Privacy Policy

for the OpenMentor.io service

Last updated: 9 July 2026

Data controller:
Georgiy Mogelashvili, an individual (sole operator of OpenMentor.io), based in the Netherlands.

Website: https://openmentor.io
Privacy contact: privacy@openmentor.io
General contact: hello@openmentor.io

This Policy explains what personal data OpenMentor.io (“OpenMentor”, “we”, “us”) collects, why we collect it, who we share it with, and what rights you have. We process personal data in accordance with the EU General Data Protection Regulation (GDPR).


1. What OpenMentor does

OpenMentor is an online platform that connects mentors with people looking for mentorship (mentees). Mentors publish a public profile; mentees send contact requests to a mentor of their choice. We act as a technical intermediary — sessions, payments, and any further communication happen directly between the mentor and the mentee.


2. What data we collect

2.1. Mentor profiles

When you register as a mentor and use the service, we process:

  • name or display name;
  • email address;
  • photo (avatar);
  • job title, workplace, experience, specialization, and profile description;
  • session price information;
  • links to external resources and an optional free-text “preferred contact” (any contact detail you choose to share), if provided;
  • calendar booking link, if provided;
  • any other information you voluntarily add to your profile.

Except for your email address, this information is published on the site and becomes publicly available at your own initiative when your profile is approved.

2.2. Mentee contact requests

When you send a request to a mentor, we process:

  • name;
  • email address;
  • an optional free-text “preferred contact” (any contact detail you choose to share), if provided;
  • the text of your message to the mentor;
  • your self-assessed experience level, if provided.

2.3. Session reviews

If you leave a review after a session, we process the review text, ratings, and recommendation scores you submit.

2.4. Authentication data

We use passwordless magic-link authentication. For mentors and moderators we process email addresses, short-lived single-use login tokens, and session cookies. We do not store passwords.

2.5. Analytics data (only with your consent)

With your consent (see section 8), we collect pseudonymous product-analytics events and device/browser data to understand how the service is used and to improve it.

2.6. Anti-abuse and technical data

To protect the service against spam, bots, and abuse, we process IP addresses, rate-limiting counters, Cloudflare Turnstile signals on public forms, and standard server logs (IP address, user agent, request metadata). We also collect operational error and performance telemetry to keep the service reliable.


3. Purposes and lawful bases

  • Operating the mentor catalog and delivering requests (publishing mentor profiles, passing a mentee’s request to the chosen mentor, session coordination, transactional emails) — performance of a contract (Art. 6(1)(b) GDPR).
  • Authentication and account access (magic links, sessions) — performance of a contract (Art. 6(1)(b) GDPR).
  • Session reviews and quality feedback — our legitimate interest in maintaining the quality of the platform (Art. 6(1)(f) GDPR).
  • Product analytics — your consent (Art. 6(1)(a) GDPR), given via the cookie banner and revocable at any time.
  • Security, anti-abuse, logging, and observability — our legitimate interest in keeping the service secure and reliable (Art. 6(1)(f) GDPR).

We do not send marketing or advertising emails.


4. Who we share data with

4.1. When you send a request, your name, email, optional contact handle, and message are shared with the mentor you selected, solely so that the mentor can respond. This happens at your initiative and is the core function of the service.

4.2. We use the following service providers (processors), which receive personal data only to the extent necessary to provide their services:

  • Hetzner — hosting and infrastructure (Germany, EU);
  • Amazon Web Services (SES) — transactional email delivery (EU region);
  • Amazon Web Services (S3) — storage of profile images (EU region);
  • PostHog — product analytics, EU cloud (only with your consent);
  • Google (Tag Manager) — loading of analytics tags (only with your consent);
  • Cloudflare (Turnstile) — spam and bot protection on public forms;
  • Grafana Cloud — logging, monitoring, and error tracking;
  • Cloudflare — DNS and content delivery.

4.3. If a mentor embeds a scheduling calendar (e.g. Calendly, Koalendar, or CalendLab) on their contact page, any data you enter into that calendar widget goes directly to the respective calendar provider under that provider’s own privacy policy. We recommend reviewing it before booking.

4.4. We do not sell personal data and do not share it with other third parties except where required by law.


5. International transfers

Our primary hosting is located in the EU (Hetzner, Germany). Our AWS email and storage services are configured to use EU regions, and our PostHog analytics instance is configured to use PostHog’s EU cloud. However, some of our providers (for example Cloudflare, Google, Grafana Labs, and Amazon Web Services as US-headquartered companies) may process limited data in the United States or other countries outside the EU/EEA. Where that happens, transfers are safeguarded by the European Commission’s Standard Contractual Clauses (SCCs) or an applicable adequacy decision (such as the EU-U.S. Data Privacy Framework).


6. How long we keep data

We retain personal data for as long as it remains relevant to providing the service, and we delete it on request (see section 7). We do not currently apply fixed automatic expiry periods to service data; your erasure request is honoured at any time.

  • Mentor profiles — kept while the profile is active on the platform; deleted upon your deletion request or account removal.
  • Mentee contact requests and reviews — kept while they remain relevant to the service (for example, so the mentor can respond to an open request and so reviews remain attributable); deleted or anonymized upon your request.
  • Login tokens — expire within minutes of issuance; sessions expire per their time-to-live.
  • Server logs and observability data — approximately 30 days.
  • Analytics data — per the retention settings of the analytics provider (PostHog).

Backups: deleted data may persist in encrypted backups for a limited period and is removed permanently when those backups expire on their regular rotation schedule.


7. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you and receive a copy;
  • have inaccurate data corrected;
  • have your data erased (“right to be forgotten”);
  • restrict or object to processing based on legitimate interests;
  • receive your data in a portable format;
  • withdraw consent at any time (for consent-based processing such as analytics);
  • lodge a complaint with a data-protection supervisory authority. Our supervisory authority is the Dutch Autoriteit Persoonsgegevens; you may also complain to the supervisory authority of your own EU/EEA country.

To exercise any of these rights, email privacy@openmentor.io. We may ask you to verify your identity to prevent unauthorized access to personal data. We respond within one month, as required by law.


8. Cookies and analytics

We use two kinds of cookies and similar technologies (such as browser local storage):

  • Essential cookies — required for the service to work: session cookies for signed-in mentors and moderators, security and anti-abuse mechanisms (Cloudflare Turnstile on public forms), and the cookie/local-storage entry that remembers your consent choice (valid for 12 months). These are always on.
  • Analytics cookies — set by PostHog (product analytics) and by tags loaded through Google Tag Manager, to help us understand product usage. These load only if you accept them in the consent banner shown on your first visit. You can decline them without losing any functionality, and you can withdraw your consent at any time by clearing the site’s cookies and local storage in your browser (the banner will then appear again) or by contacting us.

9. Special categories of data

The service does not request and does not require special categories of personal data (such as health information, religious or political beliefs). The service is not intended for exchanging medical or health information. If you voluntarily include such information in free-text fields, it is considered provided at your own initiative; please refrain from doing so. Upon request, we will delete such information.


10. How we protect data

We apply appropriate technical and organizational measures, including:

  • TLS encryption for all connections;
  • passwordless magic-link authentication (no stored passwords);
  • HttpOnly, Secure session cookies;
  • rate limiting and Cloudflare Turnstile on public forms;
  • restricted access to administrative interfaces and APIs;
  • security monitoring and event logging;
  • regular updates of software components and dependencies.

11. Changes to this Policy

We may update this Policy from time to time. The current version is always available at openmentor.io/privacy. For significant changes we will provide notice on the site.