The boring part.
In plain English

What you can do, and what breaks it

The service. stream.mirrorfractal.com (the "Service") is a software-as-a-service streaming platform operated by Mirror Fractal Lab S.L. (the "Company") at Valencia, Spain. By creating an account or using the Service you agree to these Terms.

Who can sign up. You must be at least 18 years old (or the age of majority where you live) and capable of forming a legally binding contract. Corporate accounts must be signed up by someone authorised to bind the entity.

Fees & payment. Plan prices, overage rates and currency are published at /pricing. Subscriptions renew automatically on the same calendar day each month unless cancelled. Payments are processed by our merchant of record (Paddle.com Market Limited or Stripe Payments Europe Ltd., shown at checkout) — they store and process your card details under PCI-DSS Level 1. We never see full card numbers. Applicable VAT / sales tax is added at checkout based on your billing country.

Cancel any time. Hobby (free), Startup and Pro have no minimum term. You can cancel from /dashboard/settings at any time. Enterprise contracts run a minimum of one year unless the MSA says otherwise.

Acceptable use. See section 04 · Acceptable use. We may suspend or terminate accounts that breach it, with notice except where notice would harm third parties (e.g. CSAM, ongoing fraud, active attacks).

Your content stays yours. You retain all ownership of the audio, video, geometry, telemetry and other data you transmit through the Service. We do not train models on it, resell it, or retain it longer than necessary to deliver the Service or meet legal retention obligations. See section 02 · Privacy for retention timelines.

Service availability. Pro tier carries a 99.9 % monthly uptime commitment; Enterprise 99.99 %. Credit schedule and exclusions in section 05 · SLA. Hobby and Startup are best-effort.

Warranty disclaimer & liability. The Service is provided "as is" and "as available". To the maximum extent permitted by law, the Company disclaims implied warranties of merchantability, fitness for a particular purpose, and non-infringement. The Company's aggregate liability for any claim shall not exceed the fees you paid in the twelve (12) months preceding the event giving rise to the claim. Nothing in these Terms excludes liability that cannot be excluded under applicable law (e.g. gross negligence, wilful misconduct, death or personal injury caused by negligence, consumer rights that cannot be waived).

Indemnification. You will indemnify and hold harmless the Company against third-party claims arising from your content or your breach of these Terms.

Governing law & venue. These Terms are governed by the laws of Spain. Disputes are submitted to the exclusive jurisdiction of the courts of Valencia, Spain — except where mandatory consumer-protection law grants you the right to bring a claim in your country of residence.

Changes. We may update these Terms; the effective date at the top of this section will change. Material changes are emailed to active customers at least 30 days before they take effect. Continuing to use the Service after the effective date constitutes acceptance.

Contact. Mirror Fractal Lab S.L. · Valencia, Spain · legal@mirrorfractal.com · full company details in section 09 · Impressum.

What we keep, and why

Controller. Mirror Fractal Lab S.L., Valencia, Spain. Email: privacy@mirrorfractal.com. We don't have a statutory Data Protection Officer because we don't meet the GDPR Art. 37 thresholds — for any privacy matter, the founder (Alex Solonsky) is the named contact and replies personally.

What we collect:

• Account & identity — email, name (optional), company (optional), password hash (PBKDF2-SHA256, 100k rounds). Legal basis: contract performance (GDPR Art. 6(1)(b)).
• Billing — name, billing address, VAT ID where applicable. Card details are tokenised by our merchant of record (Paddle / Stripe); we never see the PAN, CVV or expiry. Legal basis: contract + legal obligation (tax law).
• IP address & user-agent — for rate-limiting, abuse detection and regional routing. Legal basis: legitimate interest (Art. 6(1)(f)).
• Operational telemetry — per-stream bandwidth, layer counts, FEC recovery events, region. We do not inspect content. Legal basis: legitimate interest.
• Support communications — emails you send us and our replies. Legal basis: legitimate interest in supporting customers.
• Cookies — see section 06 · Cookies. Only strictly-necessary cookies are set without consent.

What we don't: cross-site tracking cookies, browser fingerprints, third-party advertising pixels, Google Analytics, Meta pixel, X pixel, or any data broker integration.

Retention. Operational telemetry: 90 days, then aggregated. Account data: while your account is active, then 30 days for backups before complete purge. Billing records: 7 years (EU tax law requires this). Support emails: 3 years. Deleted-account purges include encrypted off-site backups.

International transfers. Our hosting (Vercel · USA), edge CDN (Cloudflare · USA), email (Resend · USA), database (Upstash · USA/EU) and payment processor (Paddle · UK / Stripe · Ireland) may process data outside the EEA. Transfers are protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Full sub-processor list in section 07 · Sub-processors.

Your rights (GDPR Articles 15–22). You can:

• Access — download a JSON of everything we hold on you from Settings → Danger zone → Export everything.
• Rectify — edit your profile fields any time from Settings.
• Erase — "Delete workspace" from Settings; full purge within 30 days.
• Portability — the Export download is machine-readable JSON (Art. 20).
• Restrict / object — email privacy@mirrorfractal.com; we'll action within 30 days.
• Withdraw consent — toggle off in the cookie banner (footer link "Cookies"); we respect Do-Not-Track.
• Complain — to your local Supervisory Authority. In Spain that's the AEPD (aepd.es).

Automated decision-making. We do not make solely automated decisions that produce legal or similarly significant effects on you. Rate-limit blocks can be reviewed and lifted by emailing support.

Breach notification. If we ever suffer a personal-data breach likely to result in a risk to your rights, we notify the Supervisory Authority within 72 hours (GDPR Art. 33) and you without undue delay (Art. 34).

Changes to this notice. Material changes are emailed to active customers at least 30 days in advance; the effective date is at the top of this section.

When you get your money back

14-day cooling-off period (EU/EEA/UK consumers). If you are a consumer resident in the EU, the EEA or the UK, you have 14 days from the date of purchase to cancel and receive a full refund of the most recent payment, no questions asked — provided you have not used substantial service capacity (defined as > 25 % of the plan's monthly transfer quota). Email billing@mirrorfractal.com from the account address; refund is issued to the original payment method within 14 days.

SLA credits. If we fail the uptime commitment for your tier (Pro: 99.9 %; Enterprise: per MSA), you receive credit toward future invoices as defined in section 05 · SLA. SLA credits are the sole remedy for downtime.

Pro-rata on plan downgrade. Downgrading mid-cycle: unused full days on the higher tier are credited toward the new tier; no cash refund.

Annual prepay. Annual prepaid subscriptions cancelled before renewal: pro-rata refund of unused full months minus the discount you received vs. monthly billing.

Disputed charges. If you see an unexpected charge, contact us first at billing@mirrorfractal.com — we resolve almost every issue within 48 h, faster than a chargeback. We honour valid chargebacks from your card issuer, but bona-fide disputes lodged with us first are always faster.

What is non-refundable. Usage-based overage charges already invoiced and reflecting traffic actually delivered. One-off custom-integration fees in Enterprise SOWs once work has begun. Patent-license fees once executed.

How to request. One email: billing@mirrorfractal.com. Include account email and the invoice number. A human responds within 2 working days; full refund within 14 calendar days where due.

What's not allowed

You may not use the Service to do, or to facilitate doing, any of the following:

• Illegal content — CSAM, content inciting violence or terrorism, content infringing court orders, content prohibited under the law applicable to you or to us.
• Copyright / IP infringement — content you do not have the right to transmit. We honour DMCA takedown notices and EU Digital Services Act requests at abuse@mirrorfractal.com.
• Fraud & deception — phishing, scams, fake-credential collection, fraudulent advertising.
• Malware & attacks — distributing malware, command-and-control traffic, exfiltration, network attacks against any third party.
• Harassment & doxxing — non-consensual personal data, targeted harassment, stalking, intimate imagery without consent.
• High-risk uses — operating life-support, nuclear control systems, mass-transit signalling, or military weapons targeting on tiers other than Enterprise (and even then, only with a written addendum). Hobby / Startup / Pro tiers are not safety-rated.
• Reverse engineering / abuse of resources — using the Service to benchmark for a competing product, attempting to subvert rate limits, sharing API keys outside your organisation, or using bots to register accounts.
• Spam & unsolicited bulk — using the Service to send unsolicited promotional traffic or transactional emails through Resend on our behalf.
• Sanctions — use by entities or individuals subject to EU, UN, UK or US sanctions, or located in sanctioned jurisdictions.

How we enforce. Most violations get a written warning and 7 days to cure. Egregious violations (CSAM, ongoing attacks, fraud) are terminated immediately and reported to law-enforcement where required. We reserve the right to suspend access to prevent ongoing harm while we investigate.

Report abuse. abuse@mirrorfractal.com · we acknowledge within 24 h.

When we don't deliver, you get credits

• Pro · 99.9% uptime per calendar month. < 99.9% → 10% credit. < 99.5% → 30% credit. < 99.0% → 100% credit.
• Enterprise · 99.99% uptime. Financial credit schedule negotiated in the MSA.
• Measurement: the ingest endpoint returning non-2xx for ≥ 60 consecutive seconds counts as downtime. Maintenance announced ≥ 48h in advance does not.
• Status page: status.mirrorfractal.com (in roll-out) will publish real-time uptime + historical incidents.
• Credits are applied to the next invoice automatically. For missed SLA months, contact support@mirrorfractal.com.

Hobby and Startup tiers don't carry an SLA — they are best-effort. If you need reliability guarantees, you need Pro or Enterprise.

What's set, and what you can turn off

We use the minimum cookies and local-storage entries needed to run the Service. Nothing is set for advertising or cross-site tracking.

Strictly necessary (always on, no consent required under ePrivacy):

• stream_session — HttpOnly, Secure, SameSite=Lax · authenticated session · 30 days · removed on sign-out
• stream-theme · localStorage · remembers dark / light theme preference
• stream-cookie-consent-v1 · localStorage · remembers your cookie choice itself

Preferences (opt-in via banner; off by default):

• stream-intent · localStorage · remembers the persona you picked on the home page (Live / Medical / Broadcast / Dev)
• stream-user · localStorage · client-side cache of your profile to avoid re-fetching /api/me
• stream-db-v1 · localStorage · client-side cache of streams shown in the dashboard

Analytics (opt-in via banner; off by default): currently none configured. If we add a privacy-friendly analytics service in future (e.g. Plausible — cookieless, IP-anonymised), it will appear here and require your consent.

How to change your choice. Toggle in the cookie banner (it re-appears via the "Cookies" link in the footer) or clear your browser storage. We respect Do-Not-Track and Global Privacy Control signals as a reject-optional default.

Who else touches your data

To deliver the Service we use the following sub-processors. Each is contractually bound to GDPR Art. 28 obligations, including data-processing addenda and (where applicable) SCCs for international transfers.

• Vercel Inc. (USA / global) · hosting + serverless functions · data: account, session, telemetry · transfer mechanism: SCCs + EU-US Data Privacy Framework.
• Cloudflare Inc. (USA / global edge) · DNS, edge CDN, WAF · data: IP address, request headers · DPF + SCCs.
• Upstash Inc. (operator of Vercel KV; USA / EU regions) · primary database · data: account, sessions, streams, contacts · SCCs; EU region available on request.
• Resend Inc. (USA) · transactional email (welcome, password reset, contact ack, billing receipts) · data: email address, message body · DPF + SCCs.
• Stripe Payments Europe Ltd. (Ireland) / Paddle.com Market Limited (UK) · merchant of record at checkout · data: billing name, address, VAT ID, tokenised card · UK adequacy + SCCs.
• GitHub Inc. (USA, via Microsoft) — only if you sign in with GitHub OAuth. Data: GitHub user ID, email, name, avatar URL.
• Google LLC (USA) — only if you sign in with Google OAuth. Data: subject ID, email, name, picture URL.

How we notify changes. Active customers receive an email at least 30 days before a new sub-processor is enabled, with the option to object — in which case we discuss your specific scenario.

The FQL protocol is patent pending

What's protected: the layer-first quantisation bitstream (RBIQ), per-layer unequal error protection, the progressive decode handshake. The software that implements it is separate.

Hosted customers (Hobby / Startup / Pro): your usage of stream.mirrorfractal.com is covered by an implicit paid-up license for the duration of your subscription. Nothing extra to sign.

Self-hosting / embedded / derivative works: require a separate patent license. Email licensing@mirrorfractal.com — we'll send terms within 48h. Enterprise tier includes this license by default.

Academic & research use: no-cost non-commercial license for non-profit research institutions. Publish, cite, teach, extend. Reach out and we'll counter-sign a letter.

FOSS implementations: pending, will be published under a RAND-Z patent pledge once the PCT filing is finalised.

Who you're doing business with

Disclosed in accordance with Article 5 of the EU e-Commerce Directive and equivalent national requirements:

• Legal entity: Mirror Fractal Lab S.L.
• Founder & legal representative: Aleksei Solonskii (Alex Solonsky)
• Registered office: Valencia, Spain
• Postal & correspondence address: available on request via legal@mirrorfractal.com (we publish it on Enterprise contracts and invoices, not on the open web, to reduce spam to a small team).
• VAT ID: issued upon EU VAT registration; included on every invoice when applicable.
• Email: general · stream@mirrorfractal.com · legal · legal@mirrorfractal.com · privacy · privacy@mirrorfractal.com · billing · billing@mirrorfractal.com · abuse · abuse@mirrorfractal.com.
• Parent organisation: Mirror Fractal Lab · mirrorfractal.com
• Responsibility for content (§ 55 RStV, equivalent): Aleksei Solonskii, address above.
• EU online dispute resolution platform: ec.europa.eu/consumers/odr — we are not obliged to participate in dispute-resolution proceedings before a consumer arbitration board, and we generally do not.

Trade-mark notice. "Mirror Fractal", "The Stream", "FQL" and the diamond + layer-lines mark are trade marks of Mirror Fractal Lab S.L.

Image & font credits. Logo and illustrations are © Mirror Fractal Lab. Typefaces: Fraunces (Stefanie Kubanek & David Berlow, SIL Open Font License) and JetBrains Mono (JetBrains, SIL OFL).