Privacy Policy

Last updated: March 10, 2026

MVAT Studio ("we", "us", "our") operates the MVAT Mirror mobile application (the "App"). This Privacy Policy explains what data we collect, how we use it, the legal bases for processing, and your rights regarding that data. MVAT Studio is the data controller for the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws.

1. Data Controller & Contact

The data controller responsible for your personal data is:

  • Entity: MVAT Studio
  • Privacy inquiries: privacy@mvat.ai

For privacy-related requests, we will acknowledge receipt within 5 business days and provide a substantive response within 30 days. If we require additional time (up to 60 additional days for complex requests), we will notify you of the extension and the reason within the initial 30-day period.

2. Our Privacy Commitment

MVAT Mirror is built on a core principle: your personal content never leaves your device. All natural language processing — reading and analyzing your posts — happens entirely on-device. Only the resulting personality profile (11 numeric dimensions) is ever transmitted to our servers. We cannot read your posts. We do not want to.

We are committed to the principles of data minimization and purpose limitation. We collect only the minimum personal data necessary to provide the App's functionality, and we process that data solely for the purposes described in this Privacy Policy. We do not repurpose your data for unrelated activities, sell your data, or use it for advertising.

3. Information We Collect

Account Data

When you sign in with Google or Apple, we receive:

  • Your email address
  • Your display name (if provided by the identity provider)
  • A unique user identifier from the identity provider

Personality Profile Data

After on-device analysis of your connected social sources, we store in Firebase Firestore:

  • Your personality vector: 11 numeric scores representing personality dimensions
  • Source metadata: which platforms are connected, total post count analyzed, and date of last analysis
  • Profile history: timestamped snapshots showing how your profile evolves over time

These are abstract numeric values — not summaries, quotes, or excerpts of your actual content.

Subscription Data

  • Your current subscription tier (Free or Pro)
  • Purchase receipts from Apple App Store or Google Play (processed server-side for validation)

4. What We Do NOT Collect

We are explicit about what we never collect or transmit:

  • The text content of any social media posts, comments, or messages
  • Names, handles, or identifiers of people you interact with
  • Photos or media from your social accounts
  • Direct messages or private communications
  • Contact lists or follower/following lists
  • Browsing history or activity outside the App
  • Location data
  • Device advertising identifiers

All post content fetched from connected sources is processed exclusively on your device and immediately discarded after personality calculation completes.

5. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following legal bases:

  • Performance of a contract (Article 6(1)(b)): Processing your account data and personality profile is necessary to provide you the App's services as described in our Terms of Use.
  • Consent (Article 6(1)(a)): When you connect a social media source, you explicitly consent to the App fetching your public posts for on-device analysis. You may withdraw consent at any time by disconnecting the source in Settings.
  • Legitimate interests (Article 6(1)(f)): We process subscription and purchase validation data to prevent fraud and ensure service integrity. Our legitimate interest does not override your fundamental rights, given that we process only the minimum data necessary.
  • Legal obligation (Article 6(1)(c)): We may process or retain data when required by applicable law, such as tax record-keeping for purchase transactions.

6. On-Device Processing & Automated Decision-Making

MVAT Mirror uses on-device NLP (Natural Language Processing) to analyze your public writing. This means:

  • Your posts are fetched from connected social APIs directly to your device
  • Analysis runs locally using on-device models — no cloud inference
  • Raw text is held in encrypted device memory only during processing
  • Only the numeric result (your personality vector) is sent to our servers
  • OAuth access tokens for social sources are stored in expo-secure-store on your device and are never transmitted to MVAT servers

Even MVAT Studio employees cannot access your post content — it is never transmitted to us.

Automated Decision-Making Disclosure (GDPR Article 22)

The on-device NLP analysis constitutes automated processing that produces a personality profile. Important details about this processing:

  • Nature: The App uses pre-trained language models running entirely on your device to score your public writing across 11 personality dimensions.
  • Logic: The models analyze linguistic patterns, word choice, sentence structure, and thematic content to derive numeric personality scores. No single post determines your profile — scores are aggregated across all analyzed content.
  • Significance: The resulting profile is for personal self-reflection only. It produces no legal effects and has no binding consequences. It is not used for automated decision-making that affects your rights or access to services.
  • Limitations: The analysis is inherently approximate. Results may vary based on the volume and nature of analyzed content, device hardware, and model version. The profiles are not clinically validated and should not be treated as psychological assessments.
  • Your rights: You have the right to obtain human intervention, express your point of view, and contest any profile result by contacting us at privacy@mvat.ai.

7. Third-Party Services

The App connects to the following third-party services. Each operates under its own privacy policy:

  • Firebase Authentication (Google LLC) — user identity and session management.
  • Cloud Firestore (Google LLC) — personality profile and subscription state storage.
  • Apple Sign-In (Apple Inc.) — iOS authentication.
  • Google Sign-In (Google LLC) — authentication.
  • Facebook Graph API (Meta Platforms, Inc.) — optional source for your public Facebook posts.
  • Instagram Graph API (Meta Platforms, Inc.) — optional source for your Instagram captions.
  • X/Twitter API (X Corp.) — optional source for your public posts.
  • Apple App Store / Google Play — in-app purchase processing

When you connect a social source, you authorize the App to fetch your public posts from that platform's API on your behalf. You can disconnect any source at any time from Settings. Disconnecting revokes our access token and removes that source's contribution from future analyses.

Data Processor Agreements

We maintain Data Processing Agreements (DPAs) with all third-party service providers who process personal data on our behalf, as required by GDPR Article 28. These agreements ensure our processors are contractually bound to process data only on our instructions, implement appropriate security measures, and assist with fulfilling data subject rights requests.

8. Social Media Platform API Compliance

Our use of social media platform APIs is subject to each platform's developer terms and data policies:

  • We access only data you have explicitly authorized through each platform's OAuth consent flow.
  • We request only the minimum API scopes necessary to fetch your public posts for on-device analysis.
  • We do not store, cache, or retain the raw content retrieved from any platform API beyond the duration of on-device processing.
  • We do not transfer platform data to third parties or use it for purposes beyond personality profile generation.
  • If a platform revokes our API access or changes its data policies, we will promptly update the App and notify affected users.
  • You may revoke the App's access to any connected platform at any time, both within our App (Settings) and through the platform's own app permissions settings.

9. Cookies & Tracking Technologies

The MVAT Mirror mobile application does not use cookies. Specifically:

  • No advertising cookies or tracking pixels: We do not use any advertising or analytics SDKs that place cookies or tracking identifiers.
  • No cross-app tracking: We do not track your activity across other apps or websites.
  • No device fingerprinting: We do not collect device characteristics for the purpose of identifying you across services.
  • Firebase session data: Firebase Authentication uses secure tokens (not cookies) stored on your device to maintain your login session. These are functional tokens necessary for the App to operate and are not used for tracking.
  • Local storage: The App uses encrypted AsyncStorage on your device to cache your personality profile for offline access. This data never leaves your device except as the numeric personality vector transmitted to our servers.

10. Data Storage, Security & International Transfers

Personality profile data is stored in Google Cloud (Firebase) servers in the United States. Auth tokens for connected social sources are stored exclusively in expo-secure-store on your device — they are never transmitted to our servers. Personality data is cached locally using encrypted AsyncStorage. All data transmitted to our servers uses HTTPS/TLS. Firebase Security Rules ensure users can only access their own data.

International Data Transfers

If you are located outside the United States, your personality profile data will be transferred to and stored in the United States via Google Cloud (Firebase). We rely on the following safeguards for these transfers:

  • EU-U.S. Data Privacy Framework: Google LLC is certified under the EU-U.S. Data Privacy Framework, providing adequate protection for transfers from the EU/EEA.
  • Standard Contractual Clauses: Where the Data Privacy Framework does not apply, our Data Processing Agreement with Google incorporates the European Commission's Standard Contractual Clauses (SCCs) as an alternative transfer mechanism.
  • Data minimization: Only numeric personality scores and basic account data are transferred — no raw content, no behavioral data, no sensitive personal data.

You can request a copy of the applicable transfer safeguards by contacting privacy@mvat.ai.

11. Data Retention

We retain your personality profile data for as long as your account is active. Profile history snapshots older than 12 months are automatically pruned. You may request deletion of your account and all associated data at any time. Subscription purchase records may be retained for up to 7 years after the transaction to comply with tax and financial reporting obligations.

12. Your Rights

Account & Data Deletion (GDPR Article 17)

You have the right to erasure of your data. You can delete your account directly from the App: Settings → Delete Account. This permanently and irreversibly removes:

  • Your Firebase Auth account
  • All Firestore data (personality profiles, history, source metadata, subscription state)
  • Your profile from all MVAT Mirror systems

Processing completes within 30 days. This action cannot be undone. Raw post content was never stored on our servers, so no deletion of that content is necessary on our end.

Data Portability (GDPR Article 20)

You have the right to receive your data in a portable format. You can export your personality profile data from the App: Settings → Export Data. Your export includes your full personality vector history as a JSON file.

Additional Rights Under GDPR

If you are located in the EU/EEA or UK, you also have the right to:

  • Access (Article 15): Request a copy of all personal data we hold about you.
  • Rectification (Article 16): Request correction of inaccurate personal data.
  • Restriction of processing (Article 18): Request that we limit how we use your data while a complaint is being resolved.
  • Object to processing (Article 21): Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact privacy@mvat.ai. We will respond within 30 days. If we require additional time (up to 60 additional days for complex or numerous requests), we will inform you of the extension within the initial 30-day period, along with the reasons for the delay.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
  • Provide details of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

14. Children's Privacy

The App is not directed to children under 13 (or under 16 in jurisdictions where GDPR sets a higher age of consent for data processing). We do not knowingly collect personal information from children under these age thresholds. If you believe a child has provided us with personal information, contact us at privacy@mvat.ai and we will delete it promptly.

15. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell or share (as defined by CCPA/CPRA) your personal information. No opt-out is necessary.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your rights, contact privacy@mvat.ai. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, for significant changes, by providing notice through the App or via email. Continued use of the App after changes constitutes acceptance of the revised policy. If a change materially reduces your rights, we will seek your affirmative consent before applying the new policy to previously collected data.

17. Severability

If any provision of this Privacy Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.

18. Contact

For privacy questions, data requests, or concerns, contact us at: privacy@mvat.ai

© 2026 MVAT Studio. All rights reserved.