MentoRate Privacy Policy

Your privacy is important to us. We are committed to protecting your personal data and ensuring transparency in how we handle it.

1. Introduction

This Privacy Policy explains how MentoRate ("we," "us," or "our") collects, uses, and protects your personal data when you use our user-generated content (UGC) platform. We are committed to respecting your privacy rights under the General Data Protection Regulation (GDPR) and Romanian law.

2. Who We Are

Data Controller:
MentoRate
Romania

For privacy-related inquiries, please contact us at: legal@mentorate.syu.nl.eu.org

3. What Personal Data We Collect

We collect minimal personal data necessary to maintain platform security and integrity:

Important: We do not require user accounts, email addresses, or other personally identifiable information to use MentoRate.

4. Why We Process Your Data (Legal Basis)

We process your personal data based on Legitimate Interest (Article 6(1)(f) GDPR).

Our legitimate interests include:

• Platform Security: Preventing spam, abuse, and malicious activity
• Service Integrity: Ensuring fair usage and protecting our community
• Rate Limiting: Managing system load and preventing automated abuse

We have conducted a balancing test to ensure that our legitimate interests do not override your fundamental rights and freedoms.

5. How We Use Your Data

5.1 Rate Limiting (Spam Prevention)

Your IP address is temporarily logged to enforce fair usage limits and prevent spam submissions from automated systems.

5.2 Content Moderation

We use automated systems to:

• Detect and remove harmful or abusive content
• Identify repeat offenders for temporary or permanent bans
• Protect our community from malicious actors

6. Data Retention

We do not retain personally identifiable data beyond what is strictly necessary for security purposes.

7. Third-Party Sub-Processors

We engage the following sub-processors to deliver our services:

7.1 Cloudflare, Inc.

• Purpose: Web hosting, CDN services, and edge computing (Workers AI)
• Location: United States (EU Standard Contractual Clauses apply)
• Data Processed: IP addresses, encrypted session data
• Privacy Policy: https://www.cloudflare.com/privacypolicy/

7.2 OpenRouter

• Purpose: AI-assisted content moderation
• Special Note: OpenRouter operates under Zero Data Retention (ZDR) policy. Content is processed in real-time and not stored.
• AI Training: your data is never used for model training
• Privacy Policy: https://openrouter.ai/privacy

All sub-processors are GDPR-compliant and bound by Data Processing Agreements (DPAs) that ensure the same level of data protection as required by EU law.

8. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), specifically in the United States. We ensure adequate protection for such transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Additional technical safeguards (encryption in transit and at rest)
• Due diligence on sub-processor privacy practices

9. Your Rights Under GDPR

As a data subject, you have the following rights:

9.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation of whether we process your personal data and, if so, access to that data and related information.

9.2 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)

Given our short retention periods (maximum 7 days for IP addresses), personal data is automatically deleted. If you have specific concerns, you may request expedited deletion where technically feasible.

9.3 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests. However, please note that this may limit your ability to use our platform, as IP-based rate limiting is essential for service operation.

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction of processing in specific circumstances, such as when you contest the accuracy of your data.

9.5 Right to Data Portability (Art. 20 GDPR)

Given the minimal data we collect, this right is generally not applicable to our service.

9.6 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to file a complaint with:

10. Security Measures

We implement appropriate technical and organizational measures to protect your data:

• Encryption: All data transmitted between your browser and our servers uses TLS 1.3 encryption
• Data Minimization: We collect only what is strictly necessary
• Automated Purging: IP addresses are automatically deleted after 7 days
• Access Controls: Strict internal access limitations to any logged data

11. Cookies and Similar Technologies

We use essential, encrypted session cookies ("Guest Tokens") solely for:

• Maintaining your session state
• Security and anti-abuse measures

These cookies are not used for tracking, advertising, or analytics purposes.

12. Children's Privacy

MentoRate is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately for deletion.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify users of material changes by:

• Updating the "Effective Date" at the top of this policy
• Displaying a prominent notice on our platform

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

This Privacy Policy has been drafted in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation) and applicable Romanian data protection law.