Privacy Policy
Last Updated: December 17, 2025
1. Introduction
Mirror ("we", "our", "us") respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal data in compliance with GDPR (EU) and CCPA (California).
2. Data We Collect
Account Information
- Email address
- Name
- Password (encrypted)
- Payment information (processed by Stripe, not stored by us)
Interview Data
- Voice recordings: Temporary storage for processing
- Transcripts: Text versions of your spoken responses
- Feedback reports: AI-generated evaluations
- Progress metrics: Interview history, scores, improvement trends
Usage Data
- Login times and session duration
- Features used and pages visited
- Device type, browser, IP address
- Error logs and performance data
3. Voice Data Retention
Voice Audio Files: Automatically deleted after 180 days
Text Transcripts: Retained indefinitely for your historical review and service improvement
We delete voice recordings after 180 days to allow you to review your practice sessions. Transcripts are kept to provide you with feedback history and improve our AI models.
4. How We Use Your Data
- Provide the Service: Process interviews, generate feedback, track progress
- Improve AI Models: Train and refine our interview algorithms (using anonymized data)
- Communication: Send account updates, feedback summaries, and (with consent) marketing emails
- Security: Detect fraud, prevent abuse, enforce Fair Use Policy
5. Third-Party AI Providers & Data Transfers
Service Providers:
- Google Gemini (Google LLC, Mountain View, CA)
- OpenAI API (OpenAI Inc., San Francisco, CA)
What Gets Shared:
When you use our service, your interview questions and responses are sent to these AI providers for real-time processing.
GDPR Compliance (EU Data Transfers):
- We use Standard Contractual Clauses (SCCs) for EU→US data transfers
- AI providers do NOT use your data to train their public models (enterprise agreement)
- You can object to specific providers (we'll use fallback AI models)
CCPA Notice:
We do not "sell" your personal information as defined by CCPA. We share data with service providers under strict contractual obligations.
6. Data Storage & Security
- Voice files: Google Cloud Storage (US-West region)
- Transcripts & user data: Firebase (EU & US regions with automatic replication)
- Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
- Access controls: Limited employee access, logging all data access
7. Cookies & Tracking
Essential Cookies (Always On):
- Authentication session (1 hour, auto-refreshes while active)
- User preferences (365 days)
Analytics Cookies:
- Google Analytics for usage patterns
- Sentry for error tracking
Manage Preferences: Settings → Privacy. Disabling analytics does not affect core functionality.
8. Your Privacy Rights
For All Users:
- Delete: Request account deletion at mirror.dev.01@gmail.com
- Change Password: Update via Profile → Security
🇪🇺 EU/EEA Residents (GDPR Rights):
- Right to Access: Request a copy via mirror.dev.01@gmail.com
- Right to Rectification: Update display name in Profile settings
- Right to Erasure: Request deletion via mirror.dev.01@gmail.com
- Right to Restriction: Request via mirror.dev.01@gmail.com
- Right to Portability: Request data export via mirror.dev.01@gmail.com
- Right to Object: Request via mirror.dev.01@gmail.com
- Right to Lodge Complaint: File with your Data Protection Authority
Legal Basis: Contract performance, legitimate interests, consent (marketing)
🇺🇸 California Residents (CCPA Rights):
- Right to Know: Request via mirror.dev.01@gmail.com
- Right to Delete: Request via mirror.dev.01@gmail.com
- Right to Opt-Out: Request to limit sharing via mirror.dev.01@gmail.com
- Non-Discrimination: We won't charge different prices for exercising rights
How to Exercise: Email mirror.dev.01@gmail.com with "California Privacy Request"
Authorized Agent: You may designate someone to submit requests on your behalf
9. Data Protection Officer
For GDPR requests or privacy concerns, contact:
Privacy Contact: mirror.dev.01@gmail.com
Response Time: We aim to respond within 30 days
10. Children's Privacy
Mirror is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email and update the "Last Updated" date.
12. Contact Us
For privacy questions or to exercise your rights:
Email: mirror.dev.01@gmail.com
Response Time: We aim to respond within 5 business days