Privacy Policy

Effective Date: February 2026

At MIXR ("we", "us", or "our"), your privacy is our priority. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use our website, applications, AR features, and related services (collectively, the "Services"). If you do not agree with this policy, please do not access or use the Services.

1. Information We Collect

1.1 Information You Provide as a Registered User

When you create an account, we collect: full name, email address, job title, company name, phone number, profile photo (optional), username, category of use, and timezone. If you use Google OAuth, Google provides your name and email address to us.

When you build a digital card or microsite, we store the content you input: text, images, videos, 3D model files, links, VCF contact card data, experience configuration settings, passwords for password-protected experiences (stored in plaintext — see Security section), NFT metadata (token IDs, transaction hashes, blockchain network), and contact form field configuration.

When you use Card Scanning, we receive the image you capture and transmit it to third-party AI services as described in Section 2.

1.2 Information Collected Automatically from Visitors

When any person visits a public microsite or digital card page (a "Visitor"), we automatically collect and store in our database, without requiring authentication or consent:

  • Page view count (total and unique per day; uniqueness determined by a browser localStorage key)
  • Link click count (total and unique per day)
  • VCF download count and QR code scan count
  • Device type (inferred from User-Agent string: Mobile, Tablet, or Desktop)
  • Traffic source (inferred from HTTP Referer header)
  • Country (derived by sending the Visitor's IP address to ipapi.co, a third-party geolocation service)

This data is written directly to our database in an unauthenticated operation. No persistent tracking cookie is set; uniqueness tracking uses the Visitor's browser localStorage.

1.3 Information Collected from Visitors via Contact Form

If a User has enabled a contact form on their microsite, Visitors who submit it provide: name, email address, phone number (optional), company (optional), job title (optional), and notes (optional). This data is:

  • Stored in our database under the card owner's account
  • Sent to the card owner via email notification
  • Used to send the Visitor a confirmation email containing links to the card owner's VCF file and microsite

Visitors submitting a contact form are not MIXR Studios customers. MIXR Studios processes this data as a processor on behalf of the card owner (the controller). See Section 7.

1.4 Usage and Technical Data

When you use the Studio dashboard, we collect standard server logs via Firebase and our hosting infrastructure, including IP addresses, browser type, pages visited, and timestamps. Firebase Auth uses HttpOnly session cookies for authentication.

2. AI-Assisted Card Scanning and Third-Party AI Services

We use OpenRouter, Inc. (openrouter.ai) as an API intermediary to access AI model capabilities. When you use Card Scanning:

  • The business card image is encoded as a base64 JPEG and transmitted over HTTPS to our server.
  • Our server transmits this image to the OpenRouter API.
  • OpenRouter routes the request to the Google Gemini 2.5 Flash Lite model for text extraction.
  • The extracted contact fields (name, title, company, email, phone) are returned to your MIXR Studio session. The image is not stored by MIXR Studios after the API call completes.

The image (which may include the personal information of a third party) is processed by OpenRouter and Google per their respective privacy policies. We do not use images submitted through Card Scanning to train our own models.

3. How We Use Your Information

  • Provide and Maintain the Services — create your account, host your public profile, and ensure our AR and AI features function correctly.
  • Personalize Your Experience — tailor content and information we display to you.
  • Improve Our Platform — analyze usage trends, track marketing effectiveness, and develop new features.
  • Communicate With You — send administrative information, security alerts, customer support responses, and marketing communications (which you can opt out of at any time).
  • Ensure Security — protect our Services, monitor fraudulent activity, verify accounts, and enforce our Terms of Service.

4. Third-Party Service Providers

We share data with the following third parties as necessary to operate the Service:

ProviderPurposeData Shared
Google LLC (Firebase)Database, authentication, file storageAll user and visitor data
OpenRouter, Inc.AI API routing for Card ScanningCard images (base64 JPEG)
Google LLC (Gemini)AI model for Card ScanningCard images via OpenRouter
Zappar LimitedAR experience deliveryExperience config, asset URLs, card owner contact info encoded in AR payload
ipapi.coCountry geolocation for analyticsVisitor IP addresses
QuickChart.ioQR code generationQR code content strings (your microsite URL)
Gmail SMTP (Google)Transactional email deliveryRecipient email, name, card links

We do not sell personal data to third parties for advertising purposes.

We may also share data in connection with a merger, acquisition, or sale of company assets, and when legally required (e.g., court order, subpoena, legal process).

5. Lawful Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following lawful bases under GDPR Article 6:

Processing ActivityLawful Basis
Creating and managing your registered accountContract (Art. 6(1)(b))
Sending welcome and account communicationsContract (Art. 6(1)(b))
Analytics tracking of Visitors to public micrositesLegitimate interests (Art. 6(1)(f)) — providing card owners with engagement metrics. Visitors may object by contacting privacy@mixrstudios.com.
Storing CRM contact data you addContract (Art. 6(1)(b)) — stored as your processor to operate the CRM feature
Card Scanning (transmitting images to AI APIs)Legitimate interests (Art. 6(1)(f)) — the User is responsible for obtaining any required consent from the scanned party
Sending Visitor confirmation emailsLegitimate interests (Art. 6(1)(f)) — transactional communications following Visitor's own form submission
Fraud prevention and securityLegitimate interests (Art. 6(1)(f))

6. Public Information and Your Profile

Any User Content you explicitly add to your published MIXR Site will be publicly accessible to anyone on the internet who possesses your unique URL or scans your custom QR code. This includes search engines, which may index your public MIXR profile. Please do not place sensitive, highly confidential, or privately identifiable information on your public profile that you do not wish to share publicly.

7. Data Controller and Processor Roles

  • MIXR Studios as Controller: MIXR Studios is the data controller for information about registered Users (account data, billing data, usage logs).
  • MIXR Studios as Processor: When a registered User stores third-party contact data in the CRM (contacts from Visitors, imported contacts, or card-scan results), MIXR Studios acts as a processor on behalf of the User (who is the controller). We process this data only to provide the CRM features.
  • Data Processing Agreements: If you are a business using MIXR Studio and need a DPA, contact privacy@mixrstudios.com.
  • Data Subject Requests for CRM Contacts: Individuals whose data you have stored as CRM contacts have rights under applicable law. You are responsible as the controller for responding to such requests. MIXR Studios will cooperate with your requests to delete contact records upon instruction through the platform or by emailing privacy@mixrstudios.com.

8. Visitor Rights and Notice

If you are a Visitor who accessed a MIXR microsite and wish to exercise any rights, contact us at privacy@mixrstudios.com or use our Data Request Form.

  • Analytics Data: We collect analytics automatically without consent. If you are in the EU/EEA and object, you may contact us to request deletion. Because analytics are stored in aggregate without persistent visitor identifiers, we may be unable to identify individual visit records.
  • Contact Form Data: If you submitted a contact form, your data is stored under the card owner's account. MIXR Studios is a processor; the card owner is the controller. We will relay deletion requests to the relevant card owner within 30 days.
  • Emails: If you received a confirmation email after submitting a contact form and do not wish to receive future emails from MIXR Studios, you may click the unsubscribe link in the email or email privacy@mixrstudios.com.

9. Cookies and Local Storage

MIXR Studios does not serve a cookie consent banner. The following storage mechanisms are in use:

  • HttpOnly Session Cookie (Firebase Auth): Set when you sign in. Required for authentication and cannot be disabled without logging out.
  • Browser localStorage (Visitor Analytics Deduplication): When a Visitor views a microsite, MIXR Studios writes a key in the format mixr_view_{experienceId}_{date} to the Visitor's browser localStorage to determine whether a view should be counted as "unique" for that day. This data is not transmitted to MIXR Studios servers.

We do not use third-party advertising cookies. Zappar's iframe may use cookies governed by Zappar's own cookie policy.

10. Data Security

We implement reasonable technical and organizational measures to protect your data, including Firebase security rules, HTTPS for all data in transit, rate limiting on public API endpoints, constant-time password comparison for experience access passwords, and allowlisted domains for asset proxying.

Passwords for password-protected experiences are stored in plaintext in our database. Do not use a password for a protected experience that you use for any other service.

No internet transmission or electronic storage is 100% secure. We cannot guarantee that hackers or unauthorized third parties will not be able to defeat our security measures.

Data Breach Notification: In the event of a breach likely to result in a risk to your rights and freedoms, MIXR Studios will notify affected Users within 72 hours of becoming aware of the breach. If you are in the EU/EEA, we will report qualifying breaches to the relevant supervisory authority. Notification will be sent to the email address associated with your account.

11. Data Retention

  • Account Data: Retained for the duration of your account. Upon account deletion, we delete your profile, experiences, and stored files. Some data may be retained in backups for up to 90 days.
  • CRM Contact Data: You may configure a data retention period in Settings > CRM. Contact support@mixrstudios.com to confirm retention enforcement for your account.
  • Visitor Analytics: Retained indefinitely unless you delete the associated experience.
  • Card Scan Images: Not retained by MIXR Studios. Images are transmitted to AI providers and not stored on MIXR Studios servers after the API response is received.
  • Transactional Email Logs: May be retained for up to 90 days for troubleshooting and compliance purposes.

12. Your Privacy Rights (GDPR, CCPA/CPRA, UK GDPR)

Depending on your location, you may have the following rights regarding your personal data:

  • Right to Access / Know — request a copy of the personal data we hold about you
  • Right to Rectification / Correction — request correction of inaccurate or incomplete data
  • Right to Erasure (Right to be Forgotten) — request deletion of your personal data (you can also use the "Delete Account" function in your dashboard)
  • Right to Restrict Processing — request we temporarily or permanently stop processing your data
  • Right to Data Portability — request a copy of your data in electronic format
  • Right to Opt-Out of Sale/Sharing — we do not sell your personal data. To the extent sharing data with ipapi.co and Zappar constitutes "sharing" under CCPA's broad definition, you may opt out by emailing privacy@mixrstudios.com with "CCPA Opt Out" in the subject or by using our Do Not Sell or Share form. We do not currently automatically honor Global Privacy Control (GPC) signals.
  • Right to Non-Discrimination — we will not discriminate against you for exercising these rights

To exercise any of these rights, contact us at privacy@mixrstudios.com or use our Data Request Form. We will respond within 30 days (GDPR) or 45 days (CCPA). We will not charge a fee for your first request per 12-month period.

13. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), as described in Section 12 above.

To submit a verifiable consumer request, email privacy@mixrstudios.com or use our Data Request Form. We will respond within 45 days.

California residents may also submit a Do Not Sell or Share My Personal Information request at any time.

14. International Data Transfers

MIXR Studios is headquartered in the United States. Your information may be transferred to, stored, and processed in the U.S. or other countries where our servers or service providers are located. When we transfer data originating from the EEA, UK, or Switzerland, we utilize standard contractual clauses or other legally approved transfer mechanisms.

15. Children's Privacy

Our Services are not directed to children under the age of 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without your consent, contact us immediately. If we become aware that we have collected such information, we will take steps to securely delete it.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page, updating the "Effective Date," and (where applicable) sending a notification to the email address associated with your account.

17. Contact Us

If you have questions, comments, or concerns about this Privacy Policy or our data practices, or wish to exercise your privacy rights, contact us at:

privacy@mixrstudios.com

MIXR Studios, LLC, 1143 Vine St., Los Angeles, CA 90038

Or use our Data Request Form for structured requests (access, deletion, correction, opt-out).

Terms of ServiceData RequestBack to MIXR