Privacy

Updated · May 2026

Your data stays yours.

Mirror reads behaviour to return it to the person it belongs to. That intent shapes every choice on this page: what we collect, how we hold it, who we share it with, and the ways you can always take it back.

If anything below is unclear, write to us at privacy@fromperspective.com. We read everything.

01

Our principles

Mirror exists to read behaviour for the person it belongs to. The data we read is yours; the readings we produce are yours.

We will never sell behavioural data, transactional data, or any derived signal to third parties. We will never use your data to train models that are sold or shared outside Mirror.

We collect the minimum needed to read behaviour well, and we delete what we no longer need.

02

What we collect

Account information you give us — name, email, the institutions and accounts you connect.

Read-only financial activity routed through regulated data providers — transactions, balances, account metadata. Mirror does not store credentials; we use revocable, scoped access tokens issued by your bank or its data partner.

Behavioural readings we derive from your activity — the six-layer reading, drift signals, persona membership. These are produced by Mirror and remain yours.

Product telemetry — anonymised, aggregated usage and reliability signals. We do not link telemetry to identifiable behavioural readings.

03

How we use it

To produce your behavioural reading and the next-best actions Mirror surfaces to you.

To run the service, fix bugs, prevent abuse, and meet our regulatory obligations.

To improve Mirror in aggregate. Research and improvement are always done on anonymised, aggregated readings — never on identifiable data.

04

Institutional partners

When Mirror powers an institution's product (a bank, lender, or insurer), the institution is the data controller for what they receive. We act as a processor on their behalf, under contract.

In that mode, the institution sees only what their policy allows: behavioural readings co-designed with us, scoped to the decision being made. They do not receive the raw transactional history that produced the reading.

Partners are bound to use Mirror readings fairly — no proxy discrimination, no resale, no secondary use without your explicit consent.

05

Who we share with

Regulated data providers (e.g. open-banking aggregators) that route the read-only access you authorise.

Infrastructure providers (cloud, security, analytics) operating under data-processing agreements equivalent to ours.

Authorities, when compelled by law. We will tell you when we are legally permitted to.

No advertisers. No data brokers. No exceptions.

06

Your rights

Access — request a copy of the data we hold and the readings we have produced.

Correction — ask us to fix anything inaccurate.

Deletion — disconnect any account, revoke access, and ask us to delete what we hold.

Portability — export your behavioural reading in a structured format.

Objection — withdraw consent for any non-essential processing.

07

How long we keep it

Active accounts: for as long as you use Mirror.

After deletion: we remove identifiable data within 30 days, except where law requires us to retain specific records longer (typically transactional or tax records).

08

Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is least-privilege, logged, and reviewed.

We run continuous vulnerability scanning, third-party penetration tests, and an incident response plan with mandatory notification timelines.

09

Changes to this policy

We will tell you before a material change takes effect. The version date below always reflects the current policy.