AURA MIRROR
PRIVACY POLICY

THE FINE PRINT

Your face is yours. We treat it that way.

This policy explains what we collect, how we use it, who we share it with, and how to get rid of it. It is written to satisfy BIPA, CUBI, GDPR / UK GDPR, CCPA / CPRA, and equivalent state laws.
Effective: 2026-05-26
01 · WHO WE ARE
PYME GLOBAL LLC, a Nevada limited liability company ("PYME GLOBAL," "we," "us," or "Aura Mirror"), operates Aura Mirror at auramirror.app and through the Aura Mirror mobile applications. For purposes of the EU General Data Protection Regulation and the UK GDPR, PYME GLOBAL LLC is the data controller of personal data processed through Aura Mirror.
02 · SCOPE AND MINIMUM AGE
This policy covers all use of Aura Mirror — the website, mobile apps, and any API endpoints we operate. Aura Mirror is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. Users aged 16 and 17 are placed in an under-18 reading mode that removes attraction, dating, and romantic-pull language. If you believe a person under 16 has provided us data, email Michael@auramirror.app and we will delete it.
03 · WHAT AURA MIRROR IS — AND IS NOT
Aura Mirror is an interpretive self-reflection product. Readings draw on traditional face-reading frameworks (Mian Xiang, classical physiognomy) and AI pattern interpretation. We do not provide medical, psychological, psychiatric, legal, employment, security, surveillance, or law-enforcement services. We do not perform biometric identification, person matching, identity verification, or any 1:N facial recognition. Our biometric processing exists solely to generate an interpretive reading for the individual depicted in the photo.
04 · BIOMETRIC DATA — REQUIRED NOTICE
This section is a required notice under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington HB 1493, the California CPRA's sensitive-personal-information provisions, and GDPR / UK GDPR Article 9. Read it carefully.
What we collect today. When you take a reading, you submit a photograph of your face. From that photograph, we and our AI subprocessor (currently OpenAI) derive a structured interpretive reading. On supported devices, we additionally compute up to 478 facial landmark coordinates on your device using Google MediaPipe FaceLandmarker; these coordinates are stored alongside your reading so that visual markers appear over the correct features in your dossier.
What we plan to collect. We expect to introduce short video capture (a few seconds, no audio) to read micro-expressions. Video, if and when collected, will be treated as biometric data under the same protections and retention rules described in this section, will be transmitted to our AI subprocessor for analysis, and may be persisted alongside your dossier on the same retention schedule as photographs. We will update this policy and surface in-app consent before any video processing goes live.
What counts as biometric data here. The photograph itself, any future video capture, and the landmark coordinates derived from either constitute "biometric identifiers" or "biometric information" under one or more of the laws cited above.
Purpose. Biometric data is processed only to generate, store, display, and personalize your Aura Mirror readings. We do not use biometric data to identify you across services, to match against any external database, for surveillance, for advertising, for AI model training, or for any law-enforcement purpose.
No sale. We do not sell, lease, trade, or otherwise profit from biometric data. We have never done so.
Consent. By creating an account, submitting a photograph, or completing a reading, you grant PYME GLOBAL LLC your written release (under BIPA), your informed consent (under CUBI and Washington HB 1493), and your explicit consent (under GDPR Article 9 and UK GDPR Article 9) to collect, store, process, and disclose to our subprocessors your biometric data for the limited purposes stated in this policy. You may withdraw this consent at any time by deleting your account from Settings or by emailing Michael@auramirror.app. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
05 · BIOMETRIC RETENTION SCHEDULE
We retain biometric data only for as long as needed for the purposes stated above, subject to these hard limits:
Paying members: photographs and landmark coordinates persist alongside your dossiers for the duration of your account, plus up to 30 days after an account-deletion request to allow backup rotation and dispute resolution. After that window, biometric data is permanently destroyed.
Free / anonymous reads: photographs are transmitted to OpenAI for one-shot processing and may be cached transiently during the read. They are not durably persisted by us and are not linked to an identified user account.
In all cases, biometric data is destroyed within three (3) years of the most recent interaction with our service or upon fulfillment of the purpose for which it was collected, whichever occurs first — as required by BIPA § 15(a).
06 · OTHER PERSONAL DATA WE COLLECT
Account data: email address, Clerk-issued user ID, sign-up timestamp.
Payment data: Stripe customer ID, subscription tier, last 4 digits and brand of payment card (these live in Stripe; we never see or store full card numbers).
Calendar data (Living, opt-in): read-only access to events from Google Calendar or Microsoft Outlook to generate event-aware briefs. OAuth refresh tokens are encrypted at rest with AES-256-GCM. Revoke from Settings or directly from Google / Microsoft at any time.
Voice data (Living, opt-in): voice features processed through OpenAI's voice models. Transcripts may be stored as part of your persistent memory. Raw audio is not durably stored by us.
Memory facts (Living, opt-in): short-text facts derived from your readings, organized into HOT, WARM, and COLD layers. Purge from Settings.
Reading outputs: the structured dossier we generate, persisted alongside your account.
Push notification tokens: Expo-issued device tokens, if you enable notifications.
Marketing email signups: if you submit your email to a waitlist, we store the email, the source, and the signup timestamp. We do not sell this list.
Usage telemetry: reading attempts, screen views, and error events, used to fix bugs and enforce free-tier rate limits.
Anonymous rate-limit fingerprint: a SHA-256 hash of your IP combined with your user-agent string. Used solely to cap free deep reads at one per fingerprint per 30 days. The hash is not reversible.
Server logs: request IP, user-agent, path, and status code, retained up to 30 days for security and debugging.
07 · COOKIES AND SIMILAR TECHNOLOGIES
We use only cookies necessary to operate the service: a Clerk-issued session cookie (__session) for authentication, and Stripe's checkout session cookie during purchase flows. We do not use third-party advertising cookies, cross-site tracking pixels, or analytics SDKs that place persistent identifiers on your device.
08 · LAWFUL BASES (EU / UK)
For users in the EU, UK, or Switzerland, our lawful bases under GDPR / UK GDPR are:
Performance of a contract (Article 6(1)(b)) — to deliver readings, subscriptions, calendar integrations, and memory features you have activated.
Explicit consent (Article 9(2)(a)) — for processing biometric data, voice data, and any other special-category data.
Legitimate interests (Article 6(1)(f)) — for fraud prevention, rate limiting, security, and debugging.
Legal obligation (Article 6(1)(c)) — for tax records, anti-fraud checks, and responses to lawful requests.
09 · SUBPROCESSORS
We share personal data only with the following subprocessors, each bound by data-processing terms and permitted to use the data only to provide their service to us:
Clerk (Clerk, Inc., US): Authentication. Email, user ID, session metadata.
Stripe (Stripe, Inc., US): Payments. Email, customer ID, payment metadata.
Supabase (Supabase Inc., US): Application database. All durably stored data.
OpenAI (OpenAI, L.L.C., US): AI inference — vision, text, voice, TTS, embeddings. Photographs at time of reading, prompts, derived embeddings, voice streams.
Resend (Resend Inc., US): Transactional and marketing email delivery. Email addresses and message content.
Vercel (Vercel Inc., US / global edge): Application hosting. All request traffic in transit.
Google LLC (US): Optional Google Calendar integration. OAuth tokens, calendar event metadata.
Microsoft Corporation (US): Optional Outlook Calendar integration. OAuth tokens, calendar event metadata.
Apple Inc. (US): iOS App Store delivery, when applicable. Account purchase metadata.
We do not share personal data with advertising networks, data brokers, or any party for advertising, behavioral profiling, or surveillance purposes. We do not sell personal data within the meaning of CCPA or CPRA. OpenAI specifically: under our API agreement, data we submit is not used to train OpenAI's general models, and we do not opt in to model improvement on submitted content.
9A · GOOGLE USER DATA — LIMITED USE
Aura Mirror's use of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. We access Google Calendar data through the read-only scope (https://www.googleapis.com/auth/calendar.readonly) solely to provide the in-app calendar-aware reading feature the member explicitly requested: we read the titles and start times of upcoming events to compose that member's own daily reading and pre-event briefs. We do not transfer this Google user data to others except as necessary to provide or improve that user-facing feature (transient processing by our AI provider, OpenAI, to generate the member's reading), to comply with applicable law, or as part of a merger or acquisition. We do not use Google user data for advertising, and we do not use it to train, develop, or improve generalized or standalone AI/ML models. Members connect Google Calendar from inside the app and can disconnect it at any time from Settings, which deletes the stored OAuth tokens.
10 · INTERNATIONAL DATA TRANSFERS
PYME GLOBAL LLC is based in the United States, and most of our subprocessors are US-based. If you access Aura Mirror from the EU, UK, Switzerland, or another jurisdiction with cross-border transfer restrictions, your personal data will be transferred to the United States. We rely on the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum) with our subprocessors as our transfer mechanism, supplemented by encryption in transit and at rest. Email Michael@auramirror.app to request a copy of our transfer mechanism.
11 · DATA SECURITY
All data in transit is encrypted via TLS.
Application database (Supabase) encrypts data at rest.
Calendar OAuth refresh tokens are encrypted at the application layer with AES-256-GCM using a key not stored in the database.
Server-side authentication is enforced on every authenticated API request.
Card numbers are never transmitted to or stored on our servers; they live inside Stripe's PCI-DSS environment.
Stripe webhooks are verified by HMAC signature on every event.
No system is perfectly secure. If we become aware of a personal-data breach, we will notify affected users and supervisory authorities as required by GDPR Article 34, CCPA, and applicable state breach-notification laws, without undue delay.
12 · YOUR RIGHTS
Regardless of where you live, you can do all of the following at any time, from Settings or by emailing Michael@auramirror.app:
See what data we hold about you.
Correct it.
Delete your account and all associated data (subject to the 30-day backup window and any legal retention requirements set out in § 13).
Receive a portable copy of your data.
Withdraw any consent you previously gave (biometric, voice, calendar, marketing).
If you live in the EU, UK, or Switzerland, you additionally have the rights to access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects about you (we do not perform such automated decisions). You may also lodge a complaint with your local supervisory authority.
If you live in California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another US state with a comprehensive privacy statute, you have the rights to know, access, correct, delete, and port your personal information; to opt out of any sale or sharing (we do neither); to limit the use of sensitive personal information, including biometric data; and not to be discriminated against for exercising any of these rights. We respond to verifiable consumer requests within 45 days. We do not currently process Global Privacy Control signals; we expect to add support during the current calendar year.
13 · DATA RETENTION
Biometric data (photos, landmarks): Account lifetime + 30 days; hard maximum 3 years from last interaction.
Reading dossiers: Account lifetime + 30 days.
Memory facts: Account lifetime + 30 days, or until you purge them.
Voice transcripts: Account lifetime + 30 days, or until you purge them. Raw audio is not retained.
Calendar OAuth tokens & events: Until you revoke access, then deleted within 7 days.
Account data: Account lifetime + 30 days.
Payment records: Up to 7 years (US tax and Stripe records-retention requirements).
Marketing email list: Until unsubscribe.
Anonymous rate-limit fingerprint: 30 days.
Server logs: 30 days.
14 · CHILDREN
Aura Mirror is not directed to children under 16. We do not knowingly collect personal data from anyone under 16, and we do not knowingly retain biometric data of anyone under 18 unless the account was created with verified parental consent. If you become aware that a person under 16 has used Aura Mirror, email Michael@auramirror.app — we will delete any data we hold for that person.
15 · MARKETING AND WAITLIST
If you submit your email to a waitlist or any marketing form on our site, we use it only to send Aura-Mirror-related updates from PYME GLOBAL LLC. We do not share or sell the list. Every marketing email includes an unsubscribe mechanism. You may also unsubscribe by replying to any marketing email or by emailing Michael@auramirror.app.
16 · AUTOMATED DECISIONS AND AI DISCLOSURES
Readings are generated by AI models (currently provided by OpenAI). Outputs are interpretive — symbolic prompts for self-reflection — and do not constitute professional judgment about you. We do not use your data to make automated legal or similarly significant decisions about you (such as creditworthiness, employment, insurance eligibility, or law-enforcement risk). Readings should not be treated as factual claims about you or anyone else.
17 · CHANGES TO THIS POLICY
We will post any material change to this policy on this page and update the effective date above. For material changes that affect biometric-data processing or your rights, we will notify you by email or by in-app notice at least 14 days before the change takes effect.
18 · HOW TO CONTACT US
PYME GLOBAL LLC
Attn: Privacy
Email: Michael@auramirror.app
Web: auramirror.app
For any privacy question, complaint, or rights request, email Michael@auramirror.app. EU and UK residents may also lodge a complaint with their local supervisory authority. We do not currently have an appointed representative under GDPR Article 27 or UK GDPR Article 27; if our user base in those jurisdictions grows materially, we will appoint one and update this policy.
© 2026 PYME GLOBAL LLC. Aura Mirror is a product of PYME GLOBAL LLC.