What personal data does MentionLab process?

MentionLab processes first name, last name, email, and phone number through contact forms and booking forms to ensure the execution and follow-up of contact requests and bookings.

How long does MentionLab retain personal data?

In accordance with GDPR regulations, MentionLab retains personal data only for the time reasonably necessary to fulfill the purposes for which they are processed, not exceeding 6 months.

What rights do users have regarding their personal data?

Users have the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and right to lodge a complaint with data protection authorities.

What types of cookies does MentionLab use?

MentionLab uses three types of cookies: technical cookies necessary for site operation, statistical cookies for analytics and improvements, and functional cookies to remember user preferences.

Who is the Data Protection Officer at MentionLab?

Germain Deflandre is appointed as the Data Protection Officer (DPO) at MentionLab, responsible for ensuring proper implementation of data protection provisions.

Privacy Policy

Last updated: 21.05.2026

This Privacy Policy explains how MentionLab SRL collects, uses, shares, and protects personal data when you visit our website, create an account, or use the MentionLab platform. It covers both our website at https://www.mentionlab.io (the "Website") and our software-as-a-service platform for AI visibility and listening (the "Platform", together with the Website, the "Service").

We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR") and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

1. Who we are

MentionLab SRL, a company incorporated under Belgian law, is responsible for the processing described in this Policy where we act as controller.

Registered office: Rue Blanche-Eau 15, 6950 Nassogne, Belgium
Enterprise / VAT number: BE 1030.919.265
Privacy contact: legal@mentionlab.io
Data Protection Officer (DPO): Pierre-Stanislas Quievreux - legal@mentionlab.io

You can reach our DPO for any question about this Policy or to exercise your rights (see Section 10).

2. The roles we play (controller and processor)

Whether we are a "controller" (we decide why and how data is processed) or a "processor" (we process data on someone else's instructions) depends on the context:

Controller. We are the controller for personal data of Website visitors, people who contact us, account holders and their users, billing contacts, and for the analytics and security data we generate when operating the Service. We are also the controller for the processing involved in producing aggregated AI-visibility insights, as described in Section 4.
Processor. Where a business customer uploads or inputs personal data into the Platform to be processed on its behalf (its "Customer Data"), that customer is the controller and we act as its processor. We process such data only on the customer's documented instructions. For questions about Customer Data, please contact the customer that controls it.

3. The personal data we collect

Depending on how you interact with us, we may process:

Contact and enquiry data - when you use a contact or booking form or otherwise contact us: first name, last name, email address, phone number, and the content of your message.
Account and user data - when an account is created or used: name, business email, company name, job role, user role/permissions, and authentication data.
Billing data - billing name and address, VAT number, plan, and transaction records. Card details are handled by our payment provider; we do not store full card numbers.
Usage and technical data - log data, approximate location, IP address, device and browser information, pages viewed, and actions taken in the Service.
Cookie and analytics data - see Section 6 and our Cookie Policy.
Customer Data - the queries, brand and entity names, keywords, configurations, and other content that customers submit to the Platform, which may incidentally include personal data (for example, the name of an individual that a customer chooses to track). We process this as a processor (Section 2).
AI-visibility source data - content generated by third-party AI models and large language models, and related public web sources, that we analyse to produce visibility, sentiment, ranking, and citation insights. This may include personal data where an identifiable individual is mentioned (see Section 4).

We do not intentionally collect special categories of data (such as data revealing health, religion, or political opinions). Please do not submit such data to the Platform unless your DPA expressly provides for it.

4. Why we process personal data, and our legal bases

We process personal data for the following purposes, on the following legal bases (Article 6 GDPR):

To provide and operate the Service - creating and managing accounts, delivering features, and providing support. Legal basis: performance of a contract, or steps taken at your request before entering into one.
To handle enquiries and bookings - responding to messages and scheduling demos. Legal basis: your consent and/or our legitimate interest in responding to you.
To bill and take payment - invoicing and processing payments. Legal basis: performance of a contract and compliance with our legal (accounting and tax) obligations.
To secure and improve the Service - monitoring for abuse, debugging, analytics, and product development, using aggregated or de-identified data where possible. Legal basis: our legitimate interest in a secure, reliable, and improving Service.
To produce AI-visibility insights - analysing AI-generated outputs and public web sources to measure how brands, entities, and topics appear in AI systems. Where this involves personal data about an identifiable individual mentioned in those sources, our legal basis is our legitimate interest (and our customers' legitimate interest) in analysing publicly expressed information about brands and entities, balanced against the rights of the individuals concerned. You may object to this processing as described in Section 10.
For marketing - sending updates or commercial communications where permitted. Legal basis: your consent, or our legitimate interest for existing customers, and you can opt out at any time.
To comply with the law and defend our rights - meeting legal obligations and establishing, exercising, or defending legal claims. Legal basis: legal obligation and legitimate interest.

Where we rely on consent, you may withdraw it at any time without affecting processing already carried out.

5. AI models and automated processing

The Platform relies on automated systems and third-party AI models. Insights are generated automatically, but they do not produce legal or similarly significant effects about individuals within the meaning of Article 22 GDPR. We do not use Customer Data to train our own or third parties' AI models except as instructed by the relevant customer or as described in this Policy for aggregated and de-identified data.

6. Cookies and analytics

The Website uses cookies and similar technologies to operate the site, remember preferences, and measure usage. We use strictly necessary cookies on the basis of our legitimate interest, and analytics, functional, and marketing cookies on the basis of your consent, which you can manage at any time.

7. Who we share personal data with

We share personal data only as needed and with appropriate safeguards:

Service providers (processors) acting on our behalf - for example hosting and infrastructure, payment processing, email and communications, customer support, and analytics. They process data under written agreements that meet Article 28 GDPR.
Third-party AI and data providers whose models and sources the Platform draws on to generate insights.
Professional advisers such as accountants and lawyers, where necessary.
Authorities and others where required by law, or to establish, exercise, or defend legal claims.
In a corporate transaction such as a merger, acquisition, or sale of assets, subject to this Policy.

We do not sell your personal data.

8. International transfers

We aim to host and process personal data within the European Economic Area (EEA). Where a provider processes personal data outside the EEA, we ensure an appropriate safeguard applies, such as a European Commission adequacy decision, the EU-U.S. Data Privacy Framework where applicable, or Standard Contractual Clauses together with any additional measures required. You can request more information using the contact details in Section 1.

9. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described, and then delete or anonymise it:

Enquiry and booking data - retained for the time needed to handle your request and for a limited period afterwards.
Account and usage data - retained for the duration of the account and a reasonable period after closure.
Billing and accounting data - retained for the period required by Belgian law (in principle seven years).
Customer Data - retained and deleted or returned in accordance with the applicable DPA and our agreement with the customer.
Cookie data - retained for 13 months (following GDPR and Belgian recommendation).

Specific retention periods are set in our internal retention schedule and may be adjusted to meet legal requirements.

10. Your rights

Subject to the conditions in the GDPR, you have the right to: access your personal data; have inaccurate data rectified; have data erased; restrict processing; data portability; object to processing based on legitimate interest (including for direct marketing); and withdraw consent where processing is based on consent.

To exercise your rights, contact us at legal@mentionlab.io, or by post to MentionLab SRL, Rue Blanche-Eau 15, 6950 Nassogne, Belgium. We may need to verify your identity. Where we process personal data as a processor on a customer's behalf, please direct your request to that customer; we will assist them as required.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit), Rue de la Presse 35, 1000 Brussels - https://www.autoriteprotectiondonnees.be - or with the supervisory authority in your country of residence.

11. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, including access controls, encryption in transit, and regular review of our practices. No system can be guaranteed completely secure, but we work to protect your data and to notify you and the authorities of any breach as required by law.

12. Children

The Service is intended for users aged 18 or over and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here and change the "Last updated" date, and we will provide additional notice of material changes where required by law.

14. Contact

MentionLab SRL

Rue Blanche-Eau 15, 6950 Nassogne, Belgium

Enterprise / VAT number: BE 1030.919.265

Privacy contact and DPO (Pierre-Stanislas Quievreux): legal@mentionlab.io‍