PRIVACY POLICY
Last updated: June 3, 2026
What this Privacy Policy says, in 5 lines:
- We collect: email, date of birth, country, and the photos you take inside the app.
- We don't use your photos to train AI models. They're sent to a third-party vision API for analysis — see Section 2.2 for details.
- Minimum age: 16 years old worldwide (aligned with Brazil's Lei Felca).
- You can delete your account from in-app Settings — full deletion within 30 days.
- We never sell your data.
The data controller for Mirokami is currently:
Renato Sousa (operating personally — Mirokami is not yet incorporated as a legal entity)
Contact: renato@mirokami.com
When Mirokami is incorporated as a legal entity (CNPJ), this section will be updated with the company name, address, and tax ID.
Per LGPD Article 41 and GDPR Article 37, the person responsible for handling data subject requests and communicating with the data protection authority is:
Renato Sousa
We respond to data subject requests within the legal timeframes — 15 business days under LGPD, 30 days under GDPR.
Welcome to Mirokami! This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our mobile application.
Mirokami respects your privacy and is committed to protecting your personal data. This policy complies with the Brazilian General Data Protection Law (LGPD), the European General Data Protection Regulation (GDPR), and Brazilian Law 15.211/2025 (Digital ECA, also known as Lei Felca).
2.1. Account Information
- Username
- Password (hashed and salted with bcrypt)
- Date of birth (used only for age verification — see Section 7)
- Country of residence (ISO 3166-1 alpha-2, used for jurisdiction-specific rules)
- Age verification source (self-declared, Apple, or Google) and whether you are flagged as a minor
2.2. Photos and Images
The app captures photos taken with the device camera inside the app. We do not access your photo library — only photos you capture in Mirokami are sent to us. They are used for:
- Interactions with your virtual character (Mirokami)
- Content analysis by Artificial Intelligence
- Calculation of character attributes (hunger, energy, fitness, mental, knowledge)
Important — Storage and Control:
Photos are processed by AI to identify content (food, physical activities, etc.). Each photo is sent via API to OpenRouter and analyzed by a Google Gemini model. The image is then stored securely and privately on AWS S3 (region us-east-1). Your photos are NEVER made publicly available. Only you and the AI analysis pipeline have access to your photos.
We do not use your photos to train AI models. Each photo is sent to a third-party vision API (OpenRouter routing to Google Gemini) for on-demand analysis. How those providers handle API inputs is governed by their own terms — we recommend reviewing OpenRouter's and Google's policies. If our own practice ever changes, we will notify you in advance and respect your right to object or delete your account.
Retention and Control:
- Photos are stored while your account exists, listed in your interaction history
- You can delete individual photos manually at any time
- Deletion is permanent and immediate (no trash or recovery)
- When you delete your account, all photos are deleted within 30 days
2.3. Technical and Usage Data
To run the service and improve it, we also collect:
- Device model, operating system, app version, and preferred language
- A push notification token (Firebase Cloud Messaging) so we can send character status reminders. You can disable push notifications in your device settings.
- Anonymous analytics events through Firebase Analytics (e.g. sign-up, character interactions, feature usage) — used to understand engagement and fix bugs
- Ad consent state, when you are in a jurisdiction that requires it (GDPR/CCPA). Collected via Google's User Messaging Platform (UMP)
For users flagged as minors (under 18), we do not associate analytics events with a user_id. Events are recorded without identifying you across sessions.
2.4. PROCESSING ACTIVITIES
Per LGPD Art. 9 and GDPR Art. 13, here is each data processing activity, its legal basis, retention, and recipients:
Data: Email, password, username
Purpose: Create and authenticate your account
Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))
Retention: While account exists
Recipients: AWS (database)
Data: Date of birth, country, age verification source
Purpose: Verify minimum age per jurisdiction (Lei Felca / ECA Digital)
Legal basis: Legal obligation (LGPD Art. 7, II; GDPR Art. 6(1)(c))
Retention: While account exists
Recipients: AWS (database); Apple / Google native age signal APIs (coarse range only)
Data: Photos captured in-app
Purpose: Generate interactions and character attributes via AI
Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))
Retention: While account exists; deleted within 30 days after account deletion
Recipients: AWS S3 (us-east-1); OpenRouter and Google (Gemini model) for analysis
Data: Analytics events (without user_id for minors)
Purpose: Understand engagement and fix bugs
Legal basis: Legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f))
Retention: 14 months (Firebase default)
Recipients: Google Firebase
Data: Push notification token (FCM)
Purpose: Send character status reminders
Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))
Retention: Rotated by the device; discarded on app uninstall
Recipients: Google Firebase Cloud Messaging
Data: Verification code (6-digit, sent by email)
Purpose: Confirm sensitive actions (account deletion)
Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))
Retention: 5 minutes
Recipients: Transactional email provider
Data: Server logs
Purpose: Operations, debugging, abuse prevention
Legal basis: Legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f))
Retention: 90 days
Recipients: AWS
Data: Database backups
Purpose: Disaster recovery
Legal basis: Legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f))
Retention: 30 days
Recipients: AWS
Data: Ad consent state (UMP)
Purpose: Comply with GDPR/CCPA consent requirements
Legal basis: Legal obligation (LGPD Art. 7, II; GDPR Art. 6(1)(c))
Retention: While account exists
Recipients: Google AdMob / User Messaging Platform
- Functionality: Create account, process photos with AI, calculate character attributes, deliver experiences and seasonal packs
- Improvements: Develop new features, fix bugs, and prioritize what works
- Communication: Send push notifications about your character (e.g. low energy, hunger), respond to support requests
- Advertising: Display rewarded ads through Google AdMob. Users under 18 receive non-personalized ads (npa=1)
- Age compliance: Verify and enforce minimum-age requirements per jurisdiction, in line with Lei Felca / ECA Digital and equivalent foreign laws
We never sell your data.
We share specific data with the following providers and parties:
- Amazon Web Services (S3, region us-east-1): Secure image storage and backend infrastructure
- OpenRouter and Google (Gemini model): Each photo you submit is sent via API for content analysis (food detection, activity classification, etc.). Their handling of API inputs is governed by their own terms — see Section 2.2 for what we commit to on our side
- Google Firebase: Anonymous analytics (Analytics) and push notification delivery (Cloud Messaging)
- Google AdMob and User Messaging Platform: Rewarded ads and consent management
- Sign in with Apple and Google Sign-In: Authentication, only when you choose these login methods
- Apple Declared Age Range API and Google Play Age Signals: When available, used to verify the age range declared at signup. We request a coarse age signal only, not your date of birth
- Meta / Instagram: Only when you explicitly share an experience to Instagram Stories. The handoff is performed by your device's native share sheet
- Legal requirements: When compelled by law, court order, or regulatory request
International data transfers:
Your data is processed in the United States (AWS us-east-1) and on Google servers. For users in Brazil, we base international transfers on LGPD Art. 33, V (performance of contract). For users in the European Union, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
- Encrypted HTTPS connections
- Hashed and salted passwords (bcrypt)
- JWT tokens with expiration
- Servers behind access controls
- Regular backups
You have the right to:
- Access: View all data we have about you
- Rectification: Update incorrect information
- Erasure: Delete your account and data
- Portability: Receive your data in a structured format
- Objection: Object to processing
How to exercise your rights:
- Account deletion is available in-app: tap the help icon (?) → Settings → Delete Account. You receive a 6-digit confirmation code by email; once confirmed, your account, character, interactions, and photos are permanently removed.
- For all other requests (access, correction, portability, objection), write to renato@mirokami.com. We respond within the timelines required by the applicable law.
- You may also reach out to your data protection authority (ANPD in Brazil, your national DPA in the EU).
We keep each category of data for the minimum time needed:
- Photos: while the account exists; deleted within 30 days after account deletion
- Account fields (email, password, DOB, country): while the account exists
- FCM push token: rotated by the device; discarded on app uninstall
- Firebase Analytics events: 14 months (Firebase default)
- Verification codes (6-digit): 5 minutes
- Server logs: 90 days
- Database backups: 30 days
Minimum age to create a Mirokami account:
- Brazil: 16 years old, per Law 15.211/2025 (Digital Statute of the Child and Adolescent — Lei Felca)
- All other countries: 16 years old. We apply the same minimum globally as a more protective policy, in addition to any higher minimum age set by your local law
How we verify age:
- At signup we collect your self-declared date of birth and country.
- When available, we request a coarse age signal from your operating system (Apple Declared Age Range API on iOS, Google Play Age Signals on Android).
- If signals disagree, we apply the most restrictive one. Accounts that fail the check are suspended and may be permanently deleted.
For users under 18:
- Ads are non-personalized (npa=1). No behavioral profiling.
- No sharing of personal data with third parties for marketing.
- Analytics events are recorded without a user_id, so we cannot identify a minor across sessions.
- We encourage parental or guardian involvement. By creating an account as a minor, you confirm that you have a parent or guardian who is aware of your use of Mirokami.
We do not knowingly collect personal data from anyone below the minimum age. If we identify such a registration, the account is closed and the data deleted.
We may update this policy periodically. Significant changes will be announced through an in-app notice or by email.
Changes to this policy over time:
2026-06-03: Added data controller and DPO identification; added processing activities table with legal bases; named OpenRouter + Google Gemini as the AI vision provider with note that their handling of inputs is governed by their own terms; added our own no-training commitment; added international transfer mechanism; documented retention periods per category; clarified that analytics events are unlinked from user_id for minors; raised minimum age to 16 years worldwide (previously 13 outside Brazil).
Email: renato@mirokami.com
If there is any conflict between language versions of this Privacy Policy, the Brazilian Portuguese (PT-BR) version prevails.
By using Mirokami, you agree to this Privacy Policy.