Privacy Policy
Last updated: January 2025
1. Data We Collect
We collect the following categories of personal data when you register and use Mirrora:
- Account data: email address, hashed password, role (analyst or investor), registration timestamp
- Profile data: display name, biography, fee structure (analysts only)
- Subscription data: portfolio subscriptions, allocated amounts, IBKR account IDs
- Transaction data: trade execution logs related to your subscriptions
- Usage data: authentication events, API request logs (retained for 90 days)
2. How We Use Your Data
We use your data exclusively to:
- Provide and operate the Mirrora platform
- Authenticate your identity and secure your account
- Facilitate subscription relationships between investors and analysts
- Transmit portfolio change signals to your connected IBKR account
- Process fee payments through Stripe
- Respond to support requests and compliance obligations
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Legal Basis (GDPR)
Where GDPR applies, our legal basis for processing is:
- Contract performance: to provide the service you signed up for
- Legitimate interests: fraud prevention, security, platform integrity
- Consent: marketing communications (where applicable)
4. Data Retention
Account data is retained for the duration of your account plus 3 years for legal compliance purposes. Audit logs are retained for 7 years. You may request deletion at any time using the in-app data deletion feature.
5. Your Rights
Under GDPR and equivalent regulations, you have the right to:
- Access: export all your personal data (available from Account Settings)
- Rectification: correct inaccurate data via your profile settings
- Erasure: delete your account and associated data
- Portability: receive your data in a machine-readable format
- Restriction: request that we limit processing of your data
- Objection: object to processing based on legitimate interests
6. Cookies
We use strictly necessary cookies for session management (httpOnly, Secure). We do not use advertising or analytics cookies. You will be prompted to consent before any optional cookies are set.
7. Third-Party Services
Mirrora uses the following sub-processors: Stripe (payment processing), Interactive Brokers API (trade signal transmission). Each sub-processor is bound by data processing agreements compliant with applicable data protection law.
8. Security
We implement industry-standard security measures including bcrypt password hashing, HTTPS-only transport, JWT with short expiry, rate limiting, and security headers. We do not store payment card data (handled entirely by Stripe).
9. Contact
For privacy-related enquiries or to exercise your rights, contact our data protection team. We will respond within 30 days.