Privacy policy
Last updated: 10 May 2026 · Version 1.0
This policy explains how Mentis Digital Ltd (“Mentis”, “we”, “us”), a company registered in England & Wales (Company No. 16560281) with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom, collects, uses, shares and protects personal data when you use mentisdigital.co.uk, our forms and chat assistant, our podcast (“The Signal”), or engage us as a service provider.
Mentis is the data controller for personal data collected through this website and direct commercial engagements with our clients. For data we process on behalf of a recruitment-agency client’s outbound campaigns (prospect contacts, hiring-manager interactions and signal data), we typically act as a data processor under a written services agreement; the recruitment agency remains the controller for that data.
1. Personal data we collect
We collect personal data in the following ways:
1.1 Information you provide
- Lead-magnet conversation (see-if-we-fit): agency model and economics, niche, audience, mobile number (used solely to send a one-time SMS verification code), Calendly booking details if you choose a slot.
- The Signal — Pitch Yourself form: name, email, role & agency, optional LinkedIn URL, the question you propose to discuss, optional one-line bio.
- Discovery / contact forms and email: name, business email, agency name, the request itself.
- AI assistant chat: the messages you type into the on-page chat. Conversation history is stored only in your browser’s session storage; we do not retain a permanent server-side log of individual conversations beyond request-time error logs.
- Resource gates and password gates: email address and the resource accessed.
- Podcast guest packs: details supplied by the guest or their representative (career history, themes, recording logistics, photo / brief-derived material).
1.2 Information collected automatically
- Technical and usage data: IP address, user-agent, referrer, pages viewed, approximate location (derived from IP), device and browser characteristics, error diagnostics. Collected in server logs and through privacy-respecting analytics.
- Cookies and similar technologies: see Section 7.
1.3 Information from third parties
- Public business information we lawfully obtain from sources such as Companies House, LinkedIn public profiles, company websites, press releases, job boards and open-web signal data, to the extent permitted by the source and by data-protection law.
- Data introduced by clients for the purpose of running their outbound campaign (their target ICP, their CRM exports, etc.). This data is processed on the client’s instructions under a written services agreement.
2. Why we use it (purposes & lawful bases)
Under the UK GDPR we must rely on a lawful basis for each processing activity. The principal bases we rely on are:
- Performance of a contract (UK GDPR Art. 6(1)(b)): to provide the services you have engaged us for, including running BD campaigns under our services agreement, delivering booked discovery sessions, sending Calendly confirmations, and corresponding with you about the engagement.
- Legitimate interests (Art. 6(1)(f)): to market our B2B services to recruitment-agency decision-makers in a targeted, low-volume, signal-led way; to maintain site security; to operate the AI assistant; to improve our service; to evaluate and respond to podcast guest pitches. Our interests are balanced against your rights and you can object at any time (see Section 9).
- Consent (Art. 6(1)(a)): for non-essential cookies, for marketing emails to individuals, and for the inclusion of identifiable guests on The Signal podcast and related materials. You may withdraw consent at any time without affecting prior lawful processing.
- Legal obligation (Art. 6(1)(c)): to comply with statutory record-keeping (e.g. Companies Act, tax), to respond to lawful requests from authorities, and to retain records required by the Privacy and Electronic Communications Regulations 2003 (PECR).
We do not sell personal data. We do not use your data for automated decision-making with legal or similarly significant effects.
3. Sharing and processors
We share personal data only with carefully selected third parties acting as processors on our behalf, or where required by law. Current processors include:
- Vercel Inc. — web hosting and serverless functions for mentisdigital.co.uk.
- Twilio Inc. (Twilio Verify) — one-time SMS verification codes for the see-if-we-fit conversation.
- Calendly LLC — meeting scheduling and associated invitee details.
- Groq Inc. — large-language-model inference for the on-page AI assistant. Messages you send to the assistant are forwarded to Groq for the purpose of generating a response.
- n8n.io GmbH (self-hosted by Mentis) — workflow automation that routes inbound form submissions to our CRM and email.
- Google LLC — Google Workspace email, documents and storage; analytics where deployed.
- Unipile and the underlying LinkedIn / email platforms our campaign managers use to run outreach on behalf of clients.
- HubSpot, Pipedrive, or the CRM specified in our client’s services agreement — campaign pipeline tracking.
- Stripe Inc. — payment processing for invoices, where applicable.
A current sub-processor list, written processing terms, and international transfer safeguards are available on request to hello@mentisdigital.co.uk.
4. International transfers
Some of our processors are based outside the UK, principally in the United States and the European Economic Area. Where personal data is transferred outside the UK we rely on one or more of: (a) a UK adequacy regulation (e.g. for the EEA); (b) the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses; or (c) the UK Extension to the EU–US Data Privacy Framework, where the recipient is certified under it. Copies of the relevant safeguards are available on request.
5. Retention
- Marketing leads and prospect data: kept for up to 24 months from last meaningful interaction, unless you object earlier.
- Discovery / contact form submissions: kept for up to 36 months for relationship management and audit.
- SMS verification metadata: retained for up to 30 days; verification codes are short-lived (single use, expiring within 10 minutes).
- AI-assistant transcripts: not retained server-side beyond request-time logs; in-browser session storage clears when you reset or close the tab.
- Podcast guest data: retained for the life of the published episode plus a reasonable period thereafter for archival, distribution-platform and rights-management purposes.
- Client engagement records and finance records: retained for at least six years to comply with contractual, tax and accounting obligations.
Where we no longer need personal data we delete or anonymise it.
6. Security
We apply appropriate technical and organisational measures proportionate to the risk: TLS in transit, access controls and least-privilege provisioning, two-factor authentication on critical accounts, segregation of client data inside the CRM, vetted sub-processors, and incident-response procedures. No system is perfectly secure; we will notify the Information Commissioner’s Office (ICO) and, where required, affected individuals of any qualifying personal data breach within the timeframes set by the UK GDPR.
7. Cookies
We use a minimal set of cookies. Strictly necessary cookies are required to operate the site (session, CSRF, password-gate state, in-browser chat history). Where deployed, analytics cookies (e.g. Vercel Analytics, Plausible or similar) help us understand aggregate site usage and are loaded only with your consent where required. Third-party embeds (Calendly, podcast players, social platforms) may set their own cookies subject to their own policies. You can control cookies through your browser settings. The full cookies notice and current deployment list are available on request.
8. AI assistant disclosure
The on-page assistant (“Mentis Assistant”) is powered by a third-party large-language model (Groq) and is provided for general informational and routing purposes only. It is not a regulated adviser. Conversations are sent to the model provider for inference. Do not share confidential, personal, or special-category data through the assistant. For anything material, contact hello@mentisdigital.co.uk.
9. Your rights
Subject to certain conditions, the UK GDPR gives you the rights of access, rectification, erasure, restriction of processing, data portability and objection (including to marketing and to processing based on legitimate interests), and the right to withdraw consent. To exercise any right, write to hello@mentisdigital.co.uk. We respond within one calendar month and may ask for proportionate proof of identity.
You also have the right to complain to the Information Commissioner’s Office at ico.org.uk/make-a-complaint. We’d appreciate the chance to address your concerns first, but you are not required to contact us before complaining to the ICO.
10. Marketing communications
We send B2B marketing email and LinkedIn outreach to recruitment-agency decision-makers in line with the soft-opt-in provisions of PECR and our legitimate-interests assessment. Every marketing message contains a clear unsubscribe link; replying with “unsubscribe” or “remove” will also be honoured. To opt out completely, email hello@mentisdigital.co.uk.
11. Children
Our services are intended for businesses and adult professionals. We do not knowingly collect personal data from anyone under 18.
12. Changes to this policy
We may update this policy from time to time. The version and last-updated date at the top of this page reflect the current version. Material changes will be notified on the homepage or by email where appropriate.
13. Contact us
Mentis Digital Ltd
Company No. 16560281, registered in England & Wales
Registered office: 128 City Road, London, EC1V 2NX, United Kingdom
Email: hello@mentisdigital.co.uk
