Overview
WhiteMirror Technologies (“WhiteMirror Technologies”, “we”, “us”, or “our”) operates Mira, an accounts-receivable automation service that helps businesses follow up on overdue invoices via WhatsApp. We are committed to protecting your personal data and being transparent about how we use it.
This Privacy Policy explains what information we collect, why we collect it, how we use and share it, and the rights you have over it. It applies to everyone who visits our website, creates an account, or uses any part of the Mira platform.
We are a data controller for the personal data of our business customers (account holders). Where you upload data about your own clients, you remain the data controller for that client data and we act as your data processor.
Data We Collect
We collect the following categories of personal data:
Account & Identity Data
When you sign up we collect your name, email address, business name, and the password you create (stored as a secure hash — we never see it in plain text). If you sign in via Google, we receive your name and email from Google’s OAuth service.
Business & Invoice Data
To send follow-ups on your behalf, you provide details about your clients (name, phone number, email), the invoices they owe (amount, currency, due date), and any private notes you attach to a client. This data is stored securely and used only to operate the service for your account.
Voice Constitution Data
During onboarding you answer questions about your communication style. We analyse these answers to build a “voice constitution” — a structured profile of how you write — so that Mira’s follow-up messages sound like you. This profile does not leave our systems except to generate messages on your behalf via our AI inference partner (see “Third-Party Services” below).
Message & Conversation Data
We store the WhatsApp messages Mira sends on your behalf and any replies your clients send back. We use this thread history to inform future messages (e.g. not repeating information already acknowledged) and to surface reply summaries in your dashboard.
Client Memory Data
Mira builds a memory of patterns it observes about each client — for example, that a particular client consistently pays on the 15th, or that they prefer a certain tone. This memory is associated with your account and is used only to personalise future follow-ups for that client.
Usage & Technical Data
We automatically collect standard web analytics data including your IP address, browser type, pages visited, and timestamps. We use this to monitor platform health and improve the service. We do not sell or share this data with advertisers.
Billing Data
Payment card and bank details are collected and stored exclusively by Razorpay, our payment processor. We receive only non-sensitive billing metadata (e.g. last four digits, card brand, subscription status). We never see or store your full card or bank account number.
How We Use Your Data
We use your data for the following purposes, each of which has a legal basis under UK GDPR:
- Providing the service — Sending follow-up messages to your clients, routing replies to your dashboard, and storing conversation history. Legal basis: contract performance.
- Generating messages — Passing your voice constitution and invoice context to our AI inference provider to draft follow-up messages in your voice. Legal basis: contract performance. We strip personally identifiable details before sending context to the AI; only structured voice rules are shared.
- Improving Mira’s accuracy — Using message performance signals (reply rates, payment outcomes) in aggregate to improve our timing and tone algorithms. Legal basis: legitimate interest. This analysis never identifies individuals.
- Billing and account management — Processing payments, issuing receipts, enforcing plan limits, and communicating about your subscription. Legal basis: contract performance and legal obligation.
- Security and fraud prevention — Detecting unusual account activity, rate-limiting API calls, and preventing abuse. Legal basis: legitimate interest.
- Legal compliance — Retaining records we are legally required to keep (e.g. financial records for HMRC purposes). Legal basis: legal obligation.
- Marketing communications — If you opt in, sending you product updates and tips. Legal basis: consent. You can unsubscribe at any time.
Third-Party Services
We share data with the following third parties to operate Mira. All processors are bound by data processing agreements and are prohibited from using your data for their own purposes.
- Supabase — Our database and authentication provider. All data at rest is encrypted. Supabase processes data in the EU and is ISO 27001 certified.
- OpenRouter / AI inference providers — We use OpenRouter to access large language models for message generation and reply classification. We send only structured, de-identified context (never client phone numbers, full names, or financial account details) to these models. Outputs are returned to us and not retained by the provider for training purposes under our agreement.
- Meta (WhatsApp Business API) — To send and receive WhatsApp messages, we pass message content through Meta’s Cloud API. Meta processes this data in accordance with their Business Data Policy. You and your clients are subject to WhatsApp’s Terms of Service for any messages sent through the platform.
- Razorpay — Our payment processor. Razorpay is PCI-DSS compliant. We share only the billing information necessary to process your subscription.
- Vercel — Our hosting provider. Application code and server-side rendering run on Vercel’s infrastructure in the EU/US.
We do not sell, rent, or trade your personal data with any third party for advertising or marketing purposes.
Data Retention
We retain your data for as long as your account is active. Specific retention periods are:
- Account and business data — Retained for the lifetime of your account plus 30 days after deletion, to allow for account recovery. After 30 days, it is permanently deleted.
- Invoice and client data — Retained while your account is active. Deleted within 30 days of account deletion.
- Message logs — Retained for 12 months from the date of sending, then automatically purged. You can delete individual threads from your dashboard at any time.
- Client memory data — Retained while your account is active. You can clear memory for any individual client from the dashboard.
- Billing records — Retained for 7 years to comply with UK financial record-keeping requirements (HMRC).
- Usage and technical logs — Retained for 90 days for security monitoring, then deleted.
To request early deletion of your data, see “Your Rights” below or contact us at privacy@whitemirror.io.
Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights. To exercise any of them, email privacy@whitemirror.io — we will respond within 30 days.
- Right of access — You can request a copy of all personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate or incomplete data. Most account and client data can be updated directly from your dashboard without contacting us.
- Right to erasure (“right to be forgotten”) — You can ask us to delete your personal data. We will do so unless we are legally required to retain it (e.g. billing records).
- Right to restriction — You can ask us to pause processing of your data while a dispute is resolved.
- Right to data portability — You can request your data in a structured, machine-readable format (JSON/CSV).
- Right to object — You can object to processing based on legitimate interests (e.g. analytics). We will stop unless we can demonstrate compelling grounds that override your interests.
- Right to withdraw consent — Where processing is based on consent (e.g. marketing emails), you can withdraw at any time via the unsubscribe link in any email or by contacting us.
- Right to complain — If you believe we have mishandled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
Security
We take the security of your data seriously. Our measures include:
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256.
- Passwords are hashed using bcrypt and never stored in plain text.
- Row-level security (RLS) is enforced at the database layer — every query is scoped to the authenticated user’s account. No cross-account data access is possible.
- Webhook payloads from Meta are verified using HMAC-SHA256 signature checks before processing.
- Access to production systems is restricted to authorised personnel only, via multi-factor authentication.
Despite these measures, no system is perfectly secure. If you believe you have discovered a security vulnerability, please report it responsibly to security@whitemirror.io.
International Data Transfers
Some of our third-party service providers operate outside the UK or EEA (notably OpenRouter and Meta, which process data in the United States). Where we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office.
- Transfers to countries with UK adequacy decisions where applicable.
- Data minimisation — we transfer only what is strictly necessary for the service to function.
You can request a copy of the relevant transfer safeguards by emailing privacy@whitemirror.io.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) at least 14 days before the changes take effect, and update the “Last updated” date at the top of this page.
Continued use of Mira after the effective date of a change constitutes your acceptance of the updated policy. If you disagree with a change, you may delete your account before it takes effect.
Contact Us
For any privacy-related questions, data subject requests, or concerns, contact our data protection team:
- Email: privacy@whitemirror.io
- Response time: Within 30 days (we aim for 5 business days)
- Postal address: WhiteMirror Technologies, England, United Kingdom
If you are not satisfied with our response, you have the right to complain directly to the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.
Email us at legal@whitemirror.io and we'll get back to you within 2 business days.