MIRKASO
Privacy Policy · Version 2026-05-15 · Effective: 2026-05-15

Privacy Policy

Version: 1.0

Effective Date: May 15, 2026

Data Controller: FOP Haitan Kyrylo Oleksandrovych (Sole Proprietor)

DPO Contact: support@mirkaso.com

Website: https://mirkaso.com


1. Introduction

1.1. This Privacy Policy (hereinafter — "Policy") defines the procedures for processing personal data of users of the Mirkaso platform (hereinafter — "Platform", "Service"), owned by FOP Haitan Kyrylo Oleksandrovych (hereinafter — "Data Controller", "we", "us"), a sole proprietor registered in Ukraine.

1.2. Mirkaso is a SaaS platform providing analytical tools, IT analytics, market data analysis, data analytics, and market research tools. The Platform is NOT a financial institution, broker, or investment advisor. All analytics are provided for informational purposes only and do NOT constitute investment advice.

1.3. We are the controller of personal data under the Law of Ukraine No. 2297-VI "On Personal Data Protection" and the data controller under the GDPR for users from the European Union.

1.4. Data Protection Officer (DPO): support@mirkaso.com


2. Legal Basis

This Policy is developed in accordance with:

| Legislation | Applicability |
|---|---|
| Law of Ukraine No. 2297-VI "On Personal Data Protection" | Primary law for all users |
| Law of Ukraine No. 524-IX dated 04.03.2020 | Clarification of No. 2297-VI, GDPR-aligned provisions |
| GDPR (EU) 2016/679 | For users from the European Union |
| ePrivacy Directive 2002/58/EC | Regarding the use of cookies and electronic communications |
| Law of Ukraine "On Ensuring the Functioning of the Ukrainian Language as the State Language" | Primary language of the document is Ukrainian |


3. What Data We Collect

3.1. Account Data

  • Email address
  • Name and/or display name
  • Hashed password
  • Account identifier (UUID)
  • Registration date and last login date

3.2. Payment Data

  • Transaction history (date, amount, subscription type)
  • Billing address (if provided)
  • We DO NOT store payment card data. All payment data is processed exclusively by licensed payment providers (Payoneer, PayPal, Stripe).

3.3. Technical Data

  • IP address (with last octet masking for analytics)
  • Browser User-Agent
  • Device type and operating system
  • Interface language preference

3.4. Analytics Data (cookies)

  • Platform usage data (events, page views)
  • Sessions and interface interactions
  • Heatmaps and session recordings (with consent)

3.5. Usage Data

  • System activity logs (date, time, action type)
  • Generated analytical reports and portfolio data
  • Profile settings and personalization preferences

3.6. Age-Related Data

  • The Service is intended for users aged 18 and over.
  • Users aged 16–17 may use the Service only with written consent from a parent or legal guardian.

4. Purposes of Data Processing

| No. | Purpose of Processing | Legal Basis |
|---|---|---|
| 1 | Providing access to Platform functionality (authentication, authorization) | Contract performance |
| 2 | Processing subscription payments | Contract performance |
| 3 | Usage analytics for service improvement | Legitimate interest / Consent |
| 4 | Communication with users (notifications, updates) | Contract performance / Consent |
| 5 | AI processing of anonymized portfolio data for generating insights | Explicit consent |
| 6 | Compliance with legal requirements (tax, accounting) | Legal obligation |
| 7 | Ensuring system security | Legitimate interest |
| 8 | Sending email notifications (transactional and marketing with consent) | Contract performance / Consent |


5. Legal Bases for Processing

In accordance with Article 6 of the Law of Ukraine No. 2297-VI and Article 6 GDPR, we process personal data on the following bases:

5.1. Consent of the Data Subject

  • Use of analytics cookies (PostHog, GA4, Clarity)
  • AI processing of portfolio data (via OpenRouter)
  • Marketing communications
  • The user has the right to withdraw consent at any time via profile settings or by contacting the DPO.

5.2. Contract Performance

  • Registration and maintenance of user account
  • Providing access to Platform functionality
  • Payment processing
  • Sending transactional emails

5.3. Legitimate Interest

  • Ensuring system security (logs, IP addresses)
  • Technical support
  • Product improvement analytics (subject to proper anonymization)

5.4. Legal Obligation

  • Retention of payment records in accordance with the Tax Code of Ukraine (7 years)
  • Compliance with fiscal legislation requirements

6. Cookies

6.1. The Platform uses cookies in accordance with the separate Cookie Policy, available at /cookies.

6.2. Categories of cookies used:

| Cookie | Category | Purpose | Duration |
|---|---|---|---|
| session_id | Essential | Authentication | Session |
| __stripe_mid | Essential | Stripe payment processing | 1 year |
| __stripe_sid | Essential | Stripe payment processing | 30 minutes |
| theme | Preferences | Dark/light theme | 1 year |
| locale | Preferences | Interface language | 1 year |
| _ga | Analytics | Google Analytics ID | 2 years |
| _gid | Analytics | Google Analytics session | 24 hours |
| ph_* | Analytics | PostHog events | 1 year |
| _clck | Analytics | Microsoft Clarity | 1 year |
| _fbp | Marketing | Meta Pixel | 3 months |

6.3. Essential cookies are set automatically. Analytics and Marketing cookies are set only after obtaining consent through the cookie consent banner.

6.4. Users can change cookie preferences at any time via the settings panel or browser settings.


7. Third Parties and Subprocessors

7.1. We engage third parties (subprocessors) for the processing of personal data. Full register of subprocessors:

| Subprocessor | Purpose | Region | Data Types | Privacy URL |
|---|---|---|---|---|
| Payoneer | Primary payment processor | US / EU | Payment records, billing address | https://www.payoneer.com/privacy-policy/ |
| PayPal | Reserve payment processor | US / LU | Payment records | https://www.paypal.com/ua/legalhub/privacy-full |
| Stripe | Payment processing | US / IE | Payment records, card data | https://stripe.com/privacy |
| PostHog | Product analytics | EU / US | Usage events, page views | https://posthog.com/privacy |
| Google Analytics 4 | Marketing analytics | US | Page views, sessions, demographics | https://policies.google.com/privacy |
| Microsoft Clarity | UX analytics (heatmaps, session recordings) | US | Interactions, session recordings | https://privacy.microsoft.com/privacystatement |
| OpenRouter | AI processing of portfolio data | US | Anonymized portfolio composition | https://openrouter.ai/privacy |
| Railway | Backend hosting infrastructure | US | User data, application logs | https://railway.app/legal/privacy |
| Vercel | Frontend hosting infrastructure | US | Application logs, deployment data | https://vercel.com/legal/privacy-policy |
| Resend | Email delivery | US | Email addresses, email content | https://resend.com/legal/privacy |

7.2. We enter into Data Processing Agreements (DPA) with each subprocessor that comply with the requirements of Law No. 2297-VI and, for subprocessors outside the EEA, the EU Standard Contractual Clauses (SCC).

7.3. Essential subprocessors (Payoneer, PayPal, Stripe, Railway, Vercel, Resend) are necessary for service provision and do not require separate consent. Analytics subprocessors (PostHog, GA4, Clarity, OpenRouter) are activated only with user consent.

7.4. We reserve the right to update the subprocessor register. Users will be notified of material changes no later than 30 days before they take effect.


8. AI Data Processing

8.1. The Platform uses artificial intelligence via the subprocessor OpenRouter (region: US) to generate analytical insights based on user portfolio data.

8.2. AI Processing Principles:

  • Anonymization: Only percentage allocations of portfolio composition are transmitted to OpenRouter. Dollar amounts in USD or any other currency are NOT transmitted.
  • Example: instead of "0.5 BTC (~$50,000)", we transmit "BTC — 40% of portfolio".
  • Non-identifiability: OpenRouter does not receive email, user name, or any other identifiers.
  • Non-reconstructability: Percentage data alone cannot be used to reconstruct actual amounts without access to the user's original data.
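The anonymization step described in 8.2, shown as an added illustration that is not code from the Platform or from OpenRouter: holdings are reduced to percentage allocations before any AI request is built, identifiers and absolute amounts are never copied into the payload, and a final check refuses to emit a payload that still carries a forbidden field or an absolute value. The `Holding` type, the `build_ai_payload` function and the sample portfolio are constructed for this example (the 0.5 BTC / 40% figures mirror the policy's own illustration).

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
import json

@dataclass(frozen=True)
class Holding:
    """One position as stored server-side (hypothetical shape)."""
    asset: str
    quantity: Decimal        # absolute quantity: must never leave the backend
    unit_price_usd: Decimal  # absolute price: must never leave the backend

# Field names that must never appear in anything sent to the AI subprocessor.
FORBIDDEN_KEYS = {"email", "name", "display_name", "user_id", "uuid",
                  "quantity", "unit_price_usd", "value_usd", "ip"}

def allocation_only(holdings, precision="0.1"):
    """Reduce absolute holdings to percentage-of-portfolio per asset.

    Only the ratio of each position to the total survives; neither the
    quantities nor the USD values are recoverable from the output alone.
    """
    total = sum(h.quantity * h.unit_price_usd for h in holdings)
    if total <= 0:
        raise ValueError("portfolio has no positive value; nothing to allocate")
    alloc = {}
    for h in holdings:
        pct = (h.quantity * h.unit_price_usd / total * 100).quantize(
            Decimal(precision), rounding=ROUND_HALF_UP)
        # Merge duplicate positions in the same asset.
        alloc[h.asset] = alloc.get(h.asset, Decimal(0)) + pct
    return {asset: float(pct) for asset, pct in alloc.items()}

def check_no_leak(payload):
    """Defensive gate run on the final payload before transmission.

    Rejects forbidden field names anywhere in the structure and any numeric
    value outside 0..100, which would indicate an absolute amount slipped in.
    """
    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k.lower() in FORBIDDEN_KEYS:
                    raise ValueError(f"forbidden field in AI payload: {k}")
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, (int, float)) and not 0 <= node <= 100:
            raise ValueError(f"value outside percentage range: {node}")
    walk(payload)
    return True

def build_ai_payload(user_record, holdings):
    """Build the request body for the AI insight call.

    `user_record` (email, name, uuid, ...) is accepted only to show that it is
    deliberately NOT consulted: the payload is derived from holdings alone.
    """
    payload = {"allocation_pct": allocation_only(holdings)}
    check_no_leak(payload)
    return payload

if __name__ == "__main__":
    # Constructed sample data: 0.5 BTC at $100,000 and 25 ETH at $3,000.
    user = {"email": "user@example.com", "name": "Example User", "uuid": "00000000-0000-0000-0000-000000000000"}
    portfolio = [
        Holding("BTC", Decimal("0.5"), Decimal("100000")),
        Holding("ETH", Decimal("25"), Decimal("3000")),
    ]
    print(json.dumps(build_ai_payload(user, portfolio)))
    # {"allocation_pct": {"BTC": 40.0, "ETH": 60.0}}
```

Rounding to one decimal place means the percentages may not sum to exactly 100; that is acceptable for an insight prompt and is preferable to transmitting full-precision ratios from which a small portfolio's exact figures might be inferred when combined with other knowledge.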

8.3. AI processing occurs only with explicit user consent, which is requested separately upon first use of AI functionality and can be disabled in profile settings.

8.4. If a user withdraws consent for AI processing, all subsequent requests to OpenRouter are terminated, and the history of AI interactions is deleted within 30 days.


9. International Data Transfers

9.1. User data may be processed outside Ukraine, including in the United States (US) and the European Union (EU).

9.2. Legal mechanisms for international transfers:

| Mechanism | Application |
|---|---|
| Adequacy Decision | For data transfers to EU countries (recognized as adequate under GDPR) |
| EU Standard Contractual Clauses (SCC) | For data transfers to the US under EC Decision 2021/914 |
| Data Processing Agreements (DPA) | Entered into with all subprocessors |

9.3. For users from the EU, we ensure that their data is protected at a level equivalent to the GDPR, regardless of the physical location of the servers.

9.4. Payment data processed through Payoneer (US/EU), Stripe (US/IE), and PayPal (US/LU) is protected by these payment systems' own security mechanisms, including PCI DSS certification.


10. Data Retention Periods

| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, profile, settings) | Until account deletion by user | Contract performance |
| Payment data (transaction history, billing) | 7 years | Tax Code of Ukraine, Art. 44 |
| Analytics data (cookies) | Per cookie table in Section 6 | User consent |
| System activity logs | 1 year | Law No. 2297-VI, Art. 11 |
| Backups (after account deletion) | 30 days | Technical necessity, then full deletion |
| AI interactions (OpenRouter queries/responses) | Until consent withdrawal + 30 days | User consent |
| Email communication | 2 years | Legitimate interest / Evidentiary basis |

10.1. After the expiration of retention periods, data is subject to complete deletion or irreversible anonymization (transformation into a form that does not allow identification of the data subject).


11. Data Subject Rights

In accordance with the Law No. 2297-VI and the GDPR, every user has the following rights:

11.1. Right of Access

The user has the right to obtain confirmation as to whether their personal data is being processed, as well as a copy of all stored data.

11.2. Right to Rectification

Users may request correction of inaccurate or incomplete personal data through profile settings or by contacting the DPO.

11.3. Right to Erasure ("Right to be Forgotten")

Users have the right to request deletion of their personal data when:

  • the data is no longer necessary for the purposes of processing;
  • the user withdraws consent;
  • the processing was unlawful;
  • the data must be erased under applicable law.

Exceptions: data retained under legal obligation (payment records — 7 years) is not subject to deletion until the statutory retention period expires.

11.4. Right to Restriction of Processing

Users may request the suspension of processing of their data in case of contesting the accuracy of data or the lawfulness of processing.

11.5. Right to Data Portability

Users have the right to receive their data in a structured, machine-readable format (JSON, CSV) and transfer it to another controller.

11.6. Right to Object

Users may object to processing of their data based on legitimate interests. In such cases, we will cease processing unless we demonstrate compelling legitimate grounds.

11.7. Right to Withdraw Consent

Consent for data processing may be withdrawn at any time via:

  • Profile settings on the Platform;
  • Contacting the DPO at support@mirkaso.com;
  • Cookie consent banner (for analytics cookies).

Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.

11.8. Right to Lodge a Complaint with the Ukrainian DPA

Users have the right to file a complaint with the Authorised Human Rights Representative of the Verkhovna Rada of Ukraine:

  • Website: https://ombudsman.gov.ua
  • Address: 01008, Kyiv, Rylskyi Lane, 3
  • Email: hotline@ombudsman.gov.ua

11.9. Right to Judicial Remedy

Users have the right to appeal to court to protect their personal data rights.

11.10. Right to Lodge a Complaint with an EU Supervisory Authority

For users from the EU — the right to file a complaint with the supervisory authority of their country of residence or location.

11.11. Response Timeframe

We consider all requests regarding data subject rights within 30 calendar days from receipt. In complex cases, this period may be extended by 60 days with mandatory notification to the user.


12. Account Deletion Procedure

12.1. Initiating Deletion

Users may initiate account deletion through profile settings or by contacting the DPO.

12.2. Soft Delete

  • The account is deactivated (soft delete).
  • The user loses access to the Platform.
  • Data is marked as "pending deletion".

12.3. Cooling Period — 30 Days

  • For 30 days, the user may restore their account by contacting support@mirkaso.com.
  • During this period, data is NOT permanently deleted.

12.4. Permanent Deletion

  • Upon expiration of the 30-day period:
    • Account data is subject to irreversible deletion.
    • Payment data is retained in the minimum necessary scope for 7 years (tax requirement).
    • Analytics data is subject to anonymization.
    • Backups are deleted within 30 days.

12.5. Immediate Deletion

Users may request immediate permanent deletion without a cooling period by providing explicit confirmation in their request to the DPO.


13. Data Export

13.1. Users have the right to export their data in a machine-readable format.

13.2. Available formats: JSON, CSV.

13.3. Delivery method: via profile settings on the Platform or by request to the DPO.

13.4. Data included in the export:

  • Account information (email, name)
  • Transaction history
  • Saved settings and preferences
  • Generated analytical reports (if any)

13.5. Delivery timeframe: within 30 days from the date of request.


14. Security Measures

14.1. We ensure an appropriate level of personal data protection through the implementation of the following technical and organizational measures:

| Measure | Description |
|---|---|
| TLS 1.3 | All connections between the user and the platform are encrypted |
| Encryption at rest | Data on servers is encrypted using AES-256 |
| Password hashing | Passwords are stored as cryptographic hashes (bcrypt/Argon2) |
| Access restriction | Only authorized personnel have access to data, following the principle of least privilege |
| Access logging | All actions involving personal data are recorded in audit logs |
| Regular backups | Encrypted, with a 30-day retention period |
| Software updates | Regular installation of security updates |
| Monitoring | Continuous monitoring for suspicious activity |

14.2. In the event of a personal data breach, we notify:

  • The Authorised Human Rights Representative of the Verkhovna Rada of Ukraine within 72 hours of discovery (if the breach poses a risk to data subjects' rights).
  • The affected data subjects themselves — without undue delay, if the breach poses a high risk to their rights.

15. Changes to the Policy

15.1. We reserve the right to make changes to this Policy.

15.2. Users will be notified of material changes via:

  • Email to the address associated with their account;
  • Notification in the Platform interface;
  • No later than 30 days before the changes take effect.

15.3. If changes are material and affect users' rights (including regarding new categories of data, new subprocessors, or new processing purposes), we may require re-consent (forced re-consent) before continuing use of the Service.

15.4. Continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.


16. Contact Information

16.1. Data Protection Officer (DPO)

  • Email: support@mirkaso.com
  • Subject line: "DPO / Privacy Request"

16.2. Response Timeframe

  • Standard requests: 30 calendar days
  • Breach complaints: 72 hours

16.3. Data Controller Details

FOP Haitan Kyrylo Oleksandrovych (Sole Proprietor)

  • ITN: 3097700915
  • Registration address: Ukraine, 65037, Odeska obl., Odeskyi r-n, s. Lymanka, vul. Malynova, bud. 20A
  • NACE: 62.01 — Computer programming
  • NACE: 62.02 — IT consulting
  • NACE: 62.09 — Other IT and computer systems activities
  • NACE: 63.11 — Data processing, web hosting and related activities
  • NACE: 63.12 — Web portals
  • Country of registration: Ukraine
  • Website: https://mirkaso.com
  • Email: support@mirkaso.com

This Privacy Policy is effective as of May 15, 2026.

In case of discrepancies between the Ukrainian and English versions of this Policy, the Ukrainian version shall prevail.