
Privacy Policy

Last updated: 17-Nov-2025

​

This Privacy Policy explains how MIRRORA L.P. ("MIRRORA", “Mirrora”, “we”, “us” or “our”) collects and processes personal data in connection with:

  • the website www.mirrora.ai (the “Website”), and

  • the marketing, sale and provision of the Mirrora Autonomous Shopper product and related services (the “Services”).

We are committed to processing personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), Greek data protection law and, where applicable, certain U.S. state privacy laws (such as the California Consumer Privacy Act as amended by the CPRA).

​

 

1. Who we are and how to contact us

 

The Website and Services are operated by:

MIRRORA L.P.
Praxitelous 24
35131, Lamia
Greece

Email: hello@mirrora.ai
Website: www.mirrora.ai

​​

For any questions or requests concerning this Privacy Policy or our handling of personal data, contact us at: hello@mirrora.ai.

 

We do not currently appoint a Data Protection Officer, as this is not required for our activities. If this changes, we will update this Policy.

​​

​

2. Scope and our roles (controller vs processor)

 

This Privacy Policy applies to:

  • visitors to www.mirrora.ai;

  • individuals who contact us via the Website or otherwise about Mirrora;

  • representatives and contact persons of our customers, prospects, suppliers and partners; and

  • users who access a Mirrora dashboard or similar interfaces under a contract with us (where applicable).

​

2.1 When we act as controller

For the data described in this Policy (Website usage data, contact details of leads and clients, account metadata, billing-related data, etc.), MIRRORA L.P. acts as a data controller, meaning we decide the purposes and means of processing.

​

2.2 When we act as processor / service provider

When our Autonomous Shopper is deployed on a customer’s e-commerce site, Mirrora typically processes data about that site and its flows on behalf of the customer. In that context:

  • the customer is the data controller (or equivalent under non-EU laws), and

  • MIRRORA acts as a processor / service provider, following the customer’s documented instructions.

The details of that relationship (including categories of data, security measures, retention, and sub-processors) are governed by the data processing agreement (DPA) or similar terms in our service contracts with each customer. This Privacy Policy does not replace the privacy notices that our customers must provide to their own users.

If you are an end-user of a site that uses Mirrora, please consult that site’s own privacy notice.

​

​

3. Personal data we collect

 

3.1 Data you provide directly

When you contact us, request a demo, register interest, or communicate with us, we may collect:

  • Identification and contact details

    • First and last name

    • Business email address

    • Job title and role

    • Company / organisation name

    • Business telephone number (if provided)

  • Business and communication data

    • The content of your messages, requests, support tickets or feedback

    • Information about your company’s use of or interest in Mirrora

    • Preferences (e.g. language, communication preferences)

If you are a user of a Mirrora dashboard (if applicable), we may also process:

  • Account details: login identifier (e.g. email), role, permissions, team or organisation association

  • Usage metadata: access times, pages or features used, configuration of projects or journeys, audit logs

Please avoid including unnecessary or sensitive information (e.g. health data, political opinions) in free-text fields.

​

3.2 Data we collect automatically (Website and dashboard)

When you visit the Website or use an online Mirrora interface, we automatically collect certain technical and usage information, such as:

  • IP address and approximate location derived from it

  • Device identifiers and device type

  • Browser type, version and settings

  • Operating system and platform

  • URLs visited, date and time of access, referrer URL

  • Interaction data (e.g. pages viewed, clicks, scrolls, time spent)

  • Error logs, performance metrics and diagnostic data

This information is collected through server logs and through cookies and similar technologies (pixels, tags, SDKs). For details, see our Cookies Policy and cookie banner. Under EU law, non-essential cookies (e.g. analytics, advertising) require your prior consent.

​

3.3 Data processed by Mirrora Autonomous Shopper for our customers

The Autonomous Shopper is an automated agent that navigates customer-defined flows on e-commerce sites (e.g. search, product pages, add-to-cart, checkout steps) to assess UX, performance and user journey quality.

In the course of providing the Services to a customer, we may process, on that customer’s behalf:

  • Journey and UX data

    • Pages visited, navigation paths, response times, errors

    • DOM events and selected UI elements

    • Logs of steps taken and outcomes (success/failure)

  • Reports and artifacts

    • Synthetic journey statistics and scores

    • Aggregated metrics (e.g. load times, error rates, funnel drop-off)

    • Screenshots, recordings or snippets showing parts of the user flow, depending on configuration

The Service is designed to work primarily with synthetic journeys and test data. However, depending on how a customer configures and deploys Mirrora on their own site:

  • the system may incidentally encounter or capture personal data displayed on pages (for example product reviews containing names, or address fields used in test accounts);

  • we instruct customers, via our contracts and documentation, to avoid configuring flows that process real individuals’ highly sensitive data (e.g. full payment card data, official IDs) and to use test accounts where possible;

  • we apply technical and organisational measures (e.g. log and screenshot scoping, access controls, retention limits) to minimise any personal data collected and retained.

In all such cases, we process that data solely on the customer’s documented instructions and in accordance with our DPA with them.

​

​

4. Purposes and legal bases of processing (GDPR)

We only process personal data where we have a valid legal basis under the GDPR. Depending on how you interact with us, we may process your data for the following purposes:

​

4.1 Operating the Website and ensuring security

  • Purposes

    • Provide and maintain the Website

    • Ensure network and information security (e.g. detect abuse, prevent fraud, handle errors)

    • Generate aggregate statistics about Website usage

  • Legal basis

    • Our legitimate interests (Article 6(1)(f) GDPR) in operating a secure, reliable website and understanding how it is used.


4.2 Managing leads, demos and business relationships

  • Purposes

    • Respond to contact and demo requests

    • Qualify leads and follow up on business opportunities

    • Manage contracts, accounts, invoices and project communication with customers, suppliers and partners

  • Legal basis

    • Pre-contractual steps and performance of a contract (Article 6(1)(b) GDPR), where your request or relationship relates to entering into or performing a contract with us (or your organisation), and

    • Our legitimate interests (Article 6(1)(f) GDPR) in building and maintaining our B2B relationships.


4.3 Providing and improving the Mirrora Services

  • Purposes

    • Provide, configure and support the Mirrora Autonomous Shopper and related dashboards to our customers

    • Record and analyse technical logs and usage data to ensure availability, performance, reliability and security

    • Develop, test and improve features, models and UX (for example, improving navigation strategies or scoring algorithms on anonymised/aggregated data)

  • Legal basis

    • Performance of a contract with the customer (Article 6(1)(b) GDPR) for processing required to deliver the Services;

    • Our legitimate interests (Article 6(1)(f) GDPR) in improving and securing the Services, to the extent such processing is compatible with individuals’ rights and reasonable expectations.

Where we rely on legitimate interests, we perform a balancing test to ensure those interests are not overridden by individuals’ rights and freedoms.

​

4.4 Cookies and analytics / marketing

  • Purposes

    • Use strictly necessary cookies for basic site functions (e.g. security, session management, cookie-consent storage);

    • Use analytics and, where implemented, advertising or social media cookies to understand our audience and the effectiveness of our marketing.

  • Legal basis

    • For strictly necessary cookies: our legitimate interests (Article 6(1)(f) GDPR) to provide a functional Website;

    • For all other cookies in the EU/EEA (e.g. analytics, advertising): your consent (Article 6(1)(a) GDPR), obtained via our cookie banner / preference tool. Consent must be freely given, specific, informed and unambiguous, and you can withdraw it at any time.

​

4.5 Compliance, risk management and legal claims

  • Purposes

    • Comply with legal obligations (e.g. tax, accounting, regulatory requirements)

    • Establish, exercise or defend legal claims

    • Respond to lawful requests from authorities

  • Legal basis

    • Compliance with legal obligations to which we are subject (Article 6(1)(c) GDPR);

    • Our legitimate interests (Article 6(1)(f) GDPR) in protecting our rights, interests, and the security of our operations.

We do not use your personal data for automated decision-making producing legal effects concerning you or similarly significantly affecting you (including profiling), within the meaning of Article 22 GDPR.

​

​

5. Recipients of personal data

 

We treat personal data as confidential. Within MIRRORA, data is accessed only by personnel who need it for their job and are bound by confidentiality.

We may share personal data with the following categories of recipients, where necessary:

  • Service providers (processors)

    • Hosting and cloud infrastructure providers

    • Analytics, logging, monitoring and error-tracking providers

    • Email, CRM and collaboration tools

    • Payment, billing and accounting providers (for customers)

    • Professional advisers (e.g. lawyers, auditors, accountants)

These parties process personal data only on our instructions and under data protection agreements that meet GDPR requirements.

  • Customers, suppliers and partners

    • When reasonably necessary in the context of a specific project or business relationship (for example, references to named contacts in multi-party projects).

  • Public authorities and courts

    • Where required by law, regulation or court order, or to protect our rights or the rights of others.

We do not sell personal data in the ordinary sense of “sale”. For the broader “sale” or “share” terminology under certain U.S. laws, see Section 11.

​

​

6. International data transfers

 

We are established in Greece and generally store data within the European Economic Area (EEA). However, some of our service providers and partners may be located, or may process data, outside the EEA (for example, in the United States).

When we transfer personal data to a country that does not provide an EU-level adequacy decision, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, and

  • supplementary technical and organisational measures where needed (e.g. encryption, access controls).

You can request more information or a copy of the relevant safeguards (with redactions as necessary) by contacting us at hello@mirrora.ai.

 

​

7. Data retention

 

We retain personal data only for as long as necessary for the purposes described above and to comply with applicable legal, accounting and reporting obligations.

Indicative retention periods (which may vary depending on specific circumstances):

  • Website contact and lead data

    • Typically retained for up to 1 year after the last meaningful interaction, unless a longer period is needed (e.g. where a lead converts to a customer, or for evidence in legal claims).

  • Customer, supplier and partner data (including contracts, invoices, communications)

    • Retained for the duration of the business relationship and thereafter for the period required under Greek law for tax and accounting (often up to 10 years) and for applicable limitation periods.

  • Service logs and Autonomous Shopper artifacts

    • Technical logs and artifacts (e.g. journey reports, screenshots) are retained for the period necessary to provide the Services to the customer, troubleshoot issues and improve reliability, typically within a defined retention window agreed with each customer or configured in the Service (e.g. 90–365 days), unless a longer period is legally required or justified (e.g. security investigations).

  • Cookies

    • Stored for the periods indicated in our Cookies Policy or cookie-consent interface.

Once the relevant retention period has expired, personal data is securely deleted or anonymised.

​

​

8. Security

 

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures include, where appropriate:

  • secure hosting environments and network protections;

  • encryption in transit (e.g. TLS) and, where appropriate, at rest;

  • access controls, least-privilege principles and logging;

  • internal policies and procedures for data handling;

  • vendor due diligence.

No system is completely secure, and we cannot guarantee absolute security of data transmitted over the internet. However, we aim to maintain a level of security appropriate to the risks associated with our processing activities.

​

​

9. Your rights under the GDPR (EU/EEA)

 

If you are in the EU/EEA or otherwise protected by the GDPR, you have the following rights, subject to the conditions and limitations set out in the law:

  1. Right of access – to obtain confirmation whether we process your personal data and to access that data and certain related information.

  2. Right to rectification – to have inaccurate personal data corrected and incomplete data completed.

  3. Right to erasure – to request deletion of your personal data in certain circumstances (e.g. where data is no longer needed or processing is unlawful).

  4. Right to restriction – to request restriction of processing in specific situations (e.g. while we verify accuracy or handle an objection).

  5. Right to object –

    • to object at any time, on grounds relating to your particular situation, to processing based on our legitimate interests; and

    • to object at any time to processing for direct marketing (if and where we engage in such marketing).

  6. Right to data portability – to receive the personal data you provided to us in a structured, commonly used and machine-readable format and to have it transmitted to another controller where technically feasible.

  7. Right to withdraw consent – where processing is based on your consent (e.g. for non-essential cookies), you can withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise your rights, contact us at hello@mirrora.ai and clearly describe your request. We may need to verify your identity before acting on it.

We will respond within one month of receipt. This period may be extended by up to two further months for complex or numerous requests; if so, we will inform you of the extension and reason.

You also have the right to lodge a complaint with a supervisory authority. In Greece, this is:

Hellenic Data Protection Authority (HDPA)
Website: www.dpa.gr

You may also contact your local authority in the EU/EEA.

​

​

10. Mirrora Autonomous Shopper and AI transparency

 

Mirrora’s Autonomous Shopper uses AI techniques and automation to simulate user journeys and generate insights about UX, performance and purchasing flows.

In line with the EU AI Act’s approach to limited-risk AI systems, we provide clear information on the nature, capabilities and limitations of our AI-enabled features to our customers, so they can deploy them transparently and appropriately.

Key points:

  • Autonomous Shopper performs automated navigation and evaluation of e-commerce journeys; it does not make automated decisions about individual persons that have legal or similarly significant effects on them (e.g. lending, hiring, access to essential services).

  • Any profiling is at the level of sites, flows and UX patterns, not at the level of individual user profiles.

  • Where our customers use Mirrora in a way that has AI-related transparency obligations toward their own users (e.g. informing them that AI-based tools are used in testing or monitoring), it is the customer’s responsibility to meet those obligations; we support this with product documentation.

If you have questions about how AI is used in our Services, contact us at hello@mirrora.ai.

​​

​

11. Additional information for residents of certain U.S. states

 

This section applies only to residents of certain U.S. states (such as California, Colorado, Connecticut, Utah, Virginia) to the extent that we are subject to the relevant state law (collectively, “U.S. State Privacy Laws”). If there is a conflict between this section and the rest of the Policy for such residents, this section prevails.

​

11.1 Categories of personal information

Over the last 12 months, in connection with mirrora.ai and our Mirrora Services, we may have collected:

  • Identifiers – name, business contact details, IP address, device identifiers;

  • Internet / network activity information – browsing history on our Website, interaction with pages, cookies and similar technologies;

  • Professional or employment information – job title, employer, role, business relationship details.

We do not intentionally collect sensitive personal information (as defined under these laws) via the Website.

​

11.2 Sources and purposes

We collect this information from:

  • you directly (forms, emails, calls, contracts);

  • your device and browser (cookies, logs, telemetry);

  • our customers, where you are their representative.

We use it for the business purposes described in Sections 4–8 (operation, security, service provision, communication, analytics, legal compliance).

​

11.3 “Sales”, “sharing” and targeted advertising

We do not sell personal information in exchange for money. However, some U.S. State Privacy Laws treat certain disclosures via cookies or similar technologies (especially for targeted advertising or cross-context behavioural advertising) as a “sale” or “sharing” of personal information, even if no money changes hands.

To the extent our use of advertising or analytics cookies is considered a “sale” or “sharing” under those laws:

  • you may have the right to opt out of such sales or sharing; and

  • we will honour browser-based signals (such as Global Privacy Control) and/or “Do Not Sell or Share My Personal Information” mechanisms where required.

You can manage your preferences via our cookie banner / cookie settings and, where applicable, dedicated opt-out links.

We do not knowingly sell or share the personal information of consumers under 16.

​

11.4 Your U.S. state privacy rights

Subject to exceptions and verification, you may have the right to:

  • access / know what personal information we collect, use, disclose, sell or share about you;

  • request deletion of your personal information;

  • request correction of inaccurate personal information;

  • opt out of sale or sharing of personal information and of targeted advertising;

  • not be discriminated against for exercising your privacy rights.

To exercise these rights, contact hello@mirrora.ai and state that your request is made under your applicable U.S. state privacy law and indicate your state of residence. We may require additional information to verify your identity and your request. You may also designate an authorised agent, subject to verification and applicable legal requirements.

​

​

12. Children’s data

 

The Website and Mirrora Services are aimed at business and professional users, not children. We do not knowingly collect personal data from children under 16.

If you believe a child has provided us with personal data, please contact hello@mirrora.ai so that we can investigate and, where appropriate, delete the data.

​

​

13. Cookies and similar technologies

 

Our use of cookies and similar technologies on mirrora.ai is described in detail in our Cookies Policy, which forms part of this Privacy Policy. That policy explains:

  • what cookies and similar technologies are;

  • which types we use (necessary, analytics, advertising, etc.);

  • the providers, purposes and lifetimes of each; and

  • how you can manage or withdraw your consent, including via your browser settings and our cookie-consent tool.

Non-essential cookies are only used where permitted by law and, in the EU/EEA, only with your prior consent.

​

​

14. Changes to this Privacy Policy

 

We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities, Services or applicable laws.

The latest version is always available on the Website and is indicated by the “Last updated” date at the top. Changes take effect upon publication, unless otherwise stated. If changes are material, we may provide additional notice (e.g. a banner on the Website, or direct communication to customers) and, where required, seek your consent.

​

​

15. Contact and complaints

 

For questions, requests, or concerns about this Privacy Policy or our data practices, contact:

MIRRORA L.P.
Email: hello@mirrora.ai
Website: www.mirrora.ai

If you believe we have not handled your personal data lawfully, you may lodge a complaint with a data protection authority (see Section 9).
