Privacy Policy
Last updated: 8 May 2026 · Version 1.1
1. Who we are
Mentionhub is operated by Mentionhub OÜ, a private limited company registered in Tallinn, Estonia (registry code 17503260, registered office Narva mnt 5, 10117 Tallinn). Contact: privacy@mentionhub.ai. We are the data controller for personal data described below.
2. What we collect
When you create an account or use the service we collect:
- Account data — name, email address, organization (via Clerk).
- Authentication data — provider tokens for Google, Microsoft, or other SSO when used.
- Billing data — name, billing address, VAT ID, payment-method tokens (handled by our payment processor; we never store full card numbers).
- Usage data — which pages you view, which features you use, what brands you track. We use this to operate and improve the product.
- Brand-tracking configuration — the brand names and keywords you choose to monitor.
We do not collect special-category data (health, religion, biometrics) and we don't require it.
3. Public mention data
Mentionhub indexes publicly available news articles and social media posts that mention the brand keywords you track. This indexing covers only data that is already public on the open internet (RSS feeds, public Reddit / Bluesky / Lemmy / Wikipedia / YouTube content). We don't access private accounts, paywalled content you don't have rights to, or platforms that prohibit indexing in their robots.txt or terms of service.
If you are a person whose post about a brand has been indexed and you want it removed from our index, email privacy@mentionhub.ai and we will remove it within 30 days.
4. Why we use your data
- Provide the service you signed up for (Art. 6(1)(b) GDPR — contract).
- Send service-related email (account, security, billing).
- Comply with tax and accounting obligations under Estonian law.
- Improve the product through aggregated usage analytics.
- Defend our legal rights and detect abuse.
5. Sub-processors
We use the following service providers, each with a Data Processing Agreement covering EU data:
- Vercel — application hosting (US, EU regions).
- Supabase — Postgres database (Frankfurt EU region for Mentionhub).
- Clerk — authentication and user management (US, EU).
- Stripe or Paddle — payment processing. PCI-DSS Level 1.
- OpenAI — AI-pillar discovery prompts (US; Mentionhub does not send your customer or PII data, only the brand name and the static prompt library).
6. Data retention
- Account data: kept until you delete your account, then up to 90 days for backup retention.
- Mention data: rolling 90-day window for active plans; purged 30 days after subscription ends.
- Billing records: 7 years for Estonian tax compliance.
7. Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. Email privacy@mentionhub.ai and we will respond within 30 days. You can also complain to your local data protection authority (Estonia: Andmekaitse Inspektsioon; the Netherlands: Autoriteit Persoonsgegevens; etc.).
8. International transfers
Some of our sub-processors are based in the United States. Where data leaves the EEA we rely on EU Standard Contractual Clauses or the EU-US Data Privacy Framework (where the recipient is certified).
9. Cold-outreach campaigns (legitimate-interest assessment)
We send a small number of cold-outreach emails to people who hold marketing or communications roles at European companies, in order to introduce Mentionhub. Legal basis: legitimate interest under Art. 6(1)(f) GDPR. Every such email contains a one-click unsubscribe link and is sent only to corporate role addresses (no personal mailboxes).
Our full Data Protection Impact Assessment for these campaigns — including categories of data, sub-processors, retention, and a risks-and-mitigations matrix — is published at /legal/dpia-outreach.html. Contact privacy@mentionhub.ai for the signed PDF copy.
10. Changes
Material changes to this policy will be announced by email at least 14 days before they take effect.