This Privacy Notice explains how Mentalley ("Mentalley", "we", "our", or "us") collects, uses, discloses, and safeguards information when you use our website, mobile experiences, or related services (collectively, the "Services"). Because Mentalley provides access to mental health therapy, certain information you choose to share may be sensitive. We only collect what we need to deliver the Services, and we do not sell your data.

IF YOU DO NOT AGREE WITH THIS NOTICE, PLEASE DO NOT USE THIS SERVICE. WHILE THIS STATEMENT PROVIDES A GENERAL GUIDELINE, IT IS HIGHLY RECOMMENDED TO CONSULT WITH A QUALIFIED ATTORNEY TO ENSURE THAT YOUR TERMS OF SERVICE ARE COMPLIANT WITH ALL APPLICABLE LAWS AND REGULATIONS. DO NOT USE THIS SERVICE FOR EMERGENCY MEDICAL NEEDS. IF YOU EXPERIENCE A MEDICAL EMERGENCY, IMMEDIATELY CONTACT 911 (IN THE US), 999 (IN THE UK), OR YOUR LOCAL EMERGENCY SERVICES.

Mentalley is a platform that connects clients with licensed therapists and enables scheduling, messaging, video sessions, and related features. This Notice applies to information we collect directly from you, automatically through your devices, or from third parties that you authorize (for example, when you sign in with Google or Apple).

We may update this Notice from time to time. We will change the "Effective Date" above and may notify you by posting an in-product banner, sending an email, or similar means. Your continued use of the Services after an update constitutes acceptance of the revised Notice.

A) Account & Identity Information: name, email address, password hashes, profile photo (optional), role (for example, "USER" or "THERAPIST"), and verification status.

B) Contact & Demographic Information: country/region, language, age confirmation (we require users to be 18+ unless a parent/guardian explicitly consents for teen services where available).

C) Authentication & Security: sign-in provider identifiers (Google/Apple/GitHub/Twitter), session tokens, two-factor codes, verification tokens, IP address, device identifiers.

D) Therapy-Related Information You Choose to Provide: intake answers, goals, preferences, messages to your therapist, session notes you submit, files you upload, and any other content you voluntarily share.

E) Therapist Profile & Credentials (Therapists Only): qualifications, licenses, bio, verification documents, availability, and payout or tax details as required by law or our provider terms.

F) Payment & Billing: the fact of payment, payment method type, transaction metadata, and billing country. Sensitive card details are handled by third-party processors and are not stored by Mentalley.

G) Usage & Device Data: log data, pages viewed, time stamps, referral URLs, approximate location derived from IP, browser and device information, crash and performance data.

H) Communications: emails you send us, support tickets, and marketing preferences (opt-in/opt-out).

I) Cookies & Similar Technologies: necessary cookies for login, security, session continuity, as well as optional analytics cookies (see Section 8).

We collect information directly from you; automatically from your browser, app, and devices; from therapists who use the platform; from payment, email, and analytics providers that support our Services; and from sign-in providers when you choose to log in with them.

A) Provide & Secure the Services: account creation, authentication (including OAuth and 2FA), session management, therapist matching, content hosting, and fraud prevention.

B) Therapy Delivery: enabling messaging, calls, scheduling, reminders, and secure exchange of information between you and your therapist at your direction.

C) Payments: to process subscriptions and one-time charges, resolve disputes, and comply with tax and accounting obligations.

D) Communications & Support: respond to inquiries, send notices about your account, deliver transactional emails (for example, verification or 2FA codes).

E) Analytics & Product Improvement: to understand usage, fix bugs, and improve performance and features.

F) Legal Compliance & Safety: comply with law, enforce our terms, and protect rights, safety, and security.

We do not use your therapy-related content for advertising. We do not sell your personal information.

Where the GDPR/UK GDPR applies, we process personal data as needed for: (i) performance of a contract (to provide the Services); (ii) our legitimate interests (for example, service security and improvement); (iii) compliance with legal obligations; or (iv) your consent (for example, non-essential analytics cookies or marketing emails). You may withdraw consent at any time.

We share information only as described below:

A) With Therapists You Choose: information you submit for care is shared with your selected therapist, under confidentiality obligations consistent with applicable law and our provider terms.

B) Service Providers (Processors): hosting and infrastructure, database and email delivery, authentication, analytics, and payment processors act on our instructions to help deliver the Services.

C) Sign-In Providers: if you log in with Google, Apple, GitHub, or Twitter, we receive the account identity they share (for example, email) to authenticate you.

D) Payments: transactions are processed by third-party payment processors; they receive billing data necessary to complete the transaction.

E) Compliance & Safety: we may disclose information to comply with legal obligations or in response to lawful requests, and to protect the rights, property, or safety of you, us, therapists, or others.

F) Business Transfers: if we undergo a merger, acquisition, or asset sale, your information may be transferred as part of that transaction, subject to this Notice.

We do not share data with third parties for their own advertising purposes.

A) Strictly Necessary Cookies: required for login, security, and core functionality.

B) Preferences & Features: to remember choices such as language.

C) Analytics (Optional): to measure usage and improve the Services. Where required, we request your consent for non-essential cookies. Most browsers let you control or block cookies.

We honor applicable consent requirements and provide opt-out mechanisms where legally required. Do Not Track signals may not be recognized by our systems.

We retain personal data only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods include: account and authentication records for the life of the account; payment and tax records for the period required by law; support tickets and logs for a reasonable period to investigate issues and improve service. We may anonymize data for statistical and safety purposes.

We employ administrative, technical, and organizational safeguards designed to protect personal data, including encryption in transit, restricted access, and least-privilege controls. No method of transmission or storage is 100% secure; you are responsible for maintaining the secrecy of your login credentials and enabling 2FA where available.

Your information may be processed and stored in countries other than your own. Where required, we use appropriate safeguards such as Standard Contractual Clauses for cross-border transfers. By using the Services, you acknowledge such transfers.

The Services are intended for individuals 18 years and older. We do not knowingly collect personal data from children under 13. Teen services, where available, require verifiable parental or guardian consent and are subject to additional safeguards. If you believe a child has provided us information, contact us and we will take appropriate steps to delete it.

Depending on your location, you may have rights to access, correct, update, delete, restrict, or object to processing of your personal data, and to data portability. You may also have the right to withdraw consent and to lodge a complaint with your local supervisory authority. California residents may have additional rights, including the right to know, delete, correct, opt out of sale or sharing, and to limit use and disclosure of sensitive personal information. To exercise rights, contact us at engage@mentalley.com

You may request account deletion or a copy of your data by contacting engage@mentalley.com or visiting mentalley.com/help. We will verify your request and process it subject to applicable legal exemptions (for example, retaining records required for tax, fraud prevention, or legal compliance).

Mentalley is not a substitute for emergency care. If you are in danger or considering harm to yourself or others, call your local emergency number immediately. Crisis resources are listed on our site. Do not wait for a therapist or for an in-app message in an emergency.
Google: we may receive your name, profile image and email.
Apple: we receive a stable Apple user identifier and, if you choose, an email address (which may be an Apple private relay).
X (Twitter): we receive your user ID and public profile info; X does not provide email via OAuth 2.0.

We store only what’s needed for login (provider ID, display name, avatar URL, email if provided) and OAuth tokens to keep you signed in. We do not post, DM, or read private data from your accounts, and we do not sell this data.

Revoke access: You can disconnect access at the provider at any time (Google: Account → Security → Third-party access; Apple: Apple ID → Password & Security → Apps using Apple ID; X: Settings → Security & account access → Apps). We also provide in-app account deletion and token revocation.

Deletion: If you delete your Mentalley account or disconnect a provider, we delete OAuth tokens and the provider link within 72 hours, and permanently purge related identifiers within 30 days except where law requires retention (e.g., fraud prevention, accounting).

We offer sign-in via Google, Apple, and X (Twitter). When you choose one of these, we receive a unique identifier and basic profile info the provider shares to authenticate you and create or link your account.

A) Sign in with Google / Apple / GitHub / Twitter: if you choose a third-party sign-in, we receive the basic account details those providers share (for example, your email and a unique identifier) to authenticate you and create or link your account. We do not use these details for third-party advertising.

B) Apple App Store Data Types: we may collect identifiers (for example, email, user ID), contact information, usage data, diagnostics, and content you submit. These data are used for app functionality, account management, and security, and, with your consent where required, for analytics and product improvement. We do not track you across other companies' apps and websites for advertising.

C) Google Play Data Safety: the app discloses collection of personal info, messages you choose to send to your therapist, device or app performance data, and diagnostics. Data are encrypted in transit, you can request deletion, and collection is limited to features you use. We do not sell your data.

Payments are processed by third-party processors. We receive limited transaction metadata (for example, success or failure, currency, and amounts) and do not store full card numbers. Your payment data are subject to the processor's own privacy policy in addition to this Notice.

We do not sell your personal information. We do not use therapy session content, messages, or therapy-related information for targeted advertising.

If you have questions or requests about this Notice or our data practices, contact us at engage@mentalley.com or via the contact page at mentalley.com/help. We will respond within the time period required by applicable law.

Mentalley shall not be liable for any delay or failure to perform its obligations under these Terms due to causes beyond our reasonable control, including, but not limited to, acts of God, war, terrorism, pandemics, riots, embargoes, actions of civil or military authorities, government actions, cyber attacks by public or private parties including state or quasi-state actors, fire, floods, accidents, strikes, or shortages of transportation facilities, fuel, energy, labor, or materials.

© 2025 | Mentalley | All rights reserved.

Effective Date: August 10, 2025