Legal — Mentage LLC

Privacy Policy

MEVA Platform · Effective Date: April 8, 2026

Note: MEVA is a general wellness platform. It is not a medical device, clinical assessment tool, diagnostic instrument, or screening instrument, and is not intended to diagnose, treat, cure, mitigate, prevent, or monitor any disease or medical condition.

Section 1

Scope of this Policy

This Privacy Policy ("Policy") describes how Mentage LLC ("Mentage," "we," "us," or "our") collects, uses, stores, discloses, and protects information in connection with your access to and use of the MEVA platform, including all associated websites, applications, and services (collectively, the "Service").

MEVA is a general wellness platform. It is not a medical device, clinical assessment tool, diagnostic instrument, or screening instrument, and is not intended to diagnose, treat, cure, mitigate, prevent, or monitor any disease or medical condition.

This Policy governs information collected through the Service. It does not apply to information collected by third parties, including third-party websites or services linked from or integrated with the Service.

By creating an account or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, do not create an account or use the Service.

Section 2

Information Collected

Mentage collects the following categories of information in connection with the Service:

Account Registration Information

When you create an account, we collect your email address and password. Authentication is managed through AWS Cognito.

Technical Data

We collect limited technical data necessary to operate, maintain, and secure the Service. This includes: (a) IP address; (b) User Agent and browser details; and (c) error logs, collected automatically through standard server-side processes. CloudFront access logs are retained in an S3 bucket with Object Lock COMPLIANCE mode enforcing a 2,557-day retention period.

Device and Session Data

Authentication through AWS Cognito stores session data in your browser's local storage to maintain your authenticated session. This includes the following data, stored using the amazon-cognito-identity-js SDK:

Username (your email address) — persists until you sign out or clear your browser's local storage;

ID Token (JWT) — expires approximately one hour after issuance and is silently refreshed while your session is active;

Access Token (JWT) — expires approximately one hour after issuance and is silently refreshed while your session is active;

Refresh Token — persists in local storage for up to thirty (30) days and is cleared when you sign out; and

Clock Drift Value — a clock synchronization value used by the SDK; persists until you sign out or clear your browser's local storage.

This data is stored in first-party local storage scoped to the Mentage application domain. It is used solely for authentication and session management and is not used for advertising, analytics, or third-party tracking. You can clear this data at any time by signing out of the Service or clearing your browser's local storage.

Payment Transaction Data

Subscription and token purchases are processed through Stripe's hosted checkout, which operates on Stripe's own domain (checkout.stripe.com). You are redirected to Stripe's hosted checkout page to complete any purchase. No payment card data is transmitted through or processed on the Mentage application domain. Mentage does not directly receive or store your full payment card number. Mentage may receive from Stripe limited transaction metadata — including payment confirmation, transaction identifiers, card type, and the last four digits of your card number — for subscription management and recordkeeping.

User-Submitted Information

Depending on the features you use, you may submit information, responses, wellness data, or other content in the course of using the Service. See also Section 8A of the Terms of Service (User-Submitted Content).

Consent Records

When you complete the onboarding consent flow, Mentage records your acceptance event in a consent table, capturing: a server-generated event UUID, your patient UUID, consent type, consent version, acceptance status, server-generated timestamp, IP address, User Agent string, and a retention date calculated from the date of consent creation. Consent records are subject to a minimum retention period and may survive account deletion in anonymized form. See Section 8 for details.

Provider-Originated Data — Business Associate Context

In certain arrangements where Mentage provides services on behalf of a healthcare provider or covered entity under a signed Business Associate Agreement ("BAA"), Mentage may receive, store, or transmit protected health information ("PHI") as defined under HIPAA. See Section 14 for details, including important disclosures regarding the current platform architecture.

Section 3

How Information is Collected

Mentage collects information in the following ways:

Directly from you: when you register for an account, make a purchase, use Service features, or communicate with us.

Automatically: when you access the Service, through standard server-side infrastructure, including IP address, User Agent and browser details, and CloudFront access logs.

Through authentication session storage: the Cognito SDK writes session data to your browser's local storage upon sign-in as described in Section 2.

From Stripe: Mentage receives limited transaction metadata from Stripe following a completed purchase as described in Section 2.

Based on current operational facts confirmed by internal audit (April 13, 2026): Mentage does not embed third-party tracking scripts, third-party analytics tools, or third-party data collection software within the user-facing application. No Stripe-originated cookies or local storage entries are set on the Mentage application domain. Mentage does not collect biometric identifiers, MAC addresses, or precise physical location data. CloudFront does not forward geolocation headers to the backend origin.

Section 4

How Information is Used

Mentage uses collected information for the following purposes:

To provide, operate, maintain, and improve the Service;

To create and manage your account, authenticate your identity, and process transactions;

To process payments and manage subscriptions through Stripe;

To communicate with you about your account, transactions, service updates, and support inquiries;

To detect, investigate, and prevent fraud, unauthorized access, and other illegal or harmful activities;

To enforce our Terms of Service and other applicable agreements;

To comply with applicable legal obligations, respond to lawful requests, and protect the rights, property, or safety of Mentage, our users, or others; and

For any other purpose disclosed to you at the time of collection or with your consent.

Section 5

Disclosure of Information

Mentage does not sell your personal information.

Mentage may disclose information in the following circumstances:

Service Providers

Mentage shares information with third-party service providers that perform functions on our behalf, including Amazon Web Services (cloud hosting, data storage, and CloudFront access log management), AWS Cognito (authentication), and Stripe (payment processing). These providers access information only as necessary to perform their functions and are contractually obligated to maintain its confidentiality and security.

Legal and Regulatory Compliance

Mentage may disclose information as required by applicable law, regulation, legal process, or valid governmental request, or where Mentage reasonably believes disclosure is necessary to prevent or investigate fraud, enforce these Terms, or protect the rights, property, or safety of Mentage, our users, or others.

Corporate Transactions

In connection with a merger, acquisition, financing, reorganization, sale of assets, or similar business transaction, your information may be transferred or disclosed as part of that transaction, subject to customary confidentiality arrangements.

With Your Consent

Mentage may share information when you direct us to do so or otherwise provide your consent.

Section 6

Payment Processing — Stripe

Subscription and token purchases are processed exclusively through Stripe's hosted checkout, operating on Stripe's own domain (checkout.stripe.com). When you initiate a purchase, you are redirected from the Mentage application to Stripe's domain to complete the transaction. No payment processing code from Stripe runs on the Mentage application domain, and no Stripe-originated cookies or storage entries are set on the Mentage application domain.

Stripe may set its own cookies or storage entries on checkout.stripe.com in accordance with Stripe's own privacy policy. Those technologies are scoped to Stripe's domain and are not accessible to or controlled by Mentage. For information about Stripe's privacy and security practices, visit stripe.com/privacy.

Mentage may receive from Stripe limited transaction metadata for subscription management and recordkeeping: payment confirmation status, transaction identifiers, card type, and the last four digits of your card number.

Section 7

Hosting and Infrastructure

The Service is hosted on Amazon Web Services ("AWS"). User data is stored in AWS RDS databases located in the us-east-1 (Northern Virginia) region, deployed across multiple availability zones, with automated database backups retained on a 35-day rolling window for production (03:00–04:00 UTC backup window) and a 7-day rolling window for development. Long-term archival beyond 35 days is maintained through the AWS Backup ArchiveBackupVault with monthly recovery points retained for 2,555 days (approximately 7 years). Authentication is managed through AWS Cognito.

Mentage selects infrastructure providers that maintain industry-standard security certifications. Mentage does not control and is not responsible for the independent security practices of third-party infrastructure providers.

Section 8

Data Retention and Deletion

Information is stored on servers located in the United States (AWS us-east-1 region).

Mentage retains account data and associated records for seven (7) years following account inactivity. As of April 13, 2026, this retention period is technically enforced at multiple layers: (a) RDS snapshots are archived through the AWS Backup ArchiveBackupVault with monthly recovery points retained for 2,555 days; (b) CloudFront access logs are retained in an S3 bucket with Object Lock COMPLIANCE mode set to 2,557 days; and (c) consent records include a row-level retain_until column set at record creation to created_at plus 2,555 days. This retention period reflects Mentage's current legal, operational, contractual, and business requirements and is not uniformly mandated by HIPAA across all of Mentage's business lines.

Log-level data, including server logs, error logs, access logs, and infrastructure diagnostic data retained through AWS CloudWatch Logs or similar services, may be retained for periods that differ from account-level data retention periods based on Mentage's operational, security, and compliance requirements. Log-level data is treated as a distinct category from account data for retention purposes.

Consent records created at account registration are subject to a minimum retention period calculated from the date of consent creation, which may extend beyond the standard account data retention period and may survive account deletion. Following account deletion, Mentage retains consent records in a form that has been stripped of directly identifying personal information — including IP address and User Agent string — while preserving the record of acceptance and its associated timestamp for purposes of enforceability and legal compliance.

Where Mentage acts as a Business Associate under a signed BAA, retention of PHI is governed by the terms of that agreement and applicable HIPAA requirements. See Section 14.

To request deletion of your account or personal information, contact info@mentage.com. Deletion requests will be processed in accordance with applicable law, subject to legal, contractual, or operational retention obligations.

Section 9

Security Practices and Limitations

Mentage implements commercially reasonable administrative, technical, and organizational safeguards to protect information in its possession. These measures include:

Encryption of data in transit using TLS 1.2 or higher;

Encryption of data at rest using AWS Key Management Service (KMS)-managed keys;

Account authentication managed through AWS Cognito using unique email and password credentials;

Data hosted on AWS RDS across multiple availability zones with automated backups and long-term archival; and

CloudFront access logs retained with S3 Object Lock COMPLIANCE mode.

NO METHOD OF TRANSMISSION OVER THE INTERNET OR METHOD OF ELECTRONIC STORAGE IS 100% SECURE. MENTAGE CANNOT GUARANTEE ABSOLUTE SECURITY AND IS NOT RESPONSIBLE FOR UNAUTHORIZED ACCESS RESULTING FROM YOUR FAILURE TO PROTECT YOUR ACCOUNT CREDENTIALS, ACTS OR OMISSIONS OF THIRD PARTIES, OR EVENTS BEYOND MENTAGE'S REASONABLE CONTROL.

Section 10

Cookies and Tracking Technologies

Based on current operational facts confirmed by internal audit (April 13, 2026), Mentage does not embed third-party tracking scripts, third-party analytics tools, or third-party data collection software within the user-facing application.

Authentication Session Storage

The Service uses AWS Cognito for authentication. Upon sign-in, the amazon-cognito-identity-js SDK stores the following data in your browser's local storage: session tokens (ID token, access token, and refresh token), your username (email address), and a clock drift value. The ID token and access token expire approximately one hour after issuance and are silently refreshed while your session is active. The refresh token persists for up to thirty (30) days. All session data stored in local storage is cleared upon sign-out. This storage is first-party, scoped to the Mentage application domain, and is used solely for authentication and session management — not for advertising, analytics, or tracking.

Stripe Checkout

Subscription and token purchases are processed through Stripe's hosted checkout, which operates exclusively on Stripe's own domain (checkout.stripe.com). When you are redirected to Stripe's checkout page, Stripe may set its own cookies or storage entries on its domain in accordance with Stripe's privacy policy. Those technologies are scoped to Stripe's domain and are not accessible to or controlled by Mentage. No Stripe cookies or storage entries are set on the Mentage application domain.

Server-Side Technical Data

The Service collects limited technical data through standard server-side processes as described in Section 2, including IP address, User Agent and browser details, and CloudFront access logs. This data is collected server-side and does not involve browser cookies or client-side tracking technologies.

Section 11

Children's Privacy

The Service is not directed to children under 13 years of age. Mentage does not knowingly collect personal information from children under 13. If Mentage learns that a child under 13 has provided personal information through the Service, Mentage will take commercially reasonable steps to delete that information promptly. If you believe a child under 13 has provided personal information to Mentage, contact us at info@mentage.com.

Section 12

User Rights and Choices

Account Information

You may review and update certain account information by accessing your account settings or by contacting info@mentage.com.

Deletion Requests

You may request deletion of your account and associated personal information by contacting info@mentage.com. On account deletion, personally identifiable fields in your account record are erased and your account status is set to deleted; however, consent records are preserved in anonymized form (with IP address and User Agent stripped) as described in Section 8. Deletion is subject to applicable legal, contractual, and operational retention obligations.

Communications

You may opt out of promotional communications by following the unsubscribe instructions in those messages. You may not opt out of transactional or account-related communications necessary for account management and service delivery.

Section 13

State Privacy Rights

Certain U.S. state privacy laws — including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), and the Connecticut Data Privacy Act ("CTDPA"), among others — may provide residents of those states with specific rights regarding their personal information, including the right to know what personal information is collected, to request correction or deletion, to opt out of the sale or sharing of personal information for targeted advertising, and to not be discriminated against for exercising these rights.

Mentage does not sell personal information as that term is defined under applicable state privacy laws.

If you are a resident of a state with an applicable privacy law and wish to exercise rights available to you, contact us at info@mentage.com. Mentage will respond in accordance with applicable law.

Section 14

HIPAA and Provider-Originated Data

This Section applies only in arrangements where Mentage acts as a Business Associate under a signed Business Associate Agreement.

In certain provider-facing arrangements, Mentage may receive, store, or transmit PHI on behalf of a covered entity pursuant to a signed BAA. In those limited circumstances, Mentage acts as a Business Associate as defined under HIPAA and will use and disclose PHI only as permitted under the applicable BAA and HIPAA.

The direct-to-consumer MEVA platform is not presented as HIPAA-regulated by default. Information submitted by a direct-to-consumer user who is not associated with a covered entity's BAA arrangement is not intended to be treated as PHI under HIPAA solely because it is submitted through the Service.

Nothing in this Policy is intended to expand or limit Mentage's HIPAA obligations beyond what is required by applicable law and any applicable BAA.

Section 15

Changes to this Policy

Mentage may update this Policy from time to time. If Mentage makes material changes, it will post the updated Policy on the Service with a new Effective Date and may provide additional notice by email or in-app notification. Your continued use of the Service after the effective date of any revised Policy constitutes your acknowledgment of the revised practices.

Section 16

Contact Information

Questions or concerns regarding this Policy should be directed to:
