Privacy Policy

How we handle your data. Written to be readable, not to hide anything.

1. Controller

The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

LaunchX GmbH
Lärchenstraße 12, 84032 Landshut, Germany
Email: info@launch-x.de
Phone: +49 160 5537240

Full company details (managing directors, commercial register, VAT ID) are available in the Imprint.

2. What data we process

When you use Miroir, the following personal data may be processed:

• Account data — your email address, name (if you provide one), and authentication identifiers, managed via our identity provider Clerk.
• Photographs you upload — selfies you send to receive a beauty reading. These are required to provide the core service.
• Analysis results — the textual readings, scores, and notes generated from your photographs, plus any tags or notes you add to your journal.
• Subscription and payment status — whether you have a paid subscription, billing periods, and entitlement, managed via RevenueCat. Payment itself is processed by Apple App Store / Google Play; we do not see your card details.
• Usage and technical data — anonymous analytics events (e.g. screen views), device type, OS version, and app version, via OpenPanel.
• Server logs — IP addresses, timestamps, and request metadata required for operating and securing the service.

3. Purposes and legal bases

• Providing the service (analysing your photos, storing your journal, managing your account) — Art. 6(1)(b) GDPR (performance of a contract).
• Processing payments and managing subscriptions — Art. 6(1)(b) GDPR.
• Operating, securing, and improving the service (logs, anonymous analytics) — Art. 6(1)(f) GDPR (legitimate interest in a stable, secure product).
• Legal obligations (e.g. tax records) — Art. 6(1)(c) GDPR.

4. Recipients and third-party processors

We use the following processors. Each is bound by a data-processing agreement (DPA, Art. 28 GDPR):

• Amazon Web Services (AWS) — hosting and image storage. Region: Frankfurt, Germany (eu-central-1). Photos are stored encrypted at rest (AES-256, server-side).
• OpenAI, L.L.C. (USA) — AI vision model used to analyse your photographs. Each photo you upload is sent to OpenAI to generate the reading. OpenAI may retain inputs for up to 30 days for abuse-monitoring purposes, as described in their API data-usage policy. OpenAI does not use API inputs to train its models.
• Clerk, Inc. (USA) — authentication and account management.
• RevenueCat, Inc. (USA) — subscription and entitlement management.
• OpenPanel — anonymous product analytics.
• Apple Inc. / Google LLC — payment processing via App Store / Play Store.

5. International data transfers

Some of our processors are located in the United States (OpenAI, Clerk, RevenueCat). Transfers are based on the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, and where applicable on the EU–US Data Privacy Framework (Art. 45 GDPR adequacy decision of 10 July 2023).

6. Storage period

• Photos and analyses — stored as long as your account exists. You can delete individual readings from within the app at any time. Deleting your account removes your photos and analyses from our systems.
• Account data — stored as long as your account exists.
• Server logs — up to 30 days, then deleted automatically.
• Invoices and tax-relevant records — 10 years (§ 147 AO).

7. Your rights

You have the following rights regarding your personal data:

• Right to access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for our company is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

8. How we secure your data

• All data transfer between the app and our servers is encrypted with TLS.
• Photographs are stored encrypted at rest in AWS S3 (AES-256, server-side encryption).
• Authentication is handled by Clerk using industry-standard practices (hashed passwords, JWT, optional MFA).
• We don't sell your data, and we don't use your photos to train AI models.

9. Children

Miroir is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

10. Delete your account

You can delete your Miroir account and the personal data associated with it at any time. There are two ways to do this:

In the app (recommended)

1. Open Miroir and sign in.
2. Go to Settings.
3. Tap Delete Account and confirm.

Your account and associated data are removed from our systems immediately.

By email

If you no longer have access to the app, send a deletion request from the email address you registered with to info@launch-x.de with the subject "Account deletion request". We process requests within 14 days and will confirm by email once your account has been removed.

What gets deleted

• Your account record (email, name, authentication identifiers)
• All photographs you uploaded (removed from AWS S3)
• All analyses, readings, journal entries, and tags
• Your subscription record on our side (your active subscription is managed by Apple / Google and must be cancelled separately in the App Store / Play Store)

What we retain

• Anonymised analytics — events that are no longer linked to your account or any identifier.
• Payment records held by Apple / Google — we cannot delete these; please contact the respective store.
• Invoices and tax-relevant records — kept for up to 10 years as required by § 147 AO.
• Server logs — automatically deleted within 30 days of the request being processed.

11. Changes to this policy

We may update this policy as the service evolves. Material changes will be communicated in-app or by email. The current version is always available at this URL.

Last updated: 7 May 2026