This Privacy Policy ("Policy") explains how Mentora LMS, a company incorporated in England and Wales ("we", "us", "our", or "The Processor"), collects, uses, discloses, and protects personal data in connection with the Mentora LMS platform (the "Platform").
The Platform is a software-as-a-service (SaaS) learning management system provided on a business-to-business (B2B) basis, allowing our customers ("Customers" or "Controller") to deploy and manage educational materials and courses for their designated employees and instructors ("Authorized Users"). We are committed to protecting personal data in compliance with the General Data Protection Regulation ("GDPR"). This Policy applies to all personal data we process as a controller or processor in relation to the Platform.
When we collect personal data directly from Customer representatives (e.g., for account setup, billing, or support), we act as the data controller, determining the purposes and means of processing. However, when we process personal data on behalf of a Customer (e.g., data of Authorized Users uploaded or generated through the Platform), we act as a data processor, following the Customer's instructions. In such cases, the Customer is the data controller responsible for ensuring lawful processing, and a data processing agreement (DPA) compliant with Article 28 of the GDPR will be incorporated into our Terms and Conditions ("Terms").
If you are an Authorized User, your personal data is primarily controlled by your employer (the Customer). You should refer to their privacy policies for primary details on how they handle your data. This Policy focuses on our processing activities. We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
This Policy uses a layered approach where possible, providing key information upfront with links or expansions for more details. We reserve the right to update this Policy at any time by posting the revised version on the Platform or notifying Customers via email. Changes will take effect 3 days after notice, unless a shorter period is required for legal reasons. Your continued use of the Platform after such changes constitutes acceptance.
Terms defined in our Terms of Service have the same meaning here, including "Personal Data", "Customer Data", "Authorized Users", "Content", and "Platform". Additional definitions:
We only collect Personal Data that is necessary for providing the Platform and related services. We do not collect Special Category Data unless it is explicitly included in Content uploaded by the Customer, in which case the Customer (as controller) must ensure a lawful basis exists, such as explicit consent or employment-related processing. The categories of Personal Data we collect include:
We minimize data collection and do not require individuals to provide Personal Data under statutory or contractual obligations unless specified by the Customer (e.g., for mandatory training). If data is not provided, certain Platform features may be unavailable, such as course access.
We collect Personal Data through the following methods:
We process Personal Data only for specified, explicit, and legitimate purposes. Below is a table linking the purposes of processing, the categories of Personal Data involved, and the applicable legal bases. Where we act as processor, processing is strictly per Customer instructions according to Terms and Conditions.
| Purpose | Categories of Personal Data | Legal Basis |
|---|---|---|
| Providing and maintaining the Platform, including hosting Content, managing user access, and tracking course progress for Authorized Users. | Account and profile information; Activity and engagement data; Content-embedded data; Technical and log data. | Performance of a contract (b) with the Customer; Legitimate interests (f) in efficient service delivery. |
| Billing, invoicing, and administering Subscriptions, including payment processing and account management. | Contact and identification information; Billing and payment information. | Performance of a contract (b). |
| Providing customer support, responding to queries, and troubleshooting issues. | Contact and identification information; Activity and engagement data; Technical and log data. | Performance of a contract (b); Legitimate interests (f) in resolving issues promptly. |
| Improving the Platform through analytics, bug fixes, and feature development (using anonymized or aggregated data where possible). | Usage and analytics data; Activity and engagement data; Technical and log data. | Legitimate interests (f) in enhancing product quality and user experience. |
| Ensuring security, preventing fraud, and complying with legal obligations (e.g., auditing). | All categories as relevant. | Legal obligation (c); Legitimate interests (f) in protecting the Platform and users. |
| Sending service-related communications (e.g., updates on Platform changes) to Customers. | Contact and identification information. | Legitimate interests (f); Consent (a) if opting in for non-essential updates. |
For any Special Category Data in Content, we do not process such data independently. You have the right to object to processing based on legitimate interests (see Section 8). Where consent is relied upon, it can be withdrawn at any time via [email protected], and withdrawal is as easy as giving consent.
We share Personal Data only when necessary and with appropriate safeguards:
5.1 With Sub-Processors: We use trusted third-party providers for services like cloud hosting (e.g., AWS), payment processing (e.g., PayPal), and AI services (e.g., OpenAI, Gemini). By using the Mentora LMS Platform you agree to be bound by Sub-processors' Terms and Privacy Policies. A current list of sub-processors is available upon request at [email protected].
5.2 With Affiliates: For internal administrative purposes, limited to entities under common control and subject to this Policy.
5.3 For Legal Reasons: To comply with laws, respond to court orders, or protect rights, property, or safety (e.g., in legal disputes).
5.4 In Business Transfers: If we undergo a merger, acquisition, or asset sale, Personal Data may be transferred to the acquiring entity, with notice provided where required.
5.5 International Transfers: Personal Data may be transferred to countries such as the US for certain sub-processors.
We do not sell or rent Personal Data.
We implement technical and organizational measures to secure Personal Data against unauthorized access, loss, alteration, or destruction. These include:
While we take all reasonable steps, no system is infallible. In the event of a personal data breach likely to result in high risk to individuals' rights, we will notify affected Data Subjects without undue delay.
We retain Personal Data only as long as necessary for the purposes outlined, or as required by law. Specific criteria and examples include:
Upon Subscription termination, we delete or return all Customer Data within 30 days, except for legally required backups (retained up to 6 months, inaccessible for other uses). Anonymized aggregates may be kept indefinitely for statistical purposes. For precise retention per data type, contact [email protected].
Authorized Users have the following rights regarding their Personal Data. These may be limited if we act as processor (in which case, contact your Employer first):
Right of Access:
Obtain confirmation of processing and a copy of your data.
Right to Rectification:
Correct inaccurate or incomplete data.
Right to Erasure ('Right to be Forgotten'):
Request deletion where no longer necessary or consent is withdrawn (subject to exceptions like legal obligations).
Right to Restriction of Processing:
Limit processing in certain cases, e.g., while accuracy is verified.
Right to Data Portability:
Receive your data in a structured, machine-readable format and transfer it to another controller.
Right to Object:
Object to processing based on legitimate interests or direct marketing, including profiling. We will stop unless compelling grounds override.
Right Not to Be Subject to Automated Decision-Making:
As noted, we do not engage in this.
Right to Withdraw Consent:
Where processing relies on consent, withdraw at any time without affecting prior lawfulness.
To exercise these rights, email [email protected] with details of your request. We may require identity verification. Responses are free unless requests are manifestly unfounded or excessive.
We use only essential cookies for core Platform functionality, such as session management and authentication. These are strictly necessary and do not require consent. No non-essential cookies (e.g., for advertising or third-party tracking) are used.
The Platform is designed for professional use and not intended for individuals under 18 years old. We do not knowingly collect Personal Data from children. If we become aware of such data, we will delete it immediately and notify the Customer.
The Platform may contain links to third-party websites or services (e.g., PayPal, OpenAI). We are not responsible for their privacy practices. Review their policies before interacting with the Mentora LMS Platform.
This Policy is governed by the laws of England and Wales. Any disputes will be resolved in accordance with our Terms.