Mirayti Privacy Policy

Last updated: 31 May 2026
Version: 1.0

1. Introduction

This Privacy Policy explains how Mirayti (مرايتي) ("Mirayti", "we", "us", or "our") collects, uses, discloses, transfers, retains, and protects your personal data when you use the Mirayti mobile application and related services (the "App" or "Service").

Mirayti is an AI-powered virtual try-on application for modest fashion, designed primarily for users in the Middle East and North Africa (MENA) and Gulf region. The App allows you to upload photographs of your face and body so that artificial intelligence can generate images showing how garments may look on you.

Because the App processes photographs of your face and body — which we treat as sensitive and biometric personal data — please read this Policy carefully before using the Service. We will not process these photographs without your explicit, separate, and freely given consent, captured through a dedicated in-app consent screen before any photograph leaves your device.

This Policy is designed to comply with the data protection laws of the jurisdictions in which our users are located, including:

Where the EU General Data Protection Regulation (GDPR) or the EU AI Act applies to processing carried out by our infrastructure providers, we apply equivalent safeguards.

2. Data Controller and Privacy Contact

Data Controller

Mirayti, operated by an individual developer (Mirayti is not a registered company).
Jurisdiction: the United Arab Emirates
Contact email: privacy@miraya.app

The Controller determines the purposes and means of processing your personal data and is responsible for this processing under the applicable laws listed above.

Privacy Contact

Mirayti is operated by an individual developer, so a separate Data Protection Officer has not been appointed. Mirayti is responsible for data protection and is the designated contact for data subjects and supervisory authorities.

Privacy contact: Mirayti
Email: privacy@miraya.app

You may contact us at any time to exercise your rights, withdraw consent, raise a concern, or ask questions about this Policy.

3. How We Collect Your Data and Its Sources

We collect personal data directly from you when you create an account, grant the App access to your device camera or photo library, upload photographs, request a try-on, or contact support. Photographs are collected only through the camera or photo-library permissions you grant on your device; we do not access your camera or photos without that permission and without your action.

We also receive a limited amount of data from third parties in connection with your use of the App, namely: purchase, subscription-status, and transaction identifiers from Apple, Google, and RevenueCat (we do not receive your full payment-card details, which are handled by the app stores). We do not buy personal data about you from data brokers.

4. Categories of Personal Data We Process

CategoryExamplesClassification
Face photographsImages of your face uploaded for try-on / AI model generationSensitive / biometric personal data
Body photographsImages of your body uploaded for try-on / AI model generationSensitive / biometric personal data
Generated try-on imagesAI-generated images derived from your face/body photos and a garmentSensitive / biometric personal data (derived)
Garment imagesPhotos of clothing you upload to try onTreated to the sensitive-data standard (because such images may incidentally reveal you, another person, or your surroundings)
Content-safety signalsAutomated indicators generated when scanning uploaded and generated images for prohibited content (e.g., nudity, minors, illegal content)Sensitive (derived from photographs)
Account dataEmail address, user ID (UID), authentication identifiersPersonal data
Purchase & subscription dataSubscription tier (Starter / PRO), credit balance and ledger, transaction identifiers, purchase historyPersonal data
Technical & usage dataDevice type, app version, crash/diagnostic logs, timestamps of inference requestsPersonal data

We do not intentionally collect special categories of data beyond the photographs and derived data described above, and we do not request religious, political, health, or financial-instrument data.

5. Photographs Are Sensitive / Biometric Data

We classify the face and body photographs you upload, the try-on images generated from them, and the garment images you upload, as sensitive personal data of a biometric nature. Facial images in particular can constitute biometric data capable of uniquely identifying you.

We apply the highest (sensitive-data) protection standard to ALL users and ALL photographs, regardless of the user's country of residence and regardless of whether a given jurisdiction would technically classify the data as "sensitive", "special-nature", or "biometric." This means heightened consent, minimized retention, restricted access, and additional transfer safeguards as described below.

5.1 Data Protection Impact Assessment (DPIA)

Because we conduct large-scale processing of sensitive biometric data, we have carried out — and maintain on a living basis — a Data Protection Impact Assessment (DPIA) that identifies the risks of this processing to your rights and freedoms and the measures adopted to mitigate them (consistent with Article 35 GDPR and good practice under the UAE PDPL and KSA PDPL). The DPIA is reviewed whenever processing or sub-processors materially change.

6. Lawful Basis: Explicit, Granular, Withdrawable Consent

Our lawful basis for processing your face and body photographs, garment images, and generated try-on images is your explicit consent, obtained in compliance with UAE PDPL, KSA PDPL, Qatar Law 13/2016, Egypt Law 151/2020, Bahrain PDPA, and Kuwait CITRA regulations.

This consent is:

For non-sensitive data (account, purchase, technical data), our lawful bases are performance of a contract (providing the Service you signed up for) and our legitimate interests in operating, securing, and improving the App, as well as compliance with legal obligations.

7. How and Why We Use Your Data

PurposeData usedLawful basis
Generate AI virtual try-on imagesFace/body photos, garment imagesExplicit consent
Generate an AI model of you for repeated try-onsFace/body photosExplicit consent
Optional image enhancement of resultsGenerated try-on imagesExplicit consent
Automated content-safety / Trust & Safety scanning of uploaded and generated images to detect and block prohibited content (nudity, sexual content, imagery of minors, and other illegal or abusive content)Face/body photos, garment images, generated images, content-safety signalsExplicit consent + legal obligation (child-protection) + legitimate interest (platform safety)
Create and authenticate your accountEmail, user IDContract
Manage subscriptions, credits, and IAPPurchase/subscription data, user IDContract
Prevent fraud, abuse, and secure the ServiceTechnical/usage data, user IDLegitimate interest / legal obligation
Provide customer supportAccount data, relevant logsContract / legitimate interest
Comply with legal and regulatory obligationsAs requiredLegal obligation

We do not use your data for behavioral advertising, and we do not sell your personal data.

7.1 No Automated Decisions With Legal or Significant Effects

The generation of a try-on image is an automated process, but it does not constitute automated decision-making producing legal effects concerning you or similarly significantly affecting you within the meaning of Article 22 GDPR and equivalent MENA provisions. Automated content-safety scanning may block a specific upload or output, and you may contact us to have any such action reviewed by a human.

8. Processing Photographs of Other People

You may only upload a photograph that depicts another person if that person is an adult who has given you their explicit, informed consent to upload and process their image through the Service. When you upload such a photograph, you act as the source of that person's image and you represent to us that you hold their consent; we rely on your representation.

The depicted person is also a data subject and has the same rights described in Section 13. If you are a person depicted in an image uploaded by another user and you wish to exercise your rights — including erasure of your image — contact us at privacy@miraya.app and we will act on your request, including by deleting the relevant images and instructing our processors accordingly.

9. Processors, Sub-Processors, and the Countries They Operate In

To deliver the Service we share data with the following processors and sub-processors. Each processes data only on our documented instructions, under a written data processing agreement (DPA). Photographs are processed on our servers and transmitted to the AI processors below — try-on generation is performed server-side and your images leave your device for this purpose.

ProcessorRoleData sharedLocation / Country
FASHN AIAI virtual try-on generation and AI model generationFace/body photos, garment images, generated resultsUnited States of America
Replicate (optional)AI image enhancement of generated resultsGenerated try-on imagesUnited States of America
SupabaseAuthentication, database (Postgres), and storageAccount data, purchase data, photo/result storage, ledgerEuropean Union (Frankfurt, Germany)
RevenueCatSubscription and IAP managementPurchase/subscription data, user IDUnited States of America
Apple (App Store) / Google (Play)Payment processing and IAP billingTransaction dataUnited States of America / global

Important transfer notice: FASHN AI, Replicate, RevenueCat, Apple, and Google are located in or operate from the United States, and Supabase hosts our core infrastructure in the European Union. None of these countries is currently on the "adequate jurisdiction" whitelist maintained by the relevant MENA data protection authorities (e.g., the UAE Data Office, SDAIA in KSA). We therefore rely on appropriate safeguards and your separate explicit consent for cross-border transfers, as described in Section 10.

We do not share your face/body photographs, garment images, or generated try-on images with any party other than the processors named above for the purposes stated. We do not disclose them to advertisers, data brokers, or unrelated third parties.

9.1 Notification of New Sub-Processors

We maintain the list above as our current set of processors. If we engage a new sub-processor that will process your photographs or other personal data — particularly one that changes the countries to which your data is transferred — we will notify you in-app before the change takes effect and, where the change affects sensitive-data processing or cross-border transfer, request renewed consent. Copies of our DPAs and the Standard Contractual Clauses we rely on are available on request from our DPO.

10. Cross-Border (International) Data Transfers

Because your photographs and other data are transferred outside the MENA region (principally to the United States and the European Union), the following safeguards apply:

If you withdraw your consent to international transfer, we can no longer provide the AI try-on feature, because the generation is performed by processors located outside MENA.

11. No AI Model Training — Single-Use for Inference

We give you the following firm assurance regarding your photographs:

12. Data Retention — Specific Periods

We retain personal data only for as long as needed for the purpose for which it was collected, using the following concrete schedule:

DataRetention period
Source face/body photographsRetained only for the duration of the inference request and deleted as soon as the result is delivered, and in no case later than 24 hours after upload. We instruct our AI processors to delete the input immediately after returning the result.
Garment uploadsAutomatically deleted approximately 72 hours after upload.
Generated try-on results (unsaved)Automatically deleted 48 hours after generation.
Generated try-on results (saved by you)Retained until you delete them (via in-app delete or "Delete all my data").
Account data (email, user ID)Retained for the life of your account and deleted within 30 days of account deletion, except minimal records we are legally required to keep (see purchase/ledger below).
Purchase/subscription & credit-ledger dataRetained as required for tax, accounting, and audit obligations for the statutory period applicable in the United Arab Emirates (for example, commonly approximately 5–7 years under UAE tax/commercial-records rules), then deleted or anonymized.
Technical/diagnostic logsRetained for up to 90 days for security and troubleshooting, then deleted.
Content-safety signals / moderation recordsRetained for up to 12 months to enforce our policies and to comply with legal-reporting obligations, then deleted.

Upon expiry of the applicable period, or upon your erasure request, data is deleted from active systems and from processor systems in accordance with our DPAs.

13. Your Right to Erasure and In-App Controls

You can erase your data directly inside the App:

When you use "Delete all my data", we perform a cascading deletion across all systems, removing:

  1. Your authentication user record (Supabase Auth);
  2. Your stored photographs and generated images (Supabase Storage);
  3. Your try-on records and associated metadata (database / tryon rows);
  4. Your credit ledger entries and subscription-linked records (subject to financial-record retention obligations);
  5. A deletion instruction to our AI processors to remove any residual inputs in accordance with our DPAs.

We will confirm completion of the erasure and, where law requires, inform you of any data we must retain (e.g., minimal transaction records for tax/audit) and the basis for doing so.

14. Your Data-Subject Rights

Subject to the applicable law in your jurisdiction, you have the right to:

How to exercise your rights:

We respond within the timeframe required by the applicable law (generally without undue delay, and within the statutory maximum of the relevant jurisdiction). We do not charge for legitimate requests except where permitted for manifestly unfounded or excessive requests.

15. Personal Data Breach Notification

We maintain procedures to detect, report, and investigate personal data breaches, including breaches that may occur at our processors. We contractually require FASHN AI, Replicate, Supabase, and our other processors to notify us without undue delay of any breach affecting your data so that we can meet our own notification obligations.

In the event of a personal data breach affecting your data:

16. Children — 18+ Only

Mirayti is intended exclusively for adults aged 18 and over. We do not knowingly collect or process personal data — and in particular never the photographs — of any person under the age of 18.

We enforce this through a combination of measures: (a) an age-attestation gate at sign-up requiring you to confirm you are 18 or older; (b) automated content-safety scanning of uploaded and generated images designed to detect and block imagery of minors (see Section 7), including images of children that an adult might attempt to upload; and (c) prompt deletion and, where required, reporting where we detect such content.

If we become aware that we have collected data from, or photographs of, a minor, we will delete that data promptly. If you believe a minor has provided us data, or that an image of a minor has been uploaded, contact privacy@miraya.app.

17. AI-Generated Output Disclosure

The try-on images produced by the Service are artificially generated by AI and are simulations of how a garment may appear. They may not accurately reflect real-world fit, color, texture, or proportions.

In line with transparency requirements — including Article 50 of the EU AI Act on transparency of AI-generated and manipulated content — we mark images generated by the Service as artificially generated, in a machine-readable manner (for example through metadata or watermarking), and we disclose to you within the App that these images are AI-generated. You should not represent AI-generated try-on images as genuine, unedited photographs.

18. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit, access controls, minimized retention, automated deletion of photographs and results, and contractual security obligations on our processors. No system is perfectly secure, but we work continuously to safeguard your data.

19. Supervisory Authorities

You have the right to lodge a complaint with the data protection authority in your country:

CountrySupervisory AuthorityContact / Note
United Arab EmiratesUAE Data Officeuaedataoffice.gov.ae
Saudi ArabiaSaudi Data & AI Authority (SDAIA)sdaia.gov.sa
QatarCompetent personal-data protection authority under Law 13/2016 (the Compliance and Data Protection (CDP) function within the relevant Ministry)Contact details as published by the competent Ministry. (The statutory body name has evolved; please verify the current authority.)
EgyptPersonal Data Protection Center (PDPC)The PDPC's full operating framework and executive regulations were still being established as of this Policy's date; a complaint route may not yet be fully operational.
BahrainPersonal Data Protection Authority (under the PDPA)Contact details as published by the competent Bahraini authority.
KuwaitCommunication and Information Technology Regulatory Authority (CITRA)citra.gov.kw

We encourage you to contact us first at privacy@miraya.app so we can try to resolve your concern directly.

20. Versioned, Timestamped Consent Records

We maintain a versioned, timestamped record of every consent you provide and every consent you withdraw, including the date and time, the version of this Privacy Policy and consent text in force at that moment, and the specific scopes you agreed to or revoked (sensitive-data processing, content-safety scanning, and/or cross-border transfer). These records allow us to demonstrate the validity of your consent and to prove that we honored your withdrawal at a specific point in time. When this Policy or the consent text changes materially, we will request renewed consent and record the new version.

21. Changes to This Policy

We may update this Policy from time to time. When we make material changes — especially changes affecting sensitive-data processing, sub-processors, or transfers — we will notify you in-app and, where required, request renewed consent. The "Last updated" date and version number at the top reflect the current version.

22. Language

This Privacy Policy and the in-app consent text are provided in both Arabic and English. As Mirayti is an Arabic-first service for the MENA region, the Arabic version is made available so that your consent is genuinely informed. Where a conflict arises between the two versions, the Arabic version governs for users resident in jurisdictions whose law requires it; otherwise the English version governs, unless applicable local law provides otherwise.

23. Contact Us

Mirayti — operated by an individual developer
Email: privacy@miraya.app
Location: the United Arab Emirates