Privacy Policy.

Mirror is operated by Redact Labs Inc. (“Redact Labs,” “we,” “us,” or “our”), a corporation registered in Ontario, Canada. Our office is in Toronto, Ontario. You can reach us at security@redactlabs.ca for any privacy-related questions.

This privacy policy applies to the Mirror mobile application, the Mirror web pages at redactlabs.ca/mirror, and any related services we operate.

Mirror collects no personal information. The iOS app has no sign-up flow, no account creation, no email field, no password, no bank login, and no third-party SDK that could collect data on our behalf. The app makes zero network calls.

In the app

Your hourly rate, your transactions, your categories, and any other data you enter are stored in the iOS app sandbox on your device, using SwiftData. They never leave your phone. They are not transmitted to us, to a third party, or to any cloud service.

On this website

The Mirror marketing site at redactlabs.ca/mirror is static HTML. It does not set cookies, run analytics, or include advertising or tracking scripts. Your hosting provider (currently GitHub Pages) records standard server access logs, which include IP addresses and user-agent strings, retained briefly per their normal operations.

If you email us

If you write to contact@redactlabs.ca or security@redactlabs.ca, we receive that email. The contents are stored in Redact Labs’ standard email system and used only to respond to you. We do not add you to any marketing list.

We do not collect, transmit, or have access to: your transactions, your hourly rate, your categories, location, contacts, photos, browsing history, search history, microphone or camera data, advertising identifiers, biometric data, device identifiers, crash logs, or any usage analytics.

We have no data of yours to use. The Mirror app does not transmit your transactions, your hourly rate, or anything else to us — all calculations (Time Wealth annotations, the 30/90/365-day reflections, share cards) happen on your device.

The only data flow that exists is direct email correspondence: if you write to us, we read what you wrote and respond. That’s it.

We do not:

• Show advertisements anywhere — in the app, on the website, in email.
• Sell, rent, or share data with brokers, marketers, or any third party.
• Train machine learning models on your data.
• Score, rank, or profile you for any purpose.
• Run analytics that could tell us whether or how often you use the app.

The Mirror app has no third-party SDKs and shares no data with anyone. There is no Plaid, no payroll aggregator, no analytics service, no crash reporter, no advertising identifier, no cloud sync provider, and no payment processor.

The two infrastructure dependencies that touch the Mirror surface are:

• GitHub Pages — static hosting for the redactlabs.ca/mirror website. They see standard web server logs (IPs, user-agents).
• Apple iCloud — if (and only if) a future build enables iCloud sync, your data would be synced through your own private CloudKit database, end-to-end between your own devices. Mirror does not have access to your iCloud database. As of this version, iCloud sync is not enabled.

If you email us, your message is processed by whatever email provider Redact Labs uses for our shared inbox. That email is used only to respond to you and is not shared further.

We do not sell your data to anyone. We have no data to sell.

Your Mirror data lives in one place: the iOS app sandbox on your phone. When iCloud sync is enabled in a future version, your data would be replicated through your own private iCloud database to your other Apple devices — still inaccessible to us.

The marketing site at redactlabs.ca/mirror is hosted by GitHub Pages, with edge servers globally. Email sent to our addresses is processed by our email provider; the geographic location of those servers depends on Redact Labs’ provider choice and is not user-specific.

• Your transactions and rate sit in the iOS app sandbox, encrypted at rest by Apple’s hardware-backed Data Protection (AES-256) whenever your device is locked.
• The app makes no network calls, so there is no “in transit” layer to attack.
• No bank login is collected, so none can be stolen. No account is created, so none can be compromised.
• If you have iCloud sync enabled in a future version, your private iCloud database is encrypted in transit by Apple between your devices.

Mirror is built by Redact Labs, a Toronto cybersecurity firm. The simplest way to protect financial data is not to collect it.

You have the following rights, but in most cases there is nothing for us to act on because we hold no data about you:

• Access. Your data is on your phone. Open the app to view it — we have no copy.
• Correction. Edit transactions and your rate directly in the app, on your device.
• Deletion. Delete the app, or use Settings → Reset All Data inside the app. We have no server-side copy to remove.
• Portability. A future version may add a CSV export inside the app. As of this version, the data is contained within the iOS app sandbox and accessed through the app’s own UI.
• Email correspondence. You can ask us to delete any email you’ve sent us by writing to security@redactlabs.ca.
• Complaint. If you believe we’ve handled your data improperly, you can complain to the Office of the Privacy Commissioner of Canada or your local data protection authority.

App data is retained on your device for as long as you keep it. There is no server-side retention because there is no server. When you delete the app or use Settings → Reset All Data, the data is removed from your device’s storage immediately by iOS.

Email you send to us is retained in our inbox for as long as it’s useful for ongoing correspondence, then archived or deleted per Redact Labs’ standard internal practices.

Mirror is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at security@redactlabs.ca and we will delete it.

The Mirror website does not set cookies. There is no analytics service, no advertising script, no retargeting pixel, no cross-site tracker, and no third-party JavaScript anywhere on the page.

The Mirror mobile app does not request the AppTrackingTransparency permission because there is no tracking to authorize. There is no advertising identifier collected.

We may update this privacy policy from time to time. Because Mirror has no user accounts, we cannot notify you directly — please check this page if you want to confirm the current version. The “Last updated” date at the top reflects the most recent change. Material changes (e.g. introducing iCloud sync, or any future feature that introduces data flow) will be highlighted at the top of this page when they take effect.

For privacy questions, data requests, or to exercise any of your rights:

We respond to privacy requests within 5 business days, and resolve them within 30 days as required by PIPEDA.