PLEN
SoulMirror
HomePricingTerms
Privacy Policy

Your data and photos are treated as private by design.

SoulMirror treats your moments, photos, and reflections as a space for you only. We don't sell data and we don't use it to train AI models without your consent.

In short

What you should know in 30 seconds.

  • • Your photos and moment descriptions are used exclusively to deliver your AI analysis.
  • • We work with trusted technology providers (Anthropic, OpenAI, ElevenLabs, Supabase, Stripe, Google Play Billing, Vercel) who process data only on our behalf or as separate controllers for their own payment services.
  • • If you accept analytics cookies, we use Google Analytics 4 to measure traffic — you can withdraw consent at any time.
  • • We do not sell data. We do not use it to train our own AI models.
  • • You can export a copy of your data or request account deletion with full history at any time.
  • • You have the right to lodge a complaint with a supervisory authority if your rights are violated.

1. Data controller

The controller of your personal data is Krzysztof Wieczorek, a natural person operating under Polish "unregistered activity" rules, correspondence address: ul. Ogniskowa, 93-329 Łódź, Poland.

For matters related to personal data processing, contact the controller at: kontakt@soulmirror.pl. We respond to all requests within 30 days (extendable by an additional 60 days in complex cases — you will be informed if this happens).

SoulMirror is in early-access (beta). After business registration, this section will be updated with full company details (registered name, tax ID, registered seat address) — the current version of this policy will always be available at this URL.

2. What data we process, for what purpose, on what basis

Account data

Scope: email address, display name, optionally first name, language and display settings. Purpose: account creation and operation, authentication, technical contact. Basis: art. 6(1)(b) GDPR (performance of a contract). Retention: for the duration of the account + 30 days after deletion.

Photos and moment descriptions

Scope: photos you upload, moment descriptions, optionally event date and location. Purpose: generating the AI analysis (teaser + full report + optional audio). Basis: art. 6(1)(b) GDPR. Retention: until you delete the moment or your account.

AI analysis results (teasers, reports, audio)

Scope: textual interpretations, audio files, metadata (generation time, AI model used). Purpose: delivering your analysis + making it available in your moment library. Basis: art. 6(1)(b) GDPR. Retention: as with photos and descriptions.

Payment data — web (Stripe)

Scope: Stripe transaction identifiers, subscription identifiers, payment status, plan, amount, currency. We do not store your card data — payments are handled entirely by Stripe. Purpose: handling purchases, subscriptions, and refunds in the web app. Basis: art. 6(1)(b) and (c) GDPR (tax obligations). Retention: 5 years (accounting obligations).

Payment data — Android app (Google Play Billing)

Scope: Google Play purchase token, product/subscription ID, order ID, subscription state (active/cancelled/grace/on-hold), renewal date and acknowledgement metadata. We do not receive your card data or Google account — payments are handled entirely by Google Play. Purpose: verifying purchases in the Android app, activating entitlements and handling subscription lifecycle. Basis: art. 6(1)(b) and (c) GDPR. Retention: 5 years (accounting obligations); subscription state updated in real time through Google Play Real-Time Developer Notifications (RTDN).

Analytics data (only if you consent)

Scope: pseudonymous device/browser identifiers, web-app usage events, technical parameters; in Consent Mode v2 with IP anonymised on Google's side. Purpose: measuring traffic and improving the service (Google Analytics 4). Basis: art. 6(1)(a) GDPR (consent) and art. 173 of the Polish Telecommunications Law (ePrivacy). Retention: up to 14 months (GA4 default); you can withdraw consent at any time via the cookie banner. We do not use Google Ads, remarketing, or personalised advertising in this version.

Technical and security logs

Scope: IP address, browser type, request timestamp, session ID, application errors. Purpose: security, diagnostics, abuse prevention. Basis: art. 6(1)(f) GDPR (legitimate interest). Retention: up to 90 days.

Consents (cookies, communication)

Scope: your cookie choices, marketing email preferences, location settings. Purpose: demonstrating compliance (accountability). Basis: art. 6(1)(c) + art. 7 GDPR. Retention: while consent is active + 3 years after withdrawal.

3. Who processes your data

To deliver SoulMirror we use trusted technology providers. All of them act exclusively on our instructions (as processors under art. 28 GDPR), based on Data Processing Agreements (DPAs) and only for the purposes described in section 2.

Anthropic, PBC (USA)

Photo and moment description analysis (Claude models). Data: photo + description. Anthropic privacy policy.

OpenAI, L.L.C. (USA)

Fallback for AI analysis when the primary model is unavailable. Data: photo + description. OpenAI privacy policy.

ElevenLabs, Inc. (USA)

Audio generation (text-to-speech). Data: audio script. ElevenLabs privacy policy.

Supabase Inc. (USA, data in EU)

Database, authentication, storage for photos and audio. Data: accounts, moments, analysis results, audio. Supabase privacy policy.

Stripe Payments Europe Ltd. (Ireland) and Stripe, Inc. (USA)

Payment and subscription processing in the web app. Data: transaction details, payment status. Stripe acts as a separate controller of payment data. Stripe privacy policy.

Google Ireland Ltd. / Google LLC — Google Play Billing

One-time and subscription payments in the Android app distributed via Google Play. Data: purchase token, product/subscription ID, order ID, subscription state and metadata. Google acts as merchant of record and separate controller of payment data. Google privacy policy.

Google Ireland Ltd. / Google LLC — Google Analytics 4 (conditional)

Web-app traffic and event measurement. Loaded only after analytics-cookie consent (Consent Mode v2). Data: pseudonymous identifiers, events, technical parameters; IP anonymised. We do not use Google Ads, remarketing, or personalised advertising in this version. Google privacy policy.

Vercel, Inc. (USA, EU infrastructure)

Web application hosting, CDN, edge functions. Data: network traffic, logs, page content. Vercel privacy policy.

The list of providers is current as of 26 May 2026 and may change as the product evolves — all material changes will be communicated in advance.

4. Data transfers outside the EEA

Some of our providers (Anthropic, OpenAI, ElevenLabs, Stripe Inc., Google LLC, Vercel) are based in the United States. As a result, your data may be transferred outside the European Economic Area.

Such transfers rely on safeguards ensuring an adequate level of data protection under Chapter V of the GDPR: Standard Contractual Clauses (SCC) issued by the European Commission and, where applicable, the Data Privacy Framework (DPF) for certified providers. You may obtain a copy of the applicable clauses by contacting the controller.

5. Cookies and similar technologies

We use the following cookie categories:

  • Strictly necessary: user session (HMAC), language preference (SM_LOCALE), CSRF protection. Without these the app does not work — consent not required.
  • Payment: set by Stripe during web checkout, required to complete a transaction.
  • Functional: theme and interface settings — require your consent.
  • Analytics (Google Analytics 4): loaded only after consent in the cookie banner, in Consent Mode v2 with IP anonymisation on Google's side. You can withdraw consent at any time by clicking „Cookie settings” in the footer.
  • Marketing / advertising: not used in this version of the app (no Google Ads, no remarketing, no personalised advertising). Should this change, this policy will be updated at least 14 days before activation.

You can delete cookies at any time in your browser settings. Deleting strictly necessary cookies may cause the app to stop working correctly.

6. Your rights

Under the GDPR you have the following rights:

  • Right of access (art. 15) — to know what data we process about you and to receive a copy.
  • Right to rectification (art. 16) — to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten", art. 17) — to request deletion of your account and all related data. Path: email the controller (kontakt@soulmirror.pl) with your deletion request. Processed within 30 days per art. 12.
  • Right to restriction of processing (art. 18) — in specified situations you can request temporary suspension of processing.
  • Right to data portability (art. 20) — receive your data in a structured format and transfer it to another controller.
  • Right to object (art. 21) — object to processing based on legitimate interest.
  • Right not to be subject to automated decision-making (art. 22) — see section 7.
  • Right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).
  • Right to lodge a complaint with a supervisory authority (in Poland: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).

To exercise any of these rights, write to kontakt@soulmirror.pl. We respond without undue delay, no later than within 30 days.

7. Automated decisions and AI

SoulMirror uses AI models to generate interpretations of your photos and moment descriptions. The AI analysis result is not a decision producing legal effects concerning youand does not significantly affect you within the meaning of art. 22 GDPR. It is a tool for personal reflection.

AI-generated content is supportive only and does not constitute psychological, medical, or therapeutic advice. It does not replace consultation with a professional. The AI analysis result is labelled in the app as AI-generated (in compliance with art. 50(2) of the EU AI Act).

We do not use your data to train our own AI models or those of our providers. Anthropic, OpenAI, and ElevenLabs are bound by DPAs not to use customer data for model training (zero data retention).

8. Security

We apply organisational and technical measures to keep data secure: encrypted transmission (TLS 1.2+), HMAC session authentication, database-level access control (Row Level Security in Supabase), per-user file isolation, regular dependency and permission audits. Administrative access is limited and monitored.

9. Changes to this policy

This policy may be updated as the product evolves or due to technological or regulatory changes. Material changes will be communicated by email or in-app at least 14 days in advance. Version history is available on request from the controller.

Effective date of the current version: 26 May 2026.