MIRROR | MIRROR® Privacy Policy
MIRROR | MIRROR Privacy Policy
Last Updated: July 12, 2026
Introduction
MIRROR | MIRROR® Technologies, Inc. ("MIRROR | MIRROR®," "we," "us," or "our") operates DOROTA®, an emotionally intelligent AI styling companion. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your own data.
DOROTA® is not a simple chatbot. She builds an ongoing understanding of you across weeks and months, learning patterns in your mood, your identity, and the clothing choices you make and how you feel about them.
Because of this, MIRROR | MIRROR® holds data of unusual sensitivity: photographs of how you look, records of how you feel, and records of how you see yourself. We designed our data practices around that responsibility, and this policy is written to reflect what we actually do, not generic language.
Information We Collect
Photographs and Visual Data | This includes body photographs, outfit photos, selfies, and any digital body model or virtual representation you create or upload.
Emotional and Mood Data | This includes mood check-ins, your emotional state at the start and end of sessions, and, where you engage with DOROTA®'s care features, distress signals and care-mode activations.
Identity and Self-Description Data | This includes identity self-descriptions, archetype survey responses, values statements, and style confidence ratings.
Government Identity Verification Data | If you complete identity verification, we work with a third-party identity verification vendor to confirm your identity and age. We do not store your government ID document, the image of it, or your full ID number. Our verification vendor processes your document directly and we retain only the verification outcome (verified, failed, pending), the verification method used, the document's country and type, and the date it was verified.
Camera-Based Emotional Inference Data (only if you separately opt in) | If we introduce camera-based sentiment analysis, this feature requires its own separate, explicit consent, distinct from your general account consent. You will be told specifically what is being inferred before this feature operates, and you may decline it without losing access to the rest of DOROTA®. Raw video is never stored; only a derived emotional-signal category is retained if you consent.
Account and Usage Data | This includes your account settings, session activity, and technical data such as device information, app version, and general usage patterns.
How We Use Your Information
We use your information to:
- Provide personalized styling suggestions and emotional support through DOROTA®
- Track your identity and emotional patterns over time, so DOROTA®'s understanding of you deepens rather than resetting with each conversation
- Verify your identity and age where required
- Improve and train our AI models, only where you have separately consented to this specific use
- Maintain the safety and integrity of the platform, including detecting and responding to safety-relevant signals
- Communicate with you about your account and our services
- Meet our legal and regulatory obligations
Your Consent and What "Granular Consent" Means Here
We do not use a single blanket consent for everything. Styling personalization, emotional intelligence features, camera-based sentiment analysis, and AI model training each require their own separate, specific consent. You may give consent to some of these and decline others. You can withdraw any consent at any time in your account settings, and we will stop the processing tied to that consent as soon as you do.
When we materially change how we use your data, we will ask you to review and, where required, re-confirm your consent under the updated terms.
Special Category Data
Some of the information we collect is treated as a special, higher-protection category under applicable law, including:
Emotional and mental health signals, including mood data, distress signals, and anything from which conclusions about your psychological state could be drawn.
Biometric data, including facial expression data used for emotional inference and any body measurement or digital body model data
Identity attributes you choose to share with us, which may include gender identity or sexual orientation
We collect and process this category of data only with your explicit, specific consent, and we apply heightened access controls and security measures to it internally.
Identity Verification
If MIRROR | MIRROR® requires identity verification, we work with a third-party verification provider to confirm your government-issued identification and, where relevant, your age. This process may involve a liveness check that compares your face to your ID photo, which is a form of biometric processing and requires your explicit consent before it occurs.
We are built around a simple principle here: we do not store your raw identification document. Our vendor processes it, confirms the outcome, and that document is not retained in our systems. We keep only the confirmation of that outcome and an audit reference to it.
Camera-Based Sentiment Analysis
If and when this feature is available, using it is entirely optional. Before it operates for the first time, we will tell you specifically that camera input is being used to infer your emotional state, not offer a vague reference to "AI." You must give separate, explicit consent for this feature before it activates, and you can turn it off at any time. Raw video from this feature is never stored. Only a derived emotional signal category is retained, and only if you have consented.
Clinician-Adjacent Data
MIRROR | MIRROR® is designed with the future possibility that you may choose to generate a structured report of your emotional and stylistic data to share with a licensed therapist, counselor, or other mental health professional. This sharing is entirely voluntary and controlled by you. We hold data that may eventually support this feature to a higher standard of care in anticipation of that use.
How We Share Your Information
We do not sell your personal data. We share information only with:
- Service providers who process data on our behalf (such as our database and hosting provider, our identity verification vendor, and our AI model providers), each of whom is bound by a data processing agreement limiting their use of your data to the services they provide us
- Licensed professionals you personally choose to share a report with, if and when that feature is available
- Law enforcement or regulators, only where required by law
- A successor entity, in the event of a merger, acquisition, or sale of assets, subject to the same commitments described in this policy
Every third party who processes your data on our behalf is recorded in our internal vendor registry along with the categories of data they can access and the status of our data processing agreement with them. No vendor receives your special category data without a signed agreement governing that access.
International Data Transfers
If you are located in the European Union or European Economic Area, your data may be transferred to and processed in the United States. Where this occurs, we rely on Standard Contractual Clauses or another legally recognized transfer mechanism with each vendor involved in that processing.
Data Retention and Deletion
We retain your data for as long as your account is active, and for a limited period after that as needed to meet legal, safety, or regulatory obligations. When you request deletion of your data, that request is honored across our systems, including backups, except where we are subject to a documented legal obligation to retain specific records, such as an active legal hold or a safety-related record that must be retained under a separate legal basis. Where such an exception applies, we will tell you.
Your Privacy Rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data, subject to the limited exceptions described above
- Receive your data in a portable, machine-readable format
- Restrict certain processing of your data without deleting it entirely
- Object to processing that is based on our legitimate interests
- Withdraw consent at any time for any processing that relies on your consent, without affecting the lawfulness of processing that occurred before your withdrawal
If you are a resident of Illinois, Texas, Washington, or California, you may have additional rights specific to biometric data under your state's law, including the right to specific, informed, written consent before we collect biometric identifiers, and, where applicable under state law, a private right of action for certain violations.
To exercise any of these rights, contact us using the information below.
Children's Privacy
MIRROR | MIRROR® is not directed to children, and we do not knowingly collect personal data from anyone under the age of 16 without age verification and, where required, parental consent. If we learn that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that data.
Data Security
We apply role-based access controls, encryption of data at rest and in transit, and audit logging on access to our most sensitive data categories. We are building our security and privacy program toward independent third-party audit standards, including SOC 2 Type 2.
Changes to This Policy
We may update this policy from time to time. When we make a material change, particularly one that affects how we use special category data, we will notify you and, where required, ask you to reconfirm your consent before that change applies to you. Each version of this policy is dated at the top of the page.
Contact Us
If you have questions about this policy or want to exercise any of your privacy rights, contact us at:
167 Madison Avenue, Suite 205 #1182 New York, New York 10016