Privacy

Short version, no legal wall

Last updated: April 2026 · Applies to everything under frac.mirrorfractal.com · Written to satisfy the EU GDPR (Regulation 2016/679) and the UK GDPR. If anything is unclear, write to info@mirrorfractal.com.

CONTROLLER (Art. 4(7))
Aleksei Solonskii, operating as Mirror Fractal · European Union. Email: info@mirrorfractal.com

1. What we collect

  • Account data: email, display name, a bcrypt hash of your password. We never see the raw password.
  • Files you upload: the bytes themselves (stored in Vercel Blob, EU region), plus metadata — filename, size, domain tag, timestamp, visibility, view counter.
  • Share events: when a link is opened we increment a counter. No IP, no user-agent, no fingerprint.
  • Billing: if you buy a paid plan, Stripe receives your card details. We receive a customer id, the event (paid / refunded / cancelled) and the line items — never the card number.
  • Session cookie: a signed JWT, HttpOnly, SameSite=Lax, 30-day lifetime. Details in the cookie policy.
  • Minimal server logs: Vercel keeps request logs for 7 days for debugging and security. We don't combine them with account data.

2. Why we collect it (lawful basis — Art. 6)

  • Contract (Art. 6(1)(b)): account data, files you upload, share events — all necessary to provide the service.
  • Contract + legal obligation (Art. 6(1)(c)): billing data, kept for the period required by EU tax law (10 years).
  • Legitimate interest (Art. 6(1)(f)): server logs for security and debugging.
  • Consent (Art. 6(1)(a)): optional analytics and marketing cookies, only when you opt in.

3. What we don't do

  • No Google Analytics, no Meta Pixel, no Hotjar, no advertising networks.
  • No selling or sharing your data with data brokers.
  • No training AI models on the contents of your drawings, boards or scans.
  • No automated decision-making with legal or significant effect (Art. 22).

4. Where data lives

  • Database: Neon (PostgreSQL, EU region).
  • File storage: Vercel Blob (EU region, public access policy with unguessable URLs plus row-level visibility controls).
  • Hosting: Vercel (EU edge, Frankfurt and Paris).
  • Payments: Stripe (EU entity, transfers handled under Stripe's SCC-based DPA).

We don't transfer your personal data outside the EEA except through Stripe's processing of payments, covered by EU Standard Contractual Clauses.

5. How long we keep it

  • Account + files: until you delete the account. Deletion is immediate and cascades (files, invoices, API keys).
  • Links on Free plan: auto-expire 30 days after creation.
  • Billing records: 10 years (EU tax law).
  • Backups: 7 days rolling, fully encrypted.
  • Server logs: 7 days.

6. Your rights (Art. 15–22)

  • Access: email us and we send you a JSON export of everything we hold about you, within 30 days.
  • Rectification: change your name in-app; change your email via email (to prevent takeover).
  • Erasure ("right to be forgotten"): delete your account from /account → Danger zone or email us.
  • Restriction + objection: tell us to stop specific processing — we reply within one business day.
  • Portability: included in the access export, machine-readable JSON.
  • Withdraw consent: turn analytics / marketing off in the cookie banner, any time, without losing service.
  • Complain: your local Data Protection Authority — in Spain the AEPD, in France the CNIL, in Germany the BfDI, etc. If you're unsure, we can point you to the right one.

7. Children

Mirror Fractal is not intended for anyone under 16. We do not knowingly process data from children. If you believe we hold data about a minor, write to us and we'll delete it immediately.

8. Security

  • Passwords stored as bcrypt hashes (cost factor 10).
  • Session cookies signed with HS256 and a 32-byte server secret.
  • All traffic over HTTPS, HSTS enforced.
  • Role-based access control on admin endpoints.
  • Hosts, database and storage reside in the EU.

9. Breach notification

If a personal-data breach affects you and presents a risk to your rights, we notify you within 72 hours of becoming aware, in plain language, with what happened, what data was affected and what we're doing about it. We also notify the supervisory authority as required by Art. 33.

10. Cookies

Summarised here, listed in full in the cookie policy. Two essential first-party cookies (session, theme) plus two operational ones (consent, landing intent). Nothing third-party by default. Analytics and marketing are off unless you opt in.

11. Processors

Sub-processors we use to run the service:

  • Vercel — hosting, build and edge runtime.
  • Neon — managed PostgreSQL database.
  • Stripe — payments (only for paid plans).
  • Google Fonts (self-hosted via next/font) — font files are downloaded at build time; no runtime request to Google.

Each operates under a DPA. Contact us if you need the list of sub-processors for your own compliance file.

12. Changes

Material changes to this policy are announced by email to every active account at least 14 days before they take effect. Non-material edits (clarifications, typos) are noted in the "Last updated" line at the top.

QUESTIONS OR REQUESTS
Write to info@mirrorfractal.com. A human replies within one business day.

MMXXVI · Aleksei Solonskii · Mirror Fractal