
privacy policy

last updated: 2026-06-12

1. what we collect

  • palm photos — the image you upload to be read.
  • generated readings — the text the AI produces from your palm.
  • account info — if you subscribe: email address (via Google sign-in or a one-time email code) and a Stripe customer id.
  • session data — an anonymous user id so you keep your reading across page reloads.
  • technical data — IP address, browser, device type, and basic usage events (which pages you visited, when you tapped key buttons). this is to make the product better.

2. how we use it

  • generate, render, and store your reading.
  • bill you and manage your subscription.
  • send service emails (sign-in codes, receipts, important updates).
  • measure how the funnel performs so we can improve it.
  • investigate fraud and abuse.

we don't sell your personal data. we don't train AI models on your palm photos or readings. we don't use your data for ad targeting on other platforms.

3. who processes it

we use a small number of trusted vendors. each only sees the data it needs:

  • Supabase — auth, database, palm photo storage.
  • Stripe — payment processing (we never see your card details).
  • Google Gemini — generates the reading from your palm photo. images are sent to Google's API and processed per Google's privacy policy. we do not opt your data into Google's training.
  • Resend — delivers our transactional emails (sign-in codes, receipts) from our own domain.
  • PostHog — anonymized product analytics on the funnel.
  • Vercel — application hosting and edge logs.

4. how long we keep it

  • palm photos — kept until you delete your account or 12 months from upload, whichever comes first.
  • readings — kept until you delete your account.
  • subscription records — kept for 7 years to meet tax/accounting obligations.
  • analytics events — kept up to 12 months in aggregate form.

5. your rights

you can:

  • access a copy of the data we hold about you;
  • correct inaccurate data;
  • delete your account and associated data;
  • export your readings in a portable format;
  • opt out of analytics (we'll add an in-app toggle; in the meantime install a tracker-blocker or email us).

email support@mirapalms.com and we'll handle it within 30 days.

6. cookies + similar

we use cookies for three purposes:

  • session cookie — Supabase sets a cookie so we know which anonymous user you are between page loads.
  • analytics — PostHog sets a cookie to count unique visitors and stitch your funnel together.
  • billing — Stripe sets cookies during checkout to secure the payment session.

we don't use third-party advertising cookies. there is no retargeting pixel on this site.

7. children

mira is not directed at children under 16. if we learn we've collected data from someone under 16, we'll delete it.

8. international transfers

our vendors are primarily in the United States. if you're in the EU/UK and use the service, your data is transferred to and processed in the US under standard contractual clauses with our processors.

9. security

palm photos are stored in a private bucket reachable only with short-lived signed URLs. payments are tokenized by Stripe. database access is gated by row-level security. we use TLS everywhere. that said, no system is perfectly secure — keep your login email protected on your end.

10. changes

we'll post material changes here and email subscribers at least 14 days before they take effect.

11. contact

questions or requests? email support@mirapalms.com.
