← Home
Legal

Privacy Policy

Last updated: June 17, 2026

This Privacy Policy explains how MindMirror AI ("we", "us", "our") collects, uses, discloses, and protects personal data when you use our website and AI assessment (the "Service"). We are committed to handling your data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and other applicable data-protection laws.

1. Data Controller

The data controller responsible for your personal data is MindMirror AI. You can reach us at privacy@mindmirror.ai.

2. Data We Collect

  • Assessment responses. Your answers to the 20-question assessment. These are stored in your browser's session storage and transmitted to our AI provider only to generate your report.
  • Generated report. The AI-generated report produced from your responses. A copy may be stored briefly on our backend to deliver and re-display the report to you.
  • Payment information. If you purchase the full report, payment is processed by Lemon Squeezy. We do not receive or store your full card details; we receive only transaction metadata (e.g. order reference, email if you provided one to the payment provider, country, amount).
  • Technical data. IP address, device and browser information, language, timestamps, and basic logs collected automatically to operate and secure the Service.
  • Cookies and similar technologies. See Section 6 below.

We do not knowingly collect special categories of personal data (e.g. health, biometric, or political data). Please do not submit such information through free-text fields.

3. Purposes and Legal Bases

  • To provide the Service — performance of a contract (Art. 6(1)(b) GDPR).
  • To process payments — performance of a contract (Art. 6(1)(b) GDPR).
  • To secure the Service and prevent abuse — legitimate interests (Art. 6(1)(f) GDPR).
  • To comply with legal obligations — e.g. tax and accounting (Art. 6(1)(c) GDPR).
  • To use non-essential cookies or analytics — your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time.

4. AI Processing

Your assessment responses are sent to our AI provider (operating through the Lovable AI Gateway, which routes requests to large-language-model providers such as OpenAI) for the sole purpose of generating your personalized report. We instruct our providers not to use your data to train their models. AI output is generated automatically and may be inaccurate; you are not subject to a decision producing legal effects within the meaning of Article 22 GDPR.

5. Recipients and International Transfers

We share personal data only with trusted processors strictly to operate the Service, including:

  • Hosting and database providers (e.g. Supabase, Cloudflare);
  • AI inference providers accessed through the Lovable AI Gateway;
  • Payment processor: Lemon Squeezy Inc.;
  • Email and customer-support tools, where applicable.

Some recipients are located outside the European Economic Area, including in the United States. Where required, transfers are protected by Standard Contractual Clauses adopted by the European Commission and/or other appropriate safeguards under Chapter V GDPR.

6. Cookies

We use the following categories of cookies and similar technologies:

  • Strictly necessary — required to operate the Service, remember your cookie choice, and process payments. These do not require consent.
  • Analytics / performance (optional) — to understand how the Service is used and improve it. Loaded only with your consent.

You can accept or reject non-essential cookies through the consent banner shown on first visit. You may withdraw or change your choice at any time by clearing the cookie consent stored in your browser.

7. Data Retention

  • Assessment responses in your browser are cleared when you end your session or clear site data.
  • Generated reports stored on our backend are retained for no longer than 90 days, unless a longer period is required for legal or fraud-prevention reasons.
  • Payment and invoicing records are retained for the period required by applicable tax law (typically up to 10 years).
  • Technical logs are retained for up to 12 months.

8. Your Rights (GDPR)

Subject to applicable conditions, you have the right to:

  • access your personal data and obtain a copy;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten");
  • restrict or object to processing;
  • data portability;
  • withdraw consent at any time, without affecting the lawfulness of prior processing;
  • lodge a complaint with your local data-protection authority.

To exercise these rights, contact privacy@mindmirror.ai. We will respond within the time limits set by applicable law.

9. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Children

The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data, please contact us so we can delete it.

11. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be indicated by an updated "Last updated" date.