Legal Document

Privacy Policy

📅 Effective: June 28, 2026 🔄 Last updated: June 28, 2026 🌍 Applies globally

Plain English summary: Mirror Diary stores your selfies privately and uses AI to give you a personal score. We do not sell your data, share photos with advertisers, or use your face to train any model. You can delete your account and every photo at any time, from inside the app.

Contents

Who We Are
Information We Collect
Selfies, Photos, and Biometric Data
How We Use Your Information
How We Share Your Information
Data Retention and Deletion
Your Rights and Choices
Push Notifications
Children's Privacy
Security
International Data Transfers
Third-Party Services
Beauty Standards and Body Image
California Privacy Rights (CCPA)
EEA & UK Residents (GDPR)
Changes to This Policy
Contact Us

1. Who We Are

Mirror Diary ("we," "us," or "our") is a mobile application that uses artificial intelligence to analyze daily selfies and provide users with a personal self-care and glow-up tracking experience. The app is operated as an independent product.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Mirror Diary mobile application (iOS) and our website at mirrordiary.app.

By using Mirror Diary, you agree to the practices described in this policy. If you do not agree, please discontinue use of the app.

2. Information We Collect

2.1 Information You Provide Directly

Onboarding inputs: Your selected goals (e.g., skin, confidence, posture), age range, and gender. These are used to tailor your in-app experience and AI prompts.
Selfies: Photos you capture using the in-app camera for analysis. See Section 3 for detail on how these are handled.
Account information: If you sign in with Apple, we receive your name and email address (or an anonymized relay email if you use Apple's "Hide My Email" feature). Mirror Diary may also operate in anonymous mode using a device-bound identifier, in which case no name or email is collected.

2.2 Information Collected Automatically

Device information: Device type, operating system version, app version, and a vendor-scoped device identifier (Apple's identifierForVendor) used for anonymous session continuity.
Usage data: Which screens you visit, how often you scan, session duration, and feature usage.
Crash reports: Error logs to help us diagnose and fix bugs.
Subscription status: Whether you are on a free trial or paid plan. Managed via RevenueCat.
Website analytics: When you visit mirrordiary.app (not the mobile app), we use Google Analytics 4 to measure aggregate website traffic — only if you accept the cookie consent banner. IP addresses are anonymized. No analytics data is collected without your consent.

2.3 Information We Do NOT Collect

We do not collect your precise location or require location permissions.
We do not access your microphone, contacts, or photo library (beyond what you actively capture with the in-app camera).
We do not collect payment card details (handled entirely by Apple App Store).
We do not create or store biometric templates such as face geometry maps (see Section 3).
We do not track you across other apps or websites.

Data Category	Collected	Purpose
Selfie photos	Yes (you capture)	AI analysis, your private history
AI score & analysis	Yes (generated)	Display to you, track your trend
Onboarding preferences	Yes (you provide)	Personalize tips and prompts
Name & email	Optional (Apple Sign-In)	Account, support, restore purchases
Device & usage data	Yes (anonymized)	App improvement, analytics
Payment data	No	Handled by Apple App Store
Location	No	Not required
Face geometry / biometric templates	No	We do not create these

3. Selfies, Photos, and Biometric Data

Because Mirror Diary's core function involves analyzing photos of your face, this section is critically important. Please read it carefully.

3.1 How Selfies Are Captured

You capture selfies using the in-app camera. We do not access your existing photo library, and we do not read photos you have taken outside of Mirror Diary. The first time you tap the camera button, iOS will prompt you for camera permission. You can revoke this permission at any time via your device's Settings app.

3.2 Where Selfies Are Stored

When you complete a scan, the selfie is uploaded to a private, access-controlled cloud bucket on Supabase Storage (hosted in the United States, region us-east-1). Each file is stored under a path that only your account can access, enforced by row-level security policies at the database layer. We never publish, link, or expose your selfies on a public URL. Inside the app, photos are displayed via short-lived, signed URLs that expire automatically.

3.3 AI Analysis

To generate your mirror score, your selfie is sent over an encrypted (TLS/HTTPS) connection to OpenAI's API (specifically, the GPT-4o Vision model). OpenAI returns a structured analysis: category scores, an overall score, and tips. We do not send your name, email, or any other identifying information alongside the photo. Per OpenAI's API data usage policy in effect at the time of writing, content submitted via the API is not used to train OpenAI's models by default.

The structured analysis text is then stored in our database alongside the photo path. The selfie itself remains in our Supabase storage; it is not stored on OpenAI's servers beyond the brief processing window.

3.4 Biometric Data — Important Clarification

Mirror Diary does not create, store, or use biometric identifiers. We do not generate a face geometry map, a face template, or any form of unique mathematical fingerprint of your face. We do not perform facial recognition (i.e., we do not attempt to identify who you are by comparing your face to any database). The AI analyzes general visual qualities of the photo — clarity, lighting, color tones, perceived symmetry — and returns a subjective score. This is appearance analysis, not biometric identification.

Because of the above, Mirror Diary does not fall under the definition of "biometric data processing" under the EU GDPR Article 9 or the Illinois Biometric Information Privacy Act (BIPA). However, we treat your selfies with the same level of care and confidentiality as biometric data would require.

3.5 Sharing and Visibility

Your selfies are visible only to you, while signed in on your device.
We do not share photos with advertisers, data brokers, or any third party for marketing.
We do not publish, display, or feature your photos anywhere — including in marketing materials, social media, or app store screenshots.
Mirror Diary employees and contractors do not view individual users' selfies. Engineers access aggregated, depersonalized metrics only.

3.6 Deleting Your Selfies

You can delete individual scans or your entire account from inside the app. Deletion is permanent — the photo file is removed from our storage backend and the database record is purged within 30 days. Cached signed URLs expire on their own within one hour and cannot be regenerated after deletion.

4. How We Use Your Information

We use the information we collect for the following purposes:

Providing the service: Generating your AI mirror score, daily tips, history, and trend charts.
Account management: Maintaining your session, authenticating you across app reinstalls, and supporting restore-purchases flows.
Subscription management: Checking your premium status to unlock or restrict features.
Push notifications: Sending one daily reminder at approximately 7:30 PM local time, only if you grant permission.
Personalization: Tailoring tips and prompts based on your onboarding preferences.
Analytics: Understanding how users interact with Mirror Diary to improve the product. We work with aggregated, anonymized data — no individual photo or score is reviewed by a human as part of analytics.
Safety and compliance: Detecting fraud, abuse, or violations of our Terms of Use.
Customer support: Responding to inquiries and resolving issues.

We do not use your information to serve you ads. We do not sell your data to any third party for marketing purposes. We do not use your selfies to train AI models, ours or anyone else's.

5. How We Share Your Information

We share your information only in the following limited circumstances:

5.1 Service Providers

We work with trusted third-party vendors who process data on our behalf under their respective data processing terms:

Supabase (Supabase Inc., USA): Authentication, database (PostgreSQL), and private file storage. Stores your account session, selfies, scan records, and preferences.
OpenAI (OpenAI, L.L.C., USA): AI-powered selfie analysis. Your selfie image and a system prompt are sent via API. Your name, email, and account ID are not included.
Apple Inc.: Sign-in with Apple, App Store subscriptions, push notification delivery via Apple Push Notification Service.
RevenueCat (RevenueCat, Inc., USA): Subscription state management and in-app purchase verification.

If we add new service providers in the future, we will update this policy and the table in Section 12.

5.2 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Mirror Diary, our users, or others.

5.3 Business Transfers

If Mirror Diary is acquired, merged, or its assets are transferred, your information may be transferred as part of that transaction. We will notify you via email or in-app notice if this occurs and the new owner's privacy practices materially differ from ours.

5.4 With Your Consent

We may share your information in other ways if you give us explicit consent to do so.

We never sell your data. Mirror Diary's revenue comes exclusively from subscriptions, not advertising or data sales. Your personal information, including your selfies, is never sold, rented, licensed, or traded to third parties.

6. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide you with the service.

Account data: Retained until you delete your account.
Selfies and scan history: Retained until you delete the individual scan or your entire account.
Analytics data: Anonymized and aggregated; retained for up to 24 months.
Support communications: Retained for up to 2 years after resolution.

When you delete your account through the app, all your personal data — including every selfie, every scan record, your preferences, and your onboarding inputs — is permanently deleted within 30 days. Anonymized, aggregated analytics data that cannot identify you may be retained.

7. Your Rights and Choices

You have the following rights regarding your personal information:

Access: Request a copy of the personal data we hold about you.
Correction: Update or correct inaccurate information through the in-app Settings screen.
Deletion: Delete individual scans or your entire account using the in-app options. This is permanent and cannot be undone.
Portability: Request an export of your personal data in a machine-readable format.
Opt-out of notifications: Disable push notifications at any time through your device settings or the in-app notification toggle.
Withdraw camera permission: You may revoke camera access at any time via your device's Settings app. The app will continue to work, but you will not be able to take new scans.

To exercise any of these rights, contact us at mirrordiaryapp@gmail.com or use the in-app options.

8. Push Notifications

Mirror Diary sends one push notification per day at approximately 7:30 PM local time to remind you to take your daily mirror. This is the only scheduled notification category.

We will request your permission to send notifications after you complete your first scan. You may:

Grant or deny notification permission at the system prompt.
Toggle notifications on or off inside the app (Settings → Notifications).
Disable notifications entirely through your device's Settings app at any time.

We do not send marketing or promotional push notifications without your explicit consent.

9. Children's Privacy

Mirror Diary is intended for users aged 16 and older. We do not knowingly collect personal information from children under 16. If you are between 16 and 18, you must have the consent of a parent or legal guardian to use the Service.

If you are a parent or guardian and believe your child under 16 has provided us with personal information or uploaded a selfie, please contact us at mirrordiaryapp@gmail.com and we will promptly delete the information.

10. Security

We take the security of your personal information — especially your selfies — seriously. We implement the following measures:

All data in transit is encrypted using TLS/HTTPS.
Selfies are stored in a private, access-controlled Supabase storage bucket. They are never publicly accessible.
Database access is enforced by row-level security policies, so users can only ever read or write their own records.
Photos are served via short-lived signed URLs that expire within one hour.
Access to production infrastructure is restricted to authorized personnel only, using multi-factor authentication.
API keys and secrets are never exposed in client code.

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. If you suspect unauthorized access to your account, contact us immediately at mirrordiaryapp@gmail.com.

11. International Data Transfers

Mirror Diary operates primarily in the United States. Our Supabase infrastructure is hosted in the us-east-1 region. OpenAI's API endpoints are also located in the United States. If you access Mirror Diary from outside the United States, your information — including your selfies — will be transferred to and processed in the United States.

For EEA and UK users, such transfers are made pursuant to the European Commission's Standard Contractual Clauses or equivalent safeguards offered by our processors.

12. Third-Party Services

Mirror Diary integrates with the following third-party services. Each operates under its own privacy policy:

Service	Purpose	Privacy Policy
Supabase	Auth, database, file storage	supabase.com/privacy
OpenAI	AI selfie analysis	openai.com/policies/privacy-policy
RevenueCat	Subscriptions	revenuecat.com/privacy
Apple	Sign-in, App Store, push delivery	apple.com/legal/privacy
Google Analytics	Anonymous website analytics (mirrordiary.app only)	policies.google.com/privacy

We are not responsible for the privacy practices of these third-party services and encourage you to review their policies.

13. Beauty Standards and Body Image

Important: Mirror Diary's AI score is a subjective signal generated by a general-purpose vision model. It is not a clinical assessment, a medical evaluation, or an objective measure of your attractiveness, health, or worth. The score reflects what the AI's training data has learned to associate with concepts like "clarity," "symmetry," and "radiance" — which themselves reflect cultural beauty standards that are neither universal nor neutral.

Mirror Diary is built to help you track personal change over time. It is not designed to:

Provide a definitive judgment of your appearance.
Compare you against any standard, benchmark, or other person.
Support, treat, or evaluate eating disorders, body dysmorphic disorder, or any mental health condition.
Replace any form of professional mental health support.

If you have a history of eating disorders, body dysmorphic disorder, low self-esteem related to appearance, or any condition where appearance-focused content is contraindicated for your wellbeing, we strongly encourage you to consult a qualified mental health professional before using Mirror Diary. Resources include the National Alliance for Eating Disorders (allianceforeatingdisorders.com) in the United States and similar national bodies elsewhere.

By using Mirror Diary, you acknowledge that the AI score is subjective, may be wrong, and should not be interpreted as a measurement of personal value.

14. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete: Request deletion of your personal information (use the "Delete Account" feature in the app).
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is needed, but you may contact us to confirm.
Right to Non-Discrimination: We will not discriminate against you for exercising your California privacy rights.

To exercise your California rights, contact us at mirrordiaryapp@gmail.com with the subject line "California Privacy Request."

Categories of personal information collected in the past 12 months: Identifiers (device ID, optional name and email), Internet activity (usage data), commercial information (subscription status), visual content (selfies you capture), inferences drawn from the above (AI-generated scores and tips).

Business or commercial purpose: Service provision, analytics, subscription management. We do not sell personal information.

15. EEA & UK Residents (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR:

Legal Bases for Processing

Contract performance: Processing necessary to provide you the Mirror Diary service you signed up for.
Legitimate interests: Analytics to improve the app, security monitoring, fraud prevention.
Consent: Push notifications and camera permission (you may withdraw consent at any time).
Legal obligation: Compliance with applicable laws.

Your GDPR Rights

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure / "right to be forgotten" (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object (Article 21)
Right to lodge a complaint with your local supervisory authority

To exercise these rights, contact us at mirrordiaryapp@gmail.com. We will respond within 30 days.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

Updating the "Last updated" date at the top of this page.
Displaying an in-app notification when you next open Mirror Diary.
Sending an email to the address associated with your account for significant changes.

Your continued use of Mirror Diary after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree with the updated policy, please delete your account before the effective date.

17. Contact Us

Get in touch

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

📧 Email: mirrordiaryapp@gmail.com

🌐 Website: mirrordiary.app

We aim to respond to all privacy-related inquiries within 5 business days and to data deletion requests within 30 days.