Privacy Policy
Last updated: February 14, 2026
MIR Assertions (MIRA) is built on transparency. This policy explains what data we collect, why we collect it, and how you control it. We believe you should understand exactly what happens with your information.
The Short Version: We collect only what's needed to operate the assertion registry. We don't sell your data. We don't track you across the web. Assertions are public by design — everything else is private.
1. Who We Are
MIR Assertions is operated by phpMyDEV, LLC. We provide a cryptographic provenance registry that records verifiable assertions about digital media artifacts.
- Website: mirassertions.org
- Contact: hello@mirassertions.org
- Address: Phoenix, Arizona, USA
2. Data We Collect
2.1 Issuer Account Information
When you apply as an issuer, we collect:
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account login (magic links), notifications | Until account deletion |
| Organization name | Public attribution on assertions | Until account deletion |
| Domain | Domain verification, public attribution | Until account deletion |
| Application details (use case, website) | Issuer vetting and approval | Duration of account plus 1 year |
2.2 Assertion Data
The core of MIRA is assertions — public, cryptographically attributed statements:
| Data | Purpose | Retention |
|---|---|---|
| Assertions (type, artifact hash, scope, context) | Public provenance registry | Permanent (may be revoked but not deleted) |
| Issuer keys (public keys only) | Cryptographic signature verification | Until revoked; revoked keys retained for verification |
| Perceptual hashes | Visual similarity matching | With associated assertion |
2.3 Technical Data
We automatically collect:
| Data | Purpose | Retention |
|---|---|---|
| IP address | Security, rate limiting | 30 days in logs |
| Browser/device info | Session security, device fingerprinting | With session (30 days max) |
| Access logs | Security, debugging | 30 days |
2.4 Billing Data
If you subscribe to a paid plan:
- Payment processing is handled by Stripe. We do not store credit card numbers.
- We retain your Stripe customer ID and subscription status for billing management.
3. How We Use Your Data
We use your data only for:
- Providing the service: Managing your issuer account, recording assertions, responding to lookups
- Security: Preventing fraud, abuse, and unauthorized access
- Communication: Account notifications, service updates (you can opt out of non-essential emails)
- Improvement: Aggregated analytics to improve the service (never individual tracking)
- Legal compliance: Responding to lawful requests
We do NOT: Sell your data. Show you ads. Track you across websites. Build profiles for advertising. Share data with data brokers.
4. Data Sharing
4.1 Public Assertion Data
Assertions are public by design. When anyone looks up an artifact hash:
- They see all assertions for that artifact, including your issuer name and domain
- This is fundamental to how MIRA works — provenance requires public attribution
- You consent to this public attribution when you create an assertion
4.2 With Service Providers
We use limited third-party services:
- Hosting: DigitalOcean (servers, database)
- Email: Transactional email provider for magic links and notifications
- Payments: Stripe for subscription billing
These providers process data only on our behalf and under strict agreements.
4.3 Legal Requirements
We may disclose data if required by law, court order, or to protect rights and safety. We will notify you unless legally prohibited.
5. Your Rights
You have control over your non-public data:
Access
View your issuer profile, assertions, and keys in the Issuer Portal
Correct
Update your issuer information or revoke/supersede assertions
Restrict
Limit how your non-public data is processed
Object
Opt out of non-essential communications
Note on assertion data: Assertions are permanent public records. They can be revoked (marked as no longer active) or superseded (replaced by a newer assertion), but cannot be deleted. This is by design and is fundamental to the integrity of the provenance registry.
To exercise your rights:
- Use the controls in the Issuer Portal
- Email us at hello@mirassertions.org
- Use our contact form
We respond to all requests within 30 days.
6. Data Security
We protect your data with:
- Encryption: TLS 1.2+ for all connections; encrypted database
- Passwordless authentication: Secure magic links sent to your email — no passwords to steal or leak
- API key hashing: API keys stored as SHA-256 hashes, never in plaintext
- Access controls: Principle of least privilege for all systems
- Rate limiting: Redis-backed rate limiting to prevent abuse
- Monitoring: Security logging and anomaly detection
No system is 100% secure. If we discover a breach affecting your data, we will notify you promptly.
7. Cookies
We use minimal cookies:
| Cookie | Purpose | Duration |
|---|---|---|
mir_session |
Keeps you logged in to the Issuer Portal | 30 days (or until logout) |
We do not use:
- Advertising cookies
- Third-party tracking cookies
- Analytics cookies that identify individuals
8. International Transfers
Our servers are located in the United States. If you are outside the US, your data will be transferred to and processed in the US. We apply appropriate safeguards for international transfers.
9. Age Requirement
MIRA is intended for use by individuals aged 13 and older. We do not knowingly collect personal information from children under 13. If we become aware that a user is under 13, we will delete their account and associated data.
10. Data Retention
We retain data only as long as needed:
- Issuer accounts: Data retained while account is active
- Assertions: Permanent (public provenance record)
- Closed accounts: Non-public data deleted within 30 days, except as required by law
- Logs: Retained for 30 days for security purposes
- Backups: Cycled out within 90 days
11. Changes to This Policy
We may update this policy. For significant changes:
- We'll email registered issuers
- We'll post a notice on the website
- We'll update the "Last updated" date
Continued use after changes constitutes acceptance.
12. Contact Us
For privacy questions or to exercise your rights:
- Email: hello@mirassertions.org
- Contact form: mirassertions.org/#contact
- Subject line: "Privacy Request"
We aim to respond within 30 days.
13. Jurisdiction-Specific Rights
California Residents (CCPA)
You have the right to:
- Know what personal information we collect
- Request deletion of your data
- Opt out of sale of personal information (we don't sell data)
- Non-discrimination for exercising your rights
European Residents (GDPR)
Additional rights include:
- Legal basis for processing (consent, contract, legitimate interest)
- Right to lodge a complaint with a supervisory authority
- Right to data portability
Our legal bases for processing are: contract performance (providing the service), legitimate interest (security, improvement), and consent (optional communications).
Questions? We're committed to transparency. If anything in this policy is unclear, please contact us and we'll explain.