Privacy Policy

Last updated: 24 February 2026

1. Data Controller

Mentione is operated by Hoogers Digital B.V., a private limited company registered in the Netherlands (KvK 85329495, VAT NL863587653B01), with its principal office at Veemkade 300, 1019 HD, Amsterdam, Netherlands (“we”, “us”, “our”).

Questions about this policy or your personal data? Contact us at privacy@mentione.io.

2. Scope of This Policy

This Privacy Policy applies to personal data collected and processed when you visit mentione.io, create an account, use the Mentione platform, or connect third-party services such as Google Ads to your Mentione workspace.

This policy is written to satisfy the requirements of the EU General Data Protection Regulation (GDPR) and the Dutch UAVG, as well as Google's OAuth API Services User Data Policy.

3. Data We Collect

3.1 Account & profile data

When you register or sign in via Google OAuth or magic-link email, we collect your email address, name (if provided by your identity provider), and a unique user identifier. We store this alongside your organisation name and billing plan.

3.2 Google user data (OAuth)

When you connect a Google Ads account to Mentione, we request access to the https://www.googleapis.com/auth/adwords scope. This allows Mentione to:

  • List the Google Ads customer accounts accessible to your Google account
  • Read campaign names and daily budget values for campaigns you select as rule targets
  • Update campaign status (enable/pause) and daily budget on your explicit instruction via a trigger rule

We store only the OAuth refresh token required to maintain access between sessions. Refresh tokens are stored encrypted in Supabase Vault (AES-256) and are never written to plain-text database columns, log files, or transmitted outside our infrastructure. We do not store a copy of your Google Ads data beyond what is needed to display connected account names in the Mentione interface.

Mentione's use of Google user data is limited to the practices disclosed in this Privacy Policy and complies with the Google API Services User Data Policy, including the Limited Use requirements.

3.3 Usage & technical data

We collect server-side logs (via Axiom), error reports (via Sentry), and anonymous usage telemetry to operate and improve the service. This includes IP addresses, browser type, pages visited, and timestamps. Logs are retained for a maximum of 90 days.

3.4 Payment data

Billing is handled by Stripe. We do not store card numbers or full payment details on our servers. We retain Stripe customer IDs and subscription identifiers to manage your plan. Stripe's privacy policy applies to payment processing.

3.5 News & mention content

Mentione fetches publicly available news articles from third-party sources (GDELT, Bing News Search) based on keywords you configure. The headline, URL, snippet, and publication date of matching articles are stored in your workspace. This is public content and does not constitute personal data in most cases.

4. How We Use Your Data

We use data collected for the following purposes:

  • Providing, operating, and maintaining the Mentione platform
  • Authenticating your identity and maintaining your session
  • Executing trigger rules that you create — including making API calls to Google Ads on your behalf
  • Sending transactional emails (trigger notifications, approval requests, billing alerts) via Resend
  • Diagnosing errors and improving platform reliability
  • Complying with our legal obligations

We do not use your Google user data to serve advertising or train AI models, and we do not share it with third parties for their own purposes. We do not sell personal data.

6. Data Sharing & Sub-processors

We share data only with sub-processors necessary to deliver the service. Each is bound by a Data Processing Agreement (DPA):

Sub-processor | Purpose | Location
Supabase | Database, authentication, encrypted secret storage | EU (Frankfurt)
Vercel | Application hosting, edge functions | EU (preferred)
OpenAI | AI sentiment scoring of news article headlines and snippets | USA (SCCs apply)
Stripe | Payment processing and subscription management | USA (SCCs apply)
Resend | Transactional email delivery | USA (SCCs apply)
Trigger.dev | Background job execution for news ingestion and rule evaluation | EU
Sentry | Error monitoring and crash reporting | USA (SCCs apply)
Axiom | Server-side application logging | USA (SCCs apply)
Google Ads API | Executing campaign actions on your behalf | Google infrastructure

For transfers to the USA, Standard Contractual Clauses (SCCs) as approved by the European Commission serve as the transfer mechanism under GDPR Chapter V.

7. Data Retention

  • Account data: retained while your account is active, then deleted within 30 days of account closure
  • Google OAuth tokens: deleted immediately when you disconnect the Google Ads integration or close your account
  • Trigger event audit logs: retained for 12 months, then automatically deleted
  • News mentions and sentiment scores: retained for 12 months
  • Server logs and error reports: retained for 90 days
  • Invoices and financial records: retained for 7 years as required by Dutch tax law

8. Your Rights

Under the GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — revoke any consent you have given at any time

To exercise any right, email privacy@mentione.io. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).

Revoking Google Ads access

You can disconnect your Google Ads account at any time in Integrations. This immediately deletes the stored OAuth refresh token. You can also revoke access directly via Google Account Permissions.

9. Security

We implement technical and organisational measures appropriate to the risk, including:

  • Encryption of OAuth tokens at rest using Supabase Vault (AES-256)
  • TLS encryption for all data in transit
  • Row-Level Security (RLS) on all database tables — users can only access their own organisation's data
  • Service-role keys for background jobs, never exposed to client-side code
  • Leaked password protection and secure session management via Supabase Auth

Despite these measures, no system is perfectly secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.

10. Cookies & Local Storage

Mentione uses session cookies solely for authentication (managed by Supabase Auth). We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No consent banner is required for strictly necessary cookies under the Dutch Telecommunications Act.

11. Children

Mentione is a business-to-business service intended for users aged 18 and over. We do not knowingly collect personal data from children under 16. If we become aware that a child has provided us with data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to registered users and/or an in-app notice at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact

Hoogers Digital B.V.

Veemkade 300, 1019 HD Amsterdam, Netherlands

KvK 85329495 · VAT NL863587653B01

Email: privacy@mentione.io