mentmi

Privacy Policy

Effective Date: May 1, 2026

I. Introduction

Welcome to mentmi! mentmi (hereinafter referred to as "the Platform" or "we/us") is an AI-powered college planning and admissions support platform operated by mentmi for schools, counselors, students, and parents. We deeply understand that the personal information of you and your associated students is of paramount importance, and we are fully committed to protecting your personal information and privacy in strict compliance with applicable data protection laws and regulations.

This Privacy Policy is designed to help you understand:

  • What personal information we collect, along with our lawful bases and purposes for doing so;
  • How we process, store, and protect your personal information;
  • The specific circumstances under which we may share, transfer, or disclose your personal information;
  • The international standard privacy rights you hold as a data subject;
  • Special protection rules regarding the personal information of minors.

IMPORTANT NOTICE: This Platform processes personal information involving minor students. Before registering, using, or authorizing students to use this Platform, school institutions, counselors, and parents must read this policy carefully to ensure that the Platform is used only with proper and lawful authorization.

This Privacy Policy applies to your access to and use of all products and services provided by the Platform via the mentmi web platform, client applications, and related APIs.

II. Personal Information We Collect and Lawful Bases

We only collect your personal information for specific, explicit, and legitimate purposes. Depending on applicable data protection laws, our lawful bases for processing data typically include: the performance of a contract, our legitimate interests, your explicit consent, and compliance with our legal obligations.

2.1 Account Registration and Login

When you create or log in to a mentmi account, we need to collect:

  • Third-Party Authentication Data: Google or Apple account information (including your unique provider identifier, email address, profile picture, and display name).

Lawful Basis: Performance of a contract.

2.2 Information Required for College Planning Services

To provide you with personalized college planning and assessment services, we collect and process the following information (some sensitive data requires explicit authorization from the student or their parent/guardian, or must be provided by the school within its lawful scope of authority):

  • Academic and Performance Data: Transcripts, school grades, standardized test scores (e.g., SAT, ACT, TOEFL, IELTS, etc.), and course enrollment records;
  • Personal Background and Activities: Interests, extracurricular activities, competition awards, social practices, academic projects, and volunteer experiences;
  • Admissions Intentions and Goals: Intended majors, target universities/higher education institutions, and university application timelines;
  • Psychological and Trait Assessment Data: Student strengths, traits, and potential data collected through AI structured interviews and psychometric tools (this data constitutes sensitive personal information and strictly requires explicit consent from both the student and their parent/guardian);
  • Application Material Drafts: Personal statements, self-descriptions, and application essay drafts (used solely for AI-assisted analysis and strategy guidance, and will never be shared externally).

Lawful Bases: Performance of a contract; your explicit consent.

2.3 Device and Log Information (Automatically Collected)

To maintain the security and stability of the Platform, prevent fraud, and optimize our technical architecture, we automatically collect:

  • Device Data: Hardware model, operating system version, unique device identifiers (e.g., UUID), IP address, network type, and browser type;
  • Log Data: Access timestamps, operation logs, page browsing paths, clickstream data, application crash logs, and performance metrics;
  • Cookies and Similar Technologies: Used to maintain your login session state, remember your language preferences, and perform de-identified performance analysis.

Lawful Basis: Our legitimate interests (maintaining cybersecurity and optimizing product experience).

2.4 Exceptions Where Consent is Not Required

Under a very limited number of specific circumstances permitted by applicable law, we may process your personal information without your prior consent:

  • Compliance with Legal Obligations: To comply with applicable laws, regulations, court orders, enforceable government mandates, or to cooperate with law enforcement investigations;
  • Protection of Vital Interests: In emergency situations where it is necessary to protect your vital interests or those of another individual, such as life-threatening situations or physical safety;
  • Maintenance of Legitimate Interests: Where processing is absolutely necessary to ensure the safe and stable operation of the Platform, such as detecting, preventing, and resolving technical faults, fraud, or security vulnerabilities.

III. How We Use Personal Information

We will strictly use your personal information within the scope of the following explicit purposes:

  • Core Service Delivery: Powering our AI models to generate personalized student assessment reports, college planning roadmaps, course selection recommendations, and application timelines;
  • AI Interaction & Analysis: Conducting structured AI interviews to discover student traits, assisting counselors in formulating highly customized strategies;
  • Service Communication & Notifications: Sending student progress reports, key task reminders, and system announcements to counselors and parents;
  • Product Optimization & Model Training: Analyzing usage trends to optimize AI algorithm models and improve user experience, only after the data has been thoroughly de-identified or anonymized;
  • Security & Compliance: Identifying abnormal login behavior, preventing account takeover, protecting against data breaches, and ensuring the Platform meets global data compliance audit requirements.

Our Commitment: We will never use students' personal information for commercial advertising, targeted marketing, or user profiling.

IV. Special Protection for Minors' Personal Information

As this Platform primarily serves in-school students, our user base includes a significant number of minors. We enforce the strictest international compliance standards to protect minors' personal information.

4.1 Compliance Responsibilities of Schools and Institutions

As the data controller or contracting party, before authorizing students to use the Platform, the school shall:

  • Obtain explicit, legally valid, informed consent from students and their parents/legal guardians regarding personal information processing in accordance with applicable privacy laws;
  • Ensure that student information entered into or transmitted through the Platform is true, accurate, lawful, and does not infringe upon any third-party rights;
  • Implement rigorous account permission management, strictly following the principle of "least privilege" when configuring access rights for counselors and students.

4.2 Essential Rights of Parents and Guardians

As the legal guardian of a minor student, you hold the following rights:

  • To review and access all personal information of your child stored on this Platform at any time;
  • To request the correction, restriction of processing, or deletion of your child's personal information;
  • To withdraw consent at any time for specific information processing activities (such as AI microphone access during interviews);
  • To request the complete cancellation of your child's account and the erasure of all historical data.

V. Cookies and Similar Technologies

We use Cookies, Pixels, and similar technologies on our website and applications to fulfill the following necessary functions:

  • Essential Core Functions: Verifying your login status, ensuring secure account access, and preventing fraudulent activities;
  • Functional Preferences: Remembering your language preferences, interface settings, and reducing repetitive configurations;
  • De-identified Analytics: Counting page visits and feature utilization rates to help us diagnose performance bottlenecks and improve user experience.

You can clear or reject Cookies at any time through your browser's privacy settings. Please note that disabling certain Cookies may cause some core features of the Platform to malfunction.

VI. Sharing, Transfer, and Disclosure of Personal Information

6.1 Principles for Sharing and Entrusted Processing

We will not share your personal information with any third-party commercial organizations. We will only provide data to third parties under the following highly limited circumstances:

  • With Your Explicit Consent;
  • Legal & Law Enforcement Requirements: In response to subpoenas, court judgments, or lawful disclosure requests from global law enforcement and regulatory authorities;
  • Entrusted Data Processors (Third-Party Service Providers): To maintain basic infrastructure operations, we may engage heavily audited third-party service providers. These providers can only access data within the minimum scope required to perform their duties and are legally bound by strict Data Protection Agreements (DPAs).

6.2 Categories of Third-Party Service Providers

The third-party infrastructure and services we integrate include:

  • Cloud Infrastructure & Storage Providers: Utilized for high-security, encrypted storage of student profiles, logs, and report data;
  • AI Model & Computing Providers: Utilized to support core AI interview and report generation features (data is masked or de-identified prior to transmission);
  • Communication & Notification Providers: Utilized to send verification codes, system notifications, and email alerts;
  • Crash Monitoring & Performance Auditing: Utilized to capture real-time system crash logs and optimize client stability for white-label or B2C users.

We conduct strict security assessments on all our partners to ensure they maintain data protection capabilities equivalent to those of our Platform.

6.3 Mergers, Acquisitions, and Transfers

  • We will not transfer your personal information to any other third parties unless we obtain your explicit consent;
  • In the event of a merger, acquisition, asset transfer, or bankruptcy liquidation involving the transfer of personal information, we will require the successor to remain bound by this Privacy Policy; otherwise, the successor must obtain your authorization and consent anew.

VII. Data Security and Cross-Border Transmission

7.1 Technical and Managerial Security Measures

We implement physical, electronic, and managerial safety measures that conform to international industry standards to safeguard your data:

  • Transmission Encryption: All end-to-end data transmission across the Platform is required to use TLS/HTTPS encryption protocols;
  • Storage Encryption: Sensitive personal information (such as grades, psychometric data, essays, etc.) is encrypted at rest on the server side using high-strength cryptographic algorithms (such as AES-256);
  • Strict Access Control: Implementing strict Role-Based Access Control (RBAC), limiting personal data access strictly to essential personnel who have passed Multi-Factor Authentication (MFA);
  • Regular Security Audits: Conducting automated vulnerability scans, code audits, and penetration tests on a recurring basis;
  • Emergency & Notification Plan: Maintaining a robust data incident response mechanism. In the unfortunate event of a data breach, we will notify affected users, schools, and competent data protection authorities within the strict statutory timeframes required by applicable law.

Although we have implemented the above reasonable and effective security measures, there are still uncontrollable risks in the internet environment. We recommend that you use complex passwords, change them regularly, and never share your account information with others.

7.2 Cross-Border Data Transmission

To deliver globalized AI services, and subject to compliance with applicable laws, your data may be transferred to, stored, and processed on servers located outside your country of residence. Regardless of where the data is processed, we ensure it receives a level of protection no less than that required by this policy through the execution of Standard Contractual Clauses (SCCs) or other legally recognized data safeguard mechanisms.

VIII. Data Retention Period

We only retain your personal information for the minimum duration necessary to fulfill the service purposes outlined in this policy or as stipulated in our commercial contracts:

  • Core Account Information: Permanently deleted or anonymized within 30 days after your account cancellation request is approved;
  • Student Profiles, AI Reports, and Essays: Retained for 12 months after the expiration of the school's commercial contract with us (to facilitate student transfers or periodic institutional audits), unless the school explicitly requests immediate deletion upon contract termination;
  • Technical and Operational Logs: Automatically overwritten on a rolling basis, typically with a retention period not exceeding 6 months.

When data exceeds its retention period or the Platform ceases operations, we will ensure that such data is completely deleted or subjected to irreversible anonymization.

IX. Your Rights (Data Subject Rights)

In accordance with applicable data protection laws, we guarantee that you enjoy the following internationally recognized statutory rights regarding your personal information:

9.1 Right to Access and Information

You have the right to view and access your personal profile in "Account Settings." Counselors may view the student profiles they manage within the scope authorized by the school.

9.2 Right to Rectification

If you find that your personal information on the Platform is incorrect or incomplete, you have the right to correct it online or request that we update it.

9.3 Right to Erasure ("Right to be Forgotten")

You have the right to request the deletion of your personal information when:

  • A contract expires or you withdraw your consent;
  • We process data in violation of our agreement or applicable law.

9.4 Right to Withdraw Consent

You may withdraw authorization for specific functions (such as microphone access or device data) at any time through system settings. Withdrawing consent does not affect the lawfulness of any processing carried out prior to the withdrawal.

9.5 Right to Restrict Processing and Object

Under certain conditions (such as when you contest the accuracy of the data), you have the right to request that we restrict or pause the processing of your data.

9.6 Right to Data Portability

You or an authorized school administrator have the right to request the export of core student profile data in a structured, commonly used, and machine-readable format.

9.7 Right to Account Cancellation

You may voluntarily apply to cancel your account in "Account Settings." Account cancellation is irreversible; once completed, all your personal data will be wiped in accordance with the law.

9.8 Right to Lodge a Complaint

If you believe our processing of personal information has infringed upon your legitimate rights and interests, please contact us:

  • Email: contact@mentmi.com

We will respond to your complaint within 15 business days.

X. Amendments to the Privacy Policy

We may revise this Privacy Policy from time to time to align with changes in global legal environments or iterations of Platform functionalities. For any material or significant changes, we will notify you 30 days before the revisions take effect via prominent notices on the Platform, pop-up alerts, or email notifications sent to administrators. Your continued use of the Platform after the effective date signifies that you have fully read and accepted the revised Privacy Policy.

XI. Contact Us

If you have any questions, suggestions, or complaints regarding this Privacy Policy or our data processing practices, or if you wish to exercise your data subject rights, please contact us through our official compliance channels:

mentmi Privacy & Data Protection Team

Email: contact@mentmi.com

Official Website: www.mentmi.com

Upon verifying your identity, we will provide a formal written response to your request within 15 business days (or within any shorter statutory timeframe mandated by applicable law).