Privacy Policy
Last updated: [LAUNCH DATE]
Effective: [LAUNCH DATE]
Version: 1.0
This Privacy Policy describes how Miragefield OÜ ("Miragefield", "we", "us") collects, uses, shares, and protects personal data when you use our website and services (the "Service"). It applies to users worldwide, with additional disclosures for users in the European Economic Area, United Kingdom, Switzerland, California, the Republic of Korea, and Japan.
1. Who we are
Miragefield OÜ is the data controller for personal data we collect through the Service.
Controller details:
- Miragefield OÜ
- Registered office: [REGISTERED OFFICE ADDRESS, ESTONIA]
- Company number: [REGISTRATION NUMBER]
- Privacy contact: [PRIVACY EMAIL]
- EU representative (Article 27 GDPR, if appointed): [TBD]
2. Information we collect
2.1 Information you provide
- Account information: name, email address, password (stored as a one-way hash), profile picture if you choose to add one.
- Payment information: billing name, billing address, and the last four digits and expiration of your payment card. Full payment card data is collected and stored by our Payment Processors (Stripe, Paddle, or Cryptomus), not by us.
- Content you submit: text prompts, reference images, and other inputs you provide to the Service, along with the outputs generated for you.
- Communications: messages you send to our support team or community channels.
2.2 Information collected automatically
- Device and connection information: IP address, browser type and version, operating system, device identifiers, time zone, language preference.
- Usage information: pages viewed, features used, time and date of access, generation requests, error and diagnostic logs.
- Cookies and similar technologies: see Section 8 below.
2.3 Information from third parties
- Authentication providers: if you sign in with Google, GitHub, or another provider, we receive the profile information you authorize that provider to share, typically your name, email, and profile picture.
- Payment Processors: we receive transaction confirmations, billing country, and fraud signals.
3. How we use information
We use personal data for the following purposes:
| Purpose | Categories of data | Legal basis (GDPR) |
|---|---|---|
| Provide the Service: account creation, authentication, generating outputs, delivering them to you | Account info, content, device info | Performance of contract (Art. 6(1)(b)) |
| Process payments and prevent fraud | Payment info, IP address, device info | Performance of contract; legitimate interest in preventing fraud (Art. 6(1)(b) & (f)) |
| Content moderation and safety: prevent and detect CSAM, NCII, abuse, and policy violations | Inputs, outputs, account info, IP address | Legal obligation; legitimate interest in safety (Art. 6(1)(c) & (f)) |
| Maintain, improve, and secure the Service | Usage info, diagnostic logs, device info | Legitimate interest (Art. 6(1)(f)) |
| Customer support and communications | Account info, communications | Performance of contract; legitimate interest (Art. 6(1)(b) & (f)) |
| Service announcements and account notices | Account info | Performance of contract (Art. 6(1)(b)) |
| Marketing emails (with opt-in) | Account info | Consent (Art. 6(1)(a)), withdrawable at any time |
| Comply with legal obligations and respond to legal requests | Whatever is reasonably necessary | Legal obligation (Art. 6(1)(c)) |
3.1 We do not use your content to train AI models without your consent
We do not use your prompts, uploaded reference images, or generated outputs to train, fine-tune, or otherwise improve any generative AI model unless you have given us your separate, explicit, opt-in consent. This is a default protection, not a feature you have to enable.
4. How we share information
We share personal data only in these specific circumstances:
4.1 Service providers (data processors)
We use third-party service providers ("subprocessors") to operate the Service. Each subprocessor is bound by a data processing agreement that obliges them to process personal data only on our instructions and to maintain appropriate security measures.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Application hosting, API gateway | EU + US |
| Runpod | GPU inference for image generation | Multiple regions |
| Cloudflare | CDN, DDoS protection, object storage (R2) | Global |
| Auth0 (Okta) | Authentication and session management | EU + US |
| Supabase or AWS RDS | Application database | EU |
| Stripe | Card payments | US, with EU data residency where required |
| Paddle | Card payments and Merchant of Record (tax) | UK + US |
| Cryptomus | Cryptocurrency payments | EU |
| Resend or Postmark | Transactional email | US |
| Sentry, Better Stack | Error monitoring and uptime | EU + US |
| Intercom or Crisp | Customer support messaging | EU + US |
The full and current list of subprocessors is available on request to [PRIVACY EMAIL]. We will provide reasonable notice of changes.
4.2 Legal disclosures
We may disclose personal data if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms and other policies, including investigating potential violations; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Miragefield, our users, or the public.
4.3 Business transfers
If Miragefield is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We will provide notice before personal data becomes subject to a different privacy policy.
4.4 No sale of personal data
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
5. International transfers
Some of our subprocessors are located outside the European Economic Area, the United Kingdom, or your country of residence. When we transfer personal data internationally, we rely on appropriate safeguards including:
- The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914);
- The UK International Data Transfer Addendum where applicable;
- Adequacy decisions where they exist (for example, transfers to countries with EU adequacy status);
- Additional technical and organizational measures, such as encryption in transit and at rest, where required by a transfer impact assessment.
You may request a copy of the relevant transfer mechanism by contacting [PRIVACY EMAIL].
6. How long we keep information
| Category | Retention |
|---|---|
| Account information | For the duration of your account, then deleted within 90 days of account closure |
| Inputs and outputs (your generated content) | 30 days after generation by default; longer if you save them to your library; deleted within 30 days of account closure |
| Payment records | 10 years from the transaction date (Estonian Accounting Act requirement) |
| Diagnostic logs | 90 days |
| Moderation and abuse records | Up to 2 years after the event, longer where required for legal proceedings |
| CSAM hash records | Retained indefinitely where required by law and reported to NCMEC or equivalent authorities |
| Marketing email subscriptions | Until you unsubscribe |
7. Your rights
7.1 Rights for everyone
Regardless of where you live, you may:
- Access your account information through your account settings;
- Update or correct your account information at any time;
- Download a copy of your generated content from your library;
- Delete your account, which deletes your personal data subject to the retention rules in Section 6;
- Unsubscribe from marketing emails using the link in any marketing email or in your account settings.
7.2 Rights for EEA/UK residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation:
- Right of access (Art. 15): obtain confirmation of whether we process your data and a copy of that data;
- Right to rectification (Art. 16): correct inaccurate or incomplete data;
- Right to erasure (Art. 17): request deletion in certain circumstances;
- Right to restriction (Art. 18): restrict processing in certain circumstances;
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format;
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing;
- Right to withdraw consent (Art. 7): where processing is based on consent, withdraw it at any time;
- Right to lodge a complaint: with your local supervisory authority (in Estonia, the Estonian Data Protection Inspectorate, www.aki.ee).
7.3 Rights for California residents (CCPA/CPRA)
If you are a California resident, you have the right to: (a) know what categories of personal information we collect and the purposes; (b) request access to specific pieces of personal information; (c) request deletion; (d) request correction; (e) opt out of any sale or "sharing" of personal information for cross-context behavioral advertising — note that we do not sell or share for these purposes; (f) limit use of sensitive personal information; and (g) not be discriminated against for exercising your rights.
7.4 Rights for Korean residents (PIPA)
If you are a Korean resident, you have the rights to access, correct, delete, and suspend the processing of your personal information under the Personal Information Protection Act. You may exercise these rights by contacting [PRIVACY EMAIL]. You may also file a complaint with the Personal Information Protection Commission (www.pipc.go.kr).
7.5 How to exercise your rights
To exercise any of these rights, contact [PRIVACY EMAIL]. We will respond within 30 days (extendable by 60 additional days for complex requests, with notice). We may need to verify your identity before fulfilling certain requests.
8. Cookies and similar technologies
We use cookies and similar technologies to operate the Service, authenticate you, remember your preferences, and analyze usage. Categories include:
- Strictly necessary: required for the Service to function (session, security, load balancing). Cannot be disabled.
- Functional: remember your preferences (language, theme).
- Analytics: measure how the Service is used so we can improve it. We aim to use privacy-preserving analytics (such as Plausible or self-hosted Umami) where possible.
- Marketing: none currently used; we will update this policy and obtain consent before introducing any.
You can manage non-essential cookies through our cookie banner or your browser settings. EEA/UK users will see a consent banner that requires opt-in for non-essential cookies before they are set.
9. Security
We implement appropriate technical and organizational measures designed to protect personal data, including: encryption in transit (TLS 1.3), encryption at rest for stored content and database records, two-factor authentication for staff accounts, principle-of-least-privilege access controls, regular security reviews, and an incident response plan. No system is perfectly secure. If a personal data breach affects you, we will notify you and the relevant supervisory authority as required by applicable law.
10. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact [PRIVACY EMAIL] and we will delete it.
11. Changes to this Privacy Policy
We may update this Privacy Policy. Material changes will be communicated by email or by prominent notice in the Service at least 30 days before they take effect, where reasonably practical. The "Last updated" date at the top of this Policy reflects the most recent revision.
12. Contact
- Privacy questions or requests: [PRIVACY EMAIL]
- General contact: [SUPPORT EMAIL]
- Postal: Miragefield OÜ, [REGISTERED OFFICE ADDRESS]