Privacy Policy

March 31, 2026Read inFR EN ES DE IT PT

Article 1 — Data Controller

The data controller for personal data is:

CES Venture SAS (trading name: Hello Mira)

Registered office: Euratechnologies, 165 avenue de Bretagne, 59000 Lille, France

SIREN: 991 370 115

Legal representative: Cédric Tumminello, President

Data Protection Officer (DPO):

Cédric Tumminello

Email: [email protected]

Article 2 — Scope of Application

This Privacy Policy applies to all personal data collected and processed in connection with:

the use of the Hello Mira Platform (Mira Nomad mobile application, website hello-mira.com, Mira Chat);
the subscription to and use of the Mira Pass;
the booking and execution of Mira Trips;
interactions with Mira Agents and Mira Brain;
participation in Mira Tribes and the Mira community;
exchanges with customer support.

Article 3 — Data Collected and Purposes

3.1 Registration and Profile Data

Data	Purpose	Legal Basis
First name, last name	Identification, personalisation	Performance of contract
Email address	Communication, authentication	Performance of contract
Password (hashed)	Authentication	Performance of contract
Date of birth	Age verification (18 years), destination eligibility	Performance of contract
Nationality	Destination eligibility (visa), personalisation	Performance of contract
Mobile phone number	Communication, notifications, emergency assistance	Performance of contract
Country of tax residence (requested at time of payment)	Application of VAT rate	Legal obligation
Occupation / professional activity	Personalisation, Mira Tribes assignment	Consent
Profile photo	Community identification	Consent
Travel preferences	Personalisation, AI recommendations	Consent

3.2 Booking and Travel Data

Data	Purpose	Legal Basis
Passport scan	Identity verification (KYC)	Performance of contract + legal obligation
MRZ data extracted from passport (name, nationality, date of birth, expiry date, document number)	KYC, destination eligibility	Performance of contract
Departure city	Price calculation (flight supplement)	Performance of contract
Booking history	Account management, loyalty discounts	Performance of contract
Travel insurance proof	Verification of booking prerequisite	Performance of contract
Payment data	Transaction processing (via Stripe)	Performance of contract

3.3 Platform Usage Data

Data	Purpose	Legal Basis
Connection logs	Security, fraud prevention	Legitimate interest
Conversations with Mira Agents and Mira Brain	Service operation, AI model improvement	Performance of contract (operation) / Legitimate interest (improvement)
Messages in Mira Tribes	Service operation, moderation	Performance of contract
Private messages (DMs)	Service operation	Performance of contract
Navigation data (analytics)	UX improvement	Consent (Clarity) / Exempt (Plausible)

3.4 Communication Data

Data	Purpose	Legal Basis
History of support exchanges	Customer service	Performance of contract
Notification preferences	Targeted communication	Consent
Email address (newsletters)	Commercial prospecting	Consent (opt-in)

Article 4 — Legal Basis for AI Model Improvement

The User's conversations with Mira Agents and Mira Brain may be used to improve the quality of responses and enrich Mira Knowledge (proprietary knowledge base).

This processing is based on the legitimate interest of Hello Mira (Article 6.1.f of the GDPR), following a balancing exercise against the rights and freedoms of Users:

Interest pursued: continuous improvement of the relevance and reliability of information provided to Nomads, in a field (travel, visas, health, taxation) where the quality of information is critical;
Protective measures: anonymisation of data prior to use for training, data minimisation, User's right to object.

The User may at any time object to the use of their conversations for AI model improvement, via their account settings or by email to [email protected]. This objection applies to future conversations.

Article 5 — Data Recipients

5.1 Internally

Data is accessible to Hello Mira's operational teams (customer support, travel operations, technical, marketing) strictly to the extent necessary for the performance of their functions.

5.2 Technical Sub-processors

Hello Mira engages the following sub-processors for the processing of personal data:

Sub-processor	Service	Data Location	Transfer outside EU
OVHcloud	Hosting, infrastructure	France / EU	No
Supabase (AWS Stockholm)	Database, authentication	Sweden (EU)	No
Stripe	Payments, Stripe Connect (escrow)	EU (US headquarters)	Possible (SCCs)
Brevo	Emailing, newsletters	France	No
Cloudflare	CDN, DDoS protection	EU caches (US headquarters)	Possible (SCCs)
Duffel	Flight API	United Kingdom	No (adequacy decision)
Vonage	Communications (SMS, voice)	US headquarters	Likely (SCCs)
Firebase (Google)	Push notifications	US headquarters	Likely (SCCs)
Plausible	Web analytics	EU	No
Microsoft Clarity	Behavioural analytics (heatmaps, session replays)	US headquarters	Likely (SCCs)
Google Gemini	Generative AI (Mira Brain)	US headquarters	Likely (SCCs)
Anthropic (Claude)	Generative AI (Mira Brain)	US headquarters	Likely (SCCs)
OpenAI (GPT)	Generative AI (KYC investigation, Mira Brain)	US headquarters	Likely (SCCs)
Mistral AI	Generative AI (Mira Brain)	France	No

Note: Hello Mira is committed to a progressive approach to technological sovereignty, with the development of proprietary AI models hosted in the EU, aimed at reducing dependence on non-European providers.

Each sub-processor is bound by a data processing agreement compliant with Article 28 of the GDPR.

5.3 Travel Partners (at the time of actual sale)

In the context of the execution of a Mira Trip, certain data may be transmitted to travel service providers:

Accommodation providers (coliving, hotels): data strictly necessary for the booking (name, dates, preferences);
Airlines: passenger data required by aviation regulations;
Mira Amigos: limited data (first name, interests).

Transmission of passport to service providers: with the explicit consent of the Traveller, Hello Mira may transmit passport data to travel operators (airlines, accommodation providers) who require it for administrative formalities. This consent is optional, separate and revocable at any time.

5.4 Authorities

Data may be disclosed to competent authorities in response to a legal obligation (tax authorities, judicial authorities, etc.).

5.5 Marketing Sharing

Hello Mira may share anonymised and aggregated data (which does not allow Users to be identified) with marketing partners for statistical analysis and campaign improvement purposes.

No personally identifiable data is shared with marketing partners without the User's express consent.

Article 6 — Transfers outside the European Union

Some of Hello Mira's sub-processors are established outside the European Union, primarily in the United States (Stripe, Cloudflare, Vonage, Firebase, Google Gemini, Anthropic, OpenAI, Microsoft Clarity).

These transfers are governed by the following safeguards:

Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated into the contracts with the relevant sub-processors;
Adequacy decisions of the European Commission, where applicable (e.g.: United Kingdom for Duffel);
Additional measures: encryption of data in transit and at rest, minimisation of data transmitted.

Hello Mira ensures that only data strictly necessary for the purpose of the processing is transmitted. In particular, sensitive data (passport scan) is not transmitted to AI providers, except for the KYC process (name investigation via OpenAI GPT-4.1 Vision), for which the data transmitted is limited to the strict minimum and subject to OpenAI's SCCs.

Article 7 — Retention Periods

Type of data	Retention period
Active account data	Duration of the contractual relationship
Account data after deletion	3 years (limitation period, dispute management)
Account data after inactivity (without deletion)	Archived after 24 months of inactivity, deleted after 36 months
Booking data	Duration of the contract + 5 years (accounting obligations)
Invoices and payment data	10 years (accounting obligation, Art. L123-22 Code de commerce [French Commercial Code])
Passport scan — rejected/failed	24 hours after rejection
Passport scan — validated, `retain_document = false`	Image deleted 30 days after validation; MRZ data retained for as long as the Mira Pass is active
Passport scan — validated, `retain_document = true`	Retained for as long as the Mira Pass is active + 90 days grace period after expiry
Passport scan — right to erasure	Immediate soft delete + physical deletion within 30 days
AI conversations (active account)	Duration of the contractual relationship
AI conversations (after account deletion)	Anonymised within 30 days (content retained anonymously for service improvement)
Mira Tribes messages / DMs	Anonymised after account deletion
Connection logs	1 year (CNIL recommendation)
Prospecting data	3 years after the last contact
Cookies and trackers	Maximum 13 months (CNIL recommendation)
Promotional credits	12 months from the date of attribution

Article 8 — Data Security

8.1 Technical Measures

Hello Mira implements the following security measures:

encryption of data in transit (TLS/SSL) and at rest;
strict access control based on roles (RBAC);
logging of all access to sensitive files (notably passport scans), with full traceability;
pre-signed URLs with limited validity (15 minutes) for access to sensitive files;
hosting on certified servers (OVHcloud) located in France and the EU;
pseudonymisation of data where technically possible.

8.2 Organisational Measures

internal security policy;
raising team awareness of data protection issues;
access to data restricted to authorised personnel, in compliance with the principle of data minimisation.

8.3 Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals:

the CNIL (Commission Nationale de l'Informatique et des Libertés, French Data Protection Authority) is notified within 72 hours;
the data subjects are informed as soon as possible if the risk is high.

Article 9 — User Rights

In accordance with Articles 15 to 22 of the GDPR, the User has the following rights:

Right	Description
Right of access (Art. 15)	Obtain a copy of all their personal data
Right to rectification (Art. 16)	Correct inaccurate or incomplete data
Right to erasure (Art. 17)	Request the deletion of their data ("right to be forgotten")
Right to restriction (Art. 18)	Restrict processing in certain cases (contestation, unlawfulness)
Right to data portability (Art. 20)	Retrieve their data in a structured, machine-readable format
Right to object (Art. 21)	Object to processing for legitimate reasons (notably to the use of conversations for AI improvement)
Right to withdraw consent	At any time, without affecting the lawfulness of prior processing
Right not to be subject to automated decision-making (Art. 22)	Not to be subject to a decision based solely on automated processing producing legal or similarly significant effects

9.1 Automated Decisions

Hello Mira uses an automated system for identity verification (KYC): the passport scan is analysed by an AI that compares MRZ data with profile information. This system may automatically validate or reject an identity verification.

The User has the right to contest any automated decision and to request human intervention by contacting customer support at [[email protected]]. A manual investigation system is provided for disputed cases.

9.2 Exercise of Rights

The User may exercise their rights:

by email to [email protected];
by post to CES Venture SAS — Euratechnologies, 165 avenue de Bretagne, 59000 Lille, France.

Hello Mira undertakes to respond within one (1) month of receipt of the request. This deadline may be extended by two months in the case of a complex request, in which case the User is informed of the additional delay.

Verification of the applicant's identity may be required to process the request.

9.3 Deletion of AI Conversation History

The User may request the deletion of their conversation history with Mira Agents and Mira Brain by contacting [email protected].

Article 10 — Cookies and Trackers

10.1 Strictly Necessary Cookies

These cookies are essential for the operation of the Platform (authentication, security, session management). They do not require the User's consent.

10.2 Analytical Cookies

Plausible: a privacy-friendly analytics tool that does not place cookies and does not collect personal data. No consent is required.

Microsoft Clarity: a behavioural analysis tool (heatmaps, session replays). Clarity places cookies and processes personal data. Its activation is subject to the prior consent of the User via the cookie banner.

10.3 Consent Management

On their first visit, the User is invited to express their choice via a cookie banner. Refusal is as easy as acceptance. Trackers subject to consent are only activated after explicit acceptance.

The User may modify their preferences at any time from the Platform settings.

Cookies have a maximum lifespan of 13 months in accordance with the recommendations of the CNIL (Commission Nationale de l'Informatique et des Libertés, French Data Protection Authority).

Article 11 — Minors' Data

The Platform is not intended for persons under the age of 18. Hello Mira does not intentionally collect personal data from minors.

If Hello Mira becomes aware that data from a minor has been collected, such data will be deleted as soon as possible.

Article 12 — Amendments to the Privacy Policy

Hello Mira reserves the right to amend this Privacy Policy. In the event of a material change, Users will be informed by email and/or by in-app notification at least 30 days before the change takes effect.

Article 13 — Contact and Complaints

Personal data contact point: [email protected]

In the event of an unresolved complaint, the User may refer the matter to the competent supervisory authority:

Commission Nationale de l'Informatique et des Libertés (CNIL)

3 Place de Fontenoy — TSA 80715

75334 Paris Cedex 07

Website: www.cnil.fr

Users residing in another EU Member State may also refer the matter to the data protection authority of their country of residence.