Mirror Health — Privacy Policy

Effective date: May 5, 2026

This privacy policy describes how the Mirror Health — Garmin Sync Chrome extension ("the Extension") and the Mirror Health server ("the Service") collect, use, and protect your data.

What the Extension Does

The Extension forwards your existing Garmin Connect browser session to the Mirror Health server so that Claude (by Anthropic) can read your Garmin health and fitness data on your behalf.

Data Collected

• Garmin Connect session cookies — captured from the Cookie header of HTTP requests your browser already sends to connect.garmin.com. These are authentication tokens that allow the Mirror Health server to make API calls to Garmin on your behalf.
• Garmin profile metadata — your Garmin email and display name, auto-detected by the Extension's content script from Garmin's own profile API while you are signed in to Garmin Connect. Used to associate your session with your Mirror Health account.

Data NOT Collected

• We do not collect your Garmin password.
• We do not collect browsing history, keystrokes, page content, or any data from non-Garmin websites.
• We do not sell, share, transfer, or rent your data to third parties for advertising or any unrelated purpose.
• We do not use your data to train AI models.
• We do not use the chrome.cookies API. Cookies are only read from outgoing HTTP request headers via chrome.webRequest.onSendHeaders.

How Data Is Used

Captured cookies are transmitted over HTTPS to a single endpoint, https://mcp.mirrorhealth.co/api/extension/push-cookies, and stored in the user's row of an encrypted Supabase database protected by row-level security. They are used solely to:

• Authenticate API requests to Garmin Connect on your behalf.
• Retrieve your health and fitness data when you ask Claude a question that requires it.

Data Storage and Security

• All data transmission uses TLS/HTTPS.
• Cookies are stored in Supabase with row-level security so only the owning user (and the Mirror Health backend service) can access them.
• Cookies are short-lived: Garmin sessions typically expire within ~24 hours, after which fresh cookies must be captured by re-syncing.
• Locally, the Extension stores its working state in chrome.storage.local. No data leaves your browser except via the HTTPS push to the Mirror Health server above.

Data Retention

Each sync overwrites the previously stored cookies — old sessions are not retained. You can erase all stored data at any time by:

• Clicking Change Account in the Extension popup (clears local storage immediately).
• Clicking Invalidate session on the Mirror Health authorize page (clears the server-side row).
• Uninstalling the Extension from chrome://extensions.
• Emailing privacy@mirrorhealth.co to request full account and data deletion.

Permissions Explained

• webRequest — to read the Cookie header from outgoing requests to connect.garmin.com. Read-only; no requests are blocked, modified, or redirected.
• storage — to store your sync state (last sync time, cookie count, captured cookie string) locally in the browser.
• alarms — to schedule a periodic auto-sync (every 4 hours) and a stale-session check (every 1 hour).
• notifications — to alert you when your Garmin session is approaching expiry, or when sync is rejected because the session has already expired.
• Host access to https://*.garmin.com/* — to observe outgoing requests for the cookie header and to run the profile-detection content script. No other garmin.com behavior is altered.
• Host access to https://mcp.mirrorhealth.co/* — to push captured cookies to the Mirror Health server.

Third Parties

The Extension communicates only with two domains: connect.garmin.com (read-only observation of cookie headers) and mcp.mirrorhealth.co (HTTPS POST of captured cookies). The Mirror Health backend uses Supabase for storage, Anthropic for Claude API calls, and Railway for hosting. No analytics, advertising, or tracking SDKs are used in the Extension or the Service.

Your Rights

You can revoke the Extension's access at any time by uninstalling it from chrome://extensions. This immediately stops all cookie capture and sync. To request deletion of your stored data, contact us below.

Contact

For questions about this privacy policy or your data, contact: privacy@mirrorhealth.co

Changes

We may update this policy from time to time. Material changes will be posted on this page with an updated effective date. The current effective date appears at the top.