Privacy Architecture

Most platforms promise privacy in a Terms of Service.
We enforce it in the database.

See how Mentor keeps individual mentoring data invisible to leadership. Not an access control someone in your org could quietly flip, but a database rule with no org-side override.

The Problem

Policy promises erode the moment someone has admin access.

NDAs can be overridden. Access controls can be escalated. When there is a technical path to view individual data, trust erodes — even if no one takes it. The existence of the path is the problem.

Policy-Based Privacy

  • Access controls (revocable)
  • NDAs and contracts
  • Trust-based promises
  • Org-admin override possible

Architecture-Based Privacy

  • Database-level enforcement
  • Minimum group size thresholds
  • No org-admin override by design
  • Blocked by the database, not by a setting

How We Enforce It

Three layers of architectural enforcement.

Privacy is not a feature we built on top. It is embedded in row-level security policies, minimum group size thresholds, and hierarchical scope rules.

What each person sees

How data flows through the privacy gate

Scope-based visibility by hierarchy level

The enforcement in pseudocode

Row-Level Security Policy
-- Users can only read their own mentoring data
CREATE POLICY user_isolation ON mentoring_data
  FOR SELECT USING (
    user_id = auth.uid()
  );

-- No org-side override. No org backdoor query.
-- The database rejects the request before
-- application code is involved.
Minimum Group Size Enforcement
FUNCTION enforce_minimum_group_size(data, group)
  IF group.member_count < MIN_CLUSTER_SIZE (8)
    RETURN null
    -- Data is hidden, not shown as zero.
    -- Leaders never know this group exists.

  RETURN aggregate(data)
  -- Only pre-computed averages and trends.
  -- Individual records never leave the table.
Hierarchical Scope Enforcement
FUNCTION resolve_visible_scope(leader, hierarchy)
  scope = leader.position_in_hierarchy

  -- Company-wide: aggregated across all departments
  -- Department: only teams within their department
  -- Team: only their direct reports (if 8+ members)

  RETURN filter_to_scope(scope)
  -- Leaders see only what their position permits.
  -- No escalation path. No request form.

What This Means

Privacy that serves everyone.

For Employees

  • Your mentoring stays yours

    Session content, personal patterns, and growth reflections are never visible to anyone in your organization. Not your manager. Not HR. Not the CEO.

  • No one in your organization can access your individual sessions

    There is no org admin panel, no manager view, and no HR export that returns individual mentoring data. Database row-level security rejects those reads before application code even runs.

  • Your growth is private by default

    Your personal data is isolated at the row level: your account can only ever read its own rows. Privacy from your organization is not a setting someone turns on. It is the architecture itself.

For Leaders

  • Real signal from real engagement

    Because employees know their privacy is protected architecturally, they engage honestly. Your aggregate data reflects reality, not performance theater.

  • Aggregate patterns you can act on

    See department-level themes, commitment follow-through rates, and engagement direction. Enough to lead well. Never enough to surveil.

  • Trust that compounds over time

    When people trust the system, participation deepens. Richer data produces sharper organizational signal. Privacy is not a constraint on leadership visibility. It is the foundation of it.

Built on verifiable commitments

Encrypted in transit (TLS) and encrypted at rest by our database provider
Row-level security on personal data: your account reads only its own rows
Org reporting is aggregate-only, and hidden entirely below 8 active members
Crisis support is handled between you and Mentor. Your organization is never notified
Delete your account in the app: 30-day reversal window, then removal
Full data export on request through support, until self-serve export ships

The honest boundary

What this page promises is the boundary between you and your organization, and that boundary is enforced in the database. Mentor itself runs the service, so Mentor's systems process your data to mentor you, and a small number of Mentor staff can access production data to operate the service and act on safety. That access lives at Mentor, under contract and policy. It is never available to your employer. Our full privacy policy spells out exactly what we store and who can read it.

Privacy your people can verify. Not just believe.

Deploy Mentor to a team of 25. See how architectural privacy changes the quality of engagement when people know their mentoring is genuinely theirs.