Privacy Policy
Last updated: February 12, 2026
1. Introduction
Welcome to Mimic ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you have a positive experience when using our AI-powered voice matching and tweet scheduling service.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at usemimic.app (the "Service"). Please read this policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.
2. Information We Collect
Account Information
When you create an account, we collect your email address, name, and profile picture. We also store your timezone preferences for scheduling features.
Twitter Data
To provide our voice matching service, we collect and analyze your Twitter data, including:
- Your Twitter handle, user ID, and display name
- Verification status
- OAuth access and refresh tokens (stored securely)
- Past tweets (text and engagement metrics) for voice analysis
- Voice fingerprint data (80+ linguistic metrics extracted from your writing style)
Important: Voice fingerprints are linguistic profiles based on writing patterns, not biometric data. They analyze characteristics like vocabulary, punctuation, sentence structure, and tone.
Payment Information
Payments are processed by our third-party provider, Polar.sh. We do not store your credit card details. We receive and store:
- Subscription status and plan type
- Billing dates
- Polar customer ID
Usage Data
We automatically collect information about how you use our service:
- Generation and publish counts
- API usage (tokens consumed, costs)
- Session data and IP addresses
- Pages visited and features used
3. How We Use Your Information
We use collected information to:
- Provide and maintain our service — Including account creation, authentication, and core features
- Analyze your voice — Extract linguistic patterns from your tweets to create your voice fingerprint
- Generate content — Use AI models to create tweets that match your voice
- Schedule and publish — Post content to your Twitter account on your behalf
- Process payments — Manage subscriptions and billing
- Communicate with you — Send service updates, security alerts, and support responses
- Improve our service — Analyze usage patterns and optimize performance
4. AI Model Training
We do not use your personal data to train AI models. Your tweets, voice fingerprints, and generated content are used solely to provide you with our service.
- Your past tweets are processed to create your voice fingerprint and are used as RAG (retrieval-augmented generation) context for content generation
- Voice fingerprint data is used exclusively for generating content that matches your writing style
- We may use anonymized, aggregated usage statistics (not personal content) to improve service quality and performance
- Third-party AI providers (OpenRouter, Vertex AI) process your generation requests in real time and do not retain your data for model training under our data processing agreements
5. Data Sharing and Third-Party Services
We do not sell your personal data. We share data only with the following service providers who help us operate:
| Service | Purpose | Data Shared |
|---|---|---|
| Convex | Database and backend | All user data (encrypted) |
| Polar.sh | Payment processing | Email, subscription info |
| Resend | Email delivery | Email address, content |
| Twitter/X API | OAuth and posting | Access tokens, tweets |
| OpenRouter | AI content generation | Voice context, topic, style examples |
| Vertex AI | AI fallback provider | Voice context, topic, style examples |
| Vercel | Hosting and analytics | Page views, performance |
We may also share data when required by law or to:
- Comply with legal obligations
- Protect our rights and safety
- Prevent fraud or security threats
We will notify you of any changes to our sub-processors that may affect the processing of your personal data. An updated list of sub-processors is maintained on this page.
6. Data Retention
- Active accounts: We retain your data for as long as your account is active and as needed to provide our services.
- Account deletion: When you delete your account, we remove your personal data within 30 days. Some data may be retained in backups for up to 90 days.
- Tweet data: Imported tweets and embeddings are retained while your account is active and deleted within 30 days of account deletion.
- Voice fingerprints: Linguistic profiles are deleted immediately upon account deletion.
- Generated content: Drafts and scheduled tweets are deleted within 30 days of account deletion. Published tweets remain on Twitter/X independently.
- Usage logs: API usage logs and analytics data are retained for 12 months, then automatically purged.
- Anonymized data: We may retain anonymized, aggregated analytics data indefinitely to improve our service.
7. Your Privacy Rights
For EU/EEA Users (GDPR)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Data portability: Receive your data in a machine-readable format
- Restriction: Request limited processing of your data
- Object: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time where processing is based on consent
- Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully
For California Users (CCPA)
- Right to know: Request information about what personal data we collect and how we use it
- Right to delete: Request deletion of your personal data
- Right to opt-out: We do not sell personal data, so this right does not apply
- Non-discrimination: We will not discriminate against you for exercising your rights
CCPA Categories of Personal Information
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, Twitter handle)
- Internet activity (browsing history, usage data, interaction with our service)
- Professional information (Twitter content, engagement metrics)
- Inferences (voice fingerprints, linguistic profiles derived from your content)
To exercise these rights, contact us at support@usemimic.app.
8. Automated Decision-Making
Under GDPR Article 22, you have the right to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Mimic uses automated processing in the following ways:
- Voice fingerprint extraction: Automated analysis of your tweets to build a linguistic profile
- Content generation: AI-powered creation of tweet drafts based on your voice profile
- Content scoring: Automated quality scoring of generated content against your voice fingerprint
These automated processes generate suggestions only and do not make decisions with legal or similarly significant effects. You always retain full control over whether to publish, edit, or discard any generated content. If you have concerns about automated processing, contact us at support@usemimic.app.
10. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: Data is encrypted at rest and in transit using TLS 1.3
- Secure storage: Hosted on Convex's secure cloud infrastructure
- OAuth token protection: Twitter tokens are stored securely and never exposed client-side
- Access controls: Strict access controls limit data access to authorized personnel
While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected users without undue delay when the breach is likely to result in a high risk to your rights and freedoms
- Provide details about the nature of the breach, the likely consequences, and the measures taken or proposed to address it
- Document all breaches internally, including those that do not require notification, along with remediation steps taken
Notifications will be sent via email to the address associated with your account.
12. Children's Privacy
Mimic is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete that information promptly.
13. International Data Transfers
Your data may be transferred to and processed in countries other than your own, including the United States. These countries may have different data protection laws. By using our service, you consent to such transfers.
We ensure appropriate safeguards are in place, including standard contractual clauses where applicable.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
We encourage you to review this page periodically for the latest information.
15. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data based on the following legal grounds:
- Contract performance: Processing necessary to provide the services you requested
- Legitimate interests: Processing for fraud prevention, security, and service improvement
- Consent: Processing based on your explicit consent (e.g., marketing communications)
- Legal obligations: Processing required to comply with applicable laws
16. Contact Us
If you have questions about this Privacy Policy or our data practices, or wish to exercise your privacy rights, contact us at:
For GDPR-related inquiries, you may also contact your local data protection authority.