Privacy Policy
Effective Date: June 6, 2026
Version: 1.0
에스클리시 (Esklisy) ("we," "us," or "our") operates mirroo.me (the "Service"). This Privacy Policy explains how we collect, use, and protect your information when you use our Service.
By using mirroo.me, you agree to the practices described in this policy.
1. Who This Policy Applies To
This policy applies to:
- Questioners — registered users who create anonymous feedback links and receive AI-distilled insights.
- Respondents — anyone who follows a shared link and submits an anonymous response (no account required, no PII collected).
2. Information We Collect
2.1. Information You Provide (Questioners)
| Category | Examples | Purpose |
|---|---|---|
| Account identifiers | Email address, nickname | Authentication, communication |
| Demographic data | Date of birth (self-reported) | Age verification (19+) |
| Social login data | Kakao ID/email, Google ID/email (if OAuth used) | Authentication |
| Optional profile data | Industry or profession | Insight personalization |
We do not collect payment card numbers directly. All payment processing is handled by our payment processor (Toss Payments / 토스페이먼츠).
2.2. Information Collected Automatically (All Visitors)
| Category | Method | Purpose |
|---|---|---|
| Usage events | PostHog SDK (anonymized) | Service improvement |
| Error logs | Sentry SDK (PII masked) | Bug detection |
| Session cookies | Browser storage | Login state |
2.3. Respondent Data — Zero PII Policy
We collect no personally identifiable information from respondents. We only process the following technical signals to prevent abuse (duplicate submissions, spam):
| Signal | Format | Retention |
|---|---|---|
| IP address hash (one-way) | SHA-256 hash, not reversible | 30 days, then deleted |
| User-Agent hash (one-way) | SHA-256 hash | 30 days, then deleted |
| Device fingerprint hash | Hashed, not reversible | 30 days, then deleted |
Raw response text from respondents is encrypted (AES-256) and never shown to anyone, including the questioner. After AI processing, only aggregated, AI-distilled insights are displayed. Raw responses are automatically deleted 12 months after collection.
3. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Account creation and authentication | Email, nickname, date of birth, social login ID |
| Delivering the Service (question links, response collection, AI insights) | Email, question content, AI-processed insights |
| Payment processing and refunds | Email, transaction records |
| Notifications (email, web push, KakaoTalk business messages for Pro subscribers) | Email, Kakao ID |
| Abuse prevention and report handling | IP hash, fingerprint hash |
| Service analytics and improvement | Anonymized usage events |
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
4. Disclosure to Third Parties
4.1. Service Processors
We share data only with service providers that help us operate mirroo.me. These parties may only process data on our instructions.
| Processor | Country | Data Shared | Purpose |
|---|---|---|---|
| Supabase Inc. | South Korea (Seoul region) | Account data, encrypted responses | Database, auth, server |
| Cloudflare Inc. | USA | Network traffic, images/assets | Web hosting (Workers), CDN, asset storage (R2) |
| OpenAI LLC | USA | Response text (no PII) | AI insight generation |
| Anthropic PBC | USA | Response text (no PII) | AI insight generation |
| Resend Inc. | USA | Email address | Transactional email |
| Toss Payments (토스페이먼츠) | South Korea | Payment records | Domestic payment processing |
| Polar Inc. | USA | Payment info | International USD payment (Merchant of Record) |
| Aligo (알리고) | South Korea | KakaoTalk message delivery (Pro subscribers only) | Kakao notification |
| Sentry Inc. | USA | Error logs (PII masked) | Error monitoring |
| PostHog Inc. | USA | Anonymized usage events | Analytics |
| Microsoft (Clarity) | USA | Anonymized usage events, session replay | Analytics |
OpenAI and Anthropic process response text solely to generate insights. They do not use this data to train their models (per their API terms). Response text contains no respondent PII.
4.2. Legal Disclosures
We may disclose information when required by law, court order, or government authority with valid legal process.
5. Data Transfers Outside South Korea
Our primary database is hosted in South Korea (Supabase Seoul). However, some processors listed above operate servers in the United States. By using our Service, you consent to these cross-border transfers. Data transferred to US-based processors is protected by contractual obligations.
6. Data Retention
| Category | Retention Period |
|---|---|
| Account data (email, nickname, etc.) | 30-day grace period after deletion request, then permanently deleted |
| Payment records | 5 years (required by Korean e-commerce law) |
| Raw response content | 12 months from receipt, then automatically deleted |
| Respondent device hashes | 30 days, then automatically deleted |
| Abuse logs (IP hashes) | 30 days |
| Usage logs | 6 months |
7. Your Rights
7.1. All Users
You have the right to:
- Access — request a copy of personal data we hold about you
- Correct — request correction of inaccurate data
- Delete — request deletion of your account and associated data (account settings or email request)
- Portability — request your data in a structured format
- Withdraw Consent — withdraw consent to data processing at any time (may limit Service access)
How to exercise: Use /account/settings in the app or email support@mirroo.me. We respond within 45 days (CCPA standard). Korean users receive a response within 10 days (PIPA standard).
7.2. California Residents (CCPA)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect, use, and share
- Delete your personal information (subject to legal exceptions)
- Opt-Out of Sale — we do not sell your personal information. No opt-out action is needed.
- Non-Discrimination — we will not discriminate against you for exercising your rights
To submit a CCPA request, email support@mirroo.me with subject "CCPA Request."
Do Not Sell My Personal Information: mirroo.me does not sell personal information. This link serves as acknowledgment of that commitment.
8. Children's Privacy (COPPA)
mirroo.me is intended for users aged 19 and older. We do not knowingly collect personal information from users under 13. Because our minimum age is 19, we exceed COPPA requirements.
If we discover that a user under 13 has provided information, we will delete it immediately. If you believe a child has provided us information, contact support@mirroo.me.
9. AI Processing Disclosure
This Service uses AI models (OpenAI gpt-4o-mini and Anthropic Claude Haiku 4.5) to process anonymous response text and generate insights.
Key disclosures:
- No raw responses are shown to you or anyone else. The AI output you receive is a distilled, reframed summary.
- AI insights are for informational purposes only and do not constitute professional advice (psychological, legal, or otherwise).
- AI-generated insights may contain inaccuracies, including false positives or false negatives. We apply an automatic content moderation layer (threshold: 0.92) and a secondary review step, but errors remain possible.
- Response text sent to AI APIs contains no respondent PII. Neither OpenAI nor Anthropic uses API-submitted data for model training.
10. Security
We implement appropriate technical and organizational measures:
- AES-256 encryption for raw response storage
- HTTPS for all data transmission
- Row-level security (RLS) policies — raw responses are accessible only by our system-level service role, not by any user (including the questioner)
- Anomaly detection and rate limiting for abuse prevention
11. Cookies
| Type | Purpose | How to Opt Out |
|---|---|---|
| Session cookies | Maintain login state | Browser settings (may break Service) |
| Analytics cookies (PostHog) | Anonymized usage analysis | PostHog opt-out or contact support@mirroo.me |
| Analytics cookies (Microsoft Clarity) | Anonymized session replay & heatmaps | Browser cookie settings |
12. Contact / Privacy Officer
| Name | 김응수 |
| Role | Privacy Officer |
| Email | support@mirroo.me |
| Response Time | Within 45 days (CCPA) / 10 days (PIPA) |
13. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. We will provide at least 14 days' notice via in-app notice and email before changes take effect. Material changes that are adverse to you will receive 30 days' notice.
14. Change Log
| Date | Version | Change |
|---|---|---|
| 2026-06-06 | 1.0 | Initial publication |