What happens to your photo when you upload it to MirrAI
This is how MirrAI keeps your photos private between upload and result. The file picks up four protections along the way, each described below.
Your photo carries hidden data: EXIF
Every photo your phone takes ships with a hidden block of metadata called EXIF (Exchangeable Image File Format): GPS coordinates, phone make and model, date and time, lens and exposure settings. Phone cameras write it by default.
Before your photo lands on disk, the file is rewritten inside an Edge Function (a small server next to the storage). Pixels stay. EXIF is dropped.
Figure: the EXIF your phone embeds (GPS latitude, longitude, altitude; phone make and model; date and time; lens, ISO, exposure) plus the image pixels, versus what lands on my disk: the image pixels only.
The cleanup happens during upload, not after. The original file with EXIF intact is never written to disk. The Edge Function reads the upload as it arrives, rewrites it, and saves only the cleaned version to storage.
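To make that rewrite concrete, here is an added example of the byte-level work (my illustration, not MirrAI's Edge Function code). A JPEG is a sequence of marker segments, and the metadata lives in segments of its own: APP1 for EXIF and XMP, APP13 for IPTC/Photoshop data, COM for comments. A stripper can walk the segments, drop those, and copy everything from the start-of-scan marker onward untouched, which is where the pixel data sits. The sample file below is constructed in-line: its marker layout is valid, but it is not a viewable picture. The code uses Node's Buffer; under Deno, which Supabase Edge Functions run on, import Buffer from node:buffer.

```typescript
// Added example: walk a JPEG's marker segments and drop the metadata-carrying ones
// before the bytes are written anywhere. Illustrative code, not MirrAI's Edge Function.
const SOI = 0xd8, EOI = 0xd9, SOS = 0xda;             // image start, image end, start of scan
const APP0 = 0xe0, APP1 = 0xe1, APP13 = 0xed, COM = 0xfe;
const DQT = 0xdb, SOF0 = 0xc0, DHT = 0xc4;
// Segments that carry metadata, never pixels: EXIF/XMP (APP1), IPTC/Photoshop (APP13), comments (COM).
// APP0 (JFIF), APP2 (ICC profile) and APP14 (Adobe colour transform) stay because decoders need them.
const DROP = new Set<number>([APP1, APP13, COM]);

function stripMetadata(jpeg: Buffer): Buffer {
  if (jpeg.length < 4 || jpeg[0] !== 0xff || jpeg[1] !== SOI) throw new Error("not a JPEG");
  const kept: Buffer[] = [jpeg.subarray(0, 2)];
  let pos = 2;
  while (pos + 4 <= jpeg.length) {
    if (jpeg[pos] !== 0xff) throw new Error(`expected a marker at offset ${pos}`);
    const marker = jpeg[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }     // fill byte in front of a marker
    if (marker === SOS) {                             // scan data runs to EOI: pixels, copied verbatim
      kept.push(jpeg.subarray(pos));
      return Buffer.concat(kept);
    }
    const len = jpeg.readUInt16BE(pos + 2);           // length field counts its own two bytes
    if (pos + 2 + len > jpeg.length) throw new Error("truncated segment");
    if (!DROP.has(marker)) kept.push(jpeg.subarray(pos, pos + 2 + len));
    pos += 2 + len;
  }
  throw new Error("no start-of-scan segment: not a baseline JPEG");
}

/** Markers in file order up to and including SOS, to check what survived the rewrite. */
function listMarkers(jpeg: Buffer): number[] {
  const markers: number[] = [];
  for (let pos = 2; pos + 4 <= jpeg.length; pos += 2 + jpeg.readUInt16BE(pos + 2)) {
    markers.push(jpeg[pos + 1]);
    if (jpeg[pos + 1] === SOS) break;
  }
  return markers;
}

function hasMetadataSegments(jpeg: Buffer): boolean {
  return listMarkers(jpeg).some((m) => DROP.has(m));
}

function segment(marker: number, payload: Buffer): Buffer {
  const header = Buffer.alloc(4);
  header[0] = 0xff; header[1] = marker; header.writeUInt16BE(payload.length + 2, 2);
  return Buffer.concat([header, payload]);
}

// Constructed sample: a valid marker layout with a fake EXIF block carrying GPS-looking
// text and a fake phone model, plus a comment segment. Not a decodable picture.
const SCAN_DATA = Buffer.from([0x12, 0x34, 0xff, 0x00, 0x56, 0x78]); // "pixels"; 0xff00 is a stuffed byte
const SAMPLE_JPEG = Buffer.concat([
  Buffer.from([0xff, SOI]),
  segment(APP0, Buffer.from("JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00", "latin1")),
  segment(APP1, Buffer.from("Exif\0\0II*\0GPS 48.8566N 2.3522E PhoneMaker ModelX", "latin1")),
  segment(DQT, Buffer.alloc(65, 1)),
  segment(SOF0, Buffer.from([8, 0, 8, 0, 8, 1, 1, 0x11, 0])),
  segment(DHT, Buffer.alloc(17, 0)),
  segment(COM, Buffer.from("shot on my phone", "latin1")),
  segment(SOS, Buffer.from([1, 1, 0, 0, 63, 0])),
  SCAN_DATA,
  Buffer.from([0xff, EOI]),
]);

const CLEANED = stripMetadata(SAMPLE_JPEG);
```

In an Edge Function the input would be the request body (Buffer.from(await req.arrayBuffer())) and the output would go straight to the storage upload call, so the only copy of the EXIF-bearing bytes lives in memory for the duration of the request. Note the function only handles JPEG; PNG (tEXt/eXIf chunks) and HEIC carry metadata in different containers and need their own stripper.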
Who can see your photos: Row-Level Security (RLS)
Your photos live in object storage. Each file sits under a path whose first folder is your user ID. A Row-Level Security (RLS) policy, enforced by the storage layer itself, compares the requester's authenticated user ID with that first folder and lets through only a match.
Alice asks for alice/photo.jpg → RLS: requester = first folder? yes → file served
Bob asks for alice/photo.jpg → RLS: requester = first folder? no → 403 Forbidden
The check is enforced by the storage system itself. Every read or write request is filtered through it, no matter where the request comes from.
Temporary access: signed URLs
To show you a picture, the app hands you a temporary signed URL: an access pass that carries three things. The storage refuses the file if any of the three is wrong or out of date.
A fresh pass is generated each time an authenticated user of the app needs to display a photo. Once a pass expires it cannot be renewed; the app simply requests a new one with a new deadline.
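The two gates above, the RLS folder check and the signed-URL pass, as one added example (my illustration, not MirrAI's or Supabase's code). The real policy is SQL on Supabase's storage.objects table, commonly written as (storage.foldername(name))[1] = auth.uid()::text, where storage.foldername splits the object name on "/" and drops the file name; the model below mirrors that arithmetic. The real pass comes from supabase.storage.from(bucket).createSignedUrl(path, 900); the page does not list the three fields its passes carry, so the choice here (object path, expiry, HMAC signature over both) is my assumption. The secret, host and user IDs are constructed. One caveat worth keeping in mind: RLS only gates requests made with a user's token; Supabase's service-role key bypasses it, which is why that key stays inside the Edge Function and never reaches the phone.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not MirrAI's or Supabase's code. Gate 1 models the RLS policy, gate 2
// models issuing and checking a signed URL. Secret, host and IDs below are constructed.
const STORAGE_BASE = "https://storage.example.invalid/object/sign"; // constructed
const SIGNING_SECRET = "constructed-secret-not-a-real-key";          // constructed
const SIGNED_URL_TTL_SECONDS = 15 * 60;                              // the fifteen minutes the text mentions

/** Mirrors storage.foldername(): split on "/" and drop the last element (the file name). */
function folderName(objectName: string): string[] {
  return objectName.split("/").slice(0, -1);
}

/** Gate 1: the RLS policy. 200 only when the first folder equals the requester's own ID. */
function rlsCheck(requesterUid: string | null, objectName: string): 200 | 403 {
  if (requesterUid === null) return 403;               // auth.uid() is NULL: anonymous request
  const first = folderName(objectName)[0];             // SQL index [1]
  if (first === undefined || first === "") return 403; // no folder at all, or a leading "/"
  return first === requesterUid ? 200 : 403;
}

/** HMAC over path and expiry together, so neither can be swapped without the other. */
function sign(path: string, exp: number): string {
  return createHmac("sha256", SIGNING_SECRET).update(`${path}\n${exp}`).digest("hex");
}

/** Gate 2a: mint a pass, but only for an object the requester could read under RLS. */
function createSignedUrl(requesterUid: string, path: string, nowSeconds: number): string | null {
  if (rlsCheck(requesterUid, path) !== 200) return null;
  const exp = nowSeconds + SIGNED_URL_TTL_SECONDS;
  const params = new URLSearchParams({ exp: String(exp), sig: sign(path, exp) });
  return `${STORAGE_BASE}/${path}?${params}`;
}

/** Gate 2b: storage checks path, expiry and signature; any one wrong or stale refuses the file. */
function verifySignedUrl(url: string, nowSeconds: number): 200 | 403 {
  const u = new URL(url);
  if (!u.pathname.startsWith("/object/sign/")) return 403;
  const path = u.pathname.slice("/object/sign/".length);
  const exp = Number(u.searchParams.get("exp"));
  const sig = u.searchParams.get("sig") ?? "";
  if (!Number.isInteger(exp) || exp <= nowSeconds) return 403; // missing, malformed or expired
  const expected = Buffer.from(sign(path, exp), "hex");
  const given = Buffer.from(sig, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 403;
  return 200;
}
```

The page's two cases fall out directly: rlsCheck("alice", "alice/photo.jpg") is 200 and rlsCheck("bob", "alice/photo.jpg") is 403. A pass minted for alice verifies until its fifteen minutes run out, and editing the path or the expiry in the URL invalidates the signature, which is what "wrong or out of date" means in practice.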
Third-party products in the try-on chain
MirrAI is not the only product in the chain. Two others sit between your phone and the final result.
Your device
where the photo is born, and where the result is shown back
↓ uploaded over HTTPS (encrypted in transit)
MirrAI server (Edge Function)
run by me. Strips EXIF, checks who you are, generates signed URLs.
↓ sends the photo for try-on inference
Vertex AI (Google Cloud)
run by Google. The actual try-on model. Receives the photo, returns a result, does not retain it.
↓ photo and result stored
Supabase Storage
run by Supabase. Hosts the files, encrypted at rest, locked to your account by the RLS rule above.
Vertex AI receives only the photo it needs for inference, nothing else. Supabase holds the data and the files.
The whole pipeline
From upload to result, your photo passes through three services. The MirrAI Edge Function strips its EXIF metadata. Vertex AI (Google) runs the try-on. Supabase Storage holds both the cleaned upload and the result under an RLS policy locked to your account folder. Whenever the app shows you a picture, it generates a signed URL that lasts fifteen minutes.