privacy policy
we built mira so you could be honest. so we're going to be honest about your data.
the short version: everything you tell me lives on your phone and in our private database. i don't sell it. i don't share it for ads. you can wipe everything in one tap. the long version is below — written in plain english, on purpose.
what's in here
- who we are
- what we collect
- how we use it
- who we share it with
- where it lives
- how long we keep it
- your privacy rights
- children's privacy
- push notifications & analytics
- apple's app tracking transparency
- subscriptions & payments
- security
- international transfers
- california privacy rights
- changes to this policy
- contact us
01who we are
Mira ("Mira", "we", "our", "us") is a private AI companion app operated by RiekApps. This Privacy Policy explains what personal information we collect when you use the Mira mobile app or our website, why we collect it, how we use it, who we share it with, and the rights you have.
For privacy questions or requests, write to riekapps@gmail.com. For everything else, contact us.
02what we collect
We try to collect as little as possible. Here's the complete list:
information you give us directly
| data | where it comes from |
|---|---|
| Your name or nickname | You enter it during onboarding. |
| Your chosen tone, purposes & intent | You pick these in onboarding so Mira can speak to you the way you want. |
| Your current mood | Optional. You set it during onboarding and can update it any time. |
| Your email address | Only if you sign in with Google (used for backup / device-switching) or contact us. |
| Your chat messages | What you send to Mira. Stored so the next conversation remembers the last one. |
| Your "memories" | Facts Mira saves about you (the people, dates, and details you tell her). You can review, edit, and delete these. |
| Your life follow-ups | For paid users, ongoing goals, habits, people, routines, or situations Mira follows so she can remember and check in later. You can pause or delete these. |
| Photos you share in chat | If you upload an image while chatting, it's stored alongside that message. |
| Reminder preferences | If you ask Mira to remind you of something, we store the reminder and its schedule. |
information collected automatically
| Anonymous device identifier | Generated on first launch so Mira can recognize the device on subsequent sessions without requiring an account. |
| Push notification token (FCM) | Used to send the notifications you've enabled. We can revoke this when you uninstall or sign out. |
| Time zone | So reminders fire at the right local time. |
| Subscription state | Whether you're on the free or paid plan. Receipts are verified with Apple / Google, not stored from your wallet. |
| Crash reports & performance data | Anonymized stack traces and device metadata via Firebase Crashlytics, used only to fix bugs. |
| Basic analytics events | Anonymized events (e.g. "app opened", "chat sent") via Firebase Analytics. We do not collect advertising identifiers. |
information we don't collect
- We do not collect your contacts, calendar, microphone, or location.
- We do not track you across other apps or websites.
- We do not sell your data to anyone, ever.
- We do not use your chat content to train third-party AI models for purposes unrelated to answering you.
03how we use it
Everything we collect is used to provide and improve Mira. Concretely:
- To talk back to you. Your messages, any photos you share, name, tone, memories, life follow-ups, and recent context are sent to the third-party AI providers listed in §4 so Mira can respond in a way that remembers you. We ask for your explicit consent before any of this is sent, on the first screen of the app.
- To remember you across sessions. Memories, life follow-ups, and message history are stored in our database so a new chat picks up where the last one left off.
- To send you the notifications you asked for. Reminders, gentle check-ins, and (if you opt-in) proactive emotional or life follow-ups.
- To process your subscription. Verifying receipts with Apple or Google and unlocking paid features.
- To diagnose crashes and improve the app. Anonymized crash and analytics data.
- To prevent abuse and keep the service safe. Basic rate-limiting and security signals.
- To respond to your requests. Customer support and data-rights requests.
04who we share it with
We share data only with the third-party "subprocessors" we need to run the service. Each of them is bound by their own privacy and security commitments. They are:
| service | what it does |
|---|---|
| Google Firebase (Authentication, Cloud Messaging, Crashlytics, Analytics) | User authentication (including anonymous and Google sign-in), push delivery, crash reporting, and anonymized usage analytics. |
| Neon (Postgres database) | Stores your account, memories, life follow-ups, messages, and reminders. |
| OpenRouter (LLM gateway) | Routes your messages, any photos you share, and the necessary context to the large-language-model providers that generate Mira's replies. OpenRouter relays to OpenAI and DeepSeek; under our agreement these providers do not retain your messages or photos to train their models. |
| RevenueCat (subscription management) | Verifies App Store / Play receipts and keeps your subscription entitlement in sync across devices. Receives an anonymous user identifier and purchase events; no payment-card details. |
| Cloudflare R2 (media storage) | Stores photos you choose to share with Mira in chat. Files are stored encrypted at rest and accessible only with a short-lived signed URL. |
| Apple App Store / Google Play | Subscription processing, receipt validation, and payments. |
We do not share, sell, rent, or trade your personal information with advertisers, data brokers, or any other third party for marketing purposes.
We may disclose information if we are required to by law (e.g., a valid court order from a competent authority), to protect the safety of a user or the public, or in connection with a merger, acquisition, or sale of assets — in which case we will give you notice before your information becomes subject to a different privacy policy.
05where it lives
Your data is stored in managed cloud infrastructure provided by the subprocessors above. The primary database is operated by Neon and may be hosted in regions including the United States and Europe. Firebase services are operated by Google globally. Where you are accessing the service from a country other than the country of storage, your information will be transferred internationally — see §13.
06how long we keep it
- Chat messages, memories, and life follow-ups — kept until you delete them or delete your account.
- Account & profile — kept while your account is active. Deleted within 30 days of an account-deletion request (see §7 and the delete-data page).
- Push tokens — invalidated when you sign out, uninstall, or revoke push permission.
- Crash and analytics records — retained for up to 14 months by Firebase.
- Billing & receipt records — retained for the period required by tax and financial regulations (typically up to 7 years), even after account deletion.
- Support correspondence — kept for up to 2 years after the last interaction.
07your privacy rights
Subject to applicable law, you have the right to:
- Access a copy of the personal information we hold about you.
- Correct information that is inaccurate or out of date.
- Delete your information — entirely, or just specific memories, life follow-ups, or messages.
- Port your information — receive it in a structured, commonly used format.
- Object to or restrict certain processing.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, visit the delete-data page or email riekapps@gmail.com. We respond within 30 days. We will not discriminate against you for exercising your rights.
legal basis for processing (EEA / UK)
If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR (and the UK GDPR) to process your personal data:
- Performance of a contract (Art. 6(1)(b)) — to provide the core Mira service: storing your messages and memories, generating replies, syncing your subscription, and otherwise delivering features you ask for.
- Legitimate interests (Art. 6(1)(f)) — to keep the service safe, prevent abuse, fix crashes, and understand which features are working through anonymized analytics. You can object to this processing at any time.
- Consent (Art. 6(1)(a)) — for push notifications you have opted in to, and for any optional features that ask for permission. You can withdraw consent at any time without affecting earlier processing.
- Legal obligation (Art. 6(1)(c)) — to retain billing records and respond to lawful requests from authorities.
08children's privacy
Mira is intended for users aged 17 and older (or the minimum digital-consent age in your country, whichever is higher). We do not knowingly collect personal information from anyone under that age. If you believe a child has provided information to Mira, contact us at riekapps@gmail.com and we will delete it.
09push notifications & analytics
Push notifications are sent via Firebase Cloud Messaging using a token that your device generates. We use them only for the categories you've enabled in Settings → Notifications (reminders, check-ins, etc.). You can disable any category in the app, or revoke push permission entirely from your device settings.
Analytics use Firebase Analytics with advertising identifiers turned off. We collect aggregated, anonymized event counts to understand which features people use and where the app breaks. To opt out of analytics, write to riekapps@gmail.com.
10apple's app tracking transparency
On iOS, Mira does not track you across other companies' apps or websites for advertising or measurement, so we do not present the App Tracking Transparency permission prompt. If this ever changes, we will update this policy and request permission first.
11subscriptions & payments
Our paid subscription Mira Pro is processed by Apple (App Store In-App Purchase) or Google (Google Play Billing), depending on the platform you used. We never see your full payment card details. We receive only the receipt/transaction identifier necessary to validate your purchase and unlock paid features. We use RevenueCat as a subscription management service to verify receipts and keep your entitlement state in sync across devices; RevenueCat receives your anonymous user identifier and purchase events but no payment details. Refunds and cancellations are handled through your Apple or Google account, in accordance with their refund policies.
12security
We protect your information with industry-standard measures, including transport encryption (HTTPS/TLS) for all network requests, encrypted storage at rest in our database, and strict access controls for the small number of people on our team who can administer the service. No method of electronic transmission or storage is 100% secure, but we treat the trust you place in us seriously and will notify you and the relevant authorities promptly if a breach affecting your data ever occurs.
13international transfers
Because our subprocessors operate globally, your information may be transferred to, and processed in, countries other than your own — including the United States and member states of the European Union. Where required by applicable data-protection law (e.g., GDPR), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses to protect your information during transfer.
14california privacy rights
If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), gives you specific rights regarding your personal information. This section uses California-specific terms and supplements the rest of this policy.
categories we collect
In the past twelve months we have collected the following categories of personal information from California consumers, all of which are described in §2 above:
- Identifiers — anonymous device ID, push notification token, email address (if you sign in with Google).
- Customer records — your name or nickname.
- Commercial information — subscription state and purchase events.
- Internet or other electronic activity — anonymized analytics events about how you use the app, crash and performance data.
- Geolocation — time zone only, derived from your device. We do not collect precise location.
- Inferences — your preferred tone and mood profile, drawn from onboarding answers and chat content, used solely to personalize Mira's responses to you.
- Other — the content you create in Mira (messages, memories, life follow-ups, photos you upload).
sources, purposes, and disclosures
We collect this information from you directly, automatically from your device, and through the subprocessors listed in §4. We use it for the purposes described in §3. We disclose it only to the subprocessors listed in §4, and only for those same purposes. Each subprocessor is bound by contract to use the information solely on our behalf.
we do not sell or share your personal information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have not done so in the past twelve months, and we do not knowingly sell or share the personal information of California consumers under the age of 16. We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA §7027(m).
your california rights
- Right to know — request the specific pieces and categories of personal information we have collected about you, the sources, purposes, and categories of recipients.
- Right to delete — request that we delete personal information we have collected from you.
- Right to correct — request that we correct inaccurate personal information.
- Right to portability — receive a copy of your personal information in a structured, commonly used format.
- Right to limit use of sensitive personal information — we already limit use to permitted purposes, but you may request confirmation in writing.
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercise your rights.
To exercise any of these rights, visit the delete-data page or email riekapps@gmail.com. We will verify your request using information already associated with your account and respond within 45 days (extendable once by an additional 45 days where reasonably necessary). You may designate an authorized agent to make a request on your behalf; we will require written authorization and verification of the agent's identity.
15changes to this policy
If we make a material change to this policy, we will update the "last updated" date at the top and notify you inside the app, by email (if we have one for you), or both, before the change takes effect. Continued use of Mira after a change means you accept the updated policy.
16contact us
Questions, requests, or complaints? Write to riekapps@gmail.com and a real person on our team will reply.