Legal

Privacy Policy

Last updated: June 2026

1. Data Controller

The platform Mirrovo is operated by YAMPA MEDIA, a simplified joint-stock company (SAS) registered in France under SIREN 910 581 172, with its registered office at 135 avenue Gaston Roussel, 93230 Romainville, France ("YAMPA MEDIA", "we", "us", "our"). YAMPA MEDIA is the data controller for personal data collected directly through this platform. For any questions relating to this Privacy Policy, contact us at team@mirrovo.com.

2. Data We Collect

We collect information you provide directly when creating an account or subscribing to a plan: name, work email address, company name, and billing details. We also collect usage data (pages visited, features used, session duration) to improve the platform. We do not collect the content of survey responses — these are anonymised at the point of collection and cannot be linked to any individual.

3. Survey Invitations & Our Role as Data Processor

When you use Mirrovo to send survey invitations, you act as the data controller for the participant email addresses you provide and are solely responsible for ensuring you have a lawful basis to contact each participant under the GDPR or other applicable law. YAMPA MEDIA acts solely as a data processor (within the meaning of GDPR Article 4(8) and Article 28) in respect of those participant email addresses, processing them exclusively on your documented instructions to deliver survey invitations and reminders. YAMPA MEDIA assumes no liability for survey invitations sent by customers without a valid lawful basis. Survey responses themselves are anonymised at the point of collection: we store only a completion flag (so you know who responded) — the content of each response is fully de-identified and cannot be linked to any individual, not even by us.

4. Legal Bases for Processing (GDPR Article 6)

We process account and billing data on the basis of contract performance (Article 6(1)(b)) — to fulfil your subscription and deliver the service. We process usage and log data on the basis of legitimate interests (Article 6(1)(f)) — to improve the platform, prevent fraud, and maintain security. We process your email address for marketing communications only where you have given consent (Article 6(1)(a)), which you may withdraw at any time without affecting the lawfulness of prior processing.

5. Data Hosting & Security

All customer and account data is hosted on Supabase infrastructure with data centres located in Frankfurt, Germany (European Union). Data never leaves the European Economic Area (EEA). We use industry-standard encryption in transit (TLS 1.2+) and at rest. Access to personal data is restricted to authorised personnel on a strict need-to-know basis.

6. Data Retention

We retain account and billing data for the duration of your active subscription plus 90 days following account closure, except where we are required to retain it for legal or tax obligations (financial records are retained for 10 years under French law). Anonymised survey aggregates — which cannot be linked to any individual — may be retained indefinitely for statistical purposes.

7. Your Rights Under GDPR (Articles 15–22)

You have the right to: (a) access your personal data and receive a copy; (b) rectify inaccurate or incomplete data; (c) erase your data ("right to be forgotten") where no overriding legal basis exists; (d) restrict processing in certain circumstances; (e) receive your data in a portable, machine-readable format; (f) object to processing based on legitimate interests; (g) withdraw consent at any time without affecting prior processing. To exercise any of these rights, contact team@mirrovo.com. If you believe your rights have not been respected, you may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection supervisory authority, at www.cnil.fr.

8. Sub-Processors

We engage the following third-party sub-processors to operate the service: (a) Supabase, Inc. — database hosting and file storage, servers located in Germany (EU); (b) Stripe, Inc. — payment processing, operating under Standard Contractual Clauses with EU data residency options; (c) Transactional email provider — for delivering survey invitations, reminders, and account notifications within the EU. All sub-processors are bound by data processing agreements and provide appropriate technical and organisational safeguards required by GDPR Article 28.

9. Cookies

We use only strictly necessary, essential cookies to maintain your authenticated session and ensure the platform functions correctly. We do not use third-party advertising, analytics, or tracking cookies. You may control cookie settings through your browser, but disabling session cookies will prevent you from using the authenticated areas of the platform.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in law, our data practices, or our services. We will notify you of material changes by email at least 30 days before they take effect, or by a prominent notice on the platform. The date of the last update is shown at the top of this page. Continued use of Mirrovo after the effective date of any changes constitutes acceptance of the updated policy.