Legal
Privacy Policy
Effective April 24, 2026. Plain-English summary first, full text below. GDPR + KVKK compliant.
Plain-English summary
• We collect email + account info + what you track in Menra (brands, prompts, competitors)
• We share billing data with our payment processor (Paddle, MoR)
• We do NOT sell data to third parties
• You can export or delete your data anytime via Settings → Privacy
• GDPR + KVKK rights honored for EU + Turkish residents
1. Data we collect
Account data: email, name, organization, role. Provided during signup.
Subscription data: plan and payment-method metadata (card last 4 digits and expiry; the full card number never touches our servers and is held by Paddle). Received from payment provider webhooks.
Product data: brands, competitors, prompts, AI responses we've scanned for you.
Usage data: page views, feature usage, error logs. Collected for product improvement.
Technical data: IP address, user agent, cookies (see Cookie Policy below).
2. How we use it
• Running the Service (executing scans, generating reports, sending alerts)
• Billing and customer support
• Detecting abuse and debugging errors
• Aggregated, anonymized product analytics to improve the Service
• Transactional email (subscription events, alerts you've opted into)
We do NOT use your data to train AI models. We do NOT sell your data to third parties.
3. Third-party processors
• **Paddle** - Merchant of Record for payments. Handles tax calculation, invoicing, subscription management. See paddle.com/legal.
• **Stripe** - secondary payment processor (if enabled for the environment). See stripe.com/legal.
• **Resend / SendGrid** - transactional email delivery.
• **Neon / PostgreSQL** - primary database (EU region for EU customers).
• **Upstash Redis** - session + queue cache.
• **Fly.io / Vercel** - compute + static hosting.
• **OpenAI, Anthropic, Google, Perplexity, etc.** - the AI platforms we query on your behalf. We send your prompts to them; their privacy policies apply to that interaction.
• **Sentry** - error monitoring (PII scrubbed before upload).
• **OneSignal** - optional push notifications.
Full Data Processing Agreements available on request: legal@menra.ai.
4. Data retention
• Account data: kept while account is active, deleted 30 days after account closure
• Product data: same - 30-day grace period after closure to request export, then permanent deletion
• Billing records: retained 10 years to comply with tax law (this cannot be shortened, even on a deletion request)
• Aggregated analytics: retained indefinitely in anonymized form
5. Your rights (GDPR + KVKK)
You have the right to:
• Access: request a copy of your data
• Correct: fix inaccuracies
• Delete: remove your account and associated data (Settings → Privacy → Delete Account)
• Port: export your data in a machine-readable format
• Object: opt out of specific processing (non-essential email, analytics)
• Withdraw consent: at any time for features that require it
Exercise rights via Settings → Privacy or by emailing privacy@menra.ai. We respond within 30 days.
6. Cookies
Essential cookies only: auth session, CSRF token, locale preference. No third-party analytics cookies without consent (cookie banner shown on first visit where required by law).
menra_auth_token - apex-scoped, httpOnly - is the primary auth cookie. NEXT_LOCALE is a language preference. All essential.
7. Security
• All data in transit: TLS 1.3
• Passwords: bcrypt, 12 rounds
• Database: encrypted at rest
• Access: principle of least privilege, audit logged, quarterly review
Report security issues: security@menra.ai (GPG key on request).
8. Children
Menra is not directed to users under 18. We do not knowingly collect data from minors. If you believe a child has created an account, contact us and we'll remove it.
9. Changes
We may update this policy. We will notify you of material changes by email at least 14 days in advance.
Contact
Data Protection Officer: privacy@menra.ai
Legal: legal@menra.ai
Supervisory authority (EU): data protection authority of your EU member state
Supervisory authority (TR): Kişisel Verileri Koruma Kurumu (KVKK)