Legal · Data Protection

Privacy Policy

Last updated: 26 May 2026

XAN Enterprises Limited, a Hong Kong company (Company Number 80174645) with its registered office at Unit 1603, 16/F, The L. Plaza, 367-375 Queen’s Road Central, Sheung Wan, Hong Kong, trading as Mirai (“Mirai,” “we,” “us”), provides an AI modelling agency platform at miraitalent.ai (the “Platform”). This Privacy Policy explains what information we collect, why we collect it, with whom we share it, how long we keep it, and the rights you have over it. It is written to comply with the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Hong Kong Personal Data (Privacy) Ordinance.

1. What We Collect

  • Account data. Full name, email address, password hash, role (brand, model, or admin), and, for brands, company name.
  • Talent photographs. Photos you upload during application and portfolio updates. These are biometric data in some jurisdictions and are treated with heightened protection.
  • Generated imagery. AI-generated images, the prompts used to create them, approval decisions, and licensing metadata.
  • Payment data. Billing address and a tokenised reference to your card or bank account. Card numbers, bank accounts, and verification details are handled directly by Stripe; we do not store them.
  • Communication data. Emails you send us, chat-message content, and, with consent, call recordings from support interactions.
  • Analytics events. Page views, button clicks, session duration, device type, and IP address. Used to diagnose issues and improve the product.
  • Cookies. Essential cookies for authentication and session state. We do not use tracking or advertising cookies. See our cookie notice below and the banner shown on your first visit.

2. Why We Collect It

  • Service provision. To create and run your account, create your digital twin from your reference kit, generate images, process approvals, and deliver licences.
  • Payments. To bill brands, calculate payouts, and transfer funds to talent.
  • Communication. To send transactional email (applications, approvals, payouts, security alerts) and, with opt-in consent, product updates.
  • Safety. To enforce our Terms and Acceptable Use Policy, detect fraud and abuse, and respond to legal process.
  • Product improvement. To debug, understand usage patterns, and roll out improvements.

2a. What We Never Do With Your Likeness

Talent photographs and likenesses are used exclusively for AI image generation and platform operation as described in Section 2. We explicitly do not, and will not, use Talent likeness data for:

  • Facial recognition or biometric identification. We do not use reference photographs to identify, match, track, or authenticate individuals against other images, databases, or identity systems.
  • Surveillance or monitoring. We do not use likeness data to monitor, profile, or track any individual’s movements, behaviour, or activity, online or offline.
  • Identity verification or authentication. Mirai is not an identity-verification platform. We do not supply likeness data to KYC, AML, border control, or any law-enforcement system.
  • Foundation model training. Reference photographs are never contributed to general-purpose AI training datasets, never used to fine-tune or train foundation models, and never shared with third parties for training purposes.

3. Legal Bases (GDPR)

  • Contract. To provide the Platform you signed up for.
  • Consent. For processing of biometric photographs, the creation of your personal digital twin, and marketing emails.
  • Legitimate interest. For fraud prevention, security, analytics, and improving the product, balanced against your rights.
  • Legal obligation. Tax, accounting, anti-money laundering, and rights-enforcement obligations.

4. Who We Share It With

We do not sell your personal information and we do not share it for cross-contextual behavioural advertising (within the meaning of the CCPA). We share data with a small set of vendors strictly as needed to operate the Platform. Each vendor is bound by a data-processing agreement.

  • Stripe (United States). Payment processing, Connect payouts, subscription management, fraud screening.
  • Supabase (Japan / Tokyo region). Database hosting, authentication, file storage for application uploads. Transfers from the EEA/UK rely on Japan’s GDPR adequacy decision; transfers from California rely on standard contractual protections.
  • Cloudinary (United States). Image storage, transformation, watermarking, and delivery.
  • fal.ai (United States). Image generation routing layer. Your reference photographs and the resulting generated images pass through fal.ai at the moment of each generation. fal.ai stores generations briefly for delivery to Mirai and does not use them to train models.
  • Resend (United States). Transactional email delivery.
  • OpenAI (United States). Operator of GPT-Image-2, the primary image generation model. Your reference photographs are transmitted to OpenAI via fal.ai at each generation. OpenAI’s API policy states they do not train on API inputs.
  • Google (United States). Operator of Nano Banana 2, used as a fallback image generation model. Also provides Google OAuth sign-in where you choose to use it. Google’s API policy states they do not train on API inputs.
  • Anthropic (United States). Operator of Claude, used to enhance brand-typed prompts into production photography briefs. Brand prompts (not your reference photographs) are sent to Anthropic. Anthropic’s API policy states they do not train on API inputs.
  • Railway (application hosting). Runs the Mirai application and processes operational logs and metrics.

We may also disclose information if required by a court order, lawful governmental request, or to protect the safety of users or the public.

5. Data Transfers

Your data may be processed in the United States, the European Union, Hong Kong SAR, and other regions where our vendors operate. Transfers from the EEA and UK are governed by the Standard Contractual Clauses. Transfers from Hong Kong are governed by the Hong Kong Personal Data (Privacy) Ordinance. Where possible we select vendor regions that are closest to you.

6. How Long We Keep It

  • Signed agreements and consent records. Kept indefinitely to preserve legal provability of the agreements you entered into.
  • Reference photographs. Kept while your account is active. Deleted within thirty (30) days of account closure or a withdrawal of consent, subject to legal holds. Mirai does not store derivative AI model weights of your likeness — reference photographs are passed to third-party generators at each generation moment, not used for training.
  • Generated images. Delivered images kept while the associated licence is active. Undelivered drafts deleted with your account.
  • Analytics events. Retained for up to fourteen (14) months and then aggregated or deleted.
  • Payment records. Retained for seven (7) years to meet tax and accounting obligations.

7. Your Rights

Subject to the laws of your jurisdiction, you have the following rights:

  • Access. Receive a copy of the personal data we hold about you.
  • Rectification. Correct inaccurate or incomplete data.
  • Deletion. Ask us to delete your account, your reference photographs, and your generated images.
  • Portability. Export your data in a machine-readable format.
  • Restriction and objection. Ask us to stop or limit specific processing, including direct marketing.
  • Withdraw consent. Withdraw consent for processing that is based on consent, without affecting the lawfulness of past processing.
  • Non-discrimination. We will not penalise you for exercising your CCPA rights.
  • Lodge a complaint. With your local data protection authority, for example the Hong Kong PCPD, the UK ICO, the Irish DPC, or the California Privacy Protection Agency.

8. Data Subject Access Requests

To exercise any of the rights above, email privacy@miraitalent.ai from the address associated with your Mirai account. Include the nature of your request. We will verify your identity, typically by asking you to confirm account details or a recent transaction, and respond within thirty (30) days. For complex requests we may extend this by up to sixty (60) days, notifying you in advance.

9. Children

The Platform is not intended for anyone under the age of eighteen. We do not knowingly collect personal information from minors. If you believe a minor has submitted information, email privacy@miraitalent.ai and we will promptly delete the data.

10. Security

We use encryption in transit (TLS 1.2 or higher), encryption at rest for files and databases, role-based access control, least-privilege service accounts, webhook signature verification, and continuous monitoring. No system is perfectly secure. If we learn of a breach affecting your data we will notify you and the relevant authorities within the time frames required by law.

11. Cookies

Mirai uses only essential cookies: session cookies for authentication and CSRF protection. We do not use advertising, cross-site tracking, or third-party analytics cookies. On your first visit to a marketing page we display a brief notice so you can acknowledge our cookie use. For more detail see the cookie notice banner on the site.

12. Changes

Material changes to this Privacy Policy will be notified by email and by an in-product banner at least thirty (30) days before they take effect, except where immediate changes are required to comply with law.

Contact

Privacy enquiries: privacy@miraitalent.ai
General enquiries: info@miraitalent.ai

XAN Enterprises Limited (trading as Mirai)
Company Number 80174645
Unit 1603, 16/F, The L. Plaza, 367-375 Queen’s Road Central
Sheung Wan, Hong Kong
Data controller for the purposes of UK GDPR, EU GDPR, Hong Kong PDPO, and California CCPA/CPRA.