Privacy Policy
Last updated: February 7, 2026
At PatternMentor, your privacy matters. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have. We've written this in plain language — no legalese walls. If you have questions, contact us.
1. Overview
PatternMentor (“the Service”, “we”, “us”, “our”) is a SaaS platform that provides AI-powered content analysis and growth tools for Twitter/X. This Privacy Policy applies to all users of our Service, regardless of location.
Key principles we follow:
- We collect only what we need to provide the Service
- We never sell your data to anyone
- We do not use third-party tracking or advertising cookies
- You can export or delete your data at any time
- Your Twitter/X tokens are encrypted at rest (AES-256-GCM)
For GDPR purposes, PatternMentor is the data controller for personal data collected through the Service. Our legal basis for processing personal data is outlined in each section below, in accordance with Article 6 of the General Data Protection Regulation (EU) 2016/679.
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address — used for authentication, password recovery, and important service notifications
- Name (optional) — used for personalization within the Service
- Password — stored as a one-way hash using scrypt (we never store your plain-text password)
Legal basis: Contract performance (GDPR Art. 6(1)(b)); Necessary for providing the Service.
2.2 Twitter/X Data
When you connect your Twitter/X account via OAuth 2.0, we access and store:
- Profile information — username, display name, bio, follower/following counts, profile image URL
- Your tweets — text, engagement metrics (likes, retweets, replies, impressions), timestamps
- Daily metric snapshots — follower counts captured daily for growth tracking
- OAuth tokens — access and refresh tokens, stored encrypted (AES-256-GCM) and never exposed via our API
Legal basis: Consent (GDPR Art. 6(1)(a)); You explicitly authorize access during the OAuth flow.
2.3 Usage Data
We collect basic usage data to operate and improve the Service:
- Feature usage — which tools you use and how often (e.g., number of AI analyses per month for quota tracking)
- Analysis records — a count of analyses performed (used for rate limiting, not content storage)
- User preferences — onboarding status, daily goal settings, gamification progress
We do not track your browsing behavior across other websites. We do not use analytics services like Google Analytics, Mixpanel, or similar tools.
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)); Necessary for service operation and improvement.
2.4 Payment Data
If you subscribe to our Pro plan, payment processing is handled entirely by Stripe. We:
- Do NOT store your credit card number, CVV, or full billing details
- Store only your Stripe Customer ID and Subscription ID (for linking your payment to your account)
- Store your subscription status (active, canceled, past_due) to manage feature access
Legal basis: Contract performance (GDPR Art. 6(1)(b)); Necessary for processing payments.
2.5 User-Generated Content
Content you create within the Service:
- Voice Profiles — custom writing style configurations (tone, vocabulary, style)
- Inspiration Library — tweets you save for reference, along with your notes and tags
- Tweet metadata — notes, tags, and evergreen flags you add to your synced tweets
- Article drafts — stored locally in your browser (localStorage), not on our servers
Legal basis: Contract performance (GDPR Art. 6(1)(b)); Necessary for providing the Service features you use.
3. How We Use Your Data
We use your data for the following purposes:
🛠 Providing the Service
Authenticating you, displaying your dashboard, running AI analyses on your content, calculating metrics, tracking your gamification progress, and enabling all Service features.
🤖 AI Content Analysis
Sending your tweet text (without personal identifiers) to our AI provider for scoring, coaching, rewriting, and generation. See Section 4 for details on how our AI provider handles this data.
📧 Transactional Emails
Sending password reset emails via Resend. We do not send marketing emails, newsletters, or promotional content.
📊 Service Improvement
Understanding aggregate usage patterns (not individual behavior) to improve features, fix bugs, and plan development. This is done using our own internal data — no third-party analytics.
🚫 What we do NOT do with your data:
- We never sell your personal data to anyone (CCPA Section 1798.120)
- We do not share your data with advertising networks
- We do not build behavioral profiles for targeted advertising
- We do not use third-party tracking pixels, fingerprinting, or analytics scripts
4. Data Sharing & Third Parties
We share data only with the following service providers, strictly as needed to operate the Service:
4.1 AI Provider
We send your tweet text and content drafts to our AI provider's API for AI analysis, scoring, and generation. We do not send your email, name, X handle, or other personal identifiers to our AI provider. The content is processed in the context of a single API call.
Data shared: Tweet text, draft content (with account identifiers removed; note that text you wrote may itself contain identifying details).
4.2 Stripe (Payments)
Stripe processes all payments for Pro subscriptions. Stripe receives your email address (for receipts) and payment information (card details) directly. We never see or store your full card number. Subject to Stripe's Privacy Policy.
Data shared: Email address, payment details (direct to Stripe).
4.3 Twitter/X (API)
When you connect your Twitter/X account, we communicate with the Twitter/X API using your authorized OAuth tokens to read your profile and tweets. This access is authorized by you during the OAuth flow and can be revoked at any time. Subject to X's Privacy Policy.
Data shared: OAuth tokens (to authenticate), API requests for your data.
4.4 Resend (Email)
Resend is used solely for sending password reset emails. We send your email address and the reset link content to Resend for delivery. No marketing emails are sent through this service. Subject to Resend's Privacy Policy.
Data shared: Email address, password reset content.
We do not share your data with any other third parties, advertisers, data brokers, or analytics providers.
5. Data Security
We implement appropriate technical and organizational measures to protect your personal data, in accordance with GDPR Article 32:
Passwords are hashed using scrypt (cryptographic one-way function). We cannot recover or read your password.
Twitter/X OAuth tokens are encrypted at rest using AES-256-GCM with a key derived from our application secret via scrypt.
All data in transit is encrypted via HTTPS/TLS. Unencrypted HTTP connections are not accepted.
Data is stored in PostgreSQL with restricted access. Database connections use TLS encryption and are limited to the application server.
We use security headers including X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Content Security Policy.
All API responses are automatically stripped of sensitive fields (tokens, passwords, internal IDs) to prevent accidental data leaks.
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to responding promptly to any security incident.
6. Your Rights
Depending on your location, you have rights under data protection laws including the GDPR (EU/EEA), CCPA (California), and LGPD (Brazil). These rights include:
Right of Access (GDPR Art. 15 / CCPA §1798.100)
You can request a copy of all personal data we hold about you. In the Service, use Settings → Export Data to download your data at any time. This includes your profile, tweets, voice profiles, analysis history, and preferences.
Right of Rectification (GDPR Art. 16)
You can update your account information (name, email) through the Settings page. For Twitter/X data, re-syncing will update your information from the source.
Right of Erasure (GDPR Art. 17 / CCPA §1798.105)
You can delete your account and all associated data through Settings. Upon deletion, your data is removed from our active database within 30 days and from backups within 90 days.
Right to Data Portability (GDPR Art. 20)
You can export your data in a machine-readable format (JSON) via Settings → Export Data. This export includes all data associated with your account.
Right to Object (GDPR Art. 21)
You can object to specific data processing activities. Contact us at the email below and we will assess your request. If we have no overriding legitimate grounds, we will stop the processing.
Right to Withdraw Consent (GDPR Art. 7(3))
Where processing is based on consent (e.g., Twitter/X integration), you can withdraw consent at any time by disconnecting your Twitter/X account in Settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Non-Discrimination (CCPA §1798.125)
We will not discriminate against you for exercising your privacy rights. You will receive the same service quality and pricing regardless of privacy choices.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner where applicable law requires). For EU/EEA residents, you also have the right to lodge a complaint with your local Data Protection Authority.
California Residents — Additional CCPA Disclosures
In the preceding 12 months, we have collected the categories of personal information described in Section 2. We do not sell personal information as defined by the CCPA (Cal. Civ. Code §1798.140(ad)). We do not share personal information for cross-context behavioral advertising. You may submit a “Do Not Sell or Share My Personal Information” request, though we do not engage in those activities.
7. Data Retention
We retain your personal data only as long as necessary to provide the Service and fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | While account is active |
| Twitter/X data | While account is active and X connected |
| Analysis records | While account is active (used for quota tracking) |
| Payment records | As required by tax/financial regulations (typically 7 years) |
| After account deletion | Data removed within 30 days |
| Backups after deletion | Removed within 90 days |
8. Children's Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. Our third-party service providers may process data in different jurisdictions:
- AI Provider — United States
- Stripe (Payments) — United States
- Twitter/X (API) — United States
- Resend (Email) — United States
For transfers from the EU/EEA, we rely on appropriate safeguards as required by GDPR Chapter V, including Standard Contractual Clauses (SCCs) and the service providers' certifications under applicable data transfer frameworks.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you via email at least 15 days before the changes take effect
- We will update the “Last updated” date at the top of this page
- We will provide a summary of significant changes
For minor, non-material changes (e.g., formatting, clarification), we may update the policy without individual notification but will always update the “Last updated” date.
11. Contact & Data Protection
For any privacy-related questions, data requests, or concerns:
Privacy inquiries & data requests:
General inquiries:
Response time: Within 30 days of receiving your request
EU/EEA residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU Data Protection Authorities is available at edpb.europa.eu.
© 2026 PatternMentor. All rights reserved.