cookies and similar technologies
We use cookies, local storage, and similar technologies to keep you signed in, remember preferences, secure the Service against abuse, and — with your consent where required — measure usage and improve the Service. For a full list of categories, providers, and how to manage your choices, see our Cookie Policy.
5. How we share your personal data
We share personal data only as described below. We do not sell your personal data.
5.1 Service providers (processors)
We engage trusted vendors to operate the Service. They process personal data on our behalf under written agreements and only on our instructions. Categories include:
- Cloud hosting and database — hosting providers for our application and PostgreSQL database (e.g., Neon, AWS-region providers).
- Authentication — Better-Auth (self-hosted), session and credential storage.
- Payments — Stripe for card processing, subscriptions, payouts to Mentors, fraud screening, and tax handling.
- Video hosting and streaming — Mux for video ingestion, transcoding, adaptive streaming, and playback analytics.
- File storage — S3-compatible object storage for user-uploaded files (course materials, avatars, attachments).
- Search — Typesense for full-text course search.
- Caching and rate-limiting — Redis / Upstash for session and rate-limit data.
- Email delivery — SMTP and transactional email providers (e.g., Postmark).
- Analytics — Google Tag Manager and analytics tools (where consent has been provided).
- Error and crash reporting — Sentry (where enabled).
- Customer support tooling — helpdesk and ticketing platforms.
5.2 Other Mentor users
Some data is visible to other users by design:
- Your public profile (display name, photo, bio, mentor courses) is visible to anyone with access to the Service.
- Course reviews and discussion posts you publish are visible to other learners and the Mentor of the course.
- Mentors receive limited information about Learners enrolled in their courses (e.g., Learner display name, progress, and submitted answers).
5.3 Business transfers
If we are involved in a merger, acquisition, financing, restructuring, sale of assets, bankruptcy, or insolvency, personal data may be transferred to a successor or affiliate as part of that transaction. We will notify you and ensure equivalent protections continue to apply.
5.4 Legal and safety
We may disclose personal data when we believe in good faith it is necessary to (a) comply with applicable law, court order, or other legal process; (b) enforce our Terms; (c) protect the rights, property, or safety of Mentor, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.
6. International transfers
Mentor is established in Bulgaria, and personal data is primarily processed within the European Economic Area. Some of our service providers (including Stripe, Mux, Google, and others) may process personal data outside the EEA, including in the United States.
When we transfer personal data outside the EEA, we rely on appropriate safeguards under Articles 44–49 GDPR, including:
- the European Commission's Standard Contractual Clauses (2021 version);
- adequacy decisions where applicable;
- supplementary technical measures (encryption in transit and at rest, access controls).
You may request a copy of the safeguards we apply by contacting office@mybeautymentors.com.
7. Data retention
We keep personal data only as long as needed for the purposes described in this Policy or as required by law. Indicative retention periods:
- Account data — for the life of your account, plus up to 12 months after deletion or last activity (to allow account recovery and dispute handling).
- Transaction records (invoices, payouts, tax) — at least 10 years, as required by Bulgarian tax and accounting law.
- Course content uploaded by Mentors — for as long as the course is active and for a commercially reasonable period after takedown to handle refund and licensing claims.
- Server logs and security logs — typically 30–180 days.
- Marketing data — until you withdraw consent or object.
- Backups — encrypted backups are retained on a rolling basis (typically 30–90 days) and deletion requests are honored on the next backup rotation.
When retention expires, we delete or irreversibly anonymize the data.
8. Your rights
Subject to applicable law (and in particular under the GDPR), you have the right to:
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete personal data.
- Erase your personal data ("right to be forgotten") in certain circumstances.
- Restrict processing in certain circumstances.
- Object to processing based on our legitimate interests, including for direct marketing.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time where processing is based on consent. Withdrawal does not affect prior processing.
- Lodge a complaint with a supervisory authority. Mentor's lead supervisory authority is the Commission for Personal Data Protection of the Republic of Bulgaria (Комисия за защита на личните данни / CPDP), https://www.cpdp.bg. You may also complain to the supervisory authority in your country of residence.
To exercise these rights, contact support@mybeautymentors.com or use the in-app account controls. We will respond within one (1) month, extendable by two further months for complex requests, in line with Article 12(3) GDPR. We may need to verify your identity before acting on a request.
9. Security
We apply technical and organizational measures appropriate to the risk, including:
- TLS encryption for data in transit;
- encryption at rest for databases and object storage;
- salted password hashing;
- role-based access control and least-privilege access for staff;
- audit logging of administrative actions;
- regular dependency and vulnerability scanning;
- isolated development, staging, and production environments;
- incident response procedures and breach notification in line with Articles 33–34 GDPR.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, notify affected users.
10. Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. We do use automated systems for fraud detection, abuse prevention, and content recommendations; these systems do not, on their own, make significant decisions about you without human review.
11. Marketing communications
If you receive marketing emails from us, you can unsubscribe at any time using the link in any such email or by adjusting your notification preferences in your account settings. Transactional emails (e.g., receipts, password resets, course updates) are part of the Service and cannot be opted out of while you maintain an active account.
12. Third-party links and services
The Service may link to external websites, payment pages, or third-party services. We are not responsible for the privacy practices or content of third parties. Review their privacy notices before providing personal data.
13. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email or via an in-app notice and update the "Last updated" date at the top of this Policy. Continued use of the Service after the effective date of the updated Policy constitutes acceptance of the changes.
14. Contact us
Mentor Beauty Apps EOOD
Republic of Bulgaria
Email: support@mybeautymentors.com
Privacy inquiries: office@mybeautymentors.com
If you are in the EEA and prefer to contact our representative, please email office@mybeautymentors.com and we will direct your request appropriately.
This Privacy Policy is provided for transparency and does not constitute legal advice. We recommend reviewing it with qualified counsel before publication.