Privacy Policy
TruthMirror is designed for private reciprocal reflection. This page explains what the app handles and what users should understand before sharing answers.
Last updated: 11 June 2026
1. What TruthMirror does
TruthMirror lets a creator make a private mirror containing questions and their own reflections. A recipient answers first, and the creator’s reflection unlocks only according to the selected mirror mode.
2. Information the app may store
The app may store account information, mirror titles and descriptions, question text, creator reflections, recipient answers, invite/session records, timer state, basic audit records, and lightweight analytics such as invite views and answer opens.
3. Who can see answers
Recipient answers are visible to the person who created or sent the mirror. Creator reflections are revealed to the recipient only after the recipient answers according to the mirror’s unlock rules.
4. Sensitive information
TruthMirror can invite deep personal answers. Share only what you are comfortable sharing. Do not use the app to submit emergency, crisis, medical, legal, financial, or self-harm information.
5. Storage and security
The app uses server-side access checks, CSRF protection, password hashing, hashed password-reset tokens, invite controls, and an encryption-at-rest foundation for newly saved answers when an encryption key is configured. Older plain-text answers remain readable for backward compatibility until a future migration pass encrypts them. This MVP should not be treated as end-to-end encrypted unless a future deployment explicitly adds that capability.
6. Password recovery
Password reset links are never displayed publicly. Account recovery requires configured mail and a configured canonical App URL.
7. Self-hosted deployments
If this app is installed on a self-hosted or cPanel server, the site owner/admin is responsible for hosting security, mail configuration, backups, domain configuration, HTTPS, and any legal/privacy obligations for their jurisdiction.
8. Data deletion and retention
Recipients can delete their response session for a mirror from the answer page. Users can delete their account from Settings after password confirmation. Account deletion removes the user row and relies on database relationships to delete user-owned mirrors, answers, sessions, tokens, and related records where applicable.
9. Contact
For privacy or misuse concerns, contact the operator of this TruthMirror installation.