Privacy Policy

Last updated: 12 May 2026

Who we are

PM Mentor is operated by Joe Houghton, Houghton Consulting, Lucan, County Dublin, Ireland (the Data Controller). Contact: joe.houghton@gmail.com.

PM Mentor is an independent product. It is not affiliated with, endorsed by, or authorised by PMI, APM, AXELOS, the Agile Alliance, the Scrum Alliance, or any other standards body.

What data we collect and why

  • Account data — name and email address from your Google account, collected to identify you and provide the service.
  • Project data — project records, descriptions, methodology, phase information, and ECCSR commitments you enter, used to power AI adviser responses.
  • Conversation data — messages you send and AI responses, stored to maintain conversation history and decision logs.
  • Decision records — AI messages you mark as a decision basis, with your notes, retained as your project audit trail.
  • Feedback — helpful/not helpful ratings and optional notes, used to improve the service.
  • Usage data — message counts and subscription status, used to apply fair-use limits.
  • Session data — an httpOnly session cookie, essential for authentication.

Legal basis

Processing is necessary for the performance of the contract (your subscription) and for our legitimate interests in operating the service. Where you give optional information (ECCSR commitments, decision notes), the basis is your consent.

AI training prohibition

Your project data and conversation content are never used to train AI models. This is stated in our agreement with Anthropic (our AI provider) and enforced contractually.

Message immutability and your right to erasure

Conversation messages are immutable within an active account — they cannot be edited or deleted individually. However, your right to erasure under GDPR Art. 17 applies to your account as a whole. Deleting your account removes all your data, including all messages, within 30 days.

Retention periods

  • User account: active duration, plus 30 days after cancellation.
  • Projects and conversations: active duration, plus 60-day recovery window.
  • Conversation history: 90 days (Individual), 12 months (Team), unlimited (Organisation).
  • Decision records: same as the linked project.
  • Feedback: anonymised aggregates retained indefinitely; personal link removed on account deletion.
  • Escalation records: 12 months.
  • Server logs: 30 days (Vercel).

Sub-processors

| Provider | Role | Location |
|---|---|---|
| Anthropic | AI processing (Data Processor) | USA (DPA in place) |
| Supabase | Database hosting (Data Processor) | EU West |
| Vercel | Web hosting (Data Processor) | Global edge / EU |
| Resend | Transactional email (Data Processor) | USA |
| Paddle | Payment processing (separate Data Controller) | Global |
| Plausible | Privacy-first analytics — no personal data, no cookies | EU |

Your rights

  • Access — request a JSON export of all your data from Settings.
  • Rectification — update your profile in Settings.
  • Erasure — delete your account in Settings. All data removed within 30 days.
  • Portability — JSON export plus PDF decision log export.
  • Object / Restrict — contact joe.houghton@gmail.com. We respond within 30 days.

No automated decisions are made about you. The AI adviser provides guidance; all decisions remain yours.

Cookies

One essential session cookie only — required for authentication. No tracking cookies. No cookie consent banner required. Plausible analytics uses no cookies and collects no personal data.

Data breaches

In the event of a personal data breach, we will notify the Irish Data Protection Commission within 72 hours (GDPR Art. 33) and affected users without undue delay where there is a high risk to their rights and freedoms.

Supervisory authority

You have the right to lodge a complaint with Ireland's Data Protection Commission: www.dataprotection.ie