Privacy Policy

MentionLayer is operated by Miji Australia Pty Ltd (ACN to be added), trading as MentionLayer ("we", "us", "our"). Registered office in New South Wales, Australia.

For privacy enquiries, contact our founder Joel House at [email protected]. We respond within 30 days as required by the GDPR, CCPA, and Australian Privacy Principles.

We collect three categories of data:

• Account data — the name, email address, agency name, and password hash you provide at signup. Required to create your account.
• Brand workspace data — the client brand briefs, website URLs, keywords, competitor names, and team-member emails you add inside the product. This is the working content of your subscription.
• Operational telemetry — usage events, IP address, browser type, error logs, and pages visited. Used to keep the service running and to diagnose problems. Marketing-attribution events (ad clicks, signups, conversions) are sent to Google Ads / Analytics via our cookie banner.

We do not collect special-category data (health, ethnicity, religion, biometric identifiers, etc.). The Reddit, Quora, and Facebook Group content the platform discovers is public-web content and is not associated with any private user account on our side.

Under the GDPR Art. 6, our lawful bases are:

• Contract — we need account and workspace data to deliver the service you've subscribed to.
• Legitimate interests — operational telemetry, fraud prevention, and product analytics. We've weighed these against your rights and consider them proportionate.
• Consent — advertising and marketing cookies fire only after you accept them via the cookie banner. You can withdraw consent at any time from the cookie settings in the footer.
• Legal obligation — certain billing and tax records are retained for compliance with Australian Taxation Office and EU VAT rules.

We use the third-party services below to deliver MentionLayer. Each handles a specific slice of your data and is contractually bound to protect it. By using MentionLayer you authorise these subprocessors.

International transfers to subprocessors outside the EEA / UK rely on Standard Contractual Clauses. We do not sell personal data to any third party.

We use three categories of cookies, distinguished in our consent banner:

• Strictly necessary — session, CSRF, and authentication cookies. Required for the site to work. Set without consent.
• Analytics — PostHog, Google Analytics 4. Set only after you accept analytics cookies.
• Marketing — Google Ads remarketing, conversion pixels via Google Tag Manager. Set only after you accept marketing cookies.

Until you accept, Google Tag Manager runs in Consent Mode v2 with ad_storage=denied and analytics_storage=denied, so no identifiers are written. You can withdraw consent at any time by clearing cookies for this site or by emailing us.

• Account data — kept while your subscription is active. Deleted within 90 days of account closure unless we are required to retain it for legal reasons.
• Workspace data — same as account data; deleted within 90 days of closure.
• Billing records — retained for 7 years to satisfy ATO and EU VAT requirements.
• Telemetry & logs — retained for 30 days, then aggregated. Sentry error events follow Sentry's 30-day default.

You have the right to:

• Access the data we hold about you.
• Correct data that's inaccurate or incomplete.
• Delete your data ("right to be forgotten" / GDPR Art. 17). Cancels your subscription and removes all workspace data within 90 days.
• Export your data in a portable format (GDPR Art. 20).
• Restrict or object to processing.
• Withdraw consent for marketing or analytics cookies.
• Lodge a complaint with a supervisory authority. For Australia: the OAIC. For the EU: your local Data Protection Authority.

To exercise any of these, email [email protected]. We will verify your identity and respond within 30 days.

Workspace data is stored in Supabase with row-level security policies that isolate each agency. All connections are TLS 1.2+. Passwords are hashed with bcrypt. Service-role credentials are scoped to server-side processes only.

We do not currently hold SOC 2 certification ourselves. Our primary infrastructure providers (Supabase, Vercel, Cloudflare, Stripe, Anthropic) are independently SOC 2 Type II audited.

MentionLayer is a B2B product. We do not knowingly collect data from anyone under 18. If you believe a child has registered, email us and we will delete the account.

We will update this page when we materially change how we handle data, and the "Last updated" date above will change with it. For account holders, material changes will also trigger an email.

Privacy enquiries: [email protected]
Postal: Miji Australia Pty Ltd, New South Wales, Australia (postal address available on request).

See also: Terms of Service.