Mira — Privacy Policy
Last updated: 2026-05-12
Publisher / Editor
This privacy policy is published by UnVale [legal form TBD — to be filled with the formal corporate entity name once registered] in respect of the Mira product. UnVale operates under the domain unvale.so (corporate site); the Mira product is one of several in the UnVale portfolio. Questions: support@unvale.so.
Controller / Responsable
- Name: Raul Padilla (operating Mira via UnVale)
- Contact: support@unvale.so (subject "GDPR request" routes the message to the controller)
- Country: Spain
- Legal basis: GDPR Regulation (EU) 2016/679 + LOPDGDD (LO 3/2018)
What Mira collects
| Category | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email + hashed password | Account authentication | Contract (art. 6.1.b) | Until account deletion |
| Scan history (product + timestamp) | Show the user their own history; improve detection coverage anonymously | Legitimate interest (art. 6.1.f) | 12 months, then anonymised |
| Cabinet contents (medications + cosmetics the user added) | Cross-mode interaction checks; recall matching against AEMPS Alertas (Spanish medication recalls) and EU Safety Gate (cosmetic recalls) | Contract + explicit consent for health data (art. 9.2.a) | Until user removes the item or deletes account |
| Health profile (age, gender, skin type, Fitzpatrick phototype, sensitivities, conditions, weight) | Personalise ingredient alerts | Explicit opt-in via health_data_consent (art. 9.2.a) | Until user clears it or deletes account |
| Selfie analysis image | Estimate Fitzpatrick / oiliness / dryness | Strictest opt-in via skin_data_consent (art. 9.2.a) | Never stored — bytes are discarded after the vision call; only the structured estimate is retained |
| Voice input (microphone audio) | Hands-free entry of a cabinet item or search term | Consent at OS-permission level (no app-level toggle) | Never sent to Mira — recognised on-device by the OS's speech-recognition framework (see "Voice input" below) |
| Subscription state (tier, status, current period end, transaction id) | Enforce paid-feature entitlements; restore purchases across devices | Contract (art. 6.1.b) | Until account deletion |
What Mira never collects
- Precise location data.
- Payment card data (no payments in beta).
- Contacts, photo library beyond the images you explicitly pick to scan.
Minors
Minimum age 14 per LOPDGDD art. 7. Age is verified via self-declared date of birth at registration. Accounts that report DoB < 14 are refused.
Data subjects' rights (GDPR art. 15-22)
- Access + portability:
GET /api/v1/users/me/exportin-app ("Export my data" on Profile) returns the full account + cabinet + scan history as JSON. - Deletion:
DELETE /api/v1/users/mein-app ("Delete my account" on Profile). Cabinets + scan history are removed immediately; the account row is purged within 30 days (anti-abuse buffer). - Rectification: Profile settings; contact the controller for fields the UI doesn't expose.
- Object / restrict processing: email the controller.
- Withdraw consent: toggle off in Profile → Privacy & data. Health-data processing stops immediately; existing data stays until you delete it or the account.
Third-party data sources (read-only, public)
Mira queries these to enrich scans. We do not share user-specific data with them.
- AEMPS CIMA (Spain's medication registry, AEMPS / Ministry of Health)
- Open Beauty Facts (open-data cosmetic product database)
- EU CosIng (European Commission cosmetic ingredient database)
- WHO ATC/DDD Index (World Health Organisation drug classification)
Vision API (Sprint 11+)
Mira sends three image types to a vision vendor for processing:
| Image type | Vendor (current) | Image retained by Mira? | Derived data retained by Mira | Consent tier |
|---|---|---|---|---|
| Cosmetic product label | Anthropic Claude | No — bytes discarded immediately after the API response | INCI list + extracted text, in scan history | Health-data consent |
| Medication box | Anthropic Claude | No | Medication ID + extracted text, in scan history | Health-data consent |
| Selfie (skin profile) | Anthropic Claude | No | Structured estimate only — Fitzpatrick phototype + oiliness + dryness numerics + skin flags | Skin-data consent (strictest tier) |
| Barcode-only product image | (decoded on-device) | n/a — image never leaves the device | Cabinet entry | Standard GDPR consent |
Anthropic's retention. Anthropic does not use API inputs to train its models. Operational logs (for safety/abuse monitoring) are typically retained up to 30 days. See Anthropic's Privacy Policy and Commercial Terms of Service for the authoritative terms.
Mira-side retention. Mira never retains raw image bytes server-side — for any image type. Only the structured/derived data above is persisted, and only until you remove the relevant cabinet item, clear your skin profile, or delete the account.
Future vendors. GPT and Gemini adapters exist in Mira's codebase as future-flagged options but are not currently routed. If we ever route an image type to a different vendor, we will (a) update this policy in the same release, (b) update the in-app consent dialog to name the new vendor, and (c) send an in-app material-change notification to existing users.
Subscriptions and payments
Mira offers paid tiers (Pro, Family) via Apple's App Store in-app purchase. Three parties touch subscription data; Mira's relationship with each is distinct under GDPR.
| Party | Role | What they see |
|---|---|---|
| Apple App Store | Payment processor + storefront. Not Mira's processor — Apple is the buyer's counterparty for the transaction. | Payment card, billing address, purchase intent. Mira receives only the anonymised transaction outcome. |
| RevenueCat (sub-processor) | Subscription-state aggregator. Receives Apple's transaction events and forwards a normalised webhook to Mira. | Mira's user UUID (app_user_id), product id (e.g. mira_pro_monthly), original transaction id, period start/end timestamps. No health data, scan history, or cabinet contents. See RevenueCat Privacy Policy. |
| Mira backend | Stores derived subscription state per the table above. | Tier + status + period end + external transaction id, keyed by user UUID. |
Mira never receives or stores card numbers, CVVs, or billing addresses. Apple's payment flow is opaque to Mira by design.
Email correspondence
GDPR-related correspondence at support@unvale.so is delivered via Resend (sub-processor) using Mira's verified unvale.so domain. Cloudflare Email Routing forwards inbound replies to the controller's mailbox. See Resend's Privacy Policy for their handling terms; messages are processed under EU/US Data Privacy Framework cover where US-based.
Recall alerts
Mira polls public regulatory feeds daily and joins the parsed alerts against each user's cabinet to surface affected items in-app. The cabinet-vs-recall match runs server-side on Mira's own data; no user data is sent to any regulator.
Active feeds:
- AEMPS Alertas (Spain — medication recalls)
- EU Safety Gate (European Commission — cosmetic recalls)
- MHRA Drug & Device Alerts (UK — medication recalls + device safety information)
- ANSM safety information (France — medication safety alerts)
- EMA news + withdrawn applications (EU-wide — centrally-authorised medication pharmacovigilance)
The five feeds cover Mira's six launch markets (Spain, France, Germany, Italy, Portugal, United Kingdom) — EMA's EU-wide coverage substitutes for the three EU markets where Mira does not run a national-only adapter today.
Push notification of new matches is planned and will require a separate disclosure here when it ships (Apple Push Notification service is a future sub-processor). It is not active today.
Voice input
Mira accepts voice input as an alternative to typing when adding a cabinet item or running a search. The speech recognition runs through the operating system's own framework — Apple's SFSpeechRecognizer on iOS and Android's SpeechRecognizer on Android — via the expo-speech-recognition library.
- Mira never receives the audio bytes. The OS framework returns only the final recognised text to the app.
- Where the device supports on-device recognition, audio stays on the device. On older or less-capable devices the OS framework may use its vendor's cloud (Apple or Google) — that flow is governed by the OS vendor's own privacy policy, not by Mira.
- iOS surfaces two permission prompts on first use (microphone + speech recognition); both can be revoked from Settings at any time. Denying either disables voice input but leaves text entry working.
Markets and data subjects
Mira's launch scope covers six countries: Spain (primary), France, Germany, Italy, Portugal, and the United Kingdom. EU users are covered by GDPR; UK users are covered by the UK GDPR + Data Protection Act 2018 (the two regimes remain materially equivalent post-Brexit). Data subject rights below apply identically to all six markets. The controller is Spain-based and acts as Data Protection Officer at this stage (Mira pre-launch / early-launch, no separate DPO designation required under GDPR Art. 37). This may change as Mira's user base scales past the "large scale" threshold for special-category health data, at which point a separate DPO will be designated and named here. Cross-border requests are routed via support@unvale.so.
Data transfers
The vision API (Anthropic Claude) is hosted in the United States. Transfers rely on the EU-US Data Privacy Framework; Anthropic is a self-certified DPF participant (list). RevenueCat (subscription sub-processor, see above) and Resend (email sub-processor) operate under the same DPF cover for any US-based processing legs. No other transfers outside the EEA.
Security
- TLS 1.3 for all API traffic.
- bcrypt-hashed passwords (cost factor 12+).
- JWT access tokens (15 min TTL) + refresh tokens (7 day TTL).
- Encryption at rest via the hosting Postgres (AES-256, transparent).
Changes to this policy
We'll notify users via in-app message for material changes (anything that expands data collection or adds a new processor). Minor clarifications will be versioned below.
Version history
| Date | Change |
|---|---|
| 2026-05-12 | S033 drift audit. Recall sources expanded from 2 to 5 to match production (added MHRA, ANSM, EMA). Voice input disclosed (S031): on-device speech recognition via the OS framework; Mira never receives audio bytes. "Markets and data subjects" section names the six launch countries and confirms UK GDPR equivalence. Controller-acts-as-DPO wording tightened. |
| 2026-05-04 | DPO-readiness pass. Controller contact moved to support@unvale.so on the verified company domain. New "Subscriptions and payments" section names Apple App Store + RevenueCat + Mira-side derived state. New "Email correspondence" section names Resend as the email sub-processor under DPF cover. New "Recall alerts" section discloses the AEMPS Alertas + EU Safety Gate cabinet-match processing purpose. |
| 2026-04-30 | Vision API section expanded with per-image-type retention table; "Future vendors" clause added; Data transfers section names Anthropic's DPF self-certification with a link. |
| 2026-04-22 | First draft for Sprint 14 beta — covers Mira's catalog, scan history, cabinet, health profile, and selfie analysis paths. |
Contact
For any GDPR / privacy question, email support@unvale.so with subject "GDPR request". We respond within 30 days per art. 12.3.