Plain-language summary
Mirorly is built around the idea that personal feedback is intimate; data privacy follows from that. We collect as little as we can. We keep it as briefly as we can. We share it only with the technical providers we need to run the service. We do not run a newsletter, we do not sell data, we do not enrich profiles, and we do not run third-party advertising on this site.
If you only read one section, read Your rights under GDPR. Everything else is the detailed version of why we're confident saying that summary.
1. Who we are
The controller of the personal data described in this policy is Jerzy Kurgan, sole proprietor, registered at ul. Niedźwiedzia 29B, 02-737 Warszawa, Poland, Polish tax ID (NIP) 872-219-93-92, operating under the Mirorly brand. References to "Mirorly", "we", "us", and "our" throughout this policy mean Jerzy Kurgan in that capacity.
For any privacy-related question, request, or complaint, use our contact form or write to us at the postal address above. For requests that require identity verification (for example, a subject access request), the postal address is the preferred channel.
2. What we collect, why, and how long we keep it
We organize this by the situation in which we collect data, rather than by category. That way you can see exactly what happens at each step.
When you submit the contact form (/contact)
What we collect:
- The email address you provide
- The category you select (general, support, refund, press, other)
- The message you write
- The timestamp of submission
- The fact that you ticked the consent checkbox
Why: to read your message and reply to it. That is the only purpose.
Legal basis (GDPR Article 6): consent (Article 6(1)(a)) — you tick the consent checkbox before submitting, and your consent is the basis for processing.
How long we keep it:
- If you receive a reply and the conversation closes: up to 12 months from the last reply, then deleted.
- If a refund or other ongoing matter is in progress: as long as needed to complete it, then deleted.
- If you ask us to delete sooner: deleted within 7 days of your request.
When you email us directly (or reply to our message)
What we collect:
- Your email address (visible in the From field)
- The contents of your email
- Any attachments you send
Why: to handle the conversation you started or continued.
Legal basis: legitimate interest (Article 6(1)(f)) — handling correspondence you initiated.
How long we keep it: same as the contact form above. Once a topic is closed, the email thread is deleted within 12 months of the last exchange.
When you visit the site (technical logs)
Our hosting provider keeps short-term technical logs for security and reliability:
- IP address (anonymized after 24 hours)
- Request method (GET, POST), URL requested, response code
- User-agent string (browser identifier)
Why: security (detecting attacks, abuse) and reliability (debugging failures).
Legal basis: legitimate interest (Article 6(1)(f)) — running the site securely.
How long we keep it: the hosting provider retains technical logs for up to 30 days, then deletes them automatically.
When you create a Mirorly account
What we collect:
- The email address you sign up with
- An optional display name (you can leave it blank)
- The timestamps of your sign-up and last sign-in
We use a passwordless authentication flow — you receive a magic link by email and clicking it signs you in. We do not store passwords, and we do not collect security questions or similar "recovery" data.
Why: to give you an account, identify you on return visits, and let you access your own surveys and results.
Legal basis: performance of a contract (Article 6(1)(b)) — providing the service you signed up for.
How long we keep it: as long as your account is active. If you delete your account or if your account is closed after a refund, the account record is deleted within 30 days.
When you use the product (surveys, answers, action plans)
What we collect:
- The surveys you set up: title, the template you chose, whether the survey is anonymous, the planned recurrence (one-off or repeating), and the email addresses or names you optionally entered for invited respondents
- Your own answers in self-360 surveys
- The action plans, executive summaries, and "keep-doing" lists you write
- Aggregated results, charts, and round-over-round comparisons computed from the above
Why: to provide the core product functionality. Without this data, the service can't show you anything useful.
Legal basis: performance of a contract (Article 6(1)(b)).
How long we keep it: as long as your account is active. You can delete individual rounds, responses, or action plans at any time from your dashboard. Deleting your whole account removes all of this data within 30 days.
When someone fills in a survey you sent (their data)
If you send a peer-360 survey link to colleagues, mentors, or other people, here's what we hold about them:
- If the survey is anonymous (a choice you make when setting it up): just their answers and the timestamp of submission. No identifying information at all — we technically can't link an anonymous answer back to a specific person, even if asked.
- If the survey is non-anonymous: the email address and/or name they choose to enter on the survey form (both are optional fields), plus their answers and the submission timestamp.
Respondents are shown the anonymity setting clearly before answering, so they know what is and isn't shared with you. Respondents who provided identifying data can ask us to delete it by emailing privacy@mirorly.com — we'll honour that even if it removes their answer from your dashboard.
Why: to deliver the feedback you asked for, while giving the respondent control over what gets shared.
Legal basis: consent (Article 6(1)(a)) for identifying data the respondent voluntarily enters; legitimate interest (Article 6(1)(f)) for the answer content itself, since the respondent has chosen to engage with the survey.
How long we keep it: as long as the survey round it belongs to is kept by the survey owner, and no longer than the survey owner's account itself.
When you subscribe (billing data)
Payments are processed by LemonSqueezy, who acts as the merchant of record (see Terms § 4). LemonSqueezy collects the data needed to take payment and comply with tax law:
- Your name and billing address
- Card or other payment method details (held by LemonSqueezy and their payment partners; we never see card numbers)
- The country used to calculate VAT or sales tax
- The transaction record itself (amount, date, status)
On Mirorly's side, we receive only what we need to operate your subscription:
- Your subscription status (active, past-due, cancelled, refunded)
- The renewal date and the amount of the last payment
- An identifier that lets us match your Mirorly account to your LemonSqueezy customer record
Why: to know who has access to the service and to honour refunds.
Legal basis: performance of a contract (Article 6(1)(b)) for the subscription itself; legal obligation (Article 6(1)(c)) for keeping records that tax law requires.
How long we keep it: for the lifetime of your subscription, and afterwards for the period required by Polish accounting and tax law (currently 5 years from the end of the tax year in which the transaction occurred). LemonSqueezy retains its own records under its own retention policy.
3. Cookies
Mirorly itself does not set any cookies. The hosting provider may set short-lived technical cookies (anti-bot, load balancing) that contain no personally identifying information. Under ePrivacy regulations, strictly-necessary cookies of this kind don't require consent.
If we add cookies in the future — for example, to remember preferences or run analytics — we'll update this policy and add a cookie consent banner. Until then, there's no cookie banner because there's nothing to consent to.
What we don't have
There is no Facebook Pixel, no LinkedIn Insight Tag, no Google Ads conversion tag, no third-party ad-network tracker, no affiliate cookie, no marketing automation snippet on this site. We don't run advertising or marketing automation, so we don't need them. We also don't currently run any analytics — that may change after we launch the product, at which point this policy will be updated.
4. Third parties we share data with (sub-processors)
We use the following providers to run the service. Each receives only the data it needs and is contractually obligated to protect that data under GDPR-compliant data processing agreements.
- Vercel Inc. — web hosting (the site itself). Headquartered in the United States, with EU edge regions used for performance.
- Supabase, Inc. — database and authentication. Holds your account data, your survey setups, the answers in your self-360 surveys, the action plans you write, and the responses people submit to your peer-360 surveys. Our project is hosted in a European Union region; the data itself stays in the EU. Supabase the company is headquartered in the United States and may access infrastructure for support and operational purposes.
- LemonSqueezy LLC — payment processing and merchant of record. Handles checkout, takes payment, calculates and remits taxes for your jurisdiction, and manages refunds. Headquartered in the United States. See Terms § 4 for the full picture of how this works.
- Resend, Inc. — sends emails on our behalf: magic-link sign-in emails, survey-invitation emails, notifications from the contact form, and product notifications. Mail is processed in the eu-west-1 region (Ireland).
- ImprovMX (Bornaix Ltd.) — forwards inbound emails sent to addresses on the mirorly.com domain to our internal mailbox. Headquartered in the United States.
We do not sell, rent, or share your data with anyone outside this list. We do not use data brokers, ad networks, or "data enrichment" services.
5. International data transfers
Several of the providers above process data outside the European Economic Area, mainly in the United States. For these transfers, we rely on the EU-U.S. Data Privacy Framework where the provider is certified, and on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transferring personal data outside the EEA.
If you'd like to see the specific certification or clauses that apply to a specific provider, email privacy@mirorly.com and we'll send the relevant documents.
6. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access — ask us what personal data we hold about you, and receive a copy.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — ask us to delete your data. We'll do so within 30 days unless we have a legal obligation to keep it (rare in our case).
- Right to restrict processing — ask us to pause processing while we resolve a question.
- Right to data portability — receive your data in a structured, machine-readable format (JSON), so you can move it to another service.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — for any processing based on consent (analytics, contact form), you can withdraw it at any time. Withdrawal does not affect processing that already happened lawfully before the withdrawal.
- Right to lodge a complaint — with the relevant data protection authority (see Complaints below). You can lodge a complaint without going through us first.
How to exercise your rights
Email privacy@mirorly.com with the request. We'll respond within 30 days; in practice, much faster. We do not charge any fee for these requests.
If you're asking us to delete or export data, we may ask you to verify the email address — to make sure no one else is requesting deletion of your data.
7. Children
Mirorly is not intended for users under 16 years of age, and we do not knowingly collect data from anyone under 16. If you believe a child has submitted data to us, email privacy@mirorly.com and we'll delete it.
8. Changes to this policy
When we change something material — a new sub-processor, a new data category, a change in retention — we update this policy and bump the "Last updated" date at the top.
For significant changes that affect existing users, we'll also notify you directly via email if we have an active conversation with you.
Historical versions of this policy are not currently published on the site. If you'd like a previous version, email privacy@mirorly.com.
9. Complaints
If we've handled your data in a way you believe violates GDPR or Polish data protection law, you have two paths:
- Email us first: privacy@mirorly.com — we'll investigate and reply within 30 days.
- Lodge a complaint with the supervisory authority. In Poland, this is the Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa (uodo.gov.pl). If you reside in another EU country, you may also lodge a complaint with the data protection authority in your country of residence.
You can use either path or both. Going through UODO first is your right; you don't need to email us before doing so.