Mirayti Privacy Policy
Last updated: 31 May 2026
Version: 1.0
1. Introduction
This Privacy Policy explains how Mirayti (مرايتي) ("Mirayti", "we", "us", or "our") collects, uses, discloses, transfers, retains, and protects your personal data when you use the Mirayti mobile application and related services (the "App" or "Service").
Mirayti is an AI-powered virtual try-on application for modest fashion, designed primarily for users in the Middle East and North Africa (MENA) and Gulf region. The App allows you to upload photographs of your face and body so that artificial intelligence can generate images showing how garments may look on you.
Because the App processes photographs of your face and body — which we treat as sensitive and biometric personal data — please read this Policy carefully before using the Service. We will not process these photographs without your explicit, separate, and freely given consent, captured through a dedicated in-app consent screen before any photograph leaves your device.
This Policy is designed to comply with the data protection laws of the jurisdictions in which our users are located, including:
- United Arab Emirates — Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).
- Kingdom of Saudi Arabia — Personal Data Protection Law (PDPL) and its Implementing Regulations, administered by the Saudi Data and Artificial Intelligence Authority (SDAIA).
- State of Qatar — Law No. 13 of 2016 concerning Personal Data Privacy Protection.
- Arab Republic of Egypt — Law No. 151 of 2020 on the Protection of Personal Data.
- Kingdom of Bahrain — Law No. 30 of 2018 (Personal Data Protection Law / PDPA).
- State of Kuwait — CITRA Data Privacy Protection Regulation.
Where the EU General Data Protection Regulation (GDPR) or the EU AI Act applies to processing carried out by our infrastructure providers, we apply equivalent safeguards.
2. Data Controller and Privacy Contact
Data Controller
Mirayti, operated by an individual developer (Mirayti is not a registered company).
Jurisdiction: the United Arab Emirates
Contact email: privacy@miraya.app
The Controller determines the purposes and means of processing your personal data and is responsible for this processing under the applicable laws listed above.
Privacy Contact
Mirayti is operated by an individual developer, so a separate Data Protection Officer has not been appointed. Mirayti is responsible for data protection and is the designated contact for data subjects and supervisory authorities.
Privacy contact: Mirayti
Email: privacy@miraya.app
You may contact us at any time to exercise your rights, withdraw consent, raise a concern, or ask questions about this Policy.
3. How We Collect Your Data and Its Sources
We collect personal data directly from you when you create an account, grant the App access to your device camera or photo library, upload photographs, request a try-on, or contact support. Photographs are collected only through the camera or photo-library permissions you grant on your device; we do not access your camera or photos without that permission and without your action.
We also receive a limited amount of data from third parties in connection with your use of the App, namely: purchase, subscription-status, and transaction identifiers from Apple, Google, and RevenueCat (we do not receive your full payment-card details, which are handled by the app stores). We do not buy personal data about you from data brokers.
4. Categories of Personal Data We Process
| Category | Examples | Classification |
|---|---|---|
| Face photographs | Images of your face uploaded for try-on / AI model generation | Sensitive / biometric personal data |
| Body photographs | Images of your body uploaded for try-on / AI model generation | Sensitive / biometric personal data |
| Generated try-on images | AI-generated images derived from your face/body photos and a garment | Sensitive / biometric personal data (derived) |
| Garment images | Photos of clothing you upload to try on | Treated to the sensitive-data standard (because such images may incidentally reveal you, another person, or your surroundings) |
| Content-safety signals | Automated indicators generated when scanning uploaded and generated images for prohibited content (e.g., nudity, minors, illegal content) | Sensitive (derived from photographs) |
| Account data | Email address, user ID (UID), authentication identifiers | Personal data |
| Purchase & subscription data | Subscription tier (Starter / PRO), credit balance and ledger, transaction identifiers, purchase history | Personal data |
| Technical & usage data | Device type, app version, crash/diagnostic logs, timestamps of inference requests | Personal data |
We do not intentionally collect special categories of data beyond the photographs and derived data described above, and we do not request religious, political, health, or financial-instrument data.
5. Photographs Are Sensitive / Biometric Data
We classify the face and body photographs you upload, the try-on images generated from them, and the garment images you upload, as sensitive personal data of a biometric nature. Facial images in particular can constitute biometric data capable of uniquely identifying you.
We apply the highest (sensitive-data) protection standard to ALL users and ALL photographs, regardless of the user's country of residence and regardless of whether a given jurisdiction would technically classify the data as "sensitive", "special-nature", or "biometric." This means heightened consent, minimized retention, restricted access, and additional transfer safeguards as described below.
5.1 Data Protection Impact Assessment (DPIA)
Because we conduct large-scale processing of sensitive biometric data, we have carried out — and maintain on a living basis — a Data Protection Impact Assessment (DPIA) that identifies the risks of this processing to your rights and freedoms and the measures adopted to mitigate them (consistent with Article 35 GDPR and good practice under the UAE PDPL and KSA PDPL). The DPIA is reviewed whenever processing or sub-processors materially change.
6. Lawful Basis: Explicit, Granular, Withdrawable Consent
Our lawful basis for processing your face and body photographs, garment images, and generated try-on images is your explicit consent, obtained in compliance with UAE PDPL, KSA PDPL, Qatar Law 13/2016, Egypt Law 151/2020, Bahrain PDPA, and Kuwait CITRA regulations.
This consent is:
- Explicit — collected through a clear, affirmative action (a dedicated in-app consent screen with an unticked checkbox), separate from a general "I agree" button, and presented before any photograph leaves your device.
- Granular — you separately consent to (a) processing your photographs for AI try-on, (b) automated content-safety scanning of your images (see Section 7), and (c) the cross-border transfer of your photographs to processors located outside MENA (see Section 9). Each can be granted or refused independently.
- NOT bundled — consent to sensitive-data processing is not combined with, or buried inside, our Terms of Service or any other agreement. Accepting the Terms of Service does not constitute consent to process your photographs. The in-app consent screen is the sole operative consent mechanism.
- Informed — presented alongside plain-language information about who processes the data, where, and for how long.
- Freely given and withdrawable — you may refuse without losing access to non-photo features that do not require it, and you may withdraw consent at any time (see Sections 10 and 11). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
For non-sensitive data (account, purchase, technical data), our lawful bases are performance of a contract (providing the Service you signed up for) and our legitimate interests in operating, securing, and improving the App, as well as compliance with legal obligations.
7. How and Why We Use Your Data
| Purpose | Data used | Lawful basis |
|---|---|---|
| Generate AI virtual try-on images | Face/body photos, garment images | Explicit consent |
| Generate an AI model of you for repeated try-ons | Face/body photos | Explicit consent |
| Optional image enhancement of results | Generated try-on images | Explicit consent |
| Automated content-safety / Trust & Safety scanning of uploaded and generated images to detect and block prohibited content (nudity, sexual content, imagery of minors, and other illegal or abusive content) | Face/body photos, garment images, generated images, content-safety signals | Explicit consent + legal obligation (child-protection) + legitimate interest (platform safety) |
| Create and authenticate your account | Email, user ID | Contract |
| Manage subscriptions, credits, and IAP | Purchase/subscription data, user ID | Contract |
| Prevent fraud, abuse, and secure the Service | Technical/usage data, user ID | Legitimate interest / legal obligation |
| Provide customer support | Account data, relevant logs | Contract / legitimate interest |
| Comply with legal and regulatory obligations | As required | Legal obligation |
We do not use your data for behavioral advertising, and we do not sell your personal data.
7.1 No Automated Decisions With Legal or Significant Effects
The generation of a try-on image is an automated process, but it does not constitute automated decision-making producing legal effects concerning you or similarly significantly affecting you within the meaning of Article 22 GDPR and equivalent MENA provisions. Automated content-safety scanning may block a specific upload or output, and you may contact us to have any such action reviewed by a human.
8. Processing Photographs of Other People
You may only upload a photograph that depicts another person if that person is an adult who has given you their explicit, informed consent to upload and process their image through the Service. When you upload such a photograph, you act as the source of that person's image and you represent to us that you hold their consent; we rely on your representation.
The depicted person is also a data subject and has the same rights described in Section 13. If you are a person depicted in an image uploaded by another user and you wish to exercise your rights — including erasure of your image — contact us at privacy@miraya.app and we will act on your request, including by deleting the relevant images and instructing our processors accordingly.
9. Processors, Sub-Processors, and the Countries They Operate In
To deliver the Service we share data with the following processors and sub-processors. Each processes data only on our documented instructions, under a written data processing agreement (DPA). Photographs are processed on our servers and transmitted to the AI processors below — try-on generation is performed server-side and your images leave your device for this purpose.
| Processor | Role | Data shared | Location / Country |
|---|---|---|---|
| FASHN AI | AI virtual try-on generation and AI model generation | Face/body photos, garment images, generated results | United States of America |
| Replicate (optional) | AI image enhancement of generated results | Generated try-on images | United States of America |
| Supabase | Authentication, database (Postgres), and storage | Account data, purchase data, photo/result storage, ledger | European Union (Frankfurt, Germany) |
| RevenueCat | Subscription and IAP management | Purchase/subscription data, user ID | United States of America |
| Apple (App Store) / Google (Play) | Payment processing and IAP billing | Transaction data | United States of America / global |
Important transfer notice: FASHN AI, Replicate, RevenueCat, Apple, and Google are located in or operate from the United States, and Supabase hosts our core infrastructure in the European Union. None of these countries is currently on the "adequate jurisdiction" whitelist maintained by the relevant MENA data protection authorities (e.g., the UAE Data Office, SDAIA in KSA). We therefore rely on appropriate safeguards and your separate explicit consent for cross-border transfers, as described in Section 10.
We do not share your face/body photographs, garment images, or generated try-on images with any party other than the processors named above for the purposes stated. We do not disclose them to advertisers, data brokers, or unrelated third parties.
9.1 Notification of New Sub-Processors
We maintain the list above as our current set of processors. If we engage a new sub-processor that will process your photographs or other personal data — particularly one that changes the countries to which your data is transferred — we will notify you in-app before the change takes effect and, where the change affects sensitive-data processing or cross-border transfer, request renewed consent. Copies of our DPAs and the Standard Contractual Clauses we rely on are available on request from our DPO.
10. Cross-Border (International) Data Transfers
Because your photographs and other data are transferred outside the MENA region (principally to the United States and the European Union), the following safeguards apply:
- Separate explicit consent. We obtain your distinct, granular consent to the international transfer of your sensitive photographs at the in-app consent screen, separately from your consent to process them.
- Contractual safeguards. Each processor is bound by a Data Processing Agreement incorporating Standard Contractual Clauses (SCCs) or equivalent contractual protections requiring confidentiality, security, purpose limitation, and onward-transfer restrictions. Copies are available on request (Section 9.1).
- United Arab Emirates. As no processor country is currently designated by the UAE as providing an adequate level of protection, we rely on the contract-and-consent basis under Articles 22–23 of the UAE PDPL: transfers are made under appropriate contractual safeguards (SCCs/DPAs) and with your explicit consent.
- Kingdom of Saudi Arabia. Where KSA PDPL applies, we conduct a Transfer Risk Assessment (TRA) prior to transferring personal data outside the Kingdom and apply the safeguards required by SDAIA.
- Egypt. Egypt's Law 151/2020 requires a cross-border transfer license from the Personal Data Protection Center (PDPC). The core AI try-on feature cannot function without transferring your images outside Egypt. Until the required PDPC licensing framework is operational and the license is obtained, we either (a) do not offer the cross-border AI try-on feature to users we identify as resident in Egypt, or (b) where the framework permits, rely on your explicit consent as an interim transfer basis; we will update this Policy when the PDPC licensing regime becomes fully operational.
- Qatar. Where Qatar Law 13/2016 applies, transfers of special-nature personal data require prior permission, and we will not transfer such data outside Qatar without meeting that requirement. We also provide the processing notifications required to the competent Qatari authority where applicable.
- Kuwait. Where CITRA regulations apply, we provide the required transfer notification and follow CITRA's cross-border data transfer conditions.
- European Union (Supabase). Although Supabase hosts data within the EU, the EU is not automatically treated as an adequate jurisdiction by all MENA authorities; we therefore apply the same contract-and-consent safeguards to the EU transfer as we do to the US transfers described above.
If you withdraw your consent to international transfer, we can no longer provide the AI try-on feature, because the generation is performed by processors located outside MENA.
11. No AI Model Training — Single-Use for Inference
We give you the following firm assurance regarding your photographs:
- Your face and body photographs are used on a single-use, per-request basis for inference only — that is, solely to generate the try-on or model images you request.
- Your photographs are NEVER used to train, fine-tune, or improve any AI model, whether ours or a processor's.
- Your photographs and generated images are not shared, sold, licensed, or disclosed to any party beyond the named processors in Section 9, and only for the purpose of fulfilling your request.
- We contractually require our AI processors (FASHN AI, Replicate) to refrain from using your images for model training and to delete inputs after processing.
12. Data Retention — Specific Periods
We retain personal data only for as long as needed for the purpose for which it was collected, using the following concrete schedule:
| Data | Retention period |
|---|---|
| Source face/body photographs | Retained only for the duration of the inference request and deleted as soon as the result is delivered, and in no case later than 24 hours after upload. We instruct our AI processors to delete the input immediately after returning the result. |
| Garment uploads | Automatically deleted approximately 72 hours after upload. |
| Generated try-on results (unsaved) | Automatically deleted 48 hours after generation. |
| Generated try-on results (saved by you) | Retained until you delete them (via in-app delete or "Delete all my data"). |
| Account data (email, user ID) | Retained for the life of your account and deleted within 30 days of account deletion, except minimal records we are legally required to keep (see purchase/ledger below). |
| Purchase/subscription & credit-ledger data | Retained as required for tax, accounting, and audit obligations for the statutory period applicable in the United Arab Emirates (for example, commonly approximately 5–7 years under UAE tax/commercial-records rules), then deleted or anonymized. |
| Technical/diagnostic logs | Retained for up to 90 days for security and troubleshooting, then deleted. |
| Content-safety signals / moderation records | Retained for up to 12 months to enforce our policies and to comply with legal-reporting obligations, then deleted. |
Upon expiry of the applicable period, or upon your erasure request, data is deleted from active systems and from processor systems in accordance with our DPAs.
13. Your Right to Erasure and In-App Controls
You can erase your data directly inside the App:
- "Withdraw consent & delete photos" — immediately revokes your consent to sensitive-data processing and triggers deletion of your face/body photographs and associated generated images.
- "Delete all my data" — initiates and completes full account deletion directly in the App. You do not need to email us, and account deletion is not a mere deactivation: it permanently deletes your account and associated data as set out below.
When you use "Delete all my data", we perform a cascading deletion across all systems, removing:
- Your authentication user record (Supabase Auth);
- Your stored photographs and generated images (Supabase Storage);
- Your try-on records and associated metadata (database /
tryonrows); - Your credit ledger entries and subscription-linked records (subject to financial-record retention obligations);
- A deletion instruction to our AI processors to remove any residual inputs in accordance with our DPAs.
We will confirm completion of the erasure and, where law requires, inform you of any data we must retain (e.g., minimal transaction records for tax/audit) and the basis for doing so.
14. Your Data-Subject Rights
Subject to the applicable law in your jurisdiction, you have the right to:
- Access — obtain confirmation of, and a copy of, the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data (see Section 13).
- Objection — object to processing based on legitimate interests.
- Restriction — request that we limit processing in certain circumstances.
- Portability — receive your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Withdraw consent — withdraw your consent to sensitive-data processing and/or cross-border transfer at any time, without affecting the lawfulness of prior processing.
How to exercise your rights:
- In-app: use the Privacy & Data section in Settings — including "Delete all my data" and "Withdraw consent & delete photos", and request access/portability.
- By email: privacy@miraya.app.
We respond within the timeframe required by the applicable law (generally without undue delay, and within the statutory maximum of the relevant jurisdiction). We do not charge for legitimate requests except where permitted for manifestly unfounded or excessive requests.
15. Personal Data Breach Notification
We maintain procedures to detect, report, and investigate personal data breaches, including breaches that may occur at our processors. We contractually require FASHN AI, Replicate, Supabase, and our other processors to notify us without undue delay of any breach affecting your data so that we can meet our own notification obligations.
In the event of a personal data breach affecting your data:
- We will notify the competent supervisory authority within the timeframe required by the applicable law. Several MENA laws require notification without undue delay, and where the relevant framework applies a 72-hour benchmark (as under the GDPR and certain MENA regimes) we will aim to notify within 72 hours of becoming aware of the breach. Some jurisdictions (for example, under KSA PDPL) prescribe their own specific timelines, which we will follow where they apply.
- Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected data subjects without undue delay and, in any event, as soon as reasonably practicable, providing information on the nature of the breach, likely consequences, and mitigation measures.
16. Children — 18+ Only
Mirayti is intended exclusively for adults aged 18 and over. We do not knowingly collect or process personal data — and in particular never the photographs — of any person under the age of 18.
We enforce this through a combination of measures: (a) an age-attestation gate at sign-up requiring you to confirm you are 18 or older; (b) automated content-safety scanning of uploaded and generated images designed to detect and block imagery of minors (see Section 7), including images of children that an adult might attempt to upload; and (c) prompt deletion and, where required, reporting where we detect such content.
If we become aware that we have collected data from, or photographs of, a minor, we will delete that data promptly. If you believe a minor has provided us data, or that an image of a minor has been uploaded, contact privacy@miraya.app.
17. AI-Generated Output Disclosure
The try-on images produced by the Service are artificially generated by AI and are simulations of how a garment may appear. They may not accurately reflect real-world fit, color, texture, or proportions.
In line with transparency requirements — including Article 50 of the EU AI Act on transparency of AI-generated and manipulated content — we mark images generated by the Service as artificially generated, in a machine-readable manner (for example through metadata or watermarking), and we disclose to you within the App that these images are AI-generated. You should not represent AI-generated try-on images as genuine, unedited photographs.
18. Data Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit, access controls, minimized retention, automated deletion of photographs and results, and contractual security obligations on our processors. No system is perfectly secure, but we work continuously to safeguard your data.
19. Supervisory Authorities
You have the right to lodge a complaint with the data protection authority in your country:
| Country | Supervisory Authority | Contact / Note |
|---|---|---|
| United Arab Emirates | UAE Data Office | uaedataoffice.gov.ae |
| Saudi Arabia | Saudi Data & AI Authority (SDAIA) | sdaia.gov.sa |
| Qatar | Competent personal-data protection authority under Law 13/2016 (the Compliance and Data Protection (CDP) function within the relevant Ministry) | Contact details as published by the competent Ministry. (The statutory body name has evolved; please verify the current authority.) |
| Egypt | Personal Data Protection Center (PDPC) | The PDPC's full operating framework and executive regulations were still being established as of this Policy's date; a complaint route may not yet be fully operational. |
| Bahrain | Personal Data Protection Authority (under the PDPA) | Contact details as published by the competent Bahraini authority. |
| Kuwait | Communication and Information Technology Regulatory Authority (CITRA) | citra.gov.kw |
We encourage you to contact us first at privacy@miraya.app so we can try to resolve your concern directly.
20. Versioned, Timestamped Consent Records
We maintain a versioned, timestamped record of every consent you provide and every consent you withdraw, including the date and time, the version of this Privacy Policy and consent text in force at that moment, and the specific scopes you agreed to or revoked (sensitive-data processing, content-safety scanning, and/or cross-border transfer). These records allow us to demonstrate the validity of your consent and to prove that we honored your withdrawal at a specific point in time. When this Policy or the consent text changes materially, we will request renewed consent and record the new version.
21. Changes to This Policy
We may update this Policy from time to time. When we make material changes — especially changes affecting sensitive-data processing, sub-processors, or transfers — we will notify you in-app and, where required, request renewed consent. The "Last updated" date and version number at the top reflect the current version.
22. Language
This Privacy Policy and the in-app consent text are provided in both Arabic and English. As Mirayti is an Arabic-first service for the MENA region, the Arabic version is made available so that your consent is genuinely informed. Where a conflict arises between the two versions, the Arabic version governs for users resident in jurisdictions whose law requires it; otherwise the English version governs, unless applicable local law provides otherwise.
23. Contact Us
Mirayti — operated by an individual developer
Email: privacy@miraya.app
Location: the United Arab Emirates