privacy policy

privacy.

Effective 2026-05-08. Short version: we keep what we need to run the product, no more. We don't sell anything to anyone. There are no ad pixels, no third-party analytics on this site.

what we store on the server

  • League One: email, password hash (bcrypt), Telegram chat ID once you link, day-by-day curriculum progress, chat history with the curriculum agent.
  • Newsletter: email and confirmation timestamp. Unsubscribe is one click.
  • Operator request form: name, email, optional X handle, capital range, use-case description. Triaged manually by skyto.
  • Day 8 submissions: the content of your build submission. Email is kept private; only the display name you opt into appears on /learn/graduates.

what we don't store

  • Wallet private keys. Those live on the operator's own machine.
  • Real names, phone numbers, addresses (unless you put them in your operator request).
  • Credit-card numbers. Payments process via Stripe (when wired) — Stripe holds the card data, not us.
  • Browser fingerprints, behavioural analytics, ad-network IDs.

who sees your data

skyto, as the sole operator, has read access to the production database. Nobody else. The database lives on a Contabo VPS in Germany (full-disk-encrypted host). Backups are encrypted at rest.

Limited third parties handle specific functions:

  • Resend — outbound email (confirmation, capability-of-the-week). Sees your email address and the email body.
  • Telegram (BotFather) — the curriculum bot is delivered through Telegram; messages transit their servers.
  • Anthropic + NEAR AI — for the curriculum chat agent. They process your messages to generate replies; we do not pass your email to them.
  • Vercel + Cloudflare — host the marketing frontend and tunnel API traffic. They see IP addresses and request paths.

cookies and storage

We use localStorage to keep you signed in (League One JWT, operator deck key). No tracking cookies, no third-party cookies. The only first-party cookies are session helpers when you use the operator agency console.

your rights

  • Access — email us, we send you everything we have.
  • Deletion — email us or click delete-account in the dashboard. We purge within 7 days.
  • Correction — same channel.
  • Portability — we'll export your data as JSON on request.

security incidents

If we discover that data we hold has been exposed, affected users will hear from us within 72 hours of confirmation, with what we know and what to do. We'd rather over-communicate than not.

contact

hello@mentatai.xyz. Security disclosures: please use the same address with the subject line "security"; we'll triage within 24 hours.

See also: /risk · /terms · /security.