Privacy Policy
Last updated: April 20, 2026
This is a plain-language summary, not individualized legal advice. Consult a lawyer for your situation.
Mimicly (“we”, “us”) operates mimicly.net from Türkiye and serves customers in the EU and globally. This policy explains what personal data we collect, why we collect it, and the rights you have over it. We act as the data controller for the information described below.
1. What we collect
- Account information: your email address, display name, and — if you sign in with Google — the basic profile fields Google returns (name, email, avatar URL, Google account ID).
- Authentication credentials: if you sign up with email and password, we store your password as a salted hash, never in plain text.
- Billing identifiers: subscription status, plan, and an identifier from the payment processor that handled your purchase (Lemon Squeezy for new web purchases, Apple / Google / RevenueCat for in-app purchases, or Stripe for legacy web purchases made before April 2026). We do not store full card numbers; the payment processor does.
- Export metadata and thumbnails: the design documents you save, small preview thumbnails, template used, and timestamps, so you can return to your work.
- Technical data: IP address, user-agent, and approximate location derived from IP, used for abuse prevention, rate limiting, and fraud detection.
- Support correspondence: emails you send to info@mimicly.net, retained so we can follow up.
2. Why we use it (legal bases)
- To provide the service — processing is necessary to perform our contract with you (GDPR Art. 6(1)(b)).
- To prevent abuse and keep the service secure — our legitimate interests (Art. 6(1)(f)).
- To comply with legal and tax obligations — Art. 6(1)(c).
- For optional cookies and communications — your consent (Art. 6(1)(a)), which you can withdraw at any time.
3. Cookies
We use a small number of cookies: an authentication session cookie so you stay signed in, a consent-preference cookie so we remember your cookie choice, and a short-lived Cloudflare Turnstile challenge cookie to block automated abuse. Full details are in our Cookie Policy. We do not use advertising or cross-site tracking cookies.
4. Third parties we share data with
- Lemon Squeezy (Lemon Squeezy LLC) (United States) — Merchant of Record and payment processor for purchases made on the website. Lemon Squeezy receives your email and billing data directly.
- Apple Inc. and Google LLC — payment processing for purchases made inside the Mimicly iOS or Android app. The store receives your billing data; we receive only the purchase receipt and an anonymized user identifier.
- RevenueCat, Inc. (United States) — reconciles App Store and Play Store purchase receipts and notifies our server which accounts are Pro.
- Stripe, Inc. (United States) — legacy web payment processor for customers who subscribed before April 2026. Stripe receives billing data only for the legacy customers it still serves.
- Google LLC (United States, Ireland) — only if you choose to sign in with Google. Google receives a sign-in request from us; we receive your basic profile in return.
- Cloudflare, Inc. (United States) — content delivery, DDoS protection, and the Turnstile bot-check challenge. Cloudflare processes your IP and request metadata.
- Our email infrastructure — a Postfix server we operate to send transactional email from noreply@mimicly.net and info@mimicly.net.
We do not sell your personal data, and we do not share it for advertising purposes.
5. International data transfers
Because Mimicly is operated from Türkiye and uses providers headquartered in the United States (Lemon Squeezy, Stripe, Google, Cloudflare), your data will be transferred outside the European Economic Area. For those transfers we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework certifications maintained by our processors.
6. How long we keep it
- Active accounts: we keep your data for as long as your account exists.
- After deletion: when you delete your account, personal data is purged from production systems within 30 days. Residual copies in encrypted backups roll off according to our backup schedule (up to 90 days).
- Billing records: invoices and payment records are retained for up to 10 years as required by Turkish tax and accounting law.
7. Your rights (GDPR and similar laws)
If you are in the EU, UK, or another jurisdiction with similar protections, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (“right to be forgotten”) where no legal obligation requires us to keep it.
- Receive a copy of your data in a portable format.
- Object to, or ask us to restrict, certain processing.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email info@mimicly.net from the address associated with your account. We respond within 30 days.
8. Security
We use HTTPS everywhere, hashed password storage, principle-of-least-privilege access controls, and encrypted backups. No system is perfectly secure; if we ever detect a breach affecting your personal data, we will notify affected users and the relevant supervisory authority within 72 hours as required by law.
9. Children
Mimicly is not intended for children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has created an account, contact us and we will delete the account and associated data.
10. Changes to this policy
When we update this policy, we will revise the “Last updated” date at the top. Material changes will be announced by email or in-app notice at least 14 days before taking effect.
11. Contact
Privacy questions and data-rights requests: info@mimicly.net.