Privacy Policy
This privacy policy explains how Mena.ai collects, uses, stores, and protects your personal data when you visit our website (mena-ai.pt) and use our platform.
Last updated: February 2026
1. Data Controller
The entity responsible for the processing of your personal data is:
2. Categories of Personal Data Collected
Depending on how you interact with our website and platform, we may collect the following categories of personal data:
Website Analytics Data
When you visit our website, we collect anonymised usage data through Google Analytics, including: pages visited, time spent on pages, referral source, browser type, device type, approximate geographic location (country/city level), and interaction events. This data is collected only with your consent.
Newsletter Subscription Data
If you subscribe to our newsletter, we collect your email address. This data is stored in our CRM system, hosted on Supabase (EU region), for the sole purpose of sending you newsletters and platform updates.
Demo Scheduling Data
When you schedule a demonstration of our platform, you provide your name, email address, and preferred date/time. This data is processed through an embedded Google Calendar booking interface.
Platform User Data (Registered Users)
If you register for the Mena.ai platform, we collect your name, email address, professional credentials, and other information necessary for the provision of our clinical management services. All personally identifiable information (PII) and protected health information (PHI) is encrypted at field level in our database.
3. Purposes and Legal Basis for Processing
We process your personal data for the following purposes, each with a corresponding legal basis under Article 6 of the GDPR:
Website analytics and performance improvement
Consent (Article 6(1)(a) GDPR)
We use Google Analytics with Consent Mode v2 to understand how visitors use our website. No analytics data is collected until you provide consent via our cookie banner. You may withdraw consent at any time.
Newsletter delivery
Consent (Article 6(1)(a) GDPR)
We send newsletters only to users who have explicitly subscribed. You may unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by contacting us directly.
Demo scheduling
Consent (Article 6(1)(a) GDPR) / Pre-contractual measures (Article 6(1)(b) GDPR)
We process your contact information to arrange a platform demonstration at your request.
Provision of clinical management platform services
Performance of a contract (Article 6(1)(b) GDPR)
We process registered user data to provide our clinical management platform services, including appointment scheduling, session notes, and billing.
4. Data Processors and Third-Party Services
We use the following third-party services to process data on our behalf. Each acts as a data processor under the GDPR:
Google Analytics (Google LLC)
Purpose: Website traffic analysis and usage statistics
Data processed: Anonymised browsing behaviour, device information, approximate location
Privacy policy: https://policies.google.com/privacy
PostHog (PostHog Inc.)
Purpose: Product analytics and website usage insights
Data processed: Anonymised usage data, hashed identifiers, page views (EU-hosted, cookieless by default)
Privacy policy: https://posthog.com/privacy
Google Calendar (Google LLC)
Purpose: Scheduling platform demonstrations
Data processed: Name, email, selected time slot
Privacy policy: https://policies.google.com/privacy
Supabase (Supabase Inc.)
Purpose: Newsletter subscription management, contact storage, and email delivery
Data processed: Email address, subscription source
Privacy policy: https://supabase.com/privacy
5. International Data Transfers
Some of our data processors, notably Google LLC, PostHog Inc., and Supabase Inc., may process data outside the European Economic Area. PostHog data is hosted in the EU (Frankfurt, Germany). Data transfers are carried out in compliance with the GDPR, relying on:
- The EU-U.S. Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023), where the data importer is certified under the framework.
- Standard Contractual Clauses (SCCs) adopted by the European Commission, as a supplementary safeguard.
- Additional technical measures, including encryption in transit and at rest.
We regularly review and assess the adequacy of the safeguards in place for international data transfers.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data type | Retention period |
|---|---|
| Website analytics data | 26 months (Google Analytics default), then automatically deleted |
| Newsletter subscription data | Until you unsubscribe or request deletion |
| Demo scheduling data | 6 months after the scheduled demonstration |
| Platform user data | For the duration of the contractual relationship, plus any period required by applicable law |
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of access
You may request a copy of the personal data we hold about you.
Right to rectification
You may request correction of inaccurate or incomplete personal data.
Right to erasure
You may request deletion of your personal data where there is no compelling reason for its continued processing.
Right to restriction of processing
You may request that we restrict the processing of your personal data in certain circumstances.
Right to data portability
You may request to receive your personal data in a structured, commonly used, machine-readable format.
Right to object
You may object to the processing of your personal data where we rely on legitimate interest as the legal basis.
Right to withdraw consent
Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to the withdrawal.
To exercise any of these rights, please contact us at support@mena-ai.pt. We will respond to your request within 30 days.
8. Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados - CNPD).
We encourage you to contact us first at support@mena-ai.pt so that we may attempt to resolve any concerns directly.
9. Cookies
Our website uses cookies. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
10. Automated Decision-Making
We do not carry out any solely automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.
11. Use of Artificial Intelligence
The Mena.ai platform incorporates artificial intelligence (AI) features to assist mental health professionals with clinical note drafting, session summaries, and administrative tasks. Important points regarding our use of AI:
- AI is used as a clinical assistance tool only; it does not make clinical decisions, diagnoses, or treatment recommendations.
- All AI-generated content is reviewed and approved by the treating professional before becoming part of any clinical record.
- AI processing of clinical data occurs within our secured infrastructure, with all personally identifiable information and protected health information encrypted at field level.
- Users of the platform are informed when AI features are in use and may choose not to use AI-assisted features.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Field-level encryption of all personally identifiable information (PII) and protected health information (PHI)
- Encryption of data in transit (TLS/SSL) and at rest
- Per-company encryption keys for multi-tenant data isolation
- Regular security assessments and monitoring
- Access controls and authentication mechanisms (JWT-based)
13. Children's Privacy
Our website and platform are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us so that we may take appropriate action.
14. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or applicable legislation. Any material changes will be communicated by publishing the updated policy on this page with a revised "last updated" date. We encourage you to review this page periodically.
15. Contact Us
If you have any questions about this privacy policy or our data protection practices, please contact us: