← BACK

PRIVACY POLICY

Last updated: June 3, 2026

TL;DR

What this Privacy Policy says, in 5 lines:

  • We collect: email, date of birth, country, and the photos you take inside the app.
  • We don't use your photos to train AI models. They're sent to a third-party vision API for analysis — see Section 2.2 for details.
  • Minimum age: 16 years old worldwide (aligned with Brazil's Lei Felca).
  • You can delete your account from in-app Settings — full deletion within 30 days.
  • We never sell your data.
DATA CONTROLLER

The data controller for Mirokami is currently:

Renato Sousa (operating personally — Mirokami is not yet incorporated as a legal entity)

Contact: renato@mirokami.com

When Mirokami is incorporated as a legal entity (CNPJ), this section will be updated with the company name, address, and tax ID.

DATA PROTECTION OFFICER (DPO / ENCARREGADO)

Per LGPD Article 41 and GDPR Article 37, the person responsible for handling data subject requests and communicating with the data protection authority is:

Renato Sousa

renato@mirokami.com

We respond to data subject requests within the legal timeframes — 15 business days under LGPD, 30 days under GDPR.

1. INTRODUCTION

Welcome to Mirokami! This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our mobile application.

Mirokami respects your privacy and is committed to protecting your personal data. This policy complies with the Brazilian General Data Protection Law (LGPD), the European General Data Protection Regulation (GDPR), and Brazilian Law 15.211/2025 (Digital ECA, also known as Lei Felca).

2. DATA WE COLLECT

2.1. Account Information

  • Username
  • Email
  • Password (hashed and salted with bcrypt)
  • Date of birth (used only for age verification — see Section 7)
  • Country of residence (ISO 3166-1 alpha-2, used for jurisdiction-specific rules)
  • Age verification source (self-declared, Apple, or Google) and whether you are flagged as a minor

2.2. Photos and Images

The app captures photos taken with the device camera inside the app. We do not access your photo library — only photos you capture in Mirokami are sent to us. They are used for:

  • Interactions with your virtual character (Mirokami)
  • Content analysis by Artificial Intelligence
  • Calculation of character attributes (hunger, energy, fitness, mental, knowledge)

Important — Storage and Control:

Photos are processed by AI to identify content (food, physical activities, etc.). Each photo is sent via API to OpenRouter and analyzed by a Google Gemini model. The image is then stored securely and privately on AWS S3 (region us-east-1). Your photos are NEVER made publicly available. Only you and the AI analysis pipeline have access to your photos.

We do not use your photos to train AI models. Each photo is sent to a third-party vision API (OpenRouter routing to Google Gemini) for on-demand analysis. How those providers handle API inputs is governed by their own terms — we recommend reviewing OpenRouter's and Google's policies. If our own practice ever changes, we will notify you in advance and respect your right to object or delete your account.

Retention and Control:

  • Photos are stored while your account exists, listed in your interaction history
  • You can delete individual photos manually at any time
  • Deletion is permanent and immediate (no trash or recovery)
  • When you delete your account, all photos are deleted within 30 days

2.3. Technical and Usage Data

To run the service and improve it, we also collect:

  • Device model, operating system, app version, and preferred language
  • A push notification token (Firebase Cloud Messaging) so we can send character status reminders. You can disable push notifications in your device settings.
  • Anonymous analytics events through Firebase Analytics (e.g. sign-up, character interactions, feature usage) — used to understand engagement and fix bugs
  • Ad consent state, when you are in a jurisdiction that requires it (GDPR/CCPA). Collected via Google's User Messaging Platform (UMP)

For users flagged as minors (under 18), we do not associate analytics events with a user_id. Events are recorded without identifying you across sessions.

2.4. PROCESSING ACTIVITIES

Per LGPD Art. 9 and GDPR Art. 13, here is each data processing activity, its legal basis, retention, and recipients:

Data: Email, password, username

Purpose: Create and authenticate your account

Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))

Retention: While account exists

Recipients: AWS (database)

Data: Date of birth, country, age verification source

Purpose: Verify minimum age per jurisdiction (Lei Felca / ECA Digital)

Legal basis: Legal obligation (LGPD Art. 7, II; GDPR Art. 6(1)(c))

Retention: While account exists

Recipients: AWS (database); Apple / Google native age signal APIs (coarse range only)

Data: Photos captured in-app

Purpose: Generate interactions and character attributes via AI

Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))

Retention: While account exists; deleted within 30 days after account deletion

Recipients: AWS S3 (us-east-1); OpenRouter and Google (Gemini model) for analysis

Data: Analytics events (without user_id for minors)

Purpose: Understand engagement and fix bugs

Legal basis: Legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f))

Retention: 14 months (Firebase default)

Recipients: Google Firebase

Data: Push notification token (FCM)

Purpose: Send character status reminders

Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))

Retention: Rotated by the device; discarded on app uninstall

Recipients: Google Firebase Cloud Messaging

Data: Verification code (6-digit, sent by email)

Purpose: Confirm sensitive actions (account deletion)

Legal basis: Performance of contract (LGPD Art. 7, V; GDPR Art. 6(1)(b))

Retention: 5 minutes

Recipients: Transactional email provider

Data: Server logs

Purpose: Operations, debugging, abuse prevention

Legal basis: Legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f))

Retention: 90 days

Recipients: AWS

Data: Database backups

Purpose: Disaster recovery

Legal basis: Legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f))

Retention: 30 days

Recipients: AWS

Data: Ad consent state (UMP)

Purpose: Comply with GDPR/CCPA consent requirements

Legal basis: Legal obligation (LGPD Art. 7, II; GDPR Art. 6(1)(c))

Retention: While account exists

Recipients: Google AdMob / User Messaging Platform

3. HOW WE USE YOUR DATA
  • Functionality: Create account, process photos with AI, calculate character attributes, deliver experiences and seasonal packs
  • Improvements: Develop new features, fix bugs, and prioritize what works
  • Communication: Send push notifications about your character (e.g. low energy, hunger), respond to support requests
  • Advertising: Display rewarded ads through Google AdMob. Users under 18 receive non-personalized ads (npa=1)
  • Age compliance: Verify and enforce minimum-age requirements per jurisdiction, in line with Lei Felca / ECA Digital and equivalent foreign laws
4. DATA SHARING

We never sell your data.

We share specific data with the following providers and parties:

  • Amazon Web Services (S3, region us-east-1): Secure image storage and backend infrastructure
  • OpenRouter and Google (Gemini model): Each photo you submit is sent via API for content analysis (food detection, activity classification, etc.). Their handling of API inputs is governed by their own terms — see Section 2.2 for what we commit to on our side
  • Google Firebase: Anonymous analytics (Analytics) and push notification delivery (Cloud Messaging)
  • Google AdMob and User Messaging Platform: Rewarded ads and consent management
  • Sign in with Apple and Google Sign-In: Authentication, only when you choose these login methods
  • Apple Declared Age Range API and Google Play Age Signals: When available, used to verify the age range declared at signup. We request a coarse age signal only, not your date of birth
  • Meta / Instagram: Only when you explicitly share an experience to Instagram Stories. The handoff is performed by your device's native share sheet
  • Legal requirements: When compelled by law, court order, or regulatory request

International data transfers:

Your data is processed in the United States (AWS us-east-1) and on Google servers. For users in Brazil, we base international transfers on LGPD Art. 33, V (performance of contract). For users in the European Union, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

5. SECURITY
  • Encrypted HTTPS connections
  • Hashed and salted passwords (bcrypt)
  • JWT tokens with expiration
  • Servers behind access controls
  • Regular backups
6. YOUR RIGHTS (LGPD/GDPR)

You have the right to:

  • Access: View all data we have about you
  • Rectification: Update incorrect information
  • Erasure: Delete your account and data
  • Portability: Receive your data in a structured format
  • Objection: Object to processing

How to exercise your rights:

  • Account deletion is available in-app: tap the help icon (?) → Settings → Delete Account. You receive a 6-digit confirmation code by email; once confirmed, your account, character, interactions, and photos are permanently removed.
  • For all other requests (access, correction, portability, objection), write to renato@mirokami.com. We respond within the timelines required by the applicable law.
  • You may also reach out to your data protection authority (ANPD in Brazil, your national DPA in the EU).
7. RETENTION PERIODS

We keep each category of data for the minimum time needed:

  • Photos: while the account exists; deleted within 30 days after account deletion
  • Account fields (email, password, DOB, country): while the account exists
  • FCM push token: rotated by the device; discarded on app uninstall
  • Firebase Analytics events: 14 months (Firebase default)
  • Verification codes (6-digit): 5 minutes
  • Server logs: 90 days
  • Database backups: 30 days
8. AGE-BASED PROTECTIONS (LEI FELCA / ECA DIGITAL)

Minimum age to create a Mirokami account:

  • Brazil: 16 years old, per Law 15.211/2025 (Digital Statute of the Child and Adolescent — Lei Felca)
  • All other countries: 16 years old. We apply the same minimum globally as a more protective policy, in addition to any higher minimum age set by your local law

How we verify age:

  • At signup we collect your self-declared date of birth and country.
  • When available, we request a coarse age signal from your operating system (Apple Declared Age Range API on iOS, Google Play Age Signals on Android).
  • If signals disagree, we apply the most restrictive one. Accounts that fail the check are suspended and may be permanently deleted.

For users under 18:

  • Ads are non-personalized (npa=1). No behavioral profiling.
  • No sharing of personal data with third parties for marketing.
  • Analytics events are recorded without a user_id, so we cannot identify a minor across sessions.
  • We encourage parental or guardian involvement. By creating an account as a minor, you confirm that you have a parent or guardian who is aware of your use of Mirokami.

We do not knowingly collect personal data from anyone below the minimum age. If we identify such a registration, the account is closed and the data deleted.

9. CHANGES TO THIS POLICY

We may update this policy periodically. Significant changes will be announced through an in-app notice or by email.

VERSION HISTORY

Changes to this policy over time:

2026-06-03: Added data controller and DPO identification; added processing activities table with legal bases; named OpenRouter + Google Gemini as the AI vision provider with note that their handling of inputs is governed by their own terms; added our own no-training commitment; added international transfer mechanism; documented retention periods per category; clarified that analytics events are unlinked from user_id for minors; raised minimum age to 16 years worldwide (previously 13 outside Brazil).

CONTACT

If there is any conflict between language versions of this Privacy Policy, the Brazilian Portuguese (PT-BR) version prevails.

By using Mirokami, you agree to this Privacy Policy.