Menthra Privacy Policy — HIPAA Compliant Data Protection

Privacy Policy

Your data stays yours. Always.

Menthra is built on the principle that mental health data is the most sensitive data there is. This policy explains exactly what we collect, why, and how we protect it.

Last updated: April 1, 2026

Effective date: April 1, 2026

1. Who We Are

Menthra Inc. ("Menthra," "we," "us," or "our") is a Delaware C-Corporation headquartered in Frisco, Texas, USA. We operate a digital wellness platform that provides AI companion support, coaching, and licensed therapy services through our website (menthra.ai), web application (app.menthra.ai), and mobile applications (collectively, the "Platform").

This Privacy Policy applies to all users of the Platform, including individuals ("Clients"), therapists, coaches, and wellness creators ("Providers"), organizations deploying the Platform for their employees or students ("Organizations"), and visitors to our website.

2. What We Collect

2.1 Information you provide directly

  • Account information: name, email address, phone number, date of birth, password
  • Profile information: gender, location, timezone, communication preferences, emergency contact
  • Provider credentials: professional licenses, certifications, degrees, malpractice insurance, specializations
  • Conversation content: messages, voice recordings, video recordings, and files shared during AI companion sessions, coaching sessions, and therapy sessions
  • Assessment responses: mental health screenings, intake questionnaires, progress assessments, and goal-setting inputs
  • Payment information: billing address, payment method details (processed by our payment partners — we do not store full credit card numbers)
  • Support communications: emails, contact form submissions, and feedback

2.2 Information collected automatically

  • Device information: browser type, operating system, device identifiers, screen resolution
  • Usage data: pages visited, features used, session duration, click patterns, error logs
  • Log data: IP address, access times, referring URLs
  • Cookies and similar technologies: see our Cookie Policy at menthra.ai/cookies

2.3 Information derived through AI processing

  • Emotional signals: sentiment, emotional intensity, mood patterns extracted from conversations
  • Behavioral patterns: triggers, recurring themes, avoidance patterns, progress indicators
  • Risk assessments: crisis detection signals, safety flags
  • Session insights: AI-generated summaries, pattern recognition, and cross-session connections
  • Conversation starters: personalized prompts generated from your conversation history

IMPORTANT

All AI-derived information is generated to support YOUR wellness journey. It is never used to make decisions about you in contexts outside the Platform (employment, insurance, legal proceedings, etc.).

2.4 Information from third parties

  • Single Sign-On providers (Google, Apple, Microsoft): basic profile information if you choose to sign in with these services
  • Organization administrators: your work email and department if your employer or school deploys Menthra for you (your conversation content is NEVER shared with your organization)
  • Payment processors: transaction confirmation and fraud prevention data

3. How We Use Your Information

3.1 To provide the Platform

  • Deliver AI companion conversations with memory and continuity
  • Generate behavioral insights and pattern recognition
  • Enable coaching and therapy sessions with context transfer
  • Process payments and manage subscriptions
  • Detect crisis situations and provide safety resources

3.2 To improve the Platform

  • Analyze aggregate, anonymized usage patterns to improve features
  • Monitor system performance and fix technical issues
  • Develop new features based on aggregate user needs

3.3 To communicate with you

  • Send session reminders and platform notifications
  • Respond to support requests
  • Send important updates about Platform changes, security incidents, or policy updates
  • Marketing communications (only with your explicit consent, and you can opt out at any time)

3.4 To ensure safety and compliance

  • Detect and respond to crisis situations
  • Comply with mandatory reporting obligations
  • Prevent fraud, abuse, and unauthorized access
  • Meet legal and regulatory requirements

WE WILL NEVER:

  • Sell your personal data to anyone. Ever.
  • Share your conversation content with advertisers
  • Use your individual data for AI model training without your explicit, separate written consent
  • Allow your employer or school to see your conversation content (even if they pay for your access)
  • Use your data to make automated decisions with legal or significant effects without human review

4. How We Protect Your Information

4.1 Encryption

  • All data is encrypted in transit using TLS 1.2 or higher (256-bit SSL)
  • All data is encrypted at rest using AES-256 encryption
  • Conversation content receives additional application-layer encryption

4.2 Infrastructure

  • Hosted on Microsoft Azure with US-based data residency
  • Azure SOC 2 Type II certified infrastructure
  • Automated backup with geo-redundant storage
  • DDoS protection and web application firewall

4.3 Access controls

  • Role-based access with principle of least privilege
  • Multi-factor authentication for all administrative access
  • Regular access reviews and audit logging
  • Background checks for employees with data access

4.4 Monitoring

  • 24/7 security monitoring and alerting
  • Regular penetration testing by independent third parties
  • Vulnerability scanning and patch management
  • Incident response procedures with defined escalation paths

4.5 Breach notification

If we become aware of a security breach affecting your personal data, we will notify you within 72 hours via email and in-app notification, as well as any applicable regulatory authorities as required by law.

5. HIPAA Compliance

Menthra maintains compliance with the Health Insurance Portability and Accountability Act (HIPAA) for all health-related data processed on the Platform.

5.1 Protected Health Information (PHI)

Your conversations with AI companions and human providers, session notes, assessment results, behavioral health data, and any information that relates to your health condition, care, or payment for care constitute PHI under HIPAA.

5.2 Business Associate Agreements

We maintain signed Business Associate Agreements (BAAs) with all third-party service providers who may access PHI, including Microsoft Azure (infrastructure), OpenAI (AI processing), HeyGen (avatar technology), ElevenLabs (voice synthesis), and Deepgram (speech recognition).

5.3 Minimum necessary standard

We limit access to PHI to the minimum necessary to accomplish the intended purpose. AI processing uses only the data required to provide your requested service.

5.4 Your HIPAA rights

  • Right to access your PHI
  • Right to request amendment of your PHI
  • Right to an accounting of disclosures
  • Right to request restrictions on certain uses
  • Right to receive confidential communications
  • Right to a copy of this notice

See our full HIPAA Notice of Privacy Practices at menthra.ai/hipaa-notice.

6. COPPA Compliance (Children and Teens)

6.1 Age restrictions

  • Users must be at least 13 years old to use the Platform
  • Users between 13 and 17 require parental or guardian consent
  • We do not knowingly collect data from children under 13 without verified parental consent

6.2 Parental controls

  • Parents and guardians can review their child's account status and engagement metrics (not conversation content)
  • Parents can request deletion of their child's account and data
  • Crisis detection alerts are sent to designated parent contacts for users under 18

6.3 Data minimization for minors

We collect only the minimum data necessary to provide the service for users under 18. We do not use minor data for marketing purposes. We do not share minor data with third parties except as required for Platform operation or by law.

7. Organization Deployments (Enterprise and Education)

When Menthra is deployed by an Organization (employer, school, university) for its members:

7.1 What the Organization CAN see

  • Aggregate, anonymized wellness insights (e.g., "40% of users reported improved stress levels")
  • Overall engagement metrics (number of active users, session frequency)
  • Crisis intervention counts (without identifying individuals)

7.2 What the Organization CANNOT see

  • Individual conversation content — NEVER
  • Individual user identities in wellness reports — NEVER
  • Which specific employees or students are using the Platform
  • Individual assessment scores or progress data

7.3 Data ownership

  • Your conversations belong to you, not your Organization
  • If you leave the Organization, your data stays with you (you can transfer it to a personal account)
  • If the Organization discontinues Menthra, you will be notified and given the opportunity to export your data

8. AI and Automated Processing

8.1 How AI processes your data

Menthra uses artificial intelligence to analyze your conversations and generate insights. This includes emotional signal extraction, pattern recognition, risk detection, and personalized response generation. All AI processing occurs on secure servers — your data is never processed on your local device.

8.2 AI model training

We do NOT use your individual conversation data to train, fine-tune, or improve our AI models unless you provide separate, explicit written consent. Our AI improvements are based on aggregate, de-identified data patterns only.

8.3 Provider digital twins

If you interact with a Provider's AI digital twin, the twin processes your conversation using the Provider's training content and Menthra's AI systems. The Provider may review conversation summaries and insights as part of your care — this is disclosed to you before your first session with their twin.

8.4 Automated decisions

Crisis detection is an automated process that may trigger escalation to human support. This is the only automated decision with significant effect on users. All other AI-generated insights are informational — they do not make decisions about your care, access, or status on the Platform.

9. Data Sharing and Third Parties

We share your data only with the following categories of recipients, and only to the extent necessary:

9.1 Service providers (under contract with data protection terms)

  • Microsoft Azure: cloud infrastructure and data storage
  • OpenAI: conversational AI processing
  • HeyGen: avatar generation and video streaming
  • ElevenLabs: voice synthesis
  • Deepgram: speech-to-text processing
  • Payment processors: Stripe (US), Cashfree/Razorpay (India)
  • Analytics: anonymized usage data only

9.2 Your Providers

If you use coaching or therapy services, your Provider may access conversation summaries, progress data, and session notes as part of your care relationship. They cannot access data from other Providers you use on the Platform.

9.3 Legal requirements

We may disclose data when required by law, including:

  • Valid court orders or subpoenas
  • Mandatory reporting obligations (child abuse, imminent harm)
  • Regulatory investigations by health authorities

9.4 Business transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer and your options.

We NEVER share data with:

  • Advertisers or ad networks
  • Data brokers
  • Insurance companies (unless you explicitly authorize it)
  • Employers or schools (conversation content — see Section 7)

10. Data Retention

  • Active account data: retained as long as your account is active
  • Conversation history: retained as long as your account is active (this is core to the memory feature of the Platform)
  • Closed account data: deleted within 90 days of account closure, except where legal retention is required
  • Backup data: purged within 180 days of deletion from primary systems
  • Analytics data: retained in aggregate, anonymized form indefinitely
  • Legal hold data: retained as required by law or pending legal proceedings

You can request deletion of your data at any time by emailing privacy@menthra.ai. We will process deletion requests within 30 days.

11. Your Rights

Depending on your jurisdiction, you may have the following rights:

11.1 All users

  • Right to access your data
  • Right to correct inaccurate data
  • Right to delete your data
  • Right to export your data in a portable format
  • Right to opt out of marketing communications
  • Right to withdraw consent for optional data processing

11.2 California residents (CCPA/CPRA)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

11.3 European residents (GDPR)

  • Right to data portability
  • Right to restriction of processing
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

11.4 India residents (DPDP Act)

  • Right to access personal data
  • Right to correction and erasure
  • Right to nominate a representative
  • Right to grievance redressal

To exercise any of these rights, contact privacy@menthra.ai. We will respond within 30 days.

12. International Data Transfers

Menthra processes data primarily in the United States on Microsoft Azure infrastructure. If you access the Platform from outside the United States, your data will be transferred to and processed in the United States.

For users in the European Economic Area, we rely on Standard Contractual Clauses approved by the European Commission for cross-border data transfers.

For users in India, we comply with the Digital Personal Data Protection Act including data localization requirements as applicable.

13. Cookies and Tracking

We use cookies and similar technologies as described in our Cookie Policy. We do not use advertising cookies or allow third-party advertising trackers on the Platform.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or prominent notice on the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

15. Contact

Complaints about data handling may also be directed to:

  • U.S. Department of Health and Human Services (HIPAA)
  • Your state Attorney General (state privacy laws)
  • A supervisory authority in your jurisdiction (GDPR)

Questions about our privacy practices?

Contact our privacy team at privacy@menthra.ai or visit our Contact page.
