Privacy policy

This Privacy Policy explains how Mippo ("Mippo", "we", "us", or "our") collects, uses, shares, and protects information about you when you:

• visit our website at mippo.ai (the "Site");
• create or use a Mippo account through our mobile application (the "App");
• run NearPass on your device while the App is installed; or
• contact us at [email protected].

Together, the Site and the App are the "Service". This is a single, comprehensive document covering both. Where a practice applies only to the Site or only to the App, we say so.

Capitalised terms used here have the meanings given in this Privacy Policy or, where applicable, in our Terms of Service or in the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR").

Mippo is the "controller" of your personal data within the meaning of GDPR Article 4(7) and the equivalent terms under United Kingdom and other applicable privacy laws.

Mippo will be operated by Mippo, Inc., a Delaware corporation, upon its incorporation. On that date, Mippo, Inc. will assume the role of controller under this Privacy Policy without further action by you, and references to "Mippo", "we", "us", or "our" in this Privacy Policy will be read as references to Mippo, Inc.

The single point of contact for any question about this Privacy Policy, or to exercise any of the rights described in Sections 9 to 12, is [email protected].

EU Article 27 representative

Because we will offer the Service to data subjects in the European Economic Area, GDPR Article 27 requires us to appoint a representative established in the EEA (unless an exemption applies). We will appoint our EU representative, and publish their name and contact details in this section, before the European public beta opens to users in the EEA. Until then, you can reach us about any GDPR matter at [email protected].

United Kingdom representative

Where UK GDPR Article 27 requires it, we will appoint and publish the details of a United Kingdom representative in this section before the United Kingdom launch.

We collect only the data we need to operate the Service, to keep it safe, and to comply with our legal obligations. The categories below are exhaustive. If a category of data is not described here, we do not collect it.

When you visit mippo.ai

When you load a page on our website, our hosting provider records standard server log data: your IP address, the date and time of the request, the URL you requested, the HTTP response status, the response size, and the user-agent string your browser sends. We use this data to operate the Site, protect it from abuse, and diagnose technical problems. We retain it for no longer than thirty (30) days.

If you submit your email address to our waitlist form, we store that email address solely to notify you when Mippo opens to new users. You can unsubscribe at any time using the link in any email we send, or by writing to [email protected].

The Site does not set tracking cookies, embed third-party analytics, run advertising pixels, or share any data with advertising networks. See Section 15 for details.

When you create a Mippo account

To create an account, you provide:

• an email address (for account access, recovery, and essential service communications);
• a display name (which you choose; it does not have to be your real name);
• an Avatar configuration (the stylised parts and colours you select);
• the year you were born (to confirm you meet our minimum age, see Section 14); and
• optionally, the languages you speak, your university or campus, and any other profile fields you choose to complete.

Avatars

Your Avatar is built from a library of stylised parts (currently Microsoft's Fluent emoji set, used under its open-source licence). You assemble your Avatar manually inside the App. We do not take, analyse, or store any photograph of you in order to generate or suggest Avatar parts.

Photos you upload (profile and gallery)

You can, optionally, upload photos to your Mippo profile or gallery. Photos you upload are stored on our servers, encrypted at rest, and shown only to the audience you set for each photo in the App's visibility controls (for example, friends only, pinged users only, or no-one). Your photos are kept private from strangers by default; sharing beyond your chosen audience is always your decision.

We do not analyse the contents of your photos for advertising, profiling, AI model training, or any purpose other than displaying them according to the visibility you have set. We do not run face recognition or any other biometric processing on your photos. You can delete any photo at any time; deletion is reflected within thirty (30) days from our live systems and within ninety (90) days from encrypted backups.

When you use NearPass (proximity)

NearPass is the Bluetooth protocol that powers Mippo. It is engineered to surface a Ping only when two devices have independently opted in to each other on the basis of compatible Intent and Status.

When the App is running on your device, NearPass:

• broadcasts and listens for short, rotating, anonymous identifiers over your device's Bluetooth;
• compares those identifiers locally on your device against the Intents and Statuses you have opted in to; and
• raises a Ping only when both devices confirm a mutual opt-in.

The identifiers exchanged by NearPass rotate frequently and do not include your account ID, your name, your email, or your device's persistent hardware identifier. We do not log the raw identifiers exchanged over the air, the locations at which exchanges occurred, or the times of exchanges that did not result in a Ping. NearPass itself does not use GPS, Wi-Fi positioning, IP geolocation, cell-tower triangulation, or any other location-resolution technique. The Bluetooth exchanges NearPass performs cannot tell us where you are. Mippo offers separate, opt-in location features that you can turn on yourself (see "Optional features" below); those features are independent of NearPass and use only the location data you choose to share at the moment you act.

When a Ping does occur, we record the minimum metadata needed to deliver and audit the interaction: the IDs of the two accounts involved, the time the Ping was raised, and the Intent category that the two sides had in common. We do not record GPS coordinates, Bluetooth signal strength, or any inferred place. Ping metadata is encrypted at rest and is deleted within thirty (30) days of either party deleting their account.

When you message someone

Direct messages between Mippo users are end-to-end encrypted. Encryption keys live on the sending and receiving devices, and our servers hold only the ciphertext. We are not able to read, view, or hand over the contents of your messages, because we do not hold the keys to decrypt them.

For each message we do retain a minimal set of routing metadata: the message identifier, the sender account ID, the recipient account ID, the time the message was queued for delivery, and the time it was delivered. We use this metadata to deliver the message, to operate spam-and-abuse systems on routing patterns (not on content), and to comply with the law. Routing metadata is deleted within thirty (30) days of delivery.

When you talk to Mip

Mip is Mippo's in-app AI companion. Mip maintains a dynamic interest vector: a mathematical representation of the topics, people, places, and activities you have told Mip you care about. The vector updates as you converse with Mip, and we use it to inform what Mip suggests to you (people, Communities, conversations).

To make Mip work, we store:

• your conversations with Mip (so Mip remembers what you have already shared);
• the current state of your interest vector; and
• the structured inferences Mip has drawn from those conversations (for example, "user is learning Korean", "user plays tennis").

You can view what Mip knows about you in the App at any time. You can edit or remove any individual fact Mip has stored, and you can reset Mip's memory entirely, without deleting your Mippo account. Section 13 explains your rights regarding automated processing in more detail.

Status and Intent selections

Intent and Status are the two signals you broadcast to other users. We store them on our servers because they need to be compared against other users' selections in order to generate Pings. You can change either at any time, including disabling them entirely in stealth mode.

Optional features

Some features process additional data only when you turn them on. We will ask for your explicit consent the first time you enable each one, and you can disable any of them at any time in the App.

• Opt-in location. Some Mippo features (for example, discovering people in your city or country who share an interest, or finding Communities in your area) work with a location signal you have explicitly turned on. You choose the precision when you enable the feature: country only, city only, or your device's location at the moment you act. Mippo does not continuously collect or store your location history; we use only the location data necessary for the feature, at the moment you use it. You can disable location features at any time in the App, and you can revoke the underlying device permission in your operating-system settings.
• Wider-reach discovery. When enabled, Mip can suggest connections beyond your immediate NearPass circle based on shared interests, at city or country scale. This builds on the opt-in location feature above and is itself off by default.
• Marketing emails. If you opt in, we will send you occasional product updates and event invitations. You can withdraw your consent at any time via the unsubscribe link in any email.
• Push notifications. If you enable push notifications, we send Ping and message alerts through Apple's or Google's notification gateway. The notification text never includes message content; it indicates only that a new Ping or message is waiting.
• Crash and diagnostics reports. If you opt in, the App may send anonymised crash logs and performance telemetry to our error-tracking sub-processor.

Special-category data

Some of the data above (particularly the contents of your messages, or details you share with Mip about your beliefs, health, or sexuality) may qualify as "special categories of personal data" under GDPR Article 9, as "sensitive personal information" under the California Privacy Rights Act, or as comparable categories under other privacy laws.

We process special-category data only:

• with your explicit consent (GDPR Article 9(2)(a)), which we obtain the first time you share special-category content with Mip; or
• where you have manifestly made the data public on the Service (GDPR Article 9(2)(e)).

You may withdraw your consent at any time, with effect for the future.

For users in the European Union, the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under GDPR Article 6:

• Contract performance (Art. 6(1)(b)): to create and operate your account; to deliver Pings, messages, push notifications, and Mip; to provide the Communities feature; to route data within the Service. Without these activities we cannot provide the Service to you.
• Consent (Art. 6(1)(a)): for marketing emails; for crash and diagnostics reports; for wider-reach discovery; for any processing of special-category data under Art. 9(2)(a). You can withdraw your consent at any time, with effect for the future.
• Legitimate interests (Art. 6(1)(f)): to maintain the security and integrity of the Service; to detect and prevent abuse, fraud, and spam; to keep basic operational logs. Our interest in providing a safe and reliable Service is balanced against your right to privacy, and you can object to processing on this basis at any time (see Section 9).
• Legal obligation (Art. 6(1)(c)): to respond to lawful requests from competent authorities; to comply with tax, accounting, and retention requirements; to comply with any other applicable law.

For users in other jurisdictions, we rely on the analogous legal grounds available under the privacy laws of your country (for example, "necessary to provide the service" under California's CCPA, or "consent" and "performance of a contract" under Brazil's LGPD).

With other Mippo users

Your Avatar, display name, Intent, Status, and any profile fields you have chosen to make visible are shown to other users according to the visibility settings you have set. Your real name (if you have not chosen to display it), your email address, your year of birth, and the contents of your messages are never shown to other users unless you yourself choose to send them.

With sub-processors

We use a small number of vetted third-party service providers to operate the Service. These "sub-processors" act under written data-processing agreements that require them to process your data only on our documented instructions, to keep it confidential, and to apply security measures consistent with this Privacy Policy.

Our current sub-processor categories are:

• Cloud infrastructure and website hosting, including Cloudflare for the mippo.ai website;
• Transactional email delivery (for account verification, password reset, waitlist notifications, and any marketing emails you opt in to);
• Push-notification gateways (Apple Push Notification Service and Google Firebase Cloud Messaging, for users who have enabled push);
• Error and crash reporting (for users who have opted in to crash and diagnostics reports).

A current, named list of sub-processors is available on request from [email protected]. We will update that list before adding any new sub-processor that processes personal data, and where the change is material we will notify you in advance.

In response to lawful requests

We may disclose personal data when we are legally compelled to do so, for example by a valid subpoena, court order, or production order from a competent authority. We review every request for legal validity and scope, and we push back on requests we consider overbroad, unlawful, or improperly served. We will notify you of a request affecting your data unless we are legally prohibited from doing so. Because messages on Mippo are end-to-end encrypted, we cannot produce message content in response to any legal request, regardless of its source or scope.

In the context of a business transfer

If Mippo is involved in a merger, acquisition, reorganisation, or sale of all or part of its assets, your personal data may be transferred to the acquirer as part of the transaction. Any acquirer would be bound by terms at least as protective as this Privacy Policy, and we would notify you in advance.

What we do not do

We do not sell personal data. We do not share personal data for cross-context behavioural advertising. We do not place tracking pixels, embed third-party advertising SDKs, or run any form of cross-site or cross-app tracking. We do not provide bulk data access to data brokers, advertisers, or any party other than the sub-processors described above. We do not use the contents of your messages, the photos you have uploaded, or your Mip conversations to train AI models, and we do not allow any of our sub-processors to do so.

Mippo's primary servers and principal staff are based in the United States. When you use the Service from the European Union, the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to and processed in the United States and in other countries where our sub-processors operate.

For transfers from the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) entered into with each sub-processor that processes personal data outside the EEA. Where appropriate, we apply supplementary technical and organisational measures, including encryption in transit (TLS 1.2 or higher) and encryption at rest.

For transfers from the United Kingdom, we rely on the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the United Kingdom Information Commissioner, or the United Kingdom International Data Transfer Agreement, as applicable.

For transfers from Switzerland, we rely on the Standard Contractual Clauses as amended for Swiss law, and we recognise the Swiss Federal Data Protection and Information Commissioner as the relevant supervisory authority for Swiss residents.

You may request a copy of the safeguards in place for transfers concerning your personal data by writing to [email protected].

We retain your data only for as long as we need it for the purposes set out above. Our standard retention periods are:

• Account data (email, profile, Avatar configuration, Intent, Status): while your account is active. Deleted within thirty (30) days of your account-deletion request, except as noted below.
• Ping metadata: until either party deletes their account, then deleted within thirty (30) days.
• Message routing metadata: thirty (30) days from delivery.
• Message content: not retained by us. Stays on user devices.
• Photos you have uploaded (profile or gallery): while your account is active. Deleted within thirty (30) days of your account-deletion or per-photo deletion request from our live systems, and within ninety (90) days from encrypted backups.
• Mip conversations and interest vector: while your account is active. Deleted on Mip reset or account deletion.
• Waitlist email: until you unsubscribe, or two years after your last interaction with us, whichever comes first.
• Server logs (mippo.ai): thirty (30) days.
• Crash and diagnostic reports (if opted in): ninety (90) days.
• Records required by law (for example, tax records, lawful-request logs): for the period required by the relevant law.
• Encrypted backups: rotated out within ninety (90) days of deletion from the live system.

We may retain de-identified or aggregated data (data from which you can no longer be identified) for longer where doing so does not affect your privacy.

We apply industry-standard technical and organisational measures to protect your data, including:

• end-to-end encryption of message contents (you and your correspondent hold the keys);
• encryption in transit (TLS 1.2 or higher) for all communication with our servers;
• encryption at rest of databases and backups containing personal data;
• short-lived, rotating identifiers for NearPass exchanges;
• role-based access control, multi-factor authentication, and audit logging for all staff access to systems holding personal data;
• regular security reviews, dependency scanning, and third-party penetration testing of the App before each public release;
• a documented incident-response process.

No system is perfectly secure. If we ever become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours, as required by GDPR Article 33, and, where the risk is high, we will notify you directly without undue delay.

Under the GDPR, you have the following rights regarding your personal data, exercisable by writing to [email protected]:

• Access (Article 15): obtain confirmation that we process personal data about you, and a copy of that data.
• Rectification (Article 16): have inaccurate or incomplete personal data corrected.
• Erasure (Article 17), also known as the "right to be forgotten".
• Restriction of processing (Article 18).
• Data portability (Article 20): receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
• Object to processing based on legitimate interests, or to processing for direct marketing (Article 21).
• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22, see Section 13).
• Withdraw consent at any time, with effect for the future (Article 7(3)).
• Lodge a complaint with a supervisory authority (Article 77). Your primary supervisory authority is usually the data-protection authority of the country in which you live, work, or where the alleged infringement took place. For Mippo's first market, that authority is the Autoriteit Persoonsgegevens in the Netherlands (autoriteitpersoonsgegevens.nl). You may also contact the supervisory authority of any other EEA country where you reside.

We will respond to your request within one month, or within a longer period (up to two further months) for complex or numerous requests, as permitted by GDPR Article 12(3); we will tell you in advance if we need that extension. We do not charge for exercising your rights unless a request is manifestly unfounded or excessive, in which case we will tell you why. To protect your data, we may need to verify your identity before acting on a request, for example by asking you to confirm the request from the email address on your account.

If you are in the United Kingdom, you have the same rights as listed in Section 9 above, exercisable in the same way. The supervisory authority for the United Kingdom is the Information Commissioner's Office (ico.org.uk).

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know what personal information we collect, the sources we collect it from, the purposes for which we use it, and the categories of third parties with whom we share it.
• Right to access the specific pieces of personal information we have collected about you in the preceding twelve months.
• Right to delete personal information we have collected from you, subject to limited exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing of personal information. Mippo does not sell or share personal information for cross-context behavioural advertising as those terms are defined under California law. There is therefore nothing to opt out of, but the right remains available to you if our practices ever change.
• Right to limit use and disclosure of sensitive personal information. Mippo uses sensitive personal information only as needed to provide the Service and to fulfil purposes permitted by California Civil Code section 1798.121. The right to limit therefore does not apply to our current use, but the right remains available to you.
• Right to non-discrimination for exercising any of the rights above.

In the preceding twelve months, we have not sold or shared the personal information of any consumer, including any consumer under sixteen. To exercise your California rights, write to [email protected]. You may also authorise an agent to act on your behalf, provided the agent supplies us with written authorisation and we are able to verify your identity.

Residents of other jurisdictions with comprehensive privacy laws (including Brazil under the LGPD, Korea under PIPA, and Japan under APPI) have rights similar to those listed above. You can exercise those rights by writing to [email protected]. Where local law requires us to publish a separate privacy notice or to obtain a specific form of consent (for example, PIPA's notice-and-consent requirements at sign-up), we will provide that notice and obtain that consent within the App when we launch in the relevant country.

Mip maintains an interest vector that informs the people, Communities, and conversations Mip suggests to you. This is automated processing within the meaning of GDPR Article 22.

GDPR Article 22 restricts decisions that are based solely on automated processing and that produce legal or similarly significant effects. Mip is designed so that this restriction does not apply, because:

• Mip's outputs are suggestions, not decisions. You decide whether to act on any of them, and you can ignore them, override them, or turn them off.
• A Ping is only ever delivered when both you and the other person have independently confirmed your opt-in on Intent and Status. Mip cannot cause a Ping without your consent and the other person's consent.
• You can view, edit, and delete any inference Mip has drawn about you, and you can reset Mip's memory entirely, from inside the App, without deleting your Mippo account.

If you would like a plain-language explanation of why Mip suggested a specific Ping, Community, or conversation, or if you believe Mip is operating on incorrect information about you, write to [email protected] and we will explain and correct.

We do not use Mip's interest vector for any purpose outside the Service. We do not sell, share, or otherwise disclose your interest vector to any third party, including advertisers and data brokers. We do not use the contents of your Mip conversations or your interest vector to train general AI models.

Mippo is not directed to anyone under thirteen (13) years old. We do not knowingly collect personal data from anyone under thirteen. If we learn that we have collected personal data from someone under thirteen, we will delete that data without undue delay.

If you believe we may have collected data from a child under thirteen, please contact [email protected].

In some jurisdictions the minimum age at which a person can consent to the processing of their own personal data is higher than thirteen (for example, sixteen in much of the European Union under GDPR Article 8). Where local law requires it, the App will enforce that higher minimum age or require verified parental consent before allowing the account to operate.

The mippo.ai website does not set any cookies. It does not use Google Analytics, Meta Pixel, or any other behavioural-analytics or advertising technology. It does not run any third-party script other than fonts that we host ourselves and the small set of open-source libraries needed to render the site.

The App uses only strictly necessary local storage, for example to remember that you are logged in, to cache your Avatar so the App opens quickly, and to store messages on your device. The App does not contain advertising SDKs or third-party tracking SDKs.

If our cookie or similar-technology practices ever change, we will update this section and, where the EU ePrivacy Directive as implemented in your country or other applicable law requires consent, we will obtain that consent before deploying the change.

We may update this Privacy Policy from time to time. When we do, we will:

• post the updated Privacy Policy at mippo.ai/privacy with a new "Last updated" date;
• maintain a public log of material changes once we have a stable history (the change log currently lives in our public git history); and
• for material changes, give you reasonable advance notice in-App and by email before the change takes effect.

Continuing to use the Service after a change takes effect means you have read the updated Privacy Policy. If you do not agree with a change, you may delete your account using the in-App controls or by writing to [email protected].

For any question about this Privacy Policy, or to exercise any of the rights described above, write to [email protected]. We answer.

A postal address for service of formal legal notices will be published here once Mippo, Inc. is incorporated. Until then, [email protected] is the single contact channel.

You always have the right to lodge a complaint with the data-protection authority of your country. For Mippo's first market in the Netherlands, that authority is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). For the United Kingdom, the Information Commissioner's Office (ico.org.uk). Residents of other jurisdictions can find their authority through their national or regional government's data-protection resources.