Privacy Policy

This Privacy Policy explains how Mentix Ltd collects, uses, and shares personal data in connection with the website at www.mentix.world (the "Website") and the Mentix mentorship platform (together, the "Services"). It applies to Website visitors, Mentees, Mentors, Industry Partner representatives, and other individuals whose personal data we process.

Mentix operates under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR). Our Services are designed for users in the United Kingdom and the European Economic Area, although we also engage with partners and users in other jurisdictions.

The controller of personal data processed through the Services is:

Mentix Ltd

Company number 16521574

9 Upper Wimpole Street

London W1G 6LJ

United Kingdom

Email: amyn@mentix.world

In certain scenarios, we process personal data on behalf of an Industry Partner, a host institution, or another controller (for example, when Patient Data is routed through the Platform under a data processing agreement). In those cases, the originating organisation is the controller of that data, and Mentix acts as processor. The Services-related processing we carry out as a controller is described in this Policy.

Account and identity data: name, professional title, specialty, regulatory or licence number (where required), employer or host institution, and role (Mentee, Mentor, Industry Partner representative).

Contact data: business email address, phone number, and business postal address.

Authentication and security data: hashed credentials, session tokens, multi-factor authentication identifiers, IP address, device identifiers, and log records.

Usage data: pages visited on the Website, features used on the Platform, Session activity, time spent, assessment results, and feedback submitted.

Clinical training content: procedural video, still images, structured feedback, competency scores, and related metadata generated by Mentors and Mentees during Sessions.

Patient data (special category): where Patient Data is transmitted through the Platform, it may include clinical images, video of internal anatomy, and limited clinical metadata. Patient Data is ordinarily processed by Mentix as a processor on behalf of the treating institution under a separate data processing agreement.

Commercial data: order forms, billing contacts, invoice details, sponsorship allocations, and payment records for Industry Partners and Mentors.

Correspondence data: communications with Mentix, including support enquiries and meeting notes.

We do not knowingly collect personal data from children. The Services are not intended for individuals under 18.

We collect personal data from:

(a) you, when you register, sign in, use the Services, or correspond with us;

(b) your employer or host institution, when it sponsors your participation or integrates its systems with the Platform;

(c) Industry Partners, when they nominate Mentees to receive sponsored access;

(d) Mentors, when they submit feedback or assessments relating to a Session;

(e) our sub-processors, including authentication, hosting, and analytics providers that generate log and telemetry data in the ordinary course of providing their services to us;

(f) publicly available sources, such as professional registers, where we need to verify that a clinical User holds appropriate credentials.

Performance of a contract (UK GDPR Art. 6(1)(b)): to create and manage accounts, deliver Sessions, process payments, provide support, and otherwise perform the Terms of Service, the mentor engagement agreement, or an order form with an Industry Partner.

Legitimate interests (UK GDPR Art. 6(1)(f)): to operate and secure the Services, prevent fraud and abuse, maintain quality and safety, communicate with business contacts, develop and improve the Services (including through de-identified analytics), and defend legal claims. We have assessed these interests against the rights and freedoms of data subjects and concluded that our processing is proportionate. You may object to processing based on legitimate interests (see Section 10).

Legal obligation (UK GDPR Art. 6(1)(c)): to meet obligations under tax, accounting, corporate, data protection, and clinical governance law.

Consent (UK GDPR Art. 6(1)(a)): where we rely on your consent for a specific activity, for example where a Mentee consents to a particular use of identifiable training material for a named research project. You may withdraw consent at any time by contacting us; withdrawal does not affect processing carried out before withdrawal.

Special category conditions (UK GDPR Art. 9): Patient Data and other health data are processed under Art. 9(2)(h) (health and social care), Art. 9(2)(i) (public health and safety of medicinal products or medical devices, where relevant), or Art. 9(2)(a) (explicit consent), in each case under appropriate contractual, security, and governance controls in line with the Data Protection Act 2018.

We use personal data to:

(a) authenticate Users and provide secure access to the Platform;

(b) match Mentees and Mentors, schedule Sessions, and deliver the three Session Types (A, B, and C);

(c) capture, store, review, and replay procedural recordings for training, feedback, and competency tracking purposes;

(d) administer sponsorship packages and session credits for Industry Partners;

(e) handle invoices, payments, and Mentor fees;

(f) provide customer support and respond to enquiries;

(g) monitor, test, secure, and improve the Services, including the prevention and detection of fraud and abuse;

(h) produce de-identified analytics and aggregated performance metrics for Mentix, Industry Partners, and, where agreed, research collaborators;

(i) comply with law and respond to lawful requests from regulators, courts, and professional bodies;

(j) communicate operational, security, and service-related information to registered Users.

We do not use personal data for automated decision-making that produces legal or similarly significant effects about you without human involvement.

Mentors, Mentees, and Industry Partners as necessary to deliver Sessions and administer sponsorship. Identifiable Patient Data is not shared with Industry Partners except in de-identified or aggregated form.

Our processors and sub-processors, which provide hosting, video streaming, authentication, storage, customer support, payments, and analytics services. Each processor is engaged under a written contract that imposes UK GDPR-compliant confidentiality, security, and sub-processing obligations.

Hardware and integration partners, including Surgease Innovations Ltd in connection with the CHIP and CHIP-lite teleproctoring devices, under a data processing agreement that addresses ownership, storage, retention, and data residency of procedural material.

Professional and regulatory bodies, where disclosure is required to verify credentials or to respond to a lawful request.

Legal and professional advisers, such as auditors, insurers, and lawyers, where reasonably necessary for legitimate business purposes.

Actual or prospective purchasers in connection with a merger, acquisition, reorganisation, or asset transfer, subject to appropriate confidentiality and data protection safeguards.

We do not sell personal data, and we do not share personal data with advertising networks.

Personal data processed through the Services is hosted primarily within the United Kingdom and the European Economic Area. Some of our sub-processors operate in other jurisdictions. Where personal data is transferred outside the UK or EEA:

(a) we rely on UK or EU adequacy decisions where available;

(b) otherwise, we use the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses as appropriate, together with supplementary technical and organisational measures;

(c) we assess the legal environment of the destination country and apply additional safeguards where required.

You may request a copy of the transfer safeguards relating to your personal data by contacting us.

We retain personal data only for as long as necessary for the purposes for which it was collected:

(a) Account data: for the life of the account and for a reasonable period after closure to handle legal, audit, or dispute resolution requirements.

(b) Procedural video and related training content: by default, 24 months from the date of recording, consistent with our partnership arrangements. Longer periods apply where a Mentee, host institution, research protocol, or law requires it, and shorter periods apply where the treating institution instructs earlier deletion.

(c) Commercial records: for the period required by tax, accounting, and corporate law (typically six years in the United Kingdom).

(d) Security logs: for the period needed for operational and security purposes, generally not exceeding 12 months unless a specific investigation requires otherwise.

At the end of the applicable period, personal data is deleted or anonymised using appropriate measures.

Subject to the conditions set out in UK and EU data protection law, you have the right to:

(a) access the personal data we hold about you and receive a copy;

(b) ask us to correct inaccurate or incomplete personal data;

(c) ask us to delete personal data where we no longer have a lawful basis to hold it;

(d) ask us to restrict processing while a concern is being resolved;

(e) object to processing based on legitimate interests;

(f) request the personal data you have provided to us in a structured, commonly used, machine-readable format, and ask us to transmit it to another controller (data portability);

(g) withdraw consent at any time, where we rely on consent;

(h) lodge a complaint with a supervisory authority.

The United Kingdom supervisory authority is the Information Commissioner's Office (ICO), https://ico.org.uk. In the EEA, you may complain to the supervisory authority of the member state in which you live, work, or where the alleged infringement took place.

To exercise a right, please contact us at amyn@mentix.world. We will respond within one month, or notify you within that period if we need a longer time to handle a complex request.

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, role-based access controls, multi-factor authentication for administrative access, logging and monitoring, secure software development practices, regular vulnerability management, and restricted access for sub-processors. We review these measures and update them as the Services evolve.

No internet transmission or storage system is completely secure. If we become aware of a personal data breach that meets the applicable notification threshold, we will notify regulators and affected individuals as required by law.

The Website uses only essential first-party cookies and similar technologies required for security, load balancing, authentication sessions, and basic site functionality. We do not use analytics, advertising, or cross-site tracking cookies. The Cookie Policy provides further detail.

The Website and Platform may contain links to third-party sites. We are not responsible for the content or privacy practices of those sites. We encourage you to read the privacy policies of any third-party site you visit.

We may update this Policy from time to time. The version number and effective date at the top of the Policy will be updated. Where changes are material, we will notify registered Users by email or through the Platform in advance of the change taking effect.

For any data protection enquiry or to exercise a right under this Policy, please contact:

Mentix Ltd

9 Upper Wimpole Street

London W1G 6LJ

United Kingdom

Email: amyn@mentix.world