GDPR Compliance
How MentionFox complies with the EU General Data Protection Regulation
Last updated: April 2026
Our Role Under GDPR
MentionFox acts as a data controller for the personal data of our users (account holders). When our users use MentionFox to collect and process data about third parties (such as social media mentions, contact enrichment, and lead generation), MentionFox acts as a data processor on behalf of the user, who is the data controller for that data.
MentionFox is operated by Saul Fleischman, based in Osaka, Japan. While we are not EU-based, we fully comply with GDPR for all EU/EEA data subjects who use our service or whose data is processed through our platform.
Legal Basis for Processing
We process personal data under the following legal bases as defined in Article 6(1) of the GDPR:
- Contractual Necessity (Art. 6(1)(b)) — Processing account data, billing information, and service data is necessary to provide the MentionFox service you signed up for.
- Legitimate Interest (Art. 6(1)(f)) — Processing usage analytics to improve our product, detecting fraud and abuse, and maintaining platform security. We have balanced these interests against users' rights and determined the processing is proportionate and expected.
- Consent (Art. 6(1)(a)) — Where required, such as for optional email communications. You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)) — Retaining certain records as required by applicable tax and financial regulations.
Your Rights as a Data Subject
Under GDPR Articles 15–22, EU/EEA residents have the following rights regarding their personal data:
- Right of Access (Art. 15) — Request a complete copy of all personal data we hold about you, including how it is processed and with whom it is shared.
- Right to Rectification (Art. 16) — Request correction of any inaccurate or incomplete personal data we hold.
- Right to Erasure (Art. 17) — Request permanent deletion of your personal data. See our Data Deletion page for details on the process and timeline.
- Right to Restriction (Art. 18) — Request that we limit the processing of your data to storage only while a dispute or request is being resolved.
- Right to Data Portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV). You may also request we transmit it directly to another controller where technically feasible.
- Right to Object (Art. 21) — Object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right Not to Be Subject to Automated Decision-Making (Art. 22) — MentionFox does not make solely automated decisions that produce legal effects concerning you. AI-powered features like enrichment and lead scoring are tools for human decision-making, not automated decision systems.
How to Exercise Your Rights
To exercise any of the rights listed above, contact us at legal@mentionfox.com with the subject line "GDPR Data Subject Request."
We will verify your identity before processing any request. We respond to all requests within 30 days. If a request is complex or we receive a high volume of requests, we may extend this by an additional 60 days, and we will inform you of the extension within the initial 30-day period.
All requests are handled free of charge unless they are manifestly unfounded or excessive.
International Data Transfers
MentionFox's infrastructure involves data processing in the following regions:
- Database (Supabase/AWS) — Tokyo, Japan (ap-northeast-1)
- Frontend (Vercel) — Edge network with global distribution
- AI Processing (Anthropic, DeepSeek) — United States
- Payment Processing (Stripe) — United States and EU
For transfers of personal data outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) — As adopted by the European Commission, included in our agreements with sub-processors.
- Adequacy Decisions — Japan has received an adequacy decision from the European Commission (January 2019), meaning transfers to Japan are permitted under GDPR.
Data Protection Impact Assessment
We have conducted Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including contact enrichment and automated lead scoring. These assessments evaluate the necessity, proportionality, and risks of processing, and identify mitigation measures.
Data Breach Notification
In the event of a personal data breach that poses a risk to individuals' rights, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches, their effects, and remedial actions taken.
Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU Data Protection Authorities is available at edpb.europa.eu.