In plain English
We use third-party providers under contract to run menthra. For operational and security reasons we do not publish vendor names here. We list the categories and the data each touches. Corporate and clinical customers receive the full vendor list under NDA. We give at least 30 days' advance notice of material category changes.
1. How We Use Subprocessors
menthra contracts with third-party providers ("subprocessors") to operate specific parts of the platform. Every subprocessor signs a Data Protection Agreement — plus a Business Associate Agreement where they may access Protected Health Information under HIPAA. Subprocessors may only use data to deliver the service they are contracted for.
2. Subprocessor Categories
2.1 Cloud hosting
- What they do: provide compute, storage, databases, and backup infrastructure.
- Data touched: all platform data, encrypted at rest and in transit.
- BAA: yes.
2.2 AI infrastructure
- What they do: provide the language processing that powers AI companion conversations.
- Data touched: conversation content in de-identified form, under the HIPAA Safe Harbor standard (45 CFR §164.514(b)). No Protected Health Information and no direct identifiers are sent.
- BAA: not required — the data is de-identified before transmission.
2.3 Voice and avatar rendering
- What they do: convert text to speech, render companion avatars, and generate video for Evoke digital twins.
- Data touched: content being rendered (not raw user conversations).
- BAA: yes, where PHI may be rendered.
2.4 Communications
- What they do: deliver transactional and marketing email, SMS, and push notifications.
- Data touched: contact details (email address, phone number), message content.
- BAA: yes for health-related transactional messages.
2.5 Payments
- What they do: process payments, manage subscriptions, and calculate tax for US and India billing.
- Data touched: billing details, payment method metadata, invoice records. Full card numbers are handled entirely by the payment processor — menthra never stores them.
- BAA: not applicable (financial data, not health data).
2.6 Analytics
- What they do: product analytics, error monitoring, performance telemetry.
- Data touched: de-identified usage events only. Never conversation content.
- BAA: not applicable (de-identified).
2.7 Background verification
- What they do: credentialing checks for Evoke clinicians and Sage coaches (license verification, malpractice insurance, basic background screening where required).
- Data touched: professional identity and credentialing data of providers. Never end-user data.
- BAA: not applicable (provider data, not end-user PHI).
3. Material Changes
We may add, remove, or change subprocessor categories. We notify corporate and clinical customers of material changes (for example, adding a new data-touching category or significantly changing what an existing category does) at least 30 days in advance via direct communication. For consumer users, we update this page and flag significant changes in the Privacy Policy update notice.
4. Full Vendor List (NDA)
Corporate, clinical, and partner customers can request the current vendor list under NDA. Contact legal@menthra.ai with your organization name, account, and the purpose of the request.
5. Related Documents
- Privacy Policy — full detail on what we collect and why.
- Security Overview — how we protect data across subprocessors.