Privacy Policy
Your desires are yours.
Always.
Privacy is not a compliance checkbox at Velvet Mirror. It is a founding principle. We collect only what is necessary to deliver your experience. We never sell, share, or profile your data for advertising. Everything you explore inside Velvet Mirror stays between you and us.
Effective date: April 25, 2026
1. Introduction & Scope
This Privacy Policy explains how Velvet Mirror (“we,” “us,” or “our”) collects, uses, stores, shares, and protects your personal information when you use the Velvet Mirror mobile application, website at myvelvetmirror.com, and any related services (collectively, the “Service”).
By creating an account or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree, please do not use the Service.
Velvet Mirror is an adult platform. You must be at least 18 years of age to create an account, access content, or use any feature of the Service. We do not knowingly collect information from anyone under 18. If you are under 18, you may not use Velvet Mirror in any capacity.
This policy applies to all users globally, including those located in the European Union, the European Economic Area, the United Kingdom, California, and all other jurisdictions. Where specific regional laws grant you additional rights, those rights are addressed in the relevant sections below.
2. Information We Collect
We collect information in three ways: information you provide directly, information generated through your use of the Service, and information received from third-party platforms.
2.1 Account Information
When you create an account, we collect your email address, display name (if you choose to set one), and authentication credentials. If you sign in through a third-party provider (such as Apple or Google), we receive limited profile information as permitted by that provider and your settings.
2.2 Usage & Preference Data
As you use the Service, we collect data about your activity and choices. This includes:
- Listening history — which stories you listen to, how far you progress, and replay patterns.
- Preference selections — themes, tones, intensity levels, and content preferences you set within the app.
- Mood and emotion data — mood selections, emotional reflections, and any inputs you provide within Mirror Within, our emotional guidance feature.
- Quiz and archetype results — responses to personality quizzes, archetype assessments, and onboarding questionnaires.
- Library and favourites — stories you save, mark as favourites, or add to playlists.
2.3 AI Interaction Data
Velvet Mirror includes AI-powered features. When you use these features, we collect the data you provide to them:
- Aurora conversations — messages, prompts, and responses exchanged with Aurora, our AI companion.
- Mirror Within reflections — journal entries, emotional check-ins, and guided reflection responses.
- Desire Weaver inputs — creative prompts, scenario descriptions, and customisation selections you provide when generating personalised stories.
2.4 Device & Technical Information
We automatically collect certain technical information, including your device type, operating system and version, app version, screen resolution, language settings, time zone, and IP address. This information helps us deliver a stable experience and diagnose technical issues.
2.5 Analytics Data
We collect analytics data to understand how the Service is used and to improve it. This includes page views, feature usage frequency, session duration, navigation paths, and performance metrics. We use self-hosted analytics tools (see Section 5) to minimise data leaving our infrastructure.
2.6 Payment Information
We do not directly collect or store your payment card details, bank account information, or other financial data. All payments are processed through Apple’s App Store, Google Play, or other authorised third-party payment processors. We receive only a confirmation of your subscription status, the plan you selected, and transaction identifiers — never your full payment credentials.
2.7 Cookies & Similar Technologies
On our website (myvelvetmirror.com), we use cookies and similar technologies. These are described in detail in Section 11 below.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Delivering the Service
To create and maintain your account, authenticate your identity, deliver audio content, manage your subscription, and provide the core functionality of Velvet Mirror.
3.2 Personalising Your Experience
To recommend stories aligned with your preferences, tailor the listening experience based on your mood and history, personalise Aurora’s responses and emotional intelligence, and surface content that matches your archetype and stated interests.
3.3 AI-Powered Features
Aurora, Mirror Within, and Desire Weaver use your interaction data to generate personalised responses, emotional insights, and custom content. Your conversation history with Aurora may be used to improve the relevance and depth of future interactions within your own account. We do not use your personal AI interactions to train general-purpose AI models.
3.4 Analytics & Improvement
To understand usage patterns, identify bugs and performance issues, measure feature adoption, and make informed decisions about product development. Analytics data is processed in aggregate wherever possible.
3.5 Email Communication
If you opt in to email communications, we use your email address to send product updates, new content announcements, and personalised recommendations through our email marketing provider (MailerLite). You can unsubscribe at any time via the link in any email or through your account settings. We will always send transactional emails necessary for account operation (such as password resets and subscription confirmations) regardless of your marketing preferences.
3.6 Security & Fraud Prevention
To protect the Service, our users, and our infrastructure from unauthorised access, abuse, fraud, and other harmful activity. This includes monitoring for suspicious login patterns, enforcing rate limits, and maintaining audit logs of security-relevant events.
4. Social Media & Community Management
We maintain a presence on social media platforms, including TikTok, to engage with our community and share content related to Velvet Mirror.
We may access TikTok account data, including comments and direct messages on our own account, solely to facilitate community management. This means we read and respond to messages and comments directed at our official account in order to provide support, answer questions, and participate in conversations with our audience.
Our use of TikTok data complies with TikTok’s Terms of Service and Privacy Policy (https://www.tiktok.com/legal/page/us/privacy-policy).
We may also access Facebook and Instagram account data, including comments, direct messages, and engagement metrics on our own accounts, solely to facilitate community management and respond to our audience. We do not collect, store, or process personal data from Facebook or Instagram users beyond what is necessary for direct community interaction on our own pages. Our use of Meta platform data complies with the Meta Platform Terms and Meta Privacy Policy (https://www.facebook.com/privacy/policy/).
We do not scrape, harvest, or collect personal data from social media users who have not directly engaged with our official accounts. We do not use social media data to build user profiles, target advertising, or enrich the data of existing Velvet Mirror accounts unless you explicitly link your social media presence to your Velvet Mirror account.
Any information you share with us through social media direct messages or public comments is subject to the privacy policies of those platforms in addition to this policy.
5. Third-Party Services & Data Processors
We work with carefully selected third-party service providers to operate and improve the Service. Each provider receives only the minimum data necessary to perform its function. We do not sell your personal data to any third party.
5.1 Infrastructure & Hosting
- Supabase — database hosting and authentication services. Your account data and application data are stored in Supabase-managed infrastructure.
- Cloudflare — content delivery network (CDN), object storage (R2), and serverless compute (Workers). Audio files, images, and static assets are served through Cloudflare.
- Vercel — website hosting and deployment for myvelvetmirror.com.
5.2 Payment Processors
- Apple App Store & Google Play — handle all in-app purchase transactions. We receive subscription status and transaction identifiers but never your payment credentials.
5.3 Email Marketing
- MailerLite — processes opt-in email marketing communications. Your email address and subscription preferences are shared with MailerLite only if you consent to receive marketing emails.
5.4 Analytics
- PostHog — product analytics. We may self-host PostHog to keep analytics data within our own infrastructure, minimising third-party data exposure.
- Microsoft Clarity — we may use Clarity for session replay and heatmap analysis on the website to understand how visitors interact with our pages. Clarity does not collect personal identifiers.
5.5 Content Generation
- ElevenLabs — text-to-speech audio generation for stories. No user personal data is shared with ElevenLabs. Only story scripts (created by us, not by users) are processed through their service.
- Leonardo AI — image generation for cover art and visual assets. No user personal data is shared with Leonardo AI.
5.6 AI Models
- Anthropic (Claude) — powers Aurora conversations and is used in our content generation pipeline. When you interact with Aurora, your messages are processed through Anthropic’s API with appropriate safeguards. Anthropic does not use API inputs to train their models. See Anthropic’s privacy policy for their data handling practices.
- Google (Gemini) — used in our internal content generation pipeline. Gemini does not process user-facing interactions or personal data. Only editorial content created by our team passes through this service.
We require all third-party processors to maintain appropriate security standards and to process your data only as instructed by us. We review our processor relationships regularly to ensure compliance with applicable data protection laws.
6. Data Retention
We retain your personal data only as long as necessary to provide the Service and fulfil the purposes described in this policy.
- Account data — retained for the lifetime of your account and for up to 30 days after account deletion to allow for recovery if the deletion was accidental.
- Usage and preference data — retained while your account is active. Deleted or anonymised within 90 days of account deletion.
- AI interaction data — Aurora conversations, Mirror Within reflections, and Desire Weaver inputs are retained while your account is active to enable personalisation. This data is permanently deleted within 90 days of account deletion.
- Analytics data — aggregated analytics data that cannot identify individual users may be retained indefinitely for product improvement purposes.
- Security logs — retained for up to 12 months for fraud prevention and security purposes.
You may request deletion of your account and associated data at any time through the app settings or by emailing aurora@myvelvetmirror.com. Upon receiving a verified deletion request, we will initiate the deletion process within 30 days and complete it within the timeframes specified above.
Certain data may be retained beyond these periods where required by law, such as financial transaction records or data necessary to resolve disputes or enforce our agreements.
7. Data Security
We take the security of your data seriously and implement industry-standard technical and organisational measures to protect it.
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest — personal data stored in our databases is encrypted at rest using AES-256 or equivalent encryption.
- Access controls — access to user data is restricted to authorised personnel on a need-to-know basis. We enforce role-based access controls and multi-factor authentication for administrative access.
- Regular review — we regularly review our security practices, update dependencies, and monitor for vulnerabilities.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users without undue delay and within the timeframes required by applicable law (72 hours under GDPR where feasible). We will also notify the relevant supervisory authorities as required.
While we work diligently to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incident.
8. Your Rights
Depending on where you are located, you have specific rights regarding your personal data. We honour these rights regardless of where you live, except where a right is explicitly tied to a particular jurisdiction.
8.1 Rights Available to All Users
- Right to access — you may request a copy of the personal data we hold about you.
- Right to correction — you may request that we correct inaccurate or incomplete personal data.
- Right to deletion — you may request that we delete your personal data, subject to any legal retention obligations.
- Right to data portability — you may request your data in a structured, commonly used, machine-readable format.
- Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to object — you may object to processing of your personal data in certain circumstances, including processing for direct marketing purposes.
8.2 Additional Rights Under GDPR (EU/UK)
If you are located in the European Union, the European Economic Area, or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and the UK GDPR, including:
- Right to restriction of processing — you may request that we limit how we use your data in certain circumstances, such as when you contest the accuracy of the data.
- Right to lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.
- Legal bases for processing — we process your data under the following legal bases: performance of a contract (to deliver the Service), legitimate interest (analytics, security, product improvement), and consent (marketing communications, optional personalisation features).
8.3 Additional Rights Under CCPA/CPRA (California)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — you may request details about the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share data.
- Right to opt out of sale or sharing — we do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. There is nothing to opt out of, but we honour this right explicitly.
- Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights. You will not receive a different level of service or pricing.
- Right to limit use of sensitive personal information — given the nature of our Service, certain data (such as emotional reflections or content preferences) may qualify as sensitive personal information. We use this data only as necessary to deliver the features you have chosen to use. You may request that we limit our use of sensitive personal information to what is strictly necessary for the Service.
To exercise any of these rights, contact us at aurora@myvelvetmirror.com. We will verify your identity before processing your request and respond within the timeframes required by applicable law (generally within 30 days, or 45 days for CCPA requests with a possible 45-day extension for complex requests).
You may also designate an authorised agent to make requests on your behalf. If you use an authorised agent, we may require proof of authorisation and still verify your identity directly.
9. Children’s Privacy
Velvet Mirror is not intended for, and may not be used by, anyone under the age of 18. We do not knowingly collect personal information from children or minors. This is a strict requirement, not a suggestion.
In compliance with the Children’s Online Privacy Protection Act (COPPA) and equivalent international regulations, we do not target children, we do not collect data from children, and we do not design any feature of the Service for use by children.
If we become aware that we have inadvertently collected personal information from anyone under 18, we will delete that information immediately and terminate the associated account. If you believe a minor has created an account or provided information to us, please contact us at aurora@myvelvetmirror.com so we can take prompt action.
10. International Data Transfers
Velvet Mirror is operated globally, and your data may be processed in countries other than your own, including the United States and other jurisdictions where our service providers operate.
When we transfer personal data outside of the European Economic Area, the United Kingdom, or Switzerland, we ensure that appropriate safeguards are in place. These may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where the European Commission has determined that a country provides an adequate level of data protection.
- Other lawful transfer mechanisms recognised under applicable data protection law.
By using the Service, you acknowledge that your data may be processed in jurisdictions with different data protection standards than your own. We take reasonable steps to ensure your data receives equivalent protection regardless of where it is processed.
11. Cookies & Tracking Technologies
Our website (myvelvetmirror.com) uses cookies and similar technologies. Our mobile app does not use browser cookies but may use equivalent local storage mechanisms for functionality purposes.
11.1 Essential Cookies
These are necessary for the website to function. They enable core features such as authentication, session management, and security protections. You cannot opt out of essential cookies without disabling core functionality.
11.2 Analytics Cookies
We may use analytics cookies (through PostHog and/or Microsoft Clarity) to understand how visitors interact with our website. These cookies collect information such as pages visited, time spent on page, and navigation patterns. Where we self-host our analytics platform, this data never leaves our infrastructure.
11.3 Marketing Cookies
We do not currently use third-party advertising or retargeting cookies. If this changes in the future, we will update this policy and provide clear opt-in or opt-out mechanisms before deploying such cookies.
11.4 Managing Cookies
You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies may impair website functionality. Where required by law (such as under the EU ePrivacy Directive), we will present a cookie consent banner before placing non-essential cookies.
12. AI & Automated Decision-Making
Velvet Mirror uses artificial intelligence to enhance your experience. We believe in transparency about how AI interacts with your data.
12.1 How AI Processes Your Data
Aurora, our AI companion, processes your messages in real time to generate personalised responses. Your conversation history within Aurora is used to maintain context and improve the relevance of future interactions within your account. Mirror Within uses your emotional reflections to identify patterns and provide guided insights. Desire Weaver uses your creative inputs to generate custom story content.
12.2 No Fully Automated Consequential Decisions
We do not make fully automated decisions that produce legal effects or similarly significant effects on you. AI is used for content personalisation, recommendation, and creative features — not for decisions about your account standing, access rights, pricing, or eligibility for services.
12.3 AI Data Safeguards
- Your personal AI interactions are not used to train general-purpose AI models.
- AI processing providers (Anthropic) are contractually bound not to use API inputs for model training.
- You can delete your AI interaction history at any time through account settings or by contacting us.
- AI-generated content and insights are provided for personal enrichment and entertainment, not as professional advice of any kind.
12.4 Your Rights Regarding AI Processing
Under GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. While our AI features do not make such decisions, you may request human review of any automated process that affects your account. You may also opt out of AI-powered personalisation features by contacting us.
13. Content You Create
Certain features of Velvet Mirror allow you to create or contribute content, including Desire Weaver stories, Aurora conversations, Mirror Within journal entries, and any other user-generated inputs.
13.1 Ownership
You retain ownership of the original creative inputs you provide (such as prompts, descriptions, and personal reflections). However, the AI-generated outputs produced from those inputs (such as completed stories, Aurora responses, or emotional insights) are produced using our technology and are subject to our terms of service.
13.2 How We Use Your Content
Your personal content is used solely to deliver the features you choose to use. We do not publish, share, or redistribute your personal creative inputs or journal entries. We do not use your private content to create stories for other users. We do not mine your conversations or reflections for commercial purposes beyond delivering the Service to you.
13.3 Deletion of Content
You may delete your Aurora conversation history, Mirror Within reflections, and Desire Weaver creations at any time through the app. Deleting your account will delete all associated content within the timeframes specified in Section 6.
14. Law Enforcement & Legal Requests
We may disclose your personal information if required to do so by law, regulation, legal process, or governmental request. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Where permitted by law, we will notify you of such requests before disclosure. We will resist overly broad or legally deficient requests to the extent we are able.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.
When we make material changes, we will notify you through one or more of the following methods: a prominent notice within the app, an email to the address associated with your account, or an update posted on our website with the revised effective date clearly displayed.
We will always indicate the date of the most recent revision at the top of this policy. For material changes that affect how we process your personal data, we will provide at least 30 days’ notice before the changes take effect, giving you time to review the updated policy and, if necessary, delete your account before the new terms apply.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use and request deletion of your account.
16. Contact Information
For any privacy-related questions, concerns, data access requests, or deletion requests, contact us at:
Email: aurora@myvelvetmirror.com
Website: myvelvetmirror.com
We aim to respond to all privacy inquiries within five business days. For formal data subject access requests under GDPR or CCPA, we will respond within the legally required timeframes (30 days under GDPR, 45 days under CCPA).
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. EU residents may find their relevant authority through the European Data Protection Board. UK residents may contact the Information Commissioner’s Office (ICO). California residents may contact the California Attorney General’s office.