Version: 2026-04-04

Privacy Policy

Last updated: April 4, 2026
Summary: We collect and use personal data to operate the platform, provide mentoring services, prevent fraud, and meet legal obligations. We retain verification documents for up to 60 days by default, unless a longer period is required by applicable law in India. Where a mentor authorises Google Calendar access, we use limited Google API scopes solely to create mentorship session events and generate Google Meet links.
Contents

  1. Scope
  2. Data We Collect
  3. How We Use Data
  4. Google API Services — Limited Use Disclosure
  5. How We Share Data
  6. Retention
  7. Security
  8. Law Enforcement & Government Data Requests
  9. Your Choices and Requests
  10. Contact

1. Scope

This Privacy Policy applies to personal data processed in connection with your use of the platform (mentor or mentee). This document is intended to describe our practices; it is not legal advice.

2. Data We Collect

2.1 Account and profile data

  • Name, date of birth, gender (optional), email, phone number.
  • Profile details such as education, institution, languages, skills, and interests.

2.2 Session and platform activity

  • Session requests, scheduling details, and communications (messages) on the platform.
  • Device and usage data (for example: IP address, user-agent) for security and abuse prevention.

2.3 Google account data (mentors only)

When a mentor authorises the platform through Google OAuth 2.0 to schedule sessions on their behalf, we receive and store the following from Google:

  • OAuth tokens — an access token (short-lived, typically ~1 hour) and a refresh token (long-lived) that allow the platform to create calendar events on the mentor's primary Google Calendar.
  • Token expiry timestamp — used to determine when the access token needs to be refreshed.

We do not receive, read, or store the mentor's existing calendar events, contacts, Gmail messages, Google Drive files, or any other Google account data.

2.4 Payments and transaction data

  • Payment identifiers (such as payment ID, transaction reference) and payment status.
  • We do not intend to store full card/UPI credentials; payment rails may process them directly.

2.5 Verification documents (mentors)

If you choose to get verified, you may upload images of documents (for example, certificates, ID cards, employment proof). This content may contain sensitive personal data. See the Document Verification Policy for instructions and details.

3. How We Use Data

  • Provide the service: account creation, matching, scheduling, communications, and support.
  • Safety and fraud prevention: authentication, abuse detection, verification workflows, audit trails.
  • Payments: payment initiation, reconciliation, and dispute handling.
  • Legal and compliance: responding to lawful requests, enforcing policies, and record-keeping where required.

4. Google API Services — Limited Use Disclosure

This section describes how the platform accesses, uses, stores, and shares Google user data obtained through Google API services. Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements.

4.1 Google API scopes we request

When a mentor initiates the Google OAuth flow (by accepting a mentoring request and choosing to schedule a session), we request the following scopes:

  • https://www.googleapis.com/auth/calendar.app.created — allows the platform to create and manage a dedicated MentzyGo Sessions calendar in the mentor's Google Calendar account and generate Google Meet video-conference links for booked sessions. We do not access any other calendars.

We request these scopes only from mentors, and only when a mentoring session needs to be scheduled. Mentees are never asked to grant Google Calendar access.

4.2 How we use Google Calendar data

We use the authorised calendar access exclusively to:

  • Create a single calendar event on the mentor's primary calendar for each confirmed mentorship session, containing the session title, date/time, and the mentor and mentee as attendees.
  • Automatically generate a Google Meet link attached to that event so both parties can join the video call.

We do not:

  • Read, list, search, or access any existing events on the mentor's calendar.
  • Modify or delete any calendar events (including events we previously created).
  • Access any calendar other than the mentor's primary calendar.
  • Use calendar data for advertising, analytics, market research, or any purpose unrelated to scheduling the mentorship session.

4.3 How we store Google data

  • OAuth access tokens, refresh tokens, and token expiry timestamps are stored in the mentor's database record.
  • The Google Calendar event ID and the generated Google Meet link for each session are stored in the meetings table so the platform can display the link to both parties.
  • Tokens are used solely to create calendar events on the mentor's behalf and are not shared with any third party.

4.4 Token refresh

Access tokens expire approximately every hour. When the platform needs to create a new session event for a mentor whose token has expired, we use the stored refresh token to obtain a new access token from Google. The updated token is saved back to the database. This happens automatically and does not require the mentor to re-authorise.

4.5 Revoking Google access

A mentor may revoke the platform's access to their Google Calendar at any time by visiting Google Account > Third-party apps & services and removing the platform. Once revoked, the platform will no longer be able to create calendar events or Meet links for that mentor until the mentor re-authorises.

4.6 Gmail and email sending

The platform sends transactional emails (session confirmations, reminders, cancellation notices, password-reset codes, and similar operational messages) using Gmail's SMTP relay service authenticated with an application-specific password on the platform's own Gmail account.

This means:

  • We do not use the Gmail API (gmail.send or any other Gmail REST endpoint) on behalf of any user.
  • We do not read, access, or store any user's Gmail messages, drafts, labels, or mailbox data.
  • Emails are sent from the platform's own email address, not from any user's account.
  • Recipients receive these emails at the address they provided during registration.

4.7 Limited Use compliance

The platform's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google data for providing and improving the session-scheduling functionality described above.
  • We do not transfer Google data to third parties except as necessary to provide the service (i.e., sending the calendar event creation request to Google), as required by law, or as part of a merger/acquisition with adequate data-protection obligations.
  • We do not use Google data for serving advertisements.
  • Human access to Google user data (OAuth tokens) is limited to platform administrators for debugging or support purposes, with the user's consent or as needed to comply with applicable law or for security investigations.

5. How We Share Data

  • With other users: limited profile information necessary to facilitate mentoring (as configured by the platform).
  • Service providers: hosting, storage, messaging, email/WhatsApp, and payment processors as needed to run the platform.
  • Legal: if required to comply with law, lawful requests, or to protect users and the platform.

6. Retention

We retain data only as long as needed for the purposes described above, unless a longer period is required by law or needed for disputes.

  • Verification documents: up to 60 days from submission by default, then deleted as part of an automated retention process.
  • Consent/audit logs: may be retained longer for compliance, fraud prevention, and dispute resolution.

7. Security

We use reasonable administrative, technical, and organizational safeguards appropriate to the nature of the data. No system can be guaranteed 100% secure.

8. Law Enforcement & Government Data Requests

We are an Indian platform and operate under Indian law. We may disclose user data to law enforcement agencies, regulatory bodies, courts, or other government authorities when we receive a lawful, valid legal process or are otherwise legally obligated to do so under applicable Indian legislation. This section describes how we handle such requests.

8.1 Legal framework we operate under

The following Indian laws may require or authorize us to disclose user data to government or law enforcement:

  • Digital Personal Data Protection Act, 2023 (DPDPA) — Section 7(b) permits processing of personal data to comply with a legal obligation. Section 17 exempts the platform from certain obligations (such as erasure) where data is required for law enforcement, national security, or judicial proceedings. Section 36 empowers the Central Government to direct a Data Fiduciary to provide information or take action in the interest of sovereignty, security, or public order.
  • Information Technology Act, 2000 (IT Act) —
    • Section 69: Authorizes the Central or State Government to issue directions for interception, monitoring, or decryption of information through any computer resource in the interest of sovereignty, security, public order, or prevention of offences.
    • Section 69A: Authorizes the Central Government to issue directions for blocking access to information in the interest of sovereignty, security, or public order.
    • Section 69B: Authorizes the Central Government to monitor and collect traffic data or information generated, transmitted, received, or stored in computer resources.
    • Section 70B: Empowers CERT-In (Indian Computer Emergency Response Team) to call for information from intermediaries and service providers for cybersecurity incident response and analysis.
    • Section 79: Intermediary safe harbour is conditional on complying with government directions and not interfering with legal processes.
  • IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — Rule 3(1)(j) requires intermediaries to provide information or assistance to government agencies for lawful purposes within 72 hours of a written direction.
  • IT (Procedure and Safeguards for Interception, Monitoring and Decryption) Rules, 2009 — Govern the form, authentication, and procedure for Section 69 directions.
  • CERT-In Directions, April 28, 2022 — Require platforms to report certain cybersecurity incidents within 6 hours and to retain system and network logs for a rolling period of 180 days.
  • Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS) (in force from July 1, 2024; replaces the Code of Criminal Procedure, 1973) — Chapters XII–XIV govern searches, seizures, and production orders applicable to digital data and electronic records.
  • Bharatiya Sakshya Adhiniyam, 2023 (BSA) (in force from July 1, 2024; replaces the Indian Evidence Act, 1872) — Sections 57–61 govern admissibility of electronic records and may require us to produce certified copies of digital evidence.
  • Prevention of Money Laundering Act, 2002 (PMLA) — Section 50 authorizes the Enforcement Directorate and Financial Intelligence Unit–India (FIU-IND) to summon persons and call for records. As a platform that facilitates payments, we may be obligated to share transaction data with FIU-IND or ED pursuant to lawful directions.
  • Income Tax Act, 1961 — Sections 131–133 empower Income Tax authorities to requisition information relating to transactions, accounts, and persons relevant to tax investigations.
  • Protection of Children from Sexual Offences Act, 2012 (POCSO) — Any information relating to sexual offences against children must be reported to police. We are mandated to provide relevant data without awaiting a formal production order.
  • Other central or state legislation that lawfully compels disclosure, including directions from the Reserve Bank of India (RBI) or other financial regulators where applicable.

8.2 Types of legal process we respond to

  • Court orders / judicial warrants issued by a High Court or Sessions Court of competent jurisdiction under the BNSS or other applicable law.
  • Production orders / summons issued under the BNSS (e.g., Section 94), PMLA (Section 50), or Income Tax Act by an authorized authority.
  • Government directions issued under Sections 69, 69A, or 69B of the IT Act by a competent authority at the Central or State Government level.
  • CERT-In directions for incident response or information under Section 70B of the IT Act and the 2022 CERT-In Directions.
  • Intermediary compliance directions under Rule 3(1)(j) of the IT (Intermediary Guidelines) Rules, 2021.
  • DPDPA Section 36 directions from the Central Government.
  • Mandatory POCSO reports to police without requiring a formal production order.

8.3 What data may be disclosed

We limit disclosure strictly to what the legal process requires. Depending on the request, this may include:

  • Account and profile information (name, email address, phone number, date of birth).
  • IP addresses, login history, device identifiers, and user-agent information.
  • Transaction and payment records (payment IDs, amounts, timestamps, payment status).
  • Session booking records and in-platform communication metadata.
  • Verification documents (if still within the 60-day retention window; see Section 6).
  • System and network logs retained under CERT-In Directions (up to 180 days).
  • Consent and audit records.

We do not provide data that is beyond the scope of the request, and we do not create data that does not already exist in our systems.

8.4 Our review process

  • Each request is reviewed to confirm: (a) it originates from a competent authority, (b) it cites the applicable legal provision, and (c) it is specific and not manifestly overbroad.
  • We may seek clarification or legal advice before responding to ambiguous or novel requests.
  • Requests that appear legally deficient, lack requisite authorizations, or are overbroad may be declined or narrowed after review.
  • We maintain an internal register of all government/law enforcement data requests received, actions taken, and data disclosed, for audit and compliance purposes.

8.5 User notification

Where we are legally permitted to do so and where there is no risk of harm or evidence destruction, we will make reasonable efforts to notify the affected user(s) before disclosing their data, so that they may seek appropriate legal remedies.

We will not notify users when:

  • Notification is expressly prohibited by the legal process or the applicable law (for example, gag orders under Section 69 or Section 69A IT Act directions).
  • Notification could obstruct an ongoing investigation or lead to destruction of evidence.
  • The request relates to national security or defence.
  • The matter involves a child safety offence (POCSO).

8.6 Emergency disclosure

In exceptional circumstances involving an imminent, credible threat to the life or physical safety of a person, or an ongoing child safety emergency, we may voluntarily disclose limited information to Indian law enforcement (Police, CBI, or other competent agencies) without waiting for a formal legal process. Any such disclosure is limited to information necessary to address the emergency, logged internally, and subject to subsequent legal review.

8.7 Data preservation requests

Pending the issuance of formal legal process, we may honour a preservation request from a competent law enforcement authority to retain specified user data. Such preservation is typically for up to 90 days and may be renewed once upon receipt of a further written request. Preserved data is not disclosed without a separate, valid legal process.

8.8 Cybersecurity incident reporting obligations

Pursuant to the CERT-In Directions of April 28, 2022, we are required to report certain cybersecurity incidents (including unauthorized access, data breaches, and identity theft) to CERT-In within 6 hours of detection. System, network, and access logs are retained for a rolling 180 days to comply with this obligation. This retention period operates independently of other retention periods described in Section 6 of this policy.

9. Your Choices and Requests

  • You can update certain profile details within the platform.
  • You may request access, correction, or deletion of personal data, subject to legal and operational constraints.

10. Contact

To submit a request or ask a privacy question, contact: support.mentzygo@gmail.com.

If this policy changes materially, we will update the version/date and may require renewed acceptance.