Privacy Policy

Effective date: 28 May 2026
Last updated: 28 May 2026

This Privacy Policy describes how BL Apps Management AB ("Premium Mirror", "we", "us", "our") collects, uses, shares, and protects personal information when you use the Premium Mirror mobile application and related websites at mirrorpremium.com and mirrorpremium.app (collectively, the "Service").

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Children's Online Privacy Protection Act (COPPA), and applicable App Store and Play Store policies.

If you do not agree with this Policy, please do not use the Service.


1. Who We Are (Data Controller)

The data controller responsible for your personal information is:

BL Apps Management AB
A company incorporated in Sweden
Contact: support@blmapp.se

For any privacy-related question, complaint, or rights request, email us at the address above with the subject line "Privacy Request".


2. Information We Collect

We collect only the information needed to operate the Service. Categories below describe what we collect, when, and why.

2.1 Account Information (when you sign in)

When you sign in with Apple or Google we receive:

  • Email address — used as your unique identifier and for security notices.
  • Display name (optional, from the provider) — used to suggest your initial alias.
  • Provider subject identifier — an opaque ID from Apple or Google that lets us recognise your account on future sign-ins. We do not receive your provider password.

You can use the Service in guest mode to use the camera, filters, frames, and brightness controls without signing in. Guest mode requires no account.

2.2 Profile Information (when you complete your profile)

After sign-in you can provide:

  • Alias — a public handle visible to other users.
  • Country (ISO country code).
  • Age (optional).
  • Gender (optional).
  • Bio (optional, up to 150 characters).
  • Avatar URL (optional, from your sign-in provider).

2.3 Photos and Posts (when you publish)

  • Captured photos stay on your device unless you choose to publish them to Rate My Look or share them externally.
  • When you publish, the photo is uploaded to our storage and a public post is created. The photo URL, applied filters and frames, and the country/age you provided at publish time become part of the post record.
  • Posts on Rate My Look expire after 24 hours, after which the photo and metadata are deleted from our active storage.

2.4 Social Interactions

When you like, follow, block, or report another user or post, we record the action with timestamps so the feature works. Likes are stored anonymously in counts — the identity of users who liked your post is not displayed to you.

2.5 Push Tokens

If you enable push notifications, your device generates a token via Apple Push Notification service (iOS) or Firebase Cloud Messaging (Android). We store this token so we can deliver notifications you have opted in to. You can disable notifications at any time in your phone's system settings.

2.6 Device and Log Data

When you use the Service we automatically collect:

  • IP address (used for security, abuse detection, and approximate region).
  • Device model, operating system version, and app version.
  • Crash logs (only if you opt in to crash reporting — see §6.6).
  • Server access logs (HTTP method, path, status code, timestamp).

Server logs are retained for 90 days for security and operations, then deleted.

2.7 Subscription Information (Premium users only)

If you upgrade to Premium we store:

  • Whether you are a Premium subscriber.
  • The expiry date of your subscription.

Payment processing happens through Apple App Store or Google Play. We do not see or store your card details — only the entitlement status reported by the store and (in the future) our subscription service provider RevenueCat.

2.8 Cashback Information (when launched)

If we offer cashback in the future, we will store your participation in cashback campaigns and the transactions linked to your account. We will update this Policy and ask for consent before any cashback feature collects new categories of data.

2.9 What We Do Not Collect

  • We do not collect your contacts, calendar, location coordinates, or browsing activity outside the Service.
  • We do not sell your personal information to anyone, ever.
  • We do not use your photos to train AI models.

3. How We Use Your Information

We use the categories above for these purposes (each purpose is followed by the categories used):

  • Authenticate you and keep your account secure: account info, device data, server logs.
  • Display your profile to other users: profile info, avatar, country, age.
  • Host and display your photos on Rate My Look: photos, post metadata.
  • Show you the social feed and notifications: profile, likes, follows, push tokens.
  • Moderate content for safety: photos, reports, server logs.
  • Prevent abuse, spam, and fraud: all categories, where strictly necessary.
  • Provide customer support when you contact us: account info, the information you give us.
  • Deliver in-app notifications you opt in to: push tokens, notification preferences.
  • Process Premium subscriptions: subscription status, entitlements.
  • Improve the Service (with your consent): aggregated analytics, crash reports.
  • Comply with legal obligations: any, as required by law.

We do not use your information for advertising or behavioural profiling.


4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases (GDPR Article 6), listed as processing activity followed by its legal basis:

  • Creating and operating your account: performance of a contract (Article 6(1)(b)).
  • Hosting your photos and serving Rate My Look: performance of a contract.
  • Sending you essential service notices: performance of a contract.
  • Moderating content, preventing abuse: legitimate interests (Article 6(1)(f)) — protecting users and the Service.
  • Security logs and fraud prevention: legitimate interests.
  • Optional analytics and crash reporting: your consent (Article 6(1)(a)) — collected on first launch and revocable any time.
  • Marketing communications (if any): your consent — opt-in only.
  • Responding to legal requests: compliance with a legal obligation (Article 6(1)(c)).

You can withdraw consent for any optional processing at any time in Settings → Privacy & Consent without affecting your account or essential service.


5. How Photos Are Moderated

Photos you publish on Rate My Look are automatically scanned by a third-party content moderation service to detect nudity, violence, hate symbols, and other unsafe content. If a photo is flagged, it may be hidden pending review or removed.

The moderation provider processes the photo as our data processor and is contractually obliged to delete copies once moderation is complete. We do not authorise the provider to use your photos for any other purpose.


6. Sharing Your Information (Subprocessors)

We do not sell your personal information. We share limited information only with the service providers ("subprocessors") that help us operate the Service. Each subprocessor is bound by a data processing agreement and may only process your data on our instructions.

6.1 Identity providers

  • Apple Inc. (United States) — Sign In with Apple authentication.
  • Google LLC (United States) — Google Sign-In authentication.

6.2 Database and cache

  • Neon, Inc. (PostgreSQL hosting, EU region) — account, profile, post, social graph storage.
  • Upstash, Inc. (Redis hosting, EU region) — rate limits, session counters.

6.3 Photo storage and delivery

  • Cloudflare, Inc. (R2 object storage, global edge) — original photo storage and HTTPS delivery.
  • Cloudinary Ltd. (image transformation, global) — on-the-fly thumbnail and feed image transforms.
  • Backblaze, Inc. (B2, United States) — encrypted off-site backup of photo bucket (optional, when enabled).

6.4 Content moderation

  • Hive AI, Inc. (United States) — automated nudity / violence / hate detection on uploaded photos.

6.5 Push notifications

  • Apple Inc. — APNs for iOS push delivery.
  • Google LLC — Firebase Cloud Messaging for Android push delivery.

6.6 Analytics and crash reporting (opt-in, not enabled by default)

  • PostHog, Inc. — product analytics. Enabled only with your consent.
  • Sentry, Inc. — crash reports. Enabled only with your consent.

6.7 Transactional email (when wired)

  • Resend, Inc. (United States) — security and account notification emails.

6.8 Subscriptions and payments (when wired)

  • Apple App Store / Google Play — store-managed in-app purchases.
  • RevenueCat, Inc. (United States) — subscription state synchronisation.
  • Stripe, Inc. (United States) — payouts for cashback (future feature).

6.9 Cashback partners (when wired)

  • Adtraction AB (Sweden) and/or Tillo Limited (United Kingdom) — cashback affiliate network and reward fulfilment.

6.10 Hosting

  • Railway (backend) and Vercel (admin dashboard and website) — production hosting providers.

6.11 Other sharing

We may also share your information when required to:

  • Comply with a court order, subpoena, or other legal obligation.
  • Protect the rights, property, or safety of users, the Service, or the public.
  • Transfer it in connection with a merger, acquisition, or sale of assets — in which case we will notify you and give you the chance to delete your account first.

7. International Data Transfers

We are based in Sweden (EU) and prefer EU-hosted subprocessors where available (Neon and Upstash use EU regions). Some subprocessors process data in the United States or other jurisdictions.

For transfers from the European Economic Area to countries that have not been recognised by the European Commission as providing an adequate level of data protection, we rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and supplementary measures where appropriate.

You can request a copy of the relevant transfer mechanism by contacting us.


8. How Long We Keep Your Information

We keep each category of information for the period shown (category followed by retention period):

  • Account record: until you delete your account, or 24 months of inactivity.
  • Profile data (alias, bio, country): same as account.
  • Published photos on Rate My Look: 24 hours, then permanently deleted.
  • Photos saved locally on your device: until you delete them — not stored by us.
  • Likes, follows, blocks: until you delete your account or remove them.
  • Reports: 12 months after resolution.
  • Server access logs: 90 days.
  • Crash reports (if opted in): 90 days.
  • Backups: up to 30 days after deletion from primary storage.

When you delete your account we erase your profile, photos, posts, social graph, and authentication records within 30 days. Backups containing residual copies are overwritten within an additional 30 days.


9. Your Rights

Under GDPR, UK GDPR, and similar laws (including CCPA for California residents) you have the right to:

  • Access the personal information we hold about you.
  • Rectify inaccurate or incomplete information (you can edit most fields in Settings).
  • Erase your account and all associated data ("right to be forgotten").
  • Restrict or object to certain processing.
  • Portability — receive a machine-readable export of your data.
  • Withdraw consent for optional processing at any time in Settings → Privacy & Consent.
  • Lodge a complaint with your local data protection authority. For users in Sweden, the supervisory authority is the Integritetsskyddsmyndigheten (IMY): https://www.imy.se.

To exercise any of these rights, email support@blmapp.se with the subject line "Privacy Request" and include enough information for us to identify your account. We will respond within 30 days.

For California residents we also confirm that we have not sold or shared personal information for cross-context behavioural advertising in the preceding 12 months.


10. Children's Privacy

The Service is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13.

For users aged 13 to 15 in the European Economic Area, parental consent may be required by local law. We rely on the age you provide and on the App Store / Play Store age gates.

If you believe a child has provided us with personal information without parental consent, please contact support@blmapp.se and we will delete the account promptly.


11. Security

We protect your information with:

  • HTTPS for all client–server communication.
  • JWT access tokens (15-minute expiry) and Argon2-hashed refresh tokens.
  • At-rest encryption of database and storage at our hosting providers.
  • Rate limiting and abuse detection on sensitive endpoints.
  • Principle of least privilege for staff access to production systems.
  • Audit logging of administrator actions on user content.

No system is perfectly secure. If we ever experience a security incident affecting your personal information we will notify you and the relevant authorities as required by law.


12. Cookies and Local Storage

The mobile app does not use traditional web cookies. The app stores small amounts of data on your device using:

  • Apple Keychain / Android Keystore (via expo-secure-store) — authentication tokens.
  • App-private file storage — your saved captures (in My Pictures), the consent record, and small caches. This data never leaves your device unless you publish a photo or contact support.

The website at mirrorpremium.com may use strictly necessary cookies for session and security. We do not set advertising or third-party tracking cookies on the website.


13. Changes to This Policy

We may update this Policy from time to time. When we make material changes we will:

  • Update the "Last updated" date at the top.
  • Notify you in the app on next launch.
  • For changes that require it, ask for renewed consent.

Past versions of the Policy are available on request.


14. Contact

If you have any question about this Policy or want to exercise your rights, contact:

BL Apps Management AB
Email: support@blmapp.se
Subject line: "Privacy Request"
Website: https://mirrorpremium.com

We aim to respond within 5 business days for general inquiries and within 30 days for formal rights requests.