Privacy Policy

Last updated: April 27, 2026

Mirra World, Inc. (“we,” “us,” “our”) operates Clo, an AI companion accessible via Telegram and iOS. This policy explains what data we collect, how we use it, and your rights.

1. Information We Collect

Information you provide:

• Account information: your Telegram user ID or Apple ID, and timezone
• Messages: everything you send to Clo
• Photos: images you send to Clo. We do not use your photos for facial recognition or biometric identification.
• Onboarding responses: whether you have a support network (yes/no)

Information we derive:

• Conversation summaries and facts extracted from your messages (e.g., your name, interests, life details you share with Clo)
• Safety signals: we scan messages for signs of distress to surface crisis resources when needed
• Personalization signals derived from your conversations to adapt Clo’s responses

Information collected automatically:

• Device tokens for push notifications (iOS)
• Usage data: daily message and photo counts
• Subscription data: your subscription tier and billing period. Payment details (card number, billing address) are collected and stored by Stripe — we never see or store them.

2. How We Use Your Information

• To operate Clo: your messages and photos are processed by AI models to generate responses, and stored to maintain conversation continuity
• To maintain Clo’s memory: we extract and store facts from your conversations so Clo remembers what you’ve shared
• To keep you safe: we scan for distress signals and surface crisis resources when needed
• To manage your subscription and enforce usage limits
• To deliver push notifications

3. Third-Party Services

Your messages and photos are sent to third-party AI providers for processing. We currently use:

• Moonshot AI (Kimi)— AI provider, based in China. Your messages and photos may be transmitted to Moonshot AI’s servers for processing. For EU/EEA users, this transfer is governed by Standard Contractual Clauses (SCCs).
• Anthropic— AI provider, based in the US
• Black Forest Labs (BFL)— AI image generation, based in Germany
• OpenAI— AI image generation, based in the US

These providers process your data solely to operate Clo. We do not sell or share your personal information for cross-context behavioral advertising. We disclose personal information to service providers solely for the purpose of operating Clo.

We also use:

• Stripe— payment processing. Stripe collects and stores your payment details directly. We receive only your subscription status and billing period. See Stripe’s privacy policy.
• Supabase— database hosting (PostgreSQL, US-based)
• Railway— application hosting
• Vercel— website hosting
• Apple— authentication and subscription management (iOS)
• Telegram— message delivery (beta)
• Sentry— error monitoring. May receive anonymized technical context (not message content) when errors occur.

4. Data Retention

• Your messages and conversation history are retained for as long as your account is active and deleted within 30 days of account deletion
• Older messages are summarized into compressed narratives; the original messages are also retained in our database
• Anonymized usage data may be retained for up to 2 years for product improvement
• Operational logs (AI model call records, image generation records) are retained for up to 2 years for debugging and product improvement, then deleted
• Safety event records are retained indefinitely for legal compliance

5. Data Security

• All data is encrypted at rest and in transit (TLS)
• Database access is controlled via row-level security policies
• Messages are not end-to-end encrypted — server-side processing is required for the AI to function

6. Your Rights

California residents (CCPA/CPRA):

• Right to know what personal information we collect and how we use it
• Right to delete your personal information
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information
• Right to limit use of sensitive personal information — your conversations with Clo may contain sensitive personal information such as details about your health, emotional state, or relationships. You have the right to limit our use of this information to what is necessary to provide the service.
• Right to non-discrimination — we will not discriminate against you for exercising your privacy rights

To exercise your California privacy rights, email contact@heyclo.app. We will verify your identity and respond within 45 days.

EU/EEA residents (GDPR):

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to data portability
• Right to restrict or object to processing

We process your data on the basis of contractual necessity (performing the service you agreed to in our Terms of Service) and, where required for sensitive data, your consent. Your messages and photos are transmitted to Moonshot AI in China for processing. This international transfer is governed by Standard Contractual Clauses (SCCs) and is necessary to provide the service. You may contact us to request a copy of the applicable SCCs.

7. Automated Profiling

Clo uses automated processing to personalize your experience. This does not produce legal or similarly significant effects. You may contact us to object to this processing.

All users:

• You can delete your account at any time through the app or by contacting us
• You can request a copy of your data by contacting us

8. Children’s Privacy

Clo is not intended for anyone under 18. We do not knowingly collect information from anyone under 18. If we learn we have collected information from someone under 18, we will delete it promptly.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes through the app or by updating the date at the top of this page.

10. Contact

If you have questions about this policy, contact us at contact@heyclo.app.