The one-pager, if you only read this
We connect to your messaging inboxes (WhatsApp, IG, FB, iMessage, email) to read and reply on your behalf. We store the conversation history so the agent has context. We never train on it. We share data with a small list of subprocessors (Stripe, AWS, OpenAI for inference). You can export everything as JSON and delete your account in one click — your data is wiped within 30 days.
1 · What we collect
Three buckets, plainly:
| Bucket | What's in it | How long we keep it |
|---|---|---|
| Account data | Your name, email, phone, business name, billing details, login activity, account preferences. | Life of account + 90 days |
| Conversation data | Messages exchanged on connected channels — both customer-sent and Mira-sent. Phone numbers, handles, attachments, timestamps. | 24 months · or until you delete |
| Operational data | Browser, IP, page views, button clicks, errors. Used for support and product improvement. | 13 months |
2 · Why we collect it
- To run the agent. Without conversation history, Mira can't reply in context.
- To tune your voice. The first 90 days of your past replies teach Mira how you talk. That model is yours — siloed to your account.
- To bill you fairly. Performance plan needs per-thread tracking to compute the 6%.
- To support you. When you email about a thread that went sideways, we need to be able to find it.
- To improve the product. Operational metrics (no message contents) tell us where the UI's broken.
3 · Who we share data with
Only the people who help us run the service. No advertisers, no data brokers, ever:
| Subprocessor | What for | Where |
|---|---|---|
| Amazon Web Services | Hosting, storage, encryption | us-east-1 · eu-west-1 |
| Stripe | Payments & Stripe Connect deposit links | US |
| OpenAI | AI replies (no training on API data; retained ≤30 days for abuse review then deleted) | US |
| Postmark | Transactional email (audits, briefs) | US |
| Plain | Customer support inbox | US |
The current list is also published in the DPA. We notify you 30 days before adding or removing one.
4 · Training & AI — the part everyone asks about
Your conversations are not used to train, fine-tune, or improve any AI model that another Mira customer uses. Period. This is a contractual obligation with our model providers, not a vibe.
What we do do:
- Send the relevant slice of a thread to our inference provider so the model can write a reply. It is not retained.
- Build a small, account-private "voice profile" from your past replies. Yours only. Deleted when you delete your account.
- Aggregate, fully anonymized metrics ("median reply time across all operators") for our public stats. No content, no identifiers.
5 · Your rights (and your customers')
Wherever you are in the world, you can:
Access
See everything we have on you and your customers, in JSON or CSV.
/app/account → exportCorrect
Fix anything that's wrong, including a misspelled name or a wrong phone number.
/app/account → editDelete
One button. We start the wipe in 24 hours, finish within 30 days.
/app/account → deleteObject & restrict
Pause processing for any specific thread or contact you don't want Mira touching.
privacy@sibuor.comPort
Take your data to a competitor. We won't make you uninstall before we let you export.
/app/account → exportComplain
If we got it wrong, tell your supervisory authority. We'd rather you tell us first.
privacy@sibuor.com6 · Children
Mira is for businesses. We don't knowingly collect data about anyone under 13 (or under 16 in the EU/UK). If a customer messaging your business is a minor, the relationship is between you and them — but ping us if you spot something concerning and we'll help you handle it.
7 · International transfers
Data lives in AWS us-east-1 by default, with the option to keep EU customers' data in eu-west-1 (turn it on in Settings → Privacy). Cross-border transfers are covered by Standard Contractual Clauses and the UK IDTA. The DPA spells out the details.
8 · Changes to this policy
Material changes: 30 days' email notice + a banner in the app. You can refuse and cancel before they take effect. Cosmetic clarifications: we just publish them, with the date stamp at the top of this page bumped.
9 · How to reach us
Our Data Protection Officer is Karim Aleem.
- Email: privacy@sibuor.com
- Mail: Mira Labs, Inc. — Attn: DPO, 568 Bergen St, Brooklyn NY 11217, USA
- EU representative: Mira Europe Lda, R. da Boavista 41, 1200-066 Lisbon, Portugal
This Privacy Notice is provided in accordance with Articles 12 — 14 GDPR, the California Consumer Privacy Act as amended ("CCPA/CPRA"), and applicable Brazilian, UK, and Canadian privacy law.
1 · Controller & Categories
Mira Labs, Inc. ("Controller") processes the following categories of Personal Data: (a) Identifiers including but not limited to name, email address, phone number, business name, and IP address; (b) Commercial Information including transaction histories and Performance-tier metrics; (c) Internet or Network Activity Information including device identifiers, browser type, and interaction logs; (d) Communications Content including messages exchanged via integrated channels; (e) Inferences derived therefrom, including the per-Account voice profile described in Section 4.
2 · Legal Bases for Processing
Where the EU/UK GDPR applies, processing is conducted on the following legal bases: performance of contract (Art. 6(1)(b)) for delivery of the Service; legitimate interests (Art. 6(1)(f)) for service security, product improvement, and fraud prevention; consent (Art. 6(1)(a)) for optional features; and compliance with legal obligations (Art. 6(1)(c)) for tax, audit, and recordkeeping requirements.
3 · Disclosure & Subprocessors
Personal Data is disclosed only to processors retained by Controller and bound by written data processing agreements consistent with Article 28 GDPR. The current list of Subprocessors is published at /dpa.html and updated with not less than thirty (30) days' prior notice.
4 · No Sale of Personal Information
Pursuant to the CCPA, Mira has not sold and will not sell Personal Information. Mira does not engage in cross-context behavioral advertising. Customer Data is not used to train any model accessible to any other Mira customer.
5 · Data Subject Rights
Data subjects may exercise rights of access, rectification, erasure, restriction, portability, and objection by emailing privacy@sibuor.com or via in-product controls. Mira shall respond within thirty (30) calendar days, with one possible extension as permitted by law. Data subjects also have the right to lodge a complaint with a supervisory authority.
6 · International Data Transfers
Transfers of Personal Data from the EEA, UK, or Switzerland to jurisdictions not deemed adequate are made pursuant to (i) the EU Standard Contractual Clauses adopted by Commission Decision (EU) 2021/914, (ii) the UK International Data Transfer Addendum, and (iii) supplemental measures including encryption in transit (TLS 1.3) and at rest (AES-256).
7 · Retention
Personal Data is retained for the periods set forth in Section 1 of the Plain English summary, after which it is irreversibly deleted or anonymized, subject to legal hold or regulatory retention requirements.
8 · Children
The Service is not directed to children under the age of thirteen (13), or sixteen (16) in the European Economic Area and United Kingdom. Mira does not knowingly collect Personal Data from such individuals.
9 · Amendments & Contact
Material amendments to this Privacy Notice shall be communicated to Customer not less than thirty (30) days prior to effectiveness. The Data Protection Officer is Karim Aleem, contactable at privacy@sibuor.com or by mail at 568 Bergen Street, Brooklyn, NY 11217, USA. The EU representative is Mira Europe Lda, R. da Boavista 41, 1200-066 Lisbon, Portugal.