MentAgent
Privacy Policy
Effective date: May 6, 2026 · Last updated: May 30, 2026 · Version: 2026-05-30
1. Overview
MentAgent, Inc. ("MentAgent," "we," "us," or "our") operates the MentAgent platform at mentagent.ai (the "Service"), an AI-powered assistant for licensed real estate agents. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service. By accessing or using MentAgent, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
MentAgent is designed for use by adults (18+) who are licensed real estate professionals in the United States.
2. Information We Collect
2.1 Information You Provide
When you create an account and use MentAgent, you may provide:
• Account information — your name, email address, phone number, and profile photo. • Professional information — your real estate license number and state, brokerage name, market area, specialty neighborhoods and zip codes, property types, years of experience, team structure, and CRM platform. • Communication preferences — your preferred tone, email signatures, phrases to avoid, and spoken languages. • Payment information — processed by Stripe; we store only your Stripe customer ID, not your card details. • Custom content — custom skills, prompts, and configurations you create within the platform. • Group participation — messages and posts you contribute to group channels.
2.2 Information from Connected Services
MentAgent's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.
When you enable specific skills, MentAgent may request access to third-party services through OAuth authorization:
• Google Gmail — email content used to generate summaries, draft responses, and triage your inbox. • Google Calendar — calendar events used to prepare daily briefings and coordinate showings. • Google Drive — read and write files (listing PDFs, photos, generated documents) for skills you have enabled that produce or reference Drive content.
Account creation with Google requests only basic profile information (name, email, profile photo). The Gmail, Calendar, and Drive scopes are requested only when you enable the Google Connector — not at signup. Once the connector is enabled, all Google-backed skills you run share that connection. You can disconnect at any time in Settings → Connectors.
We use Google user data only to provide the features you have enabled (skill execution, summaries, drafts). We do not transfer this data to third parties except as needed to provide and improve those features — currently the AI provider (Anthropic) for inference, which processes the data under contractual terms that prohibit training on customer data — or as required by law. We do not use Google user data for advertising. Human reading of Google user data is limited to: (a) the AI agent processing your skill on your behalf, (b) authorized MentAgent staff acting under your support request or in response to a security incident (see Section 7), and (c) what you yourself read in the Service.
Raw email and calendar content is fetched on demand and is not stored as a separate searchable copy; only the generated outputs you produce (summaries, drafts) and the conversation history that produced them are retained, subject to the retention periods in Section 8.
2.3 Information Collected Automatically
When you use MentAgent, we automatically collect:
• Device and browser information — IP address, browser type, operating system, and device identifiers. • Usage data — features used, skills enabled, pages visited, and interaction timestamps. • Firebase Analytics — anonymized usage patterns to improve the Service. • Push notification tokens — Firebase Cloud Messaging tokens for delivering alerts to your device.
3. How We Use Your Information
We use the information we collect to:
• Operate and improve the Service — execute skills, generate AI-powered outputs, and personalize your experience. • Communicate with you — send transactional emails (via Resend), daily briefings, alerts, and account notifications. • Process payments — manage subscriptions and billing through Stripe. • Ensure security — authenticate your identity, prevent fraud, and enforce our Terms of Service. • Develop new features — analyze anonymized usage patterns to improve existing skills and build new ones.
We do not sell your personal information. We do not use your data to train AI models.
4. AI Processing
MentAgent uses third-party AI models (currently Anthropic Claude) to power skills such as email drafting, listing descriptions, daily summaries, and document automation. When a skill executes:
• Relevant context (e.g., your profile data, calendar events, email content) is sent to the AI model as part of the prompt. • The AI model processes the request and returns generated content. • We do not use your data to train or fine-tune AI models. Your data is processed under Anthropic's commercial API terms, which prohibit training on customer data.
If you use the Bring Your Own Key (BYOK) option and provide your own Anthropic API key, AI requests are made using your key and are subject to your own agreement with Anthropic. Your API key is stored server-side with the same security protections as OAuth tokens and is never exposed to the client.
Browser automation. When you enable the browser-driving feature, the assistant can open a hosted Chromium browser through Browserbase (see Section 10) to interact with third-party websites that don't expose an API. The default behavior is for the assistant to fill in a draft and hand off to you to review and submit on the destination site; for sites without a save mechanism, the assistant will pause and ask you to approve any submit-class action (Submit, Publish, Send, Pay, etc.) via an in-app confirmation before the click happens. The assistant never presses submit, publish, send, pay, or delete on your behalf without your explicit approval through the confirmation dialog.
Site credentials. To log into third-party sites on your behalf, you may store per-site credentials (username, password, and optionally a 2FA seed) under your account. These are stored in Google Secret Manager with envelope encryption, the same store used for your other API keys. Credentials are NEVER returned to the assistant in plaintext: when the assistant calls the login tool, the backend resolves the credential, computes the current 2FA code if applicable, and types the values directly into the browser session via Chrome DevTools Protocol. The AI model only ever sees that login succeeded or failed; it never sees the values themselves. The backend refuses to inject credentials when the current page hostname does not match the credential's stored login URL, blocking a common phishing-style attack.
5. How We Share Your Information
We share your information only in the following circumstances:
• With service providers — we use third-party services to operate the platform (see Section 10: Third-Party Subprocessors). These providers access your data only to perform services on our behalf and are contractually obligated to protect it. • Within groups — if you join a group (brokerage or team), your profile information (name, skills enabled, activity metrics) and group messages are visible to group administrators and members according to group settings. If your group uses group billing (the brokerage pays for your subscription), the brokerage administrator has additional visibility into your skill usage and group activity. You are informed of this visibility when joining and must acknowledge it before proceeding. • With your consent — we may share information when you explicitly direct us to, such as when sending emails on your behalf or coordinating with another agent's MentAgent. • For legal purposes — we may disclose information if required by law, legal process, or government request, or to protect the rights, safety, or property of MentAgent, our users, or the public.
Brokerage administrators do NOT have access to your agent-to-agent private messages, raw email or calendar content, or personal custom skills created outside the group context.
6. Data Storage & Security
MentAgent stores your data in two tiers, reflecting the different sensitivity and residency requirements of different data types.
6.1 Platform Data — Stored in the United States
The following data is stored and processed in the United States on Google Cloud Platform (GCP) regardless of your business jurisdiction, because it supports global platform operation:
• Authentication and login credentials (Firebase Authentication). • Account and profile information (name, email, license number, brokerage). • Billing and subscription records (Stripe customer data). • Platform-wide skill definitions and community skill library.
6.2 Interaction Data — Stored in Your Business Jurisdiction
Data generated through your use of AI agent skills is stored in the jurisdiction that matches your business activity. This includes:
• AI agent logs and interaction history. • Generated content (email drafts, summaries, listing descriptions). • OAuth tokens for connected services (Gmail, Calendar, Drive). • Custom skills and prompts you create. • Group messages and agent-to-agent communications.
At launch, MentAgent supports United States residency (GCP us-west1, Firestore nam5). Canadian and European Union residency are planned as we expand internationally. When you create your account, we ask you to confirm your primary jurisdiction of business; this determines where your interaction data is stored. If you operate across multiple jurisdictions, your data is stored in the jurisdiction where you are primarily licensed.
6.3 Infrastructure
• Cloud Firestore for user profiles, skills, groups, and interaction logs (region varies by tier as described above). • GCP Cloud Run for application hosting. • GCP Secret Manager for API keys and sensitive configuration.
6.4 Security Measures
• OAuth tokens and API keys are stored server-side only and are never exposed to the client application. • Firestore security rules enforce role-based access control — users can only read and write their own data. • Role and plan fields are protected and cannot be modified by users through the client. • Firebase Authentication handles identity verification with support for Google Sign-In and email/password. • All data is transmitted over HTTPS/TLS encryption. • Firebase API keys are restricted to authorized domains only.
7. Internal Access & Support
MentAgent strictly limits internal access to your account data. Day-to-day operation requires no human reading of your data — skills run autonomously through the AI agent. Two narrow exceptions exist:
• Support and troubleshooting at your request. When you ask us to investigate a problem with your account, authorized MentAgent staff with the super-admin permission may temporarily "adopt" your account — meaning they sign in to a session that reads and acts as your account would. They use this access only for the support task you requested.
• Security investigations. If we detect signs of account compromise, abuse, or a security incident, super-admins may adopt your account to investigate. We will tell you about a security investigation that affects your account, unless prohibited by law or unless notifying you would interfere with the investigation.
Every "adopted" session is:
• Capability-gated — only accounts with the super-admin permission can adopt another account; adopting another admin requires an additional level of trust on top. • Multi-factor protected — the adopting staff member must complete a fresh hardware-key (passkey) re-authentication before each adoption. • Time-boxed — sessions expire automatically after one hour; longer investigations require re-authentication. • Logged — each session, and every action taken inside it, is recorded with both the staff member's identity and your account's identifier. Logs are retained for compliance review and are inspected on a recurring cadence by the platform team. • Disclosed — actions taken under an adopted session are tagged in your account's audit history, distinguishable from actions you took yourself.
Adopted sessions are not used for product analytics, training data, or any commercial purpose unrelated to the support or investigation that triggered them. We do not adopt accounts for advertising, sales, or marketing.
If you would like to see the audit log for your own account or learn whether your account has ever been adopted, contact privacy@mentagent.ai.
8. Data Retention
We retain your information as follows:
• Account and profile data — retained for the life of your account. • AI agent logs — may be retained for up to 90 days. • Generated content (email drafts, summaries, listing descriptions) — may be retained for up to 30 days unless you explicitly save it. • OAuth tokens — retained until revoked by you or expired. • Payment records — retained as required by law and Stripe's data retention policies.
When you delete your account:
• Your personal information is removed within 30 days. This includes email, phone, address, business profile, license details, integration tokens, and any API keys you have stored. • Your name and @handle are retained so that messages you previously sent in groups remain attributed to you. Your @handle stays reserved against your closed account; if you later re-register with the same email you may reclaim it during signup. • Past chats with the AI assistant are retained as part of the platform's operational and audit record. Group messages you authored are retained with their original attribution. We do not modify or anonymize past message content. • Personal skills you created are removed from active use; their outputs follow the 30-day generated-content TTL above. • Audit-log entries about your account activity are retained for compliance purposes.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
• Access — request a copy of the personal data we hold about you. • Correction — request that we correct inaccurate or incomplete data. • Deletion — request that we delete your personal data. • Portability — request your data in a structured, machine-readable format. • Opt-out — disconnect any integrated service (Gmail, Calendar, Drive) at any time by revoking OAuth access. Disabling a skill immediately stops data access for that skill. • Do Not Sell — we do not sell your personal information. No opt-out is necessary.
California residents have additional rights under the California Consumer Privacy Act (CCPA). To exercise any of these rights, contact us at privacy@mentagent.ai.
We will respond to verified requests within 30 days.
10. Third-Party Subprocessors
| Subprocessor | Purpose | Region |
|---|---|---|
| Google (Firebase, GCP) | Authentication, database, application hosting, email/calendar/drive access | United States |
| Anthropic | AI model inference for skill execution | United States |
| Browserbase | Hosted browser sessions for agent-driven third-party site automation | United States |
| Resend | Transactional email delivery | United States |
| Stripe | Payment and subscription processing | United States / European Union |
| Telegram | Inbound user messages to the assistant | Global (user-routed) |
12. Children's Privacy
MentAgent is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at privacy@mentagent.ai.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of MentAgent after changes become effective constitutes your acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
MentAgent, Inc. Email: privacy@mentagent.ai Legal: legal@mentagent.ai
For data access, correction, or deletion requests, please email privacy@mentagent.ai with the subject line "Privacy Request."
© 2026 MentAgent, Inc. All rights reserved.
Questions? Reach us at privacy@mentagent.ai