Back to home

Legal

Privacy Policy

Last updated: 1 April 2026 · Effective immediately

In plain English

  • Your photos are processed on your device and never stored on our servers.
  • We collect only what we need to give you a personalised plan: name, email, and your goals.
  • We never sell your data and we never share it without a lawful basis.
  • You can ask us to delete everything we hold about you at any time.

This Privacy Policy explains how ShapeMirror Ltd ("ShapeMirror", "we", "us", or "our") collects, uses, shares, and protects your personal information when you use our website, mobile applications, and related services (together, the "Service").

We are the data controller for the personal data we process about you under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

1. Who we are

ShapeMirror Ltd, a company registered in England and Wales (Company No. 14572839), with registered office at:

20 Eastbourne Terrace
London W2 6LA
United Kingdom

Registered with the Information Commissioner's Office (ICO) under reference ZA987654. VAT registered: GB 412 3956 78.

For any privacy-related question, contact our Data Protection point of contact at privacy@shapemirror.com.

2. Information we collect

2.1 Information you give us

  • Account information: name, email address, and a password (stored as a salted hash).
  • Goal information: your selected goal, target weight (if provided), activity level, and other preferences you enter.
  • Communications: the content of any message you send us via email, contact form, or in-app support.

2.2 Photos you upload

When you use the body-mapping feature, your photos are processed locally on your device. Only anonymised body-shape measurements (e.g. circumference estimates and proportion ratios) are transmitted to our servers to generate your plan. The original photos are not uploaded, not stored, and not retained by ShapeMirror.

Body measurement data is treated as special category data (health data) under Article 9 of the UK GDPR. We process it only with your explicit consent (which you give when you confirm a plan) and only for the purpose of providing the Service.

2.3 Information we collect automatically

  • Usage data: pages viewed, features used, timestamps, and aggregate activity patterns.
  • Device data: device type, operating system, browser type, language, and approximate location derived from IP address (city-level only).
  • Cookies: see Section 9 below.

2.4 Information from third parties

If you sign up using a third-party identity provider (e.g. Apple or Google sign-in), we receive your name and email from that provider. We do not receive your social-network contact list, photos, or any other content.

3. How we use your information

We use your information for the following purposes, each with the lawful basis identified:

  • To provide the Service (lawful basis: performance of a contract) — generating your plan, tracking progress, sending transactional emails such as account confirmations and password resets.
  • To personalise your plan (lawful basis: explicit consent for special-category data) — using your goal, body measurements, and progress to tailor weekly recommendations.
  • To improve the Service (lawful basis: legitimate interest) — analysing aggregated, anonymised usage patterns to understand which features help users most.
  • To communicate with you (lawful basis: consent for marketing; legitimate interest for product updates) — sending you product updates, tips, and occasional marketing. You can opt out of marketing at any time using the unsubscribe link in any email.
  • To prevent fraud and ensure security (lawful basis: legitimate interest) — detecting and preventing unauthorised access or abuse.
  • To comply with legal obligations (lawful basis: legal obligation) — responding to lawful requests from public authorities and meeting record-keeping requirements.

4. Who we share information with

We never sell your personal data. We share data only with carefully selected service providers ("processors") who help us run the Service, and only where necessary:

  • Cloud hosting: Amazon Web Services (eu-west-2, London region).
  • Transactional email: Postmark (delivery of account and plan emails).
  • Payment processing: Stripe Payments UK Ltd (handles billing for paid plans; we do not store your card details).
  • Privacy-respecting analytics: Plausible Analytics (cookie-free, aggregated, no personal identifiers).
  • Customer support tooling: Help Scout (handles support tickets).

All processors are bound by written data processing agreements that meet UK GDPR standards.

We may also disclose information when required by law, court order, or to protect the rights, property, or safety of ShapeMirror, our users, or others.

5. International transfers

Your data is stored in the United Kingdom. Where any of our processors are located outside the UK or the European Economic Area, transfers are protected using the UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate supplementary measures.

6. How long we keep your data

  • Account data: for as long as your account is active, plus 30 days after account closure for backup hygiene.
  • Plan and progress data: for the duration of your subscription, plus 12 months after, so you can resume without losing your history.
  • Body measurement data: deleted within 24 hours of generating your plan; only the resulting plan is retained.
  • Billing records: 6 years (to meet HMRC requirements).
  • Support tickets: 24 months from the last interaction.

You can request earlier deletion at any time (see Section 7).

7. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests, including for marketing.
  • Withdraw consent — withdraw any consent you previously gave, without affecting prior lawful processing.
  • Lodge a complaint — with the UK Information Commissioner's Office (ico.org.uk) if you believe we have not handled your data lawfully.

To exercise any of these rights, email privacy@shapemirror.com. We will respond within one calendar month.

8. How we protect your data

We use technical and organisational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest (AES-256), strict access controls based on the principle of least privilege, regular penetration testing, and an incident response process aligned with UK GDPR breach-notification requirements.

Despite our best efforts, no system is perfectly secure. If we ever suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours, in line with UK GDPR.

9. Cookies and similar technologies

We use a small number of cookies and similar technologies to operate the Service:

  • Strictly necessary cookies — for sign-in, security, and remembering your session. These cannot be turned off.
  • Preference cookies — to remember your settings (e.g. units, language).
  • Analytics — we use Plausible Analytics, which is cookie-free and does not track individuals.

We do not use advertising cookies or third-party tracking pixels. You can control cookies through your browser settings.

10. Children

The Service is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@shapemirror.com and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a prominent notice on the Service before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact us

If you have any questions about this Privacy Policy or how we handle your data:

Email: privacy@shapemirror.com
Phone: +44 20 7946 0345
Post:
Data Protection
ShapeMirror Ltd
20 Eastbourne Terrace
London W2 6LA
United Kingdom