Terms of Use

About Mirrorly

Mirrorly is a self-assessment and self-training tool for cosmetic, grooming, and charisma decisions. It uses on-device face measurement (Apple ML Kit on iOS, Google ML Kit / MediaPipe on Android) plus AI image generation and analysis (Replicate, OpenAI) to show you measurements of your own face and generate illustrative "after" previews of grooming changes applied to your photo. The Eyes and Game tabs add real-time gaze drills, voice-delivery scoring, and a voice-driven roleplay coach ("Lucien") that uses the OpenAI Realtime API for live conversation practice. Mirrorly is not a medical device and does not provide medical, dental, psychological, or surgical advice.

Who can use this app

You must be at least 13 years old to use Mirrorly. If you are under 18, you represent that your parent or legal guardian has reviewed and agreed to these terms on your behalf.

Accounts

Mirrorly does not require an account. Purchases and saved scans live on your device and are tied to your App Store or Google Play account for billing purposes only.

Subscriptions & auto-renewal

Mirrorly offers auto-renewing subscriptions:

• Mirrorly Pro Monthly — $4.99 USD per month (or local equivalent), billed monthly until cancelled.
• Mirrorly Pro Annual — $29.99 USD per year (or local equivalent), with a 7-day free trial for new subscribers, billed annually until cancelled.

Subscription terms:

• Payment is charged to your Apple ID or Google Play account at confirmation of purchase.
• Your subscription automatically renews for the same term at the same price unless you cancel at least 24 hours before the current period ends.
• Your account is charged for renewal within 24 hours of the period ending.
• You can manage or cancel subscriptions in your Apple ID or Google Play account settings at any time. Uninstalling the app does NOT cancel the subscription.
• Any unused portion of a free trial period is forfeited when you purchase a subscription.
• No refund is issued for the unused portion of the current period. Partial refunds, where offered, are handled by Apple or Google directly, not by Mirrorly.

One-time credit packs

Credit packs are non-subscription, one-time purchases. Mirrorly Rescue Pack — $9.99 USD (or local equivalent) — grants 20 AI-rendered "after" image credits. Credits do not expire, but they are non-refundable and non-transferable between accounts or devices.

What we render — and what we do not

Mirrorly renders illustrative previews of grooming and styling changes applied to your photo. These images are approximations, not photographs of real outcomes, and may differ from the real-world result you would get from a barber, surgeon, or dermatologist. Never use a Mirrorly rendering as the sole basis for a medical, dental, or surgical decision. Consult a licensed professional.

Your content

You retain all rights to photos you take inside Mirrorly. By scanning a photo and granting in-app permission in the AI data consent dialog, you grant Mirrorly a limited, revocable, royalty-free licence to process that photo on your device and transmit it to our AI providers (OpenAI and Replicate) solely to produce your measurements, score, and rendered outputs. We do not sell your photos. We do not train AI models on your photos.

AI data permission — every detail of what gets sent, where, and why

At the end of onboarding, before any photo bytes leave your device, Mirrorly displays a full-screen permission dialog ("PERMISSION TO SHARE YOUR PHOTO WITH AI PROVIDERS"). The same dialog is also shown the first time you reach any other AI-firing path (Mirror chat, try-on render, maximise) if it has not already been answered. You must tap ALLOW for any photo bytes to be transmitted; tapping CANCEL keeps the photo entirely on your device and aborts the analysis.

Exactly what is sent

1. The selfie photo you captured (JPEG, compressed, base64-encoded inside an HTTPS POST body).
2. Sixteen geometric measurements computed on-device by Apple ML Kit (iOS) or Google ML Kit (Android) before transmission: canthal-tilt angle (degrees), jaw apex angle (degrees), face width-to-height ratio, facial-symmetry score (0–100), facial-thirds split (top/mid/lower percentages), eye-spacing ratio, lip fullness, brow-to-eye gap, philtrum ratio, interpupillary-distance ratio, nose-length ratio, face-length ratio, head-shape category (long / oval / square / broad / round).

Not sent: name, email, phone, postal address, location, contacts, IP-based tracking IDs, advertising IDs, social-login data — none leave your device.

Exact route the photo takes

Step 1 — your phone → Mirrorly's backend at https://mirrorly-production.up.railway.app, encrypted by HTTPS / TLS 1.3. Mirrorly's backend does NOT persist photo bytes; it forwards in-memory and returns the response.

Step 2 — Mirrorly's backend → AI provider:

• POST /analyse and POST /rate → OpenAI GPT-4o Vision (api.openai.com) for analysis text and honest-looks rating.
• POST /maximize and POST /tryon → Replicate (api.replicate.com) — Google Nano Banana renders the "maximised" preview, cdingram/face-swap locks identity.
• POST /chat → OpenAI for the Mirror advisor's face-specific responses.

Who receives it, by name

• OpenAI, L.L.C. (San Francisco, CA, USA) — GPT-4o Vision endpoint.
• Replicate, Inc. (San Francisco, CA, USA) — Nano Banana + cdingram/face-swap endpoints.
• Mirrorly's own backend on Railway — transient routing only.

No other party receives your photo or geometry data.

How long each party keeps it

• On your phone — until you delete the scan inside the app or uninstall.
• In flight — TLS 1.3 encrypted.
• On Mirrorly's backend — bytes not persisted; only timestamps + HTTP status codes logged, auto-expiring after 30 days.
• On OpenAI — duration of one request; excluded from training and long-term retention.
• On Replicate — duration of one inference request; excluded from training and not retained long-term.

Why your photo is sent

Sole purpose: produce the analysis text, the honest-looks score, and the rendered preview that you see inside the app. Never used for advertising, profiling, identity matching, facial recognition, biometric template building, AI model training, or resale.

How to revoke

Settings → Revoke AI permission. The consent flag is cleared and the dialog is re-shown on your next AI-firing action. Settings → Delete all data wipes every on-device scan, render, and protocol.

Voice & training data — Eyes and Game tabs

The Eyes and Game tabs use the device microphone for charisma training. Microphone access is requested at the iOS / Android system level the first time you enter a voice drill; you may deny it and the rest of the app still works.

When audio is captured

Only when you explicitly tap a record / talk button inside a voice drill. The app does NOT listen passively, NOT in the background, NOT outside an active drill. Recording stops the moment you finish the drill.

Exactly what is sent

1. The short audio clip you just recorded (PCM or compressed WAV / M4A, base64-encoded inside an HTTPS multipart body), OR — for live "Free Flow" and "Council" voice sessions — a live PCM16 audio stream over a secure WebSocket.
2. Lesson metadata: lesson id, target line, target words-per-minute band, expected warmth flag. No personal identifiers.

Not sent: name, email, phone, location, contacts, advertising IDs, ambient or background audio (the mic is only live during an active drill).

Exact route the audio takes

Recorded drills (Eyes voice, Arena, rhetoric scoring):

Phone → Mirrorly's AURALAY backend at https://auralayai-production-65c2.up.railway.app, encrypted by HTTPS / TLS 1.3 → backend forwards to OpenAI in-memory for one request → response (transcript text + reply audio) returns to phone. The AURALAY backend does NOT persist audio bytes; only timestamps and HTTP status codes are logged for diagnostics, auto-expiring after 30 days.

Live voice (Free Flow, Council):

Phone requests a short-lived ephemeral OpenAI Realtime API token from the AURALAY backend (HTTPS) → phone opens a TLS-encrypted WebSocket directly to api.openai.com → live audio streams to OpenAI and replies stream back, never traversing Mirrorly servers.

OpenAI models used

• whisper-1 — transcribes your recorded audio to text for scoring.
• gpt-4o — produces in-character text replies for Lucien and the Arena women.
• gpt-4o-mini-tts — synthesises Lucien's and the Arena characters' voice replies.
• gpt-realtime — drives the live Free Flow and Council voice sessions via direct WebSocket.

Who receives it, by name

• OpenAI, L.L.C. (San Francisco, CA, USA) — receives the audio for transcription, language modelling, and voice synthesis.
• Mirrorly's AURALAY backend on Railway — transient routing and Realtime token minting only.

No other party receives your voice data.

Retention

• On your phone — clips are written to a temporary directory during the drill and deleted when the drill ends or the app is closed; transcripts are not stored.
• In flight — TLS 1.3 encrypted.
• Mirrorly AURALAY backend — bytes not persisted; only HTTP status + timestamp logs, auto-expiring after 30 days.
• OpenAI — duration of one API request (or one live Realtime session); excluded from training and long-term retention under OpenAI's standard API terms.

Why your voice is sent

Sole purpose: transcribe what you said, score your delivery (pace, conviction, warmth, presence), and play back the in-character reply. Never used for voice-print biometrics, speaker identification, advertising, profiling, AI model training, or resale.

How to stop it

Skip the Eyes and Game tabs, or deny microphone permission at the iOS / Android system level. Settings → Delete all data wipes any on-device training history.

Creator mode

Settings → CREATOR is a password-gated, off-by-default switch that swaps Lucien and the Arena characters into a sharper, less filtered persona for the Game tab's voice surfaces. It is intended for adult users who want a less polished coaching tone.

Even when CREATOR is ON, the underlying OpenAI policy guardrails are enforced server-side: no sexually explicit content, no instructions for real-world harassment, coercion, or harm, and no targeting of protected groups. Output remains within OpenAI's and the App Store / Play Store's content policies.

CREATOR is OFF until you explicitly enter the password. Turning it ON only affects this device. Tapping the same tile again, or deleting the app, re-locks everything.

Face data — what we collect, why, who receives it, how long we keep it

What face data Mirrorly collects:

Mirrorly collects two related pieces of face data:

1. The selfie photograph captured with the in-app scan camera.
2. Sixteen scalar geometric measurements derived from that photograph, computed entirely on your device by Apple ML Kit (iOS) or Google ML Kit (Android). These measurements are plain numbers describing facial shape — canthal-tilt angle in degrees, jaw angle in degrees, face width-to-height ratio, facial symmetry score (0–100), facial-thirds proportions, eye spacing ratio, lip fullness, brow-to-eye gap, philtrum ratio, interpupillary ratio, nose length ratio, face length ratio, and a head-shape category. They are NOT a biometric template, a face print, or anything that could be used to recognise or identify you.

How Mirrorly uses face data:

• Compute and display your geometry-derived score, trait badges, and archetype match on screen, on-device.
• Generate a written analysis of your facial proportions — the photo is sent to OpenAI's GPT-4o Vision API for one request; the response is returned to the app.
• Generate an illustrative "maximised" preview image — the photo is sent to Replicate's Nano Banana and cdingram/face-swap APIs for one request; the rendered image is returned to the app.
• Persist the photo and the geometry numbers in the app's sandboxed local storage so you can revisit prior scans inside the app.

Mirrorly does NOT use face data for: facial recognition, identity matching, authentication, ARKit Face ID, advertising, profiling, training AI models, building a biometric template, or any cross-app tracking purpose.

Who receives face data, and where it is stored:

The selfie photo is sent over HTTPS to two third-party AI providers, solely to deliver app functionality:

• OpenAI (GPT-4o Vision) — to generate analysis text and cosmetic rating. OpenAI's standard API endpoints (which Mirrorly uses) exclude API inputs from model training and from long-term retention.
• Replicate (Google Nano Banana model + cdingram/face-swap model) — to render the "maximised" preview image. Replicate's API terms similarly exclude API inputs from training and provide for transient processing only.

No other third party receives face data. Mirrorly does NOT share face data with advertisers, data brokers, analytics providers, social-login providers, or any other party. The geometry numbers are not transmitted off-device except as part of the photo-bearing API request used for analysis.

Storage locations:

• On your device — the app's sandboxed documents directory, until you uninstall the app.
• Transiently in OpenAI's and Replicate's request-processing infrastructure — for the seconds required to return a response.
• On Mirrorly's own backend — request timestamps and response status codes only (no photo bytes, no face data) for operational diagnostics; logs auto-expire after 30 days.

How long face data is retained:

• On your device: indefinitely, until you uninstall the app or delete the scan from inside the app.
• On Mirrorly's servers: face data is never retained.
• On OpenAI's and Replicate's infrastructure: only for the duration of one API call, per their default API terms.

The Privacy Policy contains a dedicated section titled "FACE DATA — WHAT IT IS, WHAT IT ISN'T" plus related sections "WHAT WE COLLECT", "WHO PROCESSES YOUR PHOTOS", "WHAT WE DO NOT COLLECT", "YOUR RIGHTS", and "SECURITY". You can stop the app from collecting any face data at any time by deleting it.

Third-party protection parity

Per App Store guideline 5.1.2(i), any third party that receives Mirrorly user data must provide the same or equal privacy protection as Mirrorly itself. Both AI providers we transmit photos to meet this bar:

• OpenAI — under the standard API terms, customer inputs are excluded from model training, encrypted in transit (TLS) and at rest, processed transiently for the single request, and not used for advertising, profiling, or sale to third parties.
• Replicate — under the standard API terms, model inputs are excluded from training, processed for the duration of one inference request, not retained long-term, and not used for advertising, profiling, or sale to third parties.

Mirrorly does not transmit user photos to any other third party.

Acceptable use

You agree not to use Mirrorly to scan, analyse, or render a face that is not your own without that person's explicit consent. You agree not to use Mirrorly outputs to harass, demean, or defame any person.

Termination

We may suspend or terminate access for conduct that violates these terms, harms other users, or violates applicable law. You may stop using the app at any time by deleting it.

Disclaimers & liability

Mirrorly is provided "as is" without warranty of any kind, express or implied. To the maximum extent permitted by law, Mirrorly's total liability for any claim is limited to the amount you paid Mirrorly in the twelve months preceding the claim.

Changes to these terms

We may update these terms. Material changes will be surfaced inside the app before they take effect. Continued use after an update constitutes acceptance.

Contact

Questions? Email info@m2mb.co.uk.