Bespoke Mentis

Privacy Policy

Last Updated: March 11, 2026 · Version 2.0

Bespoke Mentis builds governance-first AI infrastructure. That same principle applies to how we handle your data: with transparency, specificity, and respect for your rights.

CPRA · California | GDPR · EU | CalOPPA | COPPA Compliant

§ 1 — Who We Are

Bespoke Mentis, Inc. ("Bespoke Mentis," "we," "us," or "our") is a California corporation that develops governance-first AI systems for enterprise and regulated industries.

Legal Entity: Bespoke Mentis, Inc.

State of Incorporation: California, United States

Principal Address: 20798 Hawthorne Blvd, Suite B, Torrance, CA 90503

Privacy Contact: — subject line: "Privacy Request"

This policy applies to the bespokementis.com website and all public-facing digital surfaces operated by Bespoke Mentis. It does not govern data handling within enterprise product deployments (MIOS, Agent Conexus, Foresight, Mentis Console), which are governed by separate Data Processing Agreements with each client.

§ 2 — What Data We Collect

We collect personal information only when you actively provide it or when it is technically necessary for website operation. We do not use behavioral advertising, tracking pixels, or retargeting.

2.1 — Contact and Inquiry Forms

When you submit a general inquiry, enterprise consultation, demo access request, or movement application, we collect:

  • First and last name
  • Email address (business email required for enterprise and demo forms)
  • Company name, company website, job title (enterprise and demo forms)
  • Industry, company size, region, deployment timeline (enterprise consultation form)
  • Products of interest and strategic needs (enterprise consultation form)
  • Your message or inquiry description
  • LinkedIn profile URL (movement application form — optional)
  • Professional background and essay responses (movement application form)

2.2 — Mentis AI Chat Interface

  • Conversation messages — each message you send is transmitted to our server and processed by OpenAI to generate a response (see §3 — Sub-processors); your conversation history is also cached in your browser's localStorage for continuity across page reloads
  • Anonymous session identifier — for rate limiting; not linked to your identity
  • IP address — for abuse prevention and rate limiting; purged after approximately 1 hour

2.3 — Meeting Scheduling

  • First and last name
  • Email address
  • Preferred meeting time
  • Calendar event details

2.4 — Technical and Analytics Data

  • Pages visited and navigation paths (anonymous)
  • Time spent on pages (anonymous)
  • CTA interaction events (anonymous click events — no content captured)
  • Click coordinates for heatmap analysis (x/y position only — no content, no form data)
  • Browser type, operating system (anonymous, aggregated)
  • Core Web Vitals performance metrics (anonymous)
  • IP address (processed by Vercel infrastructure; not stored by us beyond rate limiting)
  • Storage consent preference (whether you accepted or declined our privacy notice)

2.5 — Data We Do Not Collect

  • No cross-site tracking or behavioral advertising profiles
  • No third-party marketing pixels (no Google Ads, Meta Pixel, LinkedIn Insight Tag)
  • No biometric data
  • No financial information
  • No sensitive personal information as defined under CPRA (government IDs, health data, racial/ethnic origin, etc.) — we request that you do not submit this through our public forms or Mentis chat

§ 3 — How We Use Your Data

Responding to inquiries

Data: Contact form submissions

Legal basis: Legitimate interest / pre-contract

Enterprise sales and account management

Data: Enterprise form data, email correspondence

Legal basis: Legitimate interest / contract performance

Demo access evaluation and provisioning

Data: Demo request form data

Legal basis: Legitimate interest / pre-contract

Meeting scheduling and confirmation

Data: Name, email, meeting time

Legal basis: Contract performance

AI chat response generation

Data: Chat messages → processed by OpenAI GPT-4

Legal basis: Legitimate interest (anonymous session)

Abuse prevention and rate limiting

Data: IP address, session ID

Legal basis: Legitimate interest

Website performance and improvement

Data: Anonymous analytics events

Legal basis: Legitimate interest

Security monitoring and incident response

Data: Technical logs, IP addresses

Legal basis: Legitimate interest / legal obligation

Movement application review

Data: Application form data

Legal basis: Legitimate interest / pre-contract

We do not use personal data for automated individual profiling that produces legal or similarly significant effects without a separate, explicit consent and disclosure mechanism.

§ 4 — Analytics & Tracking

We operate a privacy-first analytics architecture. No behavioral advertising data is collected. No cross-site tracking occurs. Session tracking is anonymous and does not persist across browser sessions.

Vercel Analytics

Tracks anonymous page views. No cookies set. Data processed by Vercel, Inc. (San Francisco, CA). Compliant with GDPR (anonymized). Vercel Privacy Policy →

Vercel Speed Insights

Tracks Core Web Vitals (page load performance). Anonymous. No personal data collected. Processed by Vercel, Inc.

Bespoke Mentis First-Party Analytics

Our own privacy-first analytics system tracks: page views (with time-on-page), anonymous CTA interaction events, and click heatmap coordinates (x/y position only — no content captured, no form field data, no keystrokes). Session identity is a random anonymous UUID stored in sessionStorage — it expires when you close your browser tab and is never linked to your name or email. Admin pages are explicitly excluded. No cross-session tracking occurs. Data is stored in our own Vercel Postgres database.

We do not use Google Analytics, Google Ads, Meta Pixel, LinkedIn Insight Tag, Mixpanel, Segment, Amplitude, or any third-party behavioral analytics platforms.

§ 5 — Third-Party Service Providers (Sub-processors)

We share personal data only with the following service providers, for the purposes described. All sub-processors are contractually bound to process data only as instructed. Full sub-processor list: bespokementis.com/legal/subprocessors.

| Provider | Service | Data Received | Location |
|---|---|---|---|
| Vercel, Inc. | Hosting, CDN, analytics | Page view data, IP address | USA (SOC 2 Type II) |
| Neon / Vercel Postgres | Database | Form submissions, CRM records, analytics events | USA (SOC 2 Type II) |
| OpenAI, L.L.C. | AI model inference (Mentis chat) | Chat messages only (anonymous session) | USA (SOC 2 Type II) |
| Resend / SendGrid (Twilio) | Transactional email delivery | Name, email address, message context | USA (SOC 2 Type II) |
| Google LLC | Calendar (meeting scheduling) | Name, email, meeting time | USA / Global (ISO 27001) |
| hCaptcha (Intuition Machines) | Bot detection | IP address, browser fingerprint signals | USA |
| LinkedIn Corp. | OAuth (Strategic Signal Command — admin only) | OAuth scopes granted by admin user | USA |

§ 6 — Data Retention

Contact / inquiry form submissions

24 months from last contact, then deleted or anonymized

Enterprise consultation form submissions

36 months from last contact (active sales pipeline), then deleted or anonymized

Demo access request records

24 months from submission, then deleted or anonymized

Movement application records

24 months from submission, then deleted or anonymized

Mentis chat history

Conversation messages are processed server-side via OpenAI for each response. Your conversation history is cached in browser localStorage for continuity — cleared when you clear browser data. OpenAI does not train on API inputs by default (see §3).

Meeting / calendar data

Until the meeting occurs or is cancelled; email delivery logs up to 30 days (Resend/SendGrid)

IP address / session data (rate limiting)

Approximately 1 hour, then automatically purged

Anonymous analytics events

13 months rolling, then aggregated/anonymized

Security / audit logs

12 months, then archived or deleted

Storage consent preference

Until you clear your browser localStorage

You may request early deletion of your personal data at any time. See § 8 (California rights) or § 10 (EU/EEA rights) below. Requests are processed within 45 days (CPRA) or 30 days (GDPR).

§ 7 — Automated Decision-Making

The Bespoke Mentis website itself does not use automated decision-making technology (ADMT) to make decisions that produce legal or similarly significant effects about you as a website visitor.

Within our commercial AI products (Agent Conexus, Foresight, MIOS, Mentis Console), automated intelligence systems assist in generating outputs, recommendations, and analyses. These products are sold to enterprise clients. All outputs from these systems are subject to mandatory human review gates as part of our constitutional governance architecture. No automated decision that could materially affect a person's rights, finances, health, or opportunities is made without a documented human oversight step.

California residents who interact with our products as data subjects in a client's deployment may submit ADMT inquiries or opt-out requests to with subject line "ADMT Request." We will route your request to the appropriate client controller within 10 business days.

§ 8 — California Consumer Rights (CPRA)

Applies to California residents. Separate from and in addition to EU/GDPR rights.

If you are a California resident, the California Privacy Rights Act (CPRA) grants you the following rights with respect to your personal information:

Right to Know

Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, business purposes for collection, and the categories of third parties with whom it is shared.

Right to Delete

Request deletion of personal information we have collected from you, subject to certain legal exceptions (e.g., completing a transaction, security purposes, legal compliance).

Right to Correct

Request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale or Sharing

We do not sell or share personal information for cross-context behavioral advertising. If this changes, we will update this policy and implement a Do Not Sell/Share mechanism.

Right to Limit Use of Sensitive Personal Information

We do not collect sensitive personal information (as defined by CPRA) in the ordinary course of operating this website. We request that you do not submit sensitive personal information through our forms or chat.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CPRA rights — no service denial, price changes, or reduced quality.

Right to Opt-Out of Automated Decision-Making

For any ADMT that produces significant effects. See § 7 above.

How to Exercise Your California Rights

Email with subject line "CPRA Privacy Request". Include your full name, the email address used when contacting us, and the specific right you are exercising. We will verify your identity and respond within 45 calendar days (extendable to 90 days with notice). You may designate an authorized agent to submit requests on your behalf.

§ 9 — Do Not Sell or Share My Personal Information

Bespoke Mentis does not sell personal information as defined under the California Privacy Rights Act (CPRA). We do not share personal information for cross-context behavioral advertising.

We share data only with the service providers listed in § 5 (sub-processors), strictly for the purposes of operating this website and fulfilling your requests. These transfers are governed by Data Processing Agreements (DPAs) that prohibit sub-processors from using your data for their own purposes.

If you wish to confirm our current data-sharing status or submit a Do Not Sell/Share request, email with subject line "Do Not Sell/Share Request". We will respond within 15 business days.

§ 10 — EU/EEA Data Subject Rights (GDPR)

Applies to individuals in the European Economic Area and United Kingdom.

If you are located in the EU, EEA, or UK, the General Data Protection Regulation (GDPR) and/or the UK GDPR grants you the following rights:

  • Right of Access (Article 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data.
  • Right to Erasure / "Right to Be Forgotten" (Article 17): Request deletion of your personal data where no overriding legal basis exists.
  • Right to Restriction of Processing (Article 18): Request that we restrict processing in certain circumstances.
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format (JSON or CSV) for transfer to another controller.
  • Right to Object (Article 21): Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority. In the EU, the relevant authority is typically the DPA of your Member State.

How to Exercise Your GDPR Rights

Email with subject line "GDPR Privacy Request". We will respond within 30 calendar days (extendable to 60 days with notice for complex requests).

§ 11 — International Data Transfers

Bespoke Mentis is based in the United States. If you are located in the EU, EEA, or UK, your personal data will be transferred to and processed in the United States, which does not have an adequacy decision from the European Commission for all transfer mechanisms.

We rely on the following lawful transfer mechanisms for international data transfers from the EU/EEA/UK to the US:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (2021) in our contracts with sub-processors that process EU personal data.
  • UK International Data Transfer Agreements (IDTAs): For transfers to the UK post-Brexit.
  • Adequacy decisions: Where the recipient country has an adequacy decision, we rely on that decision.

To request a copy of the applicable SCCs or transfer documentation, email with subject line "GDPR Transfer Mechanism Request."

§ 12 — Children's Data (COPPA)

Bespoke Mentis does not knowingly collect personal information from children under the age of 13 (or under 16 for California residents, pursuant to CPRA's protections for minors). Our website and services are intended for business professionals and enterprise users.

If you are a parent or guardian and believe a child has submitted personal information to us, please contact with subject line "COPPA — Minor Data Request." We will promptly delete such data upon verification.

§ 13 — Security

We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

  • All connections encrypted using HTTPS / TLS 1.3
  • Data at rest encrypted using AES-256
  • API keys and credentials stored as environment variables — never in source code
  • Access to personal data restricted to authorized personnel with documented need-to-know
  • Rate limiting and bot-prevention mechanisms active on all public endpoints
  • Admin infrastructure access requires multi-factor authentication
  • Security event logging and monitoring active across all services
  • Penetration testing conducted periodically by qualified third parties
  • Architecture designed to support SOC 2 Type II and ISO 27001 certification (in progress)

No system is 100% secure. We continuously monitor and improve our security posture. See our Trust & Security Center for current certification status.

§ 14 — Storage Mechanisms (localStorage & Cookies)

This website primarily uses browser localStorage rather than traditional HTTP cookies for client-side data storage. We do not set advertising cookies. See our Cookie & Storage Policy for a complete categorized table of all storage mechanisms used.

Mentis Chat History (bm_chat_*) · Functional

Caches your conversation locally so you can continue across page reloads. Each message is also transmitted to our server and processed by OpenAI to generate responses (see §3 — Sub-processors).

Privacy Consent Preference (bm-privacy-consent) · Essential

Records whether you have accepted our privacy notice. Version-controlled.

Anonymous Session ID (bm_anon_id) · Analytics

Random UUID stored in sessionStorage (not localStorage). Expires when you close your browser tab. Used only for anonymous analytics session grouping. Not linked to your identity.

Human Verification Status · Functional

Remembers that you have passed our human verification check on the Mentis chat, so you do not need to verify on every visit.

You can clear all localStorage data at any time through your browser settings (Settings → Privacy → Clear Site Data). This will reset your Mentis chat history and privacy consent preference.

§ 15 — Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Bespoke Mentis will:

  • Notify the relevant supervisory authority (e.g., EU Data Protection Authority) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected individuals directly without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Article 34)
  • Notify California residents in accordance with California Civil Code § 1798.29 and § 1798.82 (California Data Breach Notification Law)
  • Maintain an internal record of all data breaches, their effects, and remedial actions taken

To report a suspected security vulnerability or data incident, email with subject line "Security Incident" or visit our Trust Center for our Vulnerability Disclosure Policy.

§ 16 — Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices, legal requirements, or product capabilities. When we make material changes, we will:

  • Update the "Last Updated" date and version number at the top of this page
  • For significant changes affecting your rights, provide notice via email where we have your contact information
  • Maintain a version history that documents material changes

Continued use of our website after the effective date of an updated policy constitutes acceptance of the revised terms, subject to applicable law. If you do not agree to the changes, please discontinue use of our website and contact us to delete your data.

§ 17 — Contact & Privacy Officer

For any questions about this Privacy Policy, to exercise your rights, or to submit a privacy-related request:

Privacy Contact:

Subject Lines:

  • "CPRA Privacy Request" — California consumer rights
  • "GDPR Privacy Request" — EU/EEA data subject rights
  • "Do Not Sell/Share Request" — opt-out of data sale/sharing
  • "ADMT Request" — automated decision-making inquiries
  • "COPPA — Minor Data Request" — children's data removal
  • "Privacy Request" — general inquiries
  • "Security Incident" — data breach or vulnerability reports
  • "GDPR Transfer Mechanism Request" — SCC documentation

Mailing Address:
Bespoke Mentis, Inc. — Privacy
20798 Hawthorne Blvd, Suite B
Torrance, CA 90503

Privacy Policy v2.0 · Effective March 11, 2026 · Supersedes all prior versions