Mirror Health — Privacy Policy
Effective date: April 8, 2026
This privacy policy describes how the Mirror Health — Garmin Sync Chrome extension ("the Extension") collects, uses, and protects your data.
What the Extension Does
The Extension syncs your Garmin Connect browser session to the Mirror Health server so that Claude (by Anthropic) can access your Garmin health data on your behalf via the Mirror Health MCP integration.
Data Collected
- Garmin Connect session cookies — captured from HTTP requests to connect.garmin.com when you browse Garmin Connect. These are authentication tokens that allow the Mirror Health server to make API calls to Garmin on your behalf.
- Your Garmin email address — entered by you in the extension popup, used to associate your session with your Mirror Health account.
Data NOT Collected
- We do not collect your Garmin password.
- We do not collect browsing history, keystrokes, or any data from non-Garmin websites.
- We do not sell, share, or transfer your data to third parties for advertising or any purpose unrelated to the Mirror Health service.
- We do not use your data for training AI models.
How Data Is Used
Your Garmin session cookies are transmitted securely (HTTPS) to the Mirror Health server (mcp.mirrorhealth.co) and stored in an encrypted database (Supabase). They are used solely to:
- Authenticate API requests to Garmin Connect on your behalf
- Retrieve your health and fitness data when you request it through Claude
Data Storage and Security
- Session cookies are stored in Supabase with row-level security policies.
- Cookies are refreshed automatically when you visit Garmin Connect and expire when your Garmin session expires (typically 24 hours).
- All data transmission uses TLS/HTTPS encryption.
Data Retention
Session cookies are overwritten each time the extension syncs (typically every few hours). Old cookies are not retained. You can delete all stored data at any time by:
- Clicking "Change Account" in the extension popup
- Clicking "Invalidate session" on the Mirror Health authorize page
- Uninstalling the extension
Permissions Explained
- cookies — to read Garmin Connect cookies for session detection
- webRequest — to capture full cookie headers from network requests (including HttpOnly cookies not accessible via the cookies API alone)
- storage — to store your email and sync status locally
- alarms — to schedule periodic sync and stale-session checks
- notifications — to alert you when your Garmin session needs refreshing
- Host access to *.garmin.com — to read cookies from Garmin domains
- Host access to mcp.mirrorhealth.co — to push cookies to the Mirror Health server
Your Rights
You can revoke the extension's access at any time by uninstalling it from chrome://extensions. This immediately stops all cookie capture and sync. To request deletion of your stored data, contact us at the email below.
Contact
For questions about this privacy policy or your data, contact: privacy@mirrorhealth.co
Changes
We may update this policy from time to time. Changes will be posted on this page with an updated effective date.