MiraPx Privacy Policy
Last updated: June 18, 2026
Privacy policy version: v1.3
MiraPx (mirapx.com) is a web project by a Finnish natural person. This privacy policy explains how MiraPx handles your personal data, including when you visit mirapx.com or contact us via the support email.
Privacy policy time. ^_^
This privacy policy focuses primarily on compliance with the EU General Data Protection Regulation (GDPR), while also taking other applicable EU laws into account. As the primary privacy protection law relevant to MiraPx, the GDPR provides the primary frame of reference for the concepts and rights described below.
For information about the terms of service, that apply when you use the MiraPx websites, see the: MiraPx Terms of Service.
How MiraPx Handles Personal Data
MiraPx currently handles personal data in only three contexts:
- Serving and protecting the websites with Cloudflare
- Restricting access to non-public pages with Cloudflare Access
- Providing support by email with Proton Mail
MiraPx takes various technical and organizational measures to protect personal data, including by using the service providers specified here. Despite these efforts, "perfect" security or privacy cannot be guaranteed for any data transmitted, stored, or processed. Risks may arise from causes such as unfortunate configuration errors, adversarial threat actors, or lawful and binding legal obligations from a court.
The sections below explain what personal data is processed in each context, why it is processed, how long it is retained, and the role of each service provider.
Website Infrastructure (Cloudflare)
What Is Processed and Why
MiraPx uses Cloudflare to serve and protect the websites. When you visit the websites, Cloudflare automatically processes certain data as part of delivering the page to your browser. This includes your IP address, browser type and version, operating system, the page you requested, the referring URL, and the date and time of your visit.
Cloudflare may set strictly necessary cookies (such as __cf_bm) for security purposes, including bot detection and DDoS mitigation. These are strictly necessary for the functioning of the websites, and therefore do not require consent.
The above-mentioned processing is based on legitimate interest under Article 6(1)(f) GDPR: the interest of operating, securing, and delivering the websites. Given the technical nature of the data, its short retention period, and the necessity of this processing for serving any web page, MiraPx considers that this interest is not overridden by the rights and freedoms of data subjects.
Cloudflare acts as a data processor in accordance with Cloudflare's Data Processing Addendum: cloudflare.com/cloudflare-customer-dpa
Cloudflare's privacy policy: cloudflare.com/privacypolicy
How Long It Is Stored
Personal data processed by Cloudflare in delivering web requests is generally retained for a short period, typically not exceeding a few days, for security and operational purposes. Cloudflare may retain aggregated or anonymized data for longer periods. Specific retention periods are governed by Cloudflare's data retention policies and may vary by data type.
Data Transfers
Cloudflare is a US-based company and operates global infrastructure, meaning your data may be processed in countries outside the European Economic Area (EEA). Cloudflare relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), and other safeguards to ensure an adequate level of data protection for such transfers.
Restricted Pages (Cloudflare Access)
Some development and infrastructure pages of MiraPx use Cloudflare Access to restrict access to pre-authorized individuals. These pages are clearly marked and are not part of the public site.
These pages are also served through Cloudflare, so the processing described in the Website Infrastructure (Cloudflare) section above applies here as well, including Cloudflare's use of strictly necessary cookies (such as CF_Authorization in the case of restricted pages, which keeps signed-in users authenticated). In addition, Cloudflare Access records login attempts, including the IP address, email address, time, and page accessed.
This additional processing is based on legitimate interest under Article 6(1)(f) GDPR: the interest of securing MiraPx's development and infrastructure systems. Because access is limited to pre-authorized individuals who voluntarily authenticate, and the data retained is limited to what is necessary for security monitoring, MiraPx considers that this interest is not overridden by the rights and freedoms of data subjects. Login records are typically retained for up to six months in accordance with Cloudflare's data retention policies.
Support Email (Proton Mail)
What Is Processed and Why
If you contact MiraPx by email at mirapx@proton.me, your email address, name (if provided), and the contents of your message will be processed for the purpose of responding to your inquiry. This processing is based on legitimate interest under Article 6(1)(f) GDPR: the interest of being able to respond to and follow up on communications related to the project. Because the data subject initiates the communication and the processing is limited to what is necessary to respond, MiraPx considers that this interest is not overridden by the rights and freedoms of data subjects. Avoid sending sensitive personal information via email where possible.
Support email is provided through Proton Mail, operated by Proton AG in Switzerland. Proton processes email data, including the sender address, message contents, and associated metadata, as part of delivering and storing correspondence. Proton also processes certain service and security data, such as IP addresses, for the operation, security, and abuse prevention of Proton Mail.
Proton acts as a data processor in accordance with Proton's Data Processing Agreement: proton.me/legal/dpa
Proton's privacy policy: proton.me/legal/privacy
Proton Mail's privacy policy: proton.me/mail/privacy-policy
How Long It Is Stored
Support emails are retained for up to 12 months from the date of the last message in a conversation, though they are typically deleted months earlier in batches. Retention beyond 12 months may occur where a specific legitimate interest or legal necessity exists. After the retention period, correspondence is deleted unless longer retention is required by law or another legitimate interest. You may request early deletion of your email correspondence at any time, subject to certain conditions.
Data Transfers
Proton AG is based in Switzerland and operates infrastructure in Switzerland, Germany, and Norway. Proton may also use group companies and subprocessors in other countries, meaning your data may be processed outside the European Economic Area (EEA). Proton relies on adequacy decisions, Standard Contractual Clauses (SCCs), and other safeguards to ensure an adequate level of data protection for such transfers.
Your Rights Under GDPR
As a data subject under GDPR, you have the right to the following, subject to certain conditions:
- Access the personal data held about you
- Rectification of inaccurate or incomplete data
- Erasure of your data ("right to be forgotten")
- Restriction of the processing of your personal data
- Object to the processing of your personal data, in particular where processing is based on legitimate interest
- Data portability, where applicable, to receive your data in a portable format or have it transferred to another organization
- Lodge a complaint with a supervisory authority
Right to Object
Because all processing described in this policy is based on legitimate interest under Article 6(1)(f) GDPR, you have the right to object to the processing of your personal data at any time, on grounds relating to your particular situation (Article 21 GDPR). In practice, the processing tied to serving and protecting the websites cannot be separated from delivering the page to your browser. The right to object is most relevant to email correspondence, where you can request that your messages be deleted and not retained further.
Automated Decision-Making
MiraPx does not carry out automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.
Providing Personal Data
You are not required to provide personal data to MiraPx under any statutory or contractual obligation. Visiting the websites and contacting MiraPx by email are voluntary. The personal data processed when you visit the websites is a technical requirement for the pages to be delivered. The personal data in your email correspondence is necessary for MiraPx to respond to your inquiry.
Data Controller
MiraPx is a web project by a Finnish natural person. For privacy-related inquiries, or to exercise any of these rights, you can reach the data controller at mirapx@proton.me. Avoid sending sensitive personal information via email where possible.
MiraPx has not appointed a data protection officer (DPO), as the conditions under Article 37 GDPR do not apply.
Response Times
Under Article 12 GDPR, requests are answered without undue delay, and in any event within one month of receipt. Where a request is made by electronic means, the response will be provided electronically unless you request otherwise.
This response period may be extended by up to two further months where necessary, taking into account the complexity and number of requests. You will be informed of any such extension within the first month, together with the reasons for the delay.
If MiraPx decides not to act on a request, you will be informed within one month, including the reasons and your right to lodge a complaint with a supervisory authority or seek a judicial remedy.
Request Handling
Exercising these rights is free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, MiraPx may charge a reasonable fee or refuse to act on the request, in accordance with Article 12 GDPR.
Where there are reasonable doubts about the identity of the person making the request, MiraPx may request additional information necessary to confirm the identity of the data subject before acting on the request.
Supervisory Authority
Should you wish to lodge a complaint, or if you feel that MiraPx has not addressed your concern in a satisfactory manner, you may contact the relevant supervisory authority, which in Finland is the Office of the Data Protection Ombudsman: tietosuoja.fi/en/home. If you are located in the EU/EEA, you may alternatively contact the supervisory authority in your own country of residence. You also have the right to an effective judicial remedy under Article 79 GDPR.
Changes to This Policy
This privacy policy may be updated from time to time. The "last updated" date at the top reflects the most recent revision.