Digital sanctuary

Security as sacred architecture

Your reflections are sacred. We built an invisible architecture so that every word you whisper here belongs to you alone. This is more than security — it is the craft of guarding the privacy of your becoming.

Sanctuary checklist

Invisible Shield · Record of Integrity · Clinical-grade stewardship · Consent-first sharing.

Certified HIPAA · BAA-ready · Audit logged

The Guarded Soul

We call our protection layer The Invisible Shield — a woven system of sealing, separation, and watchfulness that ensures every entry remains between you and the sanctuary.

Silent seals

Each reflection is sealed the moment you send it, long before it touches our storage vaults. Even if someone captured the raw storage, they would find only unreadable shapes with no key to unlock them.

Separate vaults

We keep the map to your words apart from the words themselves. The key lives in a guarded chamber, the text in another. Neither is useful without the other, and only you can bring them together.

Protective passage

Every request travels through shielded channels. We monitor for anomalies, cut off unsafe routes, and verify that the person knocking is truly you before anything is delivered.

Record of integrity

Trust is built on light. Every touch of your data creates a permanent entry in the Record of Integrity so that clinicians, regulators, and, most importantly, you can see exactly how your sanctuary is tended.

Visible stewardship

We log who accessed what, when, and why — from automated systems to human operators. Nothing slides in unnoticed.

Clinic-grade proofs

Linked providers receive clarity, not mystery. Each action they perform on shared data is recorded for their own compliance trail.

Immutable memory

The integrity record cannot be edited or hidden. If a regulator, therapist, or you need an audit, we can provide it instantly.

Clinical-grade sanctuary

We treat this space like a clinical facility — because many of our members work directly with licensed providers.

Certified HIPAA status

Our infrastructure is independently audited for HIPAA compliance. We maintain policies, security training, and rapid breach reporting channels worthy of a hospital system.

BAA on demand

Clinics receive an automated Business Associate Agreement workflow so administrators can sign, store, and verify our obligations without email chains.

Safety rituals

We run penetration tests, monitor intrusion alerts, and review access logs daily. Abnormal behavior is quarantined, investigated, and documented.

True ownership

You hold the key to your own door. Export everything, lock it away, or burn the archive — the choice is always yours.

Take it with you

Generate a machine-readable export anytime. We package your reflections, insights, and supporting context so you can store or share them on your terms.

Erase the trail

Deletion is permanent. Remove individual entries or your entire account, and backups follow within thirty days.

Silence the messenger

Control reminders, emails, and notifications in one place. Opt out and the sanctuary goes quiet until you invite it back.

Consent-first architecture

Nothing moves without your blessing. Every sharing flow begins with you opening the door.

How consent shapes the product

  • Granular sharing: Toggle “Share with Provider” on a single journal entry or your full notebook. We notify linked clinicians and log the event.
  • Provider invitations: Clinicians must accept your invitation through a secure portal before they can see anything.
  • Care-team transparency: When a clinician downloads or reviews a shared insight, the Record of Integrity reflects it.
  • Safety escalations: If our system detects high-risk language, you control whether a provider is notified. We surface guidance — you decide.

Need formal language? Read the full privacy covenant or execute a BAA at any time.

Stewardship practices

What we collect and why

  • Account essentials such as email, timezone, and login tokens keep your profile aligned with your schedule.
  • Your reflections, interviews, and optional context stay encrypted and exist only to power your reports and notebooks.
  • Diagnostics (crash logs, device model, OS version) help us maintain reliability — never to build advertising profiles.
  • Subscription receipts confirm billing compliance; full payment data stays with Stripe or Apple.

Data lives on U.S. servers with separate key management. EU/UK members are protected by contractual clauses and your explicit consent.

Your rights at a glance

  • Review or update account details inside Settings.
  • Request export or deletion anytime at support@trythemirror.com.
  • Report security concerns directly to security@trythemirror.com.
  • Contact your local regulator if we ever fall short — your jurisdictional rights are honored.

“A mind is a sanctuary. Our work is to keep the gates locked until you open them.”
— The Mirror Privacy Covenant