Mira Privacy Policy

Effective Date: March 1, 2026 Last Updated: April 24, 2026

1. Overview

Mira ("Mira," "we," "us," or "our") is an AI-powered talent sourcing platform designed for recruiters, talent acquisition professionals, and hiring teams ("Users"). This Privacy Policy explains how we collect, use, share, and protect personal information in connection with our services at mira.day.

This Policy covers two categories of individuals:

Users — Recruiters and talent acquisition professionals who register for and use the Mira platform.
Talent (Candidates) — Individuals whose professional information appears within Mira as part of our sourcing features. Candidates typically have not directly registered with Mira; their data is sourced from third-party data providers and publicly available sources.

If you are a Candidate and have questions about your data or wish to exercise your rights, please contact us at .

By accessing or using Mira, you acknowledge that you have read and understood this Privacy Policy.

2. What We Collect

2.1 Information About You (Users)

When you register for or use Mira, we collect:

Account Information: Name, email address, company name, job title.
Authentication Data: Login credentials (passwords are hashed; we do not store plaintext passwords).
Usage Data: Features accessed, tasks created, search queries (anonymized where possible), interaction logs, and session data.
Preference and Memory Data: Saved searches, filters, notes, and AI-generated summaries you create within the platform.
Communications: Messages you send to our support team.

Credit System and Billing: Mira uses a Credit-based system to meter usage of platform features (including AI model usage, talent searches, contact information retrieval, and sandbox operations). During the current trial period, Credits are provided free of charge and we do not collect payment card or banking information. When our pricing structure is finalized, we will collect only the minimum necessary payment information through compliant third-party payment processors and update this Policy accordingly.

2.2 Information About Candidates

As part of our talent sourcing features, Mira processes the following categories of candidate data:

Identification and Employment Data: Full name, current and past job titles, employer names.
Contact Information: Business email addresses, phone numbers (where publicly available or licensed from data providers).
Work History: Employment timeline, industry, location (city/country level).
Education: Degree, institution (where publicly available).
Public Profile Links: LinkedIn profile URL or other professional profile identifiers.

We do not intentionally collect or process sensitive categories of personal data (e.g., health data, racial or ethnic origin, political opinions, religious beliefs, sexual orientation) about candidates. If any such information appears in publicly indexed content, it is not used by Mira.

2.3 Technical and Device Data

Log Data: IP address, browser type, operating system, pages visited, timestamps.
Device Information: Device type, screen resolution (for UI optimization).
Cookies and Similar Technologies: See Section 11 for details.

2.4 Mira Chrome Extension Data Collection

When you enable the Mira Chrome Extension feature, Mira collects the following additional data through the browser extension:

Page Content: Text and visual content of web pages you visit while Mira Chrome Extension is active, including content behind login sessions.
Screenshots: Visual snapshots of browser tabs captured to enable AI understanding and task execution.
URLs and Navigation Data: Web addresses visited, click paths, and navigation history during Mira Chrome Extension sessions.
Form Data: Information you enter into web forms (excluding password fields, which are automatically masked before processing).
Operation Logs: Records of actions performed by AI on your behalf, including clicks, inputs, and page interactions.
Session Cookies: Browser session information required to maintain authenticated access to websites on your behalf.

Important: Mira Chrome Extension can access content from websites where you are logged in, which may include sensitive personal or financial information. See Section 5.5 for details on Mira Chrome Extension capabilities and data flow.

3. Sources of Information

Source	Description
Directly from Users	Information you provide during registration and use of the platform.
Apollo.io	A B2B contact intelligence platform (SOC 2 Type II certified). Apollo provides professional contact data under a Data Processing Agreement with Mira. Apollo's Privacy Policy is available at .
Exa (Metaphor Systems)	A semantic web search API. Exa indexes publicly available web content and provides structured data extracts. Exa's Privacy Policy is available at .
Public Sources	Professional social networks (e.g., LinkedIn, GitHub), company websites, public job postings, and open professional directories.
Automatically Collected	Cookies, logs, and analytics tools when you access our platform.
Mira Chrome Extension	Data collected through Mira Chrome Extension when it is enabled, including page content, screenshots, URLs, form inputs, and operation logs. See Section 2.4 for details.

4. How We Use Your Data

We use personal information for the following purposes, with the corresponding legal basis under GDPR where applicable:

Purpose	Legal Basis (GDPR)
Providing talent sourcing and AI agent services	Contract performance (Art. 6(1)(b))
Creating and managing your account	Contract performance (Art. 6(1)(b))
Processing and displaying candidate profiles in response to your search queries	Legitimate interests (Art. 6(1)(f)) — enabling recruiters to identify talent using professional contact data
Improving product performance and personalizing your experience	Legitimate interests (Art. 6(1)(f))
Sending service-related communications (e.g., security alerts, policy updates)	Legitimate interests (Art. 6(1)(f)) / Legal obligation (Art. 6(1)(c))
Fraud prevention, security monitoring, and abuse detection	Legitimate interests (Art. 6(1)(f))
Complying with legal obligations (e.g., data subject requests, regulatory inquiries)	Legal obligation (Art. 6(1)(c))
Analytics and product research (aggregated, anonymized data)	Legitimate interests (Art. 6(1)(f))
Enabling browser automation and task execution through Mira Chrome Extension	Legitimate interests (Art. 6(1)(f)) — enabling users to automate web-based recruiting workflows with their explicit consent

Candidate Data — Legitimate Interests Basis: We process candidate data under the legitimate interests legal basis. Our legitimate interest is enabling talent acquisition professionals to discover and evaluate publicly available professional information for lawful hiring purposes. We have assessed that this processing does not override candidates' fundamental rights and freedoms, given that the data is professional in nature, sourced from publicly accessible platforms, and used solely for recruitment activities. Our Legitimate Interest Assessment is available upon request by contacting .

Candidates may object to this processing at any time — see Section 9 (Your Rights).

5. Our Use of AI

Mira is an AI-powered platform. We believe in transparency about how AI is used in our service, particularly given its role in hiring-related workflows.

5.1 What AI Does in Mira

Candidate Matching: Mira uses AI to interpret natural-language search queries and match them against candidate profiles.
Profile Enrichment: AI generates structured summaries and enriched candidate profiles based on data from multiple sources.
Task Automation: AI agents automate multi-step recruiting workflows (e.g., sourcing, outreach drafting, data compilation).

5.2 What AI Does Not Do

Mira AI does not make autonomous hiring decisions. All outputs are presented to the recruiter as recommendations or information for review.
Mira does not use candidate data or user data to train its underlying AI models (LLMs). Our AI models are provided by third-party providers under contracts that prohibit data retention for training purposes.
Mira AI does not profile candidates based on sensitive characteristics such as race, gender, age, religion, or disability status.

5.3 Human Oversight (EU AI Act)

Mira's AI features may be classified as a high-risk AI system under Annex III of the EU Artificial Intelligence Act (Category 4 — Employment and Workers Management). We have designed the platform in accordance with relevant requirements and will continue to monitor regulatory guidance. Mira:

Provides human oversight mechanisms: recruiters review, override, and make all final decisions.
Does not use automated decision-making that produces legal or similarly significant effects without human review (GDPR Art. 22 compliance).
Maintains logs of AI-generated outputs to support auditability.
Makes this AI usage disclosure publicly available as required.

5.4 Third-Party AI Providers

Mira uses third-party large language model providers, including Anthropic (Claude) and OpenAI, to power its AI features. These providers are contractually bound not to retain user data, candidate data, or conversation content for their own training or commercial purposes.

5.5 Mira Chrome Extension Capabilities

When you enable Mira Chrome Extension, you authorize Mira's AI to:

View your browser screen: AI can see and analyze content displayed in your browser tabs, including pages where you are logged in.
Interact with websites on your behalf: AI can click buttons, fill forms, navigate pages, and perform other actions as if you were doing so manually.
Capture screenshots: Visual snapshots are taken to enable AI understanding of page content and task execution.
Access authenticated sessions: Mira Chrome Extension operates within your active browser session and can access websites using your existing login credentials.

Data Flow:

Browser content and screenshots are transmitted from your device to Mira's servers.
Mira's servers process this data and share it with third-party AI model providers (see Section 6) to generate AI responses.
AI-generated actions are sent back to your browser for execution.
Operation logs are stored for the retention period specified in Section 7.

What Mira Chrome Extension Cannot Do:

Mira Chrome Extension cannot access content outside your browser (local files, other applications).
Mira Chrome Extension is disabled by default and requires your explicit consent to activate.
Password fields are automatically masked before screenshots are captured or processed.

Sensitive Website Handling: When Mira Chrome Extension detects that you are visiting financial, healthcare, or other sensitive websites, you will be prompted to confirm whether to continue automation or switch to manual control. See Section 10 for security measures.

6. How We Share Your Data

We do not sell your personal information. We share data only in the following circumstances:

Recipient	Purpose	Safeguards
Infrastructure Providers (e.g., cloud hosting, CDN)	Hosting and delivering the Mira service	Data Processing Agreements; EU Standard Contractual Clauses where applicable
AI Model Providers	Processing natural language queries	Contracts prohibiting data retention for training; confidentiality obligations
AI Model Providers (for Mira Chrome Extension)	Processing browser screenshots and page content to generate automated actions	Contracts prohibiting data retention for training; confidentiality obligations; sensitive data masking before transmission
Analytics Tools	Understanding product usage (aggregated/pseudonymized data only)	Data Processing Agreements
Apollo.io	Source of candidate contact data	Separate Data Processing Agreement; Apollo's own privacy practices apply to their collection
Exa	Source of web-indexed candidate data	Enterprise agreement governing data use
Legal Authorities	Responding to lawful requests (court orders, subpoenas, regulatory inquiries)	Reviewed on a case-by-case basis; we notify users where permitted by law
Business Transfers	In connection with a merger, acquisition, or sale of all or substantially all of our assets	Successor entity bound by equivalent privacy commitments

No Payment Processors: We do not currently use payment processors. This section will be updated when paid plans are introduced.

7. Data Retention

Data Category	Retention Period
User account data	Duration of account + 90 days after deletion request or account closure
User activity logs	12 months from creation, then aggregated/anonymized
Candidate opt-out records	Retained permanently (to prevent re-processing of opted-out candidates)
Consent records (clickwrap logs)	7 years (to demonstrate regulatory compliance)
Support communications	2 years after case closure
Security/fraud logs	12 months
Payment/transaction records	Not applicable at this stage; will be updated when billing is introduced

We will delete or anonymize data that is no longer needed for the purpose for which it was collected, unless a longer retention period is required by law.

8. International Data Transfers

Mira's infrastructure is primarily hosted in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States or other countries outside the EEA.

We ensure that such transfers are subject to appropriate safeguards, including:

Standard Contractual Clauses (SCCs): For transfers from the EU/EEA to the US, we rely on the European Commission's Standard Contractual Clauses as approved under GDPR Art. 46.
UK International Data Transfer Agreement (IDTA) / UK Addendum: For transfers from the United Kingdom to the US, we rely on the ICO's International Data Transfer Agreement or the UK Addendum to the EU SCCs, as required under UK GDPR and the Data Protection Act 2018.
Data Processing Agreements: All data sub-processors are bound by data processing agreements that include SCCs and/or UK IDTA where required.

You may request a copy of the applicable transfer mechanisms by contacting .

9. Your Rights

9.1 Rights for All Individuals (Including Candidates)

Regardless of whether you are a registered User or a Candidate whose data appears on the platform, you have the following rights with respect to your personal data:

Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data where no overriding legitimate interest exists.
Right to Object: Object to processing based on legitimate interests (including candidate sourcing).
Right to Restrict Processing: Request that we limit processing while a dispute is pending.
Right to Data Portability: Receive your data in a structured, machine-readable format (applies to User data provided under contract performance).

Candidates (who are not registered Mira Users): You may exercise any of the above rights by emailing . We will respond within 30 days. Upon a verified deletion request, we will remove your data from Mira's systems and add you to our permanent opt-out list to prevent future re-processing.

9.2 EU / EEA / UK Users

If you are located in the EU or EEA and believe we have infringed your rights under GDPR, you have the right to lodge a complaint with your national Data Protection Authority (DPA). A list of EU DPAs is available at .

If you are located in the United Kingdom, you may lodge a complaint with the Information Commissioner's Office (ICO) at .

9.3 US State Privacy Laws

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
Right to Delete: Request deletion of your personal information.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt Out of "Sale" or "Sharing": We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact . We will verify your identity before processing your request. You may designate an authorized agent to submit a request on your behalf.

Other US State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy legislation are afforded equivalent rights to access, delete, correct, and opt out of certain processing activities. You may exercise these rights by contacting .

10. Data Security

We implement technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:

Encryption in Transit: All data transmitted between your browser/device and Mira is encrypted using TLS 1.2 or higher.
Encryption at Rest: Sensitive data at rest is encrypted using industry-standard algorithms.
Access Controls: Access to personal data is limited to authorized personnel on a need-to-know basis; access is logged and reviewed.
Security Testing: We conduct regular security assessments of our platform.
Breach Response: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR Art. 33) and notify affected individuals without undue delay where required.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. Cookies and Tracking

Mira uses cookies and similar tracking technologies to operate and improve our service.

Cookie Type	Purpose	Opt-Out
Strictly Necessary	Authentication, session management, security (e.g., CSRF tokens)	Cannot be disabled; required for service operation
Analytics / Performance	Understanding how users interact with Mira (page views, feature usage); data is aggregated and pseudonymized	Can be disabled via cookie preferences
Preference	Remembering your settings and UI preferences	Can be disabled via cookie preferences

We do not use advertising or tracking cookies for third-party marketing purposes.

You can manage your cookie preferences through our cookie settings tool (available in the product footer) or by configuring your browser settings. Note that disabling necessary cookies will affect the functionality of the service.

12. Children

Mira is a professional platform intended for individuals aged 18 and older. We do not knowingly collect personal information from children under the age of 13, or the higher age of digital consent applicable in your jurisdiction (up to 16 in certain EU member states under GDPR Art. 8). If we become aware that we have inadvertently collected data from a child under the applicable age, we will promptly delete such information.

If you believe we have inadvertently collected data from a minor, please contact .

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Post the revised Policy on this page with a new "Last Updated" date.
Send an email notification to registered Users at least 30 days before the changes take effect.
Display a notice within the Mira product.

For non-material changes (e.g., clarifications, formatting corrections), we will update the "Last Updated" date without prior notification.

Your continued use of Mira after a material change takes effect constitutes your acceptance of the updated Policy. If you do not agree with the changes, you may close your account before the effective date.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us at:

Email:

Mailing Address: Mira 131 Continental Dr, Suite 305 Newark, DE 19713 United States

Response Time: We aim to respond to all privacy inquiries and data subject requests within 30 days of receipt.

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. For EU/UK data subjects, Mira acts as the Data Controller for User data. The characterization of Mira's role with respect to candidate data (as controller, joint controller, or processor) depends on the specific processing activity and is subject to ongoing legal review. Please contact for details.