Privacy Policy
Last updated: May 29, 2026
miratempo is currently running as a free beta. We do not charge a platform fee, we do not sell subscriptions in the public version, and we do not process card payments through miratempo.
This Policy explains what personal data we process, why it is needed, who it may be shared with, how long it is kept, and how you can exercise your rights. The service is primarily governed by Ukrainian personal data protection law. If GDPR or ePrivacy rules apply to your situation, we also take those requirements into account.
1. Data controller
During the free beta stage, miratempo's operator and data controller is a natural person from Ukraine. If the legal structure of the service changes, this page will be updated.
2. What data we process
Account and access
Email, hashed password, account role, language settings, email confirmation status, login session data, CSRF protection and technical security logs.
Language, country/timezone hints, and preferences
mt_locale stores the selected interface language and may be shared across miratempo.com and app.miratempo.com. Cloudflare CF-IPCountry or request.cf.country provides a two-letter country-level IP-derived hint for first-visit language routing and the initial mt_phone_country value. The browser time zone from Intl is used first, and Cloudflare request.cf.timezone may provide a fallback IANA time zone hint for the initial mt_timezone value. mt_phone_country is used only so empty phone fields start with the expected country calling code; mt_timezone is used only for the specialist profile and booking page's initial time zone. These preference cookies are kept for up to 12 months unless you change or clear them earlier; they are not used for authorization, identity, billing, eligibility, profiling, advertising, analytics, or legal/compliance decisions. miratempo does not request precise browser or device geolocation through navigator.geolocation.
Mobile application
If you use a mobile application, we process a mobile login token, installation ID, device name or type, platform, application version, and data required to log in without a browser session. If you enable push notifications yourself, we store the push token in encrypted form and its hash for technical lookup.
Professional profile
Name, public link, description, services, prices, currencies, availability, terms of engagement, online or offline session settings, address for offline sessions, social links and profile picture if you add them.
Clients, bookings, and work notes
Names, email addresses, phone numbers, messengers, session history, recurring bookings, confirmation and payment statuses, meeting links, guest access codes, and encrypted private specialist notes.
Details and qualification verification
At the specialist's request: IBAN, RNOCPP or EDRPOU, legal name, bank name, payment purpose template, education, certificates, and files for admin verification. Private verification files are not shown to clients.
Referral program
Referral code, attribution source, save date, invitation status, aggregate invitation statistics and estimated future discounts. During the free beta, this is attribution only: it does not generate payouts, cashback or retroactive credit.
miratempo subscriptions
The public version is currently running as a free beta with no active paid subscriptions and no card payment processing through miratempo. If paid subscriptions purchased on the site are later enabled, we will process subscription status, payment channel, technical payment tokens, charge attempts, amounts, and discounts. miratempo will not store full card details.
Google Calendar and Meet
If the specialist independently connects Google Calendar, miratempo stores the OAuth access token and refresh token, granted permissions, token validity period, Google event ID, synchronization status, synchronization errors and Google Meet link. Only data required for the miratempo event is transmitted to Google: service name, client name in the description, time, time zone, meeting link or request to create a Google Meet.
Diagnostics, protection and antispam
IP address, browser data, request data, error logs, Cloudflare Turnstile results if protection is enabled, and Sentry technical diagnostics if Sentry is enabled. Sentry is configured without automatically sending typical personal data.
3. Why we process data
Data is needed to create accounts, confirm email addresses, show booking pages, manage schedules, send service emails, give guests access to their own bookings, protect accounts, prevent abuse, comply with legal obligations, support integrations enabled by the user, and keep the service running reliably.
For GDPR situations, legal grounds may include performance of a contract or user request, legitimate interest in service security and stability, compliance with legal obligations, and consent where it is required, for example to connect an integration, receive push notifications, or store optional data.
4. Cookies, localStorage and similar technologies
We do not use advertising, marketing or analytical cookies. The browser uses only first-party technically necessary cookies: session cookies for sign-in and guest access, CSRF cookies for protected actions, mt_cookie_consent to remember the display of the cookie message, mt_app_access=coach as an optional hint for the marketing site to show the specialist a link back to the dashboard, mt_locale for the language preference, mt_timezone for the specialist profile's initial time zone, and mt_phone_country for the initial country code in empty phone fields. mt_app_access does not authorize access and does not replace a login session; mt_phone_country and mt_timezone are not used for authorization, identity, billing, eligibility, profiling, advertising, analytics, or legal/compliance decisions.
On miratempo domains, these technical cookies may be shared by miratempo.com and app.miratempo.com. Preference cookies are generally kept for up to 12 months unless you change or clear them earlier. Cloudflare may provide a two-letter country code through CF-IPCountry or request.cf.country; miratempo uses this country-level hint only for first-visit language routing and the initial phone prefix. The browser time zone is used first, and request.cf.timezone is used only as a fallback hint for the booking page's initial time zone. miratempo does not request precise browser or device geolocation through navigator.geolocation. The product also uses localStorage for the frontend theme, side panel state, and referral code from the link ?ref=CODE. The referral code is stored for up to 30 days and is only used for prefilling registration or role activation.
In the mobile application, the login token is stored in secure storage when the native plugin is available, or in localStorage for test web shells. Push notifications are enabled only after the specialist takes action in the application settings.
5. Providers and data transfer
For the operation of the service, we use technical suppliers: Hetzner for backend hosting and database; Cloudflare for DNS, frontend/marketing delivery, Turnstile protection, R2 storage, and country/timezone request hints for language, time zone, and phone defaults; Resend for transactional emails; Sentry for error diagnostics only when DSN is enabled; Google API for Calendar/Meet integration; and future payment providers for subscriptions purchased on the site if such subscriptions are launched.
Data may be accessible to clients or guests only within the specific booking to which the specialist has granted access. We may also disclose data where necessary for security, abuse investigations, compliance with law, or protection of the rights of miratempo, users or third parties.
User Google data is not sold, rented, or shared with advertising platforms, data brokers, or information vendors, and is not used for advertising, profiling, resale, or AI training. Use and transfer of information received through the Google API complies with Google API Services User Data Policy, including Limited Use requirements. Team access to Google data is possible only for security, bug fixes, user-requested support, or legal compliance.
6. Data protection
We use HTTPS in the production environment, secure cookie settings, CSRF protection for actions in the browser, email verification, role-based access control, rate limits for sensitive public requests and login requests, separate production secrets, encryption of private fields, and keyed hashes for exact lookup of private identifiers.
Private fields, including Google OAuth tokens, links to meetings, guest access codes, contacts, details, specialist notes, push tokens, and payment tokens for future subscriptions purchased on the site are encrypted in the database when stored. Email addresses and guest access codes are searched through keyed hashes, not through plaintext queries.
Encryption in the database is meant to protect the data in storage, but it is not a claim of end-to-end or zero-knowledge encryption. Specialist work notes are not shown to clients or guests; team access to production data is limited to operational need, security, support at the user's request, or legal compliance.
Google Calendar access is requested only after the specialist takes action to connect the integration. Current Google scope: https://www.googleapis.com/auth/calendar.events.owned. After disabling Google Calendar, the integration becomes inactive, and the access token and refresh token are cleared.
7. Deletion, anonymization and storage periods
You can delete the account in settings after confirming the current password. For the client role, we anonymize related bookings and contact details. For the specialist role, we delete the workspace, including clients, bookings, services, notes, education documents, details, and profile photo. If the account has both roles, both actions apply.
Technical logs, backups, security records, billing events or records required for legal defense may be kept for a limited time after account deletion. Data that is no longer needed is deleted or anonymized.
8. Your rights
You can request access, correction, deletion, restriction, data transfer, withdrawal of consent where processing depends on consent, or object to processing. Some of the actions can be performed independently in account settings. For other inquiries, write to osvyryd@miratempo.com.
In Ukraine, a complaint regarding the protection of personal data can be filed with the Ukrainian Parliament Commissioner for Human Rights. If your situation is covered by the GDPR, you can also contact the supervisory authority in an EEA country.