Last updated: May 2026
1. Data Controller
The data controller for Mirkaso is:
Mirkaso
Email: support@mirkaso.com
For GDPR-related inquiries, including exercising your rights, please contact us at the email above.
2. What We Collect
- Account data: email address, username, password hash (bcrypt), avatar URL.
- Profile data: language preference, theme, timezone, notification settings.
- Usage data: IP address, user-agent, timestamps, page views, feature usage.
- Portfolio data: asset symbols and amounts (only if you enable portfolio sync).
- Payment data: PayPal transaction IDs, amounts, statuses, subscription history. We do not store credit card numbers.
- Communications: Telegram chat ID (if connected), email correspondence.
- Cookies: essential (authentication), preferences (language), and analytics (with consent).
3. Lawful Basis for Processing
| Purpose | Data | Legal Basis |
|---|---|---|
| Authentication | Email, password hash | Contract (Art. 6(1)(b) GDPR) |
| Security & fraud prevention | IP, user-agent, timestamps | Legitimate Interest (Art. 6(1)(f)) |
| Analytics | Usage patterns, page views | Consent (Art. 6(1)(a)) |
| Marketing emails | Email address | Consent (Art. 6(1)(a)) |
| Telegram alerts | Telegram chat ID | Consent (Art. 6(1)(a)) |
| Tax compliance | Payment records | Legal Obligation (Art. 6(1)(c)) |
4. How We Use Data
- To provide and maintain the Platform and its features.
- To personalize your experience (language, theme, dashboard layout).
- To send service notifications, security alerts, and billing reminders.
- To process payments and manage subscriptions through PayPal.
- To improve the Platform through analytics and user feedback.
- To ensure security, prevent fraud, and comply with legal obligations.
5. Data Retention
- Account data: Until you delete your account.
- Audit logs & security logs: 90 days.
- Analytics data (with consent): 26 months.
- Payment records: 7 years (tax compliance).
- Deleted accounts: 30-day grace period, then 90-day wipe period for permanent erasure (except payment records).
- Data exports: Download links expire after 24 hours.
6. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Access: Request a copy of all data we hold about you (via Profile → Export Data).
- Rectification: Update your profile information at any time.
- Erasure ("Right to be forgotten"): Delete your account from Profile settings.
- Restriction: Request limited processing of your data.
- Portability: Download your data in JSON/CSV format.
- Objection: Unsubscribe from marketing emails at any time.
- Withdraw Consent: Disable analytics cookies or Telegram alerts in your profile.
To exercise any of these rights, visit your Profile or email us at support@mirkaso.com. We respond within 30 days.
7. Cookies & Tracking
We use cookies to provide essential functionality and improve your experience. Essential cookies (authentication) cannot be disabled. Preference cookies (language) can be managed in your profile. Analytics cookies require your explicit consent. For details, see our Cookie Policy.
8. Third-Party Processors
- PayPal — Payment processing (billing data, transaction IDs).
- Resend — Email delivery (transactional and marketing emails).
- Railway / Vercel — Cloud hosting and CDN (all data transits through their infrastructure).
- Telegram — Bot notifications (chat ID, message content).
- OpenRouter — AI insights (anonymized query data for analytics generation).
9. Sub-processors
We use the following sub-processors to provide AI-powered insights:
- OpenRouter, Inc. (US) — routes requests to AI model providers. Data transferred: anonymized portfolio composition and metrics. Safeguard: Standard Contractual Clauses (SCC) under GDPR Article 46. Note: We do not control whether underlying model providers (OpenAI, Anthropic, Google) use inputs for training.
We rely on explicit user consent before sending any data to AI model providers. Users may decline AI insights without affecting other platform features.
9.1. AI Data Processing
When you enable AI Insights, anonymized portfolio composition (percentages only, no dollar amounts) and selected metrics are sent to OpenRouter and underlying model providers (OpenAI, Anthropic, Google). We do not control whether these providers use inputs for model training. You can withdraw AI consent at any time in Profile → Privacy & Data.
9.2. Data Deletion Timeline
Upon account deletion:
- Personal data: erased within 30 days
- Payment records: retained for 7 years (tax compliance)
- Analytics data: anonymized immediately, no retention
- AI query logs: deleted within 7 days
10. International Transfers
Some of our processors are based in the United States (PayPal, Resend, OpenRouter). We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR. Telegram data is processed outside the EU; by connecting Telegram, you acknowledge this transfer.
11. Security Measures
- All data is transmitted over HTTPS (TLS 1.3).
- Passwords are hashed with bcrypt.
- JWT tokens are used for authentication and are stored in cookies with the Secure and HttpOnly flags set.
- Rate limiting on all API endpoints.
- HSTS headers enforced.
- Regular security audits and dependency updates.
12. Children's Privacy
The Platform is not intended for users under 18. If we discover that a minor has provided personal data, we will delete such data within 72 hours.
13. Breach Notification
In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notice. The "Last updated" date at the top indicates the latest revision.
15. Contact
For privacy-related questions or to exercise your rights, contact us at support@mirkaso.com.