Loading
Loading
Effective 16 May 2026
Your photo is analyzed and deleted immediately. It never touches our servers beyond the instant of processing. Everything about your skin — observations, routine, progress — stays on your device unless you choose to create an account. If you do, it syncs to a database hosted in Frankfurt (EU). We do not sell your data. We do not share it with anyone who is not essential to running the service.
MIRU is an independent, privacy-first skin companion. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, the data controller is the operator of MIRU. For any privacy matter — including a request for the controller’s registered details — write to privacy@miru.skin and we will respond within 30 days, the statutory maximum under Article 12(3).
When you use the scan feature, you upload a photo. That photo is sent directly to our AI provider (OpenAI) for analysis and deleted from our servers immediately after the response is returned — typically within a few seconds. We never store, cache, or log your photo. OpenAI processes it under their data processing agreement and does not use it to train their models (via our API agreement).
Legal basis: legitimate interests (Article 6(1)(f) GDPR) — you asked for a skin analysis, which requires processing the photo to provide it. The photo is deleted immediately, so retention is zero.
The result of your scan — focus area, observations, suggested routine — is stored in your browser’s local storage on this device only. It does not leave your device unless you are signed in, in which case it syncs to our Supabase database (Frankfurt, EU).
Legal basis: contract performance (Article 6(1)(b)) for signed-in users; legitimate interests for device-only storage.
If you choose to create an account, we store your email address, your skin profile (skin type, concerns, onboarding answers), and your scan history in Supabase. This lets your data survive a device change.
We use magic-link email authentication — no password is created or stored. Legal basis: contract performance.
Payments are handled by Stripe. MIRU never sees or stores your card details. Stripe is the data controller for payment information; their privacy policy applies. We store only your subscription status (active / cancelled / trial) and its renewal date.
If you choose to receive a scan summary by email, we store your email address to send it. You can ask us to delete it at any time by emailing privacy@miru.skin.
We use PostHog in a cookieless, anonymous mode to understand how people use MIRU — which pages are visited, where people drop off, which features are used. No cookies are set, no persistent device identifier is stored, and we never call any “identify” function — each visit is an anonymous session that is not linked to you or to other sessions. No photos. No skin observations. No name or email. No cross-site tracking.
Because there is no persistent identifier, this measurement does not single you out, so we run it by default without a consent pop-up. You can switch it off any time in Settings → Data & privacy. When you do, only a small set of anonymous, cookieless counts (e.g. a scan completed, a checkout completed) keeps running so we can keep the product working — these carry no personal data.
We use Sentry to capture technical errors so we can fix them. Before any error is reported, our code strips photos, skin observations, and email addresses. Sentry receives only technical crash data (stack traces, route names, browser version). Legal basis: legitimate interests.
When you click a product link, the affiliate network receives a click identifier embedded in the URL. This is standard for affiliate links and is disclosed in our affiliate disclosure. No profile data, no photo, no questionnaire answers are shared with affiliate networks.
We share data only with the service providers listed below, all of whom act as data processors under our agreements:
We do not sell your data. We do not share your data with data brokers, advertisers, or any party for the purpose of targeted advertising.
If you are in the UK or EU, you have the following rights:
If you believe we have handled your data incorrectly, you have the right to lodge a complaint with your national data protection authority (in the UK: the Information Commissioner’s Office; in the EU: your member-state DPA).
MIRU uses browser local storage (not cookies) to store your profile and scan history on your device. This is essential for the service to work; it does not require consent.
We do notuse analytics cookies. Product analytics (PostHog) run cookieless and anonymous, with no persistent identifier — so there is no consent banner. You can switch analytics off at any time in Settings → Data & privacy.
Affiliate networks that set their own cross-site cookies (such as Skimlinks) are strictly opt-in and remain off unless you explicitly enable them.
OpenAI is hosted in the United States. Transfers from the EU/UK are covered by Standard Contractual Clauses (SCCs) under our API agreement with OpenAI. All other processors listed above either operate within the EU/UK or are covered by SCCs or adequacy decisions.
MIRU is intended for users aged 18 and over. We do not knowingly collect data from children under 18. If you believe a child has used MIRU, contact privacy@miru.skin and we will delete the data.
We will update this page when our data practices change. If the change is material, we will notify signed-in users by email at least 14 days before it takes effect. Continued use of MIRU after the effective date constitutes acceptance.