MirupaMirupa
FRENStart →
Privacy

Privacy policy

Last updated: April 27, 2026

At Mirupa, your privacy is a priority. This policy explains what data we collect, why, for how long, and what your rights are — in accordance with the General Data Protection Regulation (GDPR) and French law.

Data we collect

We only collect data strictly necessary to produce your analysis:

  • Declarative data: age, sex, height, weight, goal, activity level, eating habits, constraints, history. You choose what to share.
  • Photos (front + back, required): used by the AI for the body-zone map and your personalized heatmap. Stored encrypted, never shared with third parties, deletable on request.
  • Email: to send you your report and an optional premium follow-up email.
  • Technical data: IP address, browser, pages visited (basic server logs, no advertising pixels).

No advertising cookies

Mirupa does not use advertising tracking cookies, Google Analytics, Meta Pixel, or any retargeting tools. We only use cookies strictly necessary for the site to work.

Why we process your data

  • Generate your personalized report (legal basis: contract performance)
  • Send you your report by email (legal basis: contract performance)
  • Improve the quality of our analyses, using anonymized data (legal basis: legitimate interest)
  • Meet our legal and accounting obligations (legal basis: legal obligation)

Retention

  • Active reports: as long as your account exists, or 36 months after last use
  • Photos: 12 months maximum, unless immediate deletion is requested
  • Payment data: kept by Stripe, never on our servers (Mirupa never sees any banking data)
  • Technical logs: 12 months

Processors and transfers

Your data is processed by the following sub-processors:

  • Vercel — application hosting (United States, standard contractual clauses)
  • Supabase — database (European Union, eu-west-1)
  • OpenAI and Google Gemini — AI analysis (United States, data sent transiently to generate the analysis, not used for model training)
  • AWS S3 — temporary photo storage (Europe region)
  • Stripe — payment processing (Ireland, PCI-DSS compliant)
  • Resend — transactional email delivery (Germany)

Your rights

Under GDPR, you have the following rights, exercisable at any time at contact@mirupa.com:

  • Right of access to your data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right to lodge a complaint with a supervisory authority (in France: CNIL)

Security

Your data is encrypted in transit (TLS 1.3) and at rest. Access is restricted to strictly authorized personnel. In the event of a data breach, you would be informed within 72 hours.

Contact

For any question about this policy: contact@mirupa.com.