MIRRA
Privacy Notice
Last updated: July 14, 2026
1. Who is responsible for your data
The data controller is EVERSINCE, a French société par actions simplifiée with a share capital of €1,000, registered with the RCS of Bourges under number 999 875 461, registered office: Rue François Coillard, 18000 Bourges, France. For any privacy question or request, contact us at mirra@eversince.io. This notice describes how we process personal data in accordance with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés) and, for United States residents, applicable US state privacy laws (see section 11).
2. Who this notice applies to
This notice applies to everyone who visits Mirra, takes the quiz, creates an account or purchases the service. It forms part of our Terms & Conditions.
3. The data we collect
- Account data: your email address, account identifiers and sign-in events (we use passwordless email links, so we never store a password).
- Quiz answers: your responses about yourself and your preferences (for example your date of birth, relationship goals and the qualities you value). These touch on your personal life, so we treat them with heightened care: they are stored encrypted at rest, are never sold, and are used only to create your portrait, reading and insights.
- Generated content: the portrait, optional realistic portrait and reading created for you, stored in a private storage bucket accessible only through your account. All portraits are AI-generated.
- Purchase data: your subscription status, trial and renewal dates, and payment events. Payments are handled by Stripe; we never see or store your full card number.
- Usage data: first-party funnel events (for example “question 4 answered”), basic technical logs and security data such as IP-based rate-limiting counters.
- Advertising data: if you arrive from an ad, we store the ad click identifiers and campaign parameters from the link in first-party cookies and on your account. To measure our advertising, we share conversion events (for example “signed up”, “purchased”) with the ad platform your click came from (Meta, Google, Pinterest or TikTok), including a hashed (unreadable) version of your email address, your IP address and browser type, and the click identifier. We never share your quiz answers, your portrait, your reading or your card details with ad platforms. You can opt out of this sharing at any time by writing to us.
- Compatibility checks: the first name and birth date of people you choose to check are provided by you, visible only to you, and deletable one by one from the app at any time.
- Support communications: messages you send us and our replies.
4. Why we process it, and on what legal basis
- To provide the service (create your account, generate your portrait and reading, deliver purchases, send transactional emails such as receipts, trial reminders and sign-in links) — performance of the contract (Art. 6(1)(b) GDPR).
- To bill you and keep required records (invoices, accounting, anti-fraud evidence) — legal obligation (Art. 6(1)(c)).
- To secure and improve the product (rate limiting, abuse prevention, first-party funnel analytics with no advertising use) — our legitimate interest (Art. 6(1)(f)) in running a safe, working service.
- Where we rely on consent (Art. 6(1)(a)) — for example if we ever introduce marketing emails — you can withdraw it at any time, as easily as it was given.
Your portrait and reading are generated automatically from your answers, but Mirra makes no automated decisions that produce legal or similarly significant effects about you (Art. 22 GDPR).
5. If you don't provide the data
The quiz answers and your email address are necessary to create your portrait, reading and account: without them we simply cannot deliver the service. Everything else is optional.
6. Who we share your data with
We never sell your personal data and we share it only with processors acting on our instructions under data-processing agreements:
- Vercel — hosting and content delivery for the web application; as host it processes technical request data such as IP addresses and server logs.
- Supabase — database, authentication and private file storage hosting your account, answers and portrait.
- Stripe — payment processing and billing portal (Stripe acts as an independent controller for the payment data it collects).
- AI infrastructure providers — used transiently to generate your portrait and reading from your answers; your data is not used to train their models on our instruction.
- Email delivery provider (Resend) — to send sign-in links and transactional emails.
Beyond processors, we may disclose data to professional advisers, to authorities when legally required, or as part of a merger or sale of assets — in which case this notice continues to apply to your data.
7. Where your data is processed
Our providers process data in the United States and/or the European Union. If you are in the US, your data may therefore be stored and processed in the US. For data originating in the EU/EEA, transfers outside the EEA are protected by an adequacy decision (such as the EU–US Data Privacy Framework, where the provider is certified) or by the European Commission's Standard Contractual Clauses, together with additional safeguards such as encryption at rest and in transit. You can request a copy of the relevant safeguards at mirra@eversince.io.
8. How long we keep your data
- Account, answers and generated content: for as long as your account exists. Deleting your account permanently removes your profile, answers, portrait file and reading — a real deletion, not a soft-delete.
- Billing records: kept for the period required by French commercial and tax law (up to 10 years), even after account deletion.
- Funnel events and technical logs: kept for a maximum of 25 months, and no longer linked to you once your account is deleted.
9. How we keep it secure
Data is encrypted in transit and at rest. Your portrait lives in a private bucket and is only ever served through short-lived signed links tied to your session. Access is restricted by row-level security so that each account can only ever read its own data. Sign-in uses one-time email links with secure, httpOnly cookies. In the event of a breach likely to result in a risk to you, we will notify the CNIL and, where required, you, within the legal timeframes.
10. Your rights
Wherever you live, you may at any time, free of charge (residents of the EU/EEA and UK hold these rights under the GDPR; US residents, see also section 11):
- access the data we hold about you and obtain a copy (portability);
- correct inaccurate data;
- erase your data — the fastest way is the delete-account button on your account page, which takes effect immediately;
- restrict or object to processing based on our legitimate interest;
- withdraw any consent, without affecting past processing;
- define directives on what happens to your data after your death (a right specific to French law).
To exercise a right, use your account page or write to mirra@eversince.io; we may ask you to confirm control of your account email, and we answer within one month. If you believe your rights have been infringed, you can lodge a complaint with the French supervisory authority, the CNIL (3 place de Fontenoy, 75007 Paris — www.cnil.fr), or with the authority of your country of residence.
11. Additional disclosures for United States residents
This section applies if you reside in a US state with a comprehensive privacy law (such as California, Colorado, Connecticut, Texas, Utah or Virginia). In the past 12 months we have collected the categories of personal information described in section 3: identifiers (email address, account IDs), customer records and commercial information (purchases, subscription status), internet activity (first-party funnel events and technical logs), and inferences reflected in the content generated for you. We collect them for the purposes in section 4 and disclose them only to the service providers in section 6.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We use no targeted-advertising cookies or trackers, so there is nothing to opt out of. We do not use sensitive personal information for purposes that would trigger a right to limit under California law, and we do not knowingly collect data from anyone under 18.
You have the right to:
- know and access the personal information we hold about you, in a portable format;
- correct inaccurate personal information;
- delete your personal information — the delete-account button on your account page takes effect immediately;
- not be discriminated against for exercising any of these rights.
To exercise these rights, use your account page or email mirra@eversince.io. We verify requests by confirming control of your account email, respond within 45 days (extendable once by 45 days where permitted), and accept requests from an authorized agent with signed proof of authority, subject to the same verification. If we refuse a request, you may appeal by replying to our decision; where your state provides it, you may also contact your state Attorney General.
12. Cookies
Mirra uses only cookies that are strictly necessary to run the service (session and security cookies). We use no advertising or cross-site tracking cookies. Details are in our Cookie Policy.
13. Children
Mirra is reserved for adults aged 18 or over. We do not knowingly collect data from minors; if you believe a minor has provided us data, contact us and we will delete it.
14. Changes to this notice
If we materially change this notice, we will inform you by email or through the service before the change takes effect, and update the date at the top of this page.