DRAFT FOR LEGAL REVIEW — not yet in force. Sent to lawyer for redline.

Brief for Legal Review — Virtue Mirage

Prepared by: Lukas Cervenan, Virtue Mirage Pty Ltd
For: [Lawyer name + firm]
Estimated review time: 1-hour briefing + 1-hour follow-up


What we'd like reviewed

We have prepared draft versions of the legal documents the business needs. Rather than asking you to write from scratch, we'd like you to:

  1. Review the drafts in this folder for fitness, enforceability, and gaps
  2. Flag the specific clauses that need real legal language rather than our draft
  3. Confirm we're compliant with Australian Privacy Principles and GDPR for the use cases described
  4. Sign off on the Founding Brand Agreement for immediate use with our first 3-5 pilot brands

The business in two paragraphs

Virtue Mirage is a Shopify-native AI layer for fashion e-commerce. When installed on a brand's Shopify store, it lets the shopper upload two photographs (portrait + full body) and creates a personalised "Digital Twin" — an AI-generated body model that looks like the shopper. Every product on the brand's store is then re-rendered in the background to show the shopper themselves wearing each product. The shopper can toggle this view on and off via a "Mirror Mode" switch on the storefront.

There is also a cross-brand network: the shopper's Digital Twin (their identity hash, not their photos) can carry across multiple brands on the platform — with their separate, explicit opt-in. The brand pays a monthly subscription that includes a token allowance; avatar creation and all AI generations draw from that allowance (4 tokens per avatar; no separate per-avatar dollar fee). The shopper pays nothing.


Regulatory surface

| Jurisdiction | Applicable framework | Triggered when |
| --- | --- | --- |
| Australia | Privacy Act 1988 (Cth) + APPs | Always — we're an Australian-incorporated entity |
| EU / UK | GDPR + UK-GDPR | Any time a shopper from EU/UK uploads photos through any brand using our platform |
| Australia | Australian Consumer Law | Always — we have B2B and B2C touchpoints |
| Shopify App Store | Shopify Partner Program Agreement | Once we list publicly |
| USA (California) | CCPA / CPRA | Any time a Californian shopper uses our platform |

Of these, GDPR and Australian Privacy Principles are the highest-stakes surface because we process biometric / sensitive data.


What we're already doing technically

| What we say | What we actually do |
| --- | --- |
| "Original photos deleted immediately" | Photos held in memory only during the avatar generation call (~30-60 seconds). Never written to any disk, never stored, never logged. After generation, the buffer is garbage-collected. |
| "12-month biometric lock" | Once a customer's Digital Twin is created, our database refuses to overwrite it for 12 months. The brand can change this to 3 or 6 months in settings. |
| "Right to be forgotten" | A delete request wipes: the customer record (Firestore), the Digital Twin image on Google Cloud Storage, all per-brand try-on renders, all pre-rendered images across every brand, and the master identity record. Cascading delete with audit log. |
| "Three-tier consent" | Onboarding asks for separate consent on: (1) service use [required], (2) brand marketing [optional], (3) Virtue Mirage marketing [optional], (4) cross-brand network participation [optional]. Tracked separately, exportable per brand. |
| "We do not train AI on customer data" | We use Google Vertex AI under enterprise terms that explicitly preclude training use of API inputs. We confirm this in our Privacy Policy. |
| "SHA-256 identity hashing" | The customer's email is one-way hashed before storage. The 24-char prefix is the document ID. We cannot reconstruct the original email from the hash. |
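The table above describes four mechanisms in prose: the SHA-256 identity hash whose 24-character prefix becomes the document ID, the per-brand consent flags, the 12-month overwrite lock on the Digital Twin, and the cascading delete with an audit log. The following is an added worked example, written for this brief and not the product's own code, that models those mechanisms end to end so a reviewer can see what each guarantee actually covers. In-memory dictionaries stand in for the Firestore records, the Cloud Storage twin image, the per-brand renders and the master identity record; the function names, the data shapes and the approximation of a month as 30 days are all assumptions for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed in-memory stand-ins for the stores the brief names: the Firestore
# customer record, the Digital Twin image in Cloud Storage, per-brand try-on
# renders, the master identity record and the audit log. Their shape is an
# assumption for illustration, not the project's own schema.
CUSTOMERS: dict = {}   # doc_id -> {"consents": {brand: {...}}, "twin_created": datetime | None}
TWINS: dict = {}       # doc_id -> stand-in for the generated twin image
RENDERS: dict = {}     # doc_id -> {brand: [product ids rendered for that shopper]}
IDENTITIES: dict = {}  # doc_id -> master identity record
AUDIT_LOG: list = []   # append-only list of (event, doc_id, detail)

REQUIRED_CONSENT = "service_use"
OPTIONAL_CONSENTS = ("brand_marketing", "vm_marketing", "cross_brand")


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper so callers never pass naive datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def identity_doc_id(email: str) -> str:
    """One-way SHA-256 of the normalised email; the 24-char hex prefix is the document ID.

    Normalising case and whitespace first keeps the ID stable across brands, which is
    what lets the same shopper's twin be matched on the cross-brand network."""
    digest = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()
    return digest[:24]


def _customer(doc_id: str) -> dict:
    return CUSTOMERS.setdefault(doc_id, {"consents": {}, "twin_created": None})


def record_consent(doc_id: str, brand: str, service_use: bool, **optional: bool) -> dict:
    """Store the consents as four separate booleans, keyed per brand, so a per-brand export is a lookup."""
    if not service_use:
        raise ValueError("service-use consent is required to onboard")
    unknown = set(optional) - set(OPTIONAL_CONSENTS)
    if unknown:
        raise ValueError(f"unknown consent keys: {sorted(unknown)}")
    consents = {REQUIRED_CONSENT: True}
    consents.update({k: bool(optional.get(k, False)) for k in OPTIONAL_CONSENTS})
    _customer(doc_id)["consents"][brand] = consents
    AUDIT_LOG.append(("consent_recorded", doc_id, {"brand": brand, **consents}))
    return consents


def create_twin(doc_id: str, photo_bytes: bytes, now: datetime, lock_months: int = 12) -> bool:
    """Persist a (stand-in) twin; refuse to overwrite an existing one inside the lock window.

    lock_months follows the brief's 12-month default, with 3 or 6 as the brand's alternatives.
    A month is approximated as 30 days here (assumption). Returns True when a twin was
    written, False when the locked existing twin was kept."""
    if lock_months not in (3, 6, 12):
        raise ValueError("lock window must be 3, 6 or 12 months")
    rec = _customer(doc_id)
    if rec["twin_created"] is not None:
        lock_until = rec["twin_created"] + timedelta(days=30 * lock_months)
        if now < lock_until:
            AUDIT_LOG.append(("twin_overwrite_refused", doc_id, {"locked_until": lock_until.isoformat()}))
            return False
    # The upload is consumed inside this call only; it is never written to any store,
    # and only the derived twin is kept.
    TWINS[doc_id] = "twin:" + hashlib.sha256(photo_bytes).hexdigest()[:16]  # stand-in for the image
    IDENTITIES.setdefault(doc_id, {"first_seen": now.isoformat()})
    rec["twin_created"] = now
    AUDIT_LOG.append(("twin_created", doc_id, {"at": now.isoformat()}))
    return True


def add_render(doc_id: str, brand: str, product_id: str) -> None:
    """Record a pre-rendered try-on image for one product on one brand's store."""
    RENDERS.setdefault(doc_id, {}).setdefault(brand, []).append(product_id)


def delete_customer(doc_id: str) -> dict:
    """Right-to-be-forgotten: cascade across every store keyed by the identity hash and log the outcome."""
    renders = RENDERS.pop(doc_id, {})
    removed = {
        "customer_record": CUSTOMERS.pop(doc_id, None) is not None,
        "twin_image": TWINS.pop(doc_id, None) is not None,
        "renders": sum(len(products) for products in renders.values()),
        "brands_touched": sorted(renders),
        "identity_record": IDENTITIES.pop(doc_id, None) is not None,
    }
    AUDIT_LOG.append(("delete_cascade", doc_id, removed))
    return removed


if __name__ == "__main__":
    doc = identity_doc_id(" Shopper@Example.com ")  # constructed sample email
    record_consent(doc, "brand-a", service_use=True, cross_brand=True)
    print("created:", create_twin(doc, b"constructed-portrait-bytes", utc(2025, 1, 1)))
    print("overwrite inside 12-month lock:", create_twin(doc, b"new-photo", utc(2025, 6, 1)))
    add_render(doc, "brand-a", "sku-100")
    add_render(doc, "brand-b", "sku-200")
    print("delete:", delete_customer(doc))
    for event in AUDIT_LOG:
        print(event)
```

Two points worth noting for the review. The lock is enforced at the write path rather than by policy, so a second upload inside the window is recorded in the audit log as refused rather than silently ignored, which is the evidence a regulator would ask for. The identity hash is deterministic by design: the same email always yields the same ID, which is what the cross-brand matching relies on, and it also means the "cannot reconstruct the email" guarantee holds against someone who holds only the hash, not against someone who already holds a candidate email and recomputes the ID; if the latter case matters for a given disclosure, the usual engineering answer is a keyed hash (HMAC) with the key held outside the database, which this example does not implement.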

Specific questions for your review

Privacy & data

  1. Is our consent architecture sufficient under GDPR? The customer ticks four separate checkboxes during onboarding. Does our wording (in the onboarding flow, see screenshots in attached folder) constitute "explicit, informed, separately recorded" consent under GDPR Article 7 + 9?

  2. Are the AI-generated images personal data under GDPR? They are derived from a person's photograph, but the photograph itself is destroyed. Does the avatar inherit the personal-data classification? If yes, what additional retention / deletion rules apply?

  3. Biometric classification under Australian Privacy Act. The Australian regime treats biometric data as "sensitive information" (s.6 of the Act). We process it; we don't retain it. Does our flow satisfy the additional consent requirements for sensitive information under APP 3.4?

  4. Cross-border data transfers. Our infrastructure runs on Google Cloud (us-central1 region). Photographs are uploaded directly to Google's services. Does this constitute a cross-border transfer under APP 8 / GDPR Chapter V? If yes, what additional disclosures / safeguards do we need?

  5. AU privacy registration. Are we required to register with the OAIC as an APP entity? Our revenue is currently below the A$3M threshold, but we expect to cross it.

Contracts

  1. Founding Brand Agreement (file 05) — is it enforceable as drafted? Specific concerns:
     - The category-exclusivity clause (Section 3.1) — is "premium menswear" too vague?
     - The liability cap (Section 11.1) — appropriate for a pilot relationship?
     - The termination terms (Section 10) — are the data-handling commitments enforceable post-termination?

  2. Brand Service Agreement (file 03) — yet to be drafted. We'd like a long-form B2B contract for paid customers transitioning from pilot. What's the right structure, and which clauses do we copy from 05?

  3. DPA (file 04) — for any brand that processes EU customer data through us, we need a separate Data Processing Agreement. What's the right starting template (we'd prefer SCCs over our own DPA where possible)?

Marketing claims

  1. "Identity-locked" — we use this term in the deck and onboarding flow. Is this language safe, or does it carry an implication we can't deliver?

  2. "No re-shoots" / "95% cost reduction" — we use these in marketing material. These need to be defensible if challenged under Australian Consumer Law (misleading claims).

  3. Trademark "Virtue Mirage" — has this been searched for conflicts? Should we register?

Insurance

  1. Professional indemnity / public liability — what level of cover is appropriate given the biometric data processing exposure?

What we hope to walk away with after this review

  1. A green light to sign Founding Brand pilots with the agreement in 05 (or a tightened version with your edits).
  2. A redlined version of the customer-facing Terms of Service and Privacy Policy that we can publish to virtuemirage.com.au with confidence.
  3. A DPA template ready to send to any EU-exposed brand.
  4. A list of any compliance gaps with concrete remediation steps (e.g. "register with OAIC by [date]", "add specific clause to onboarding consent").
  5. An estimate of any further legal work needed before we list on the Shopify App Store publicly.

Attachments in this folder

In addition: the parent folder contains the marketing site (brain/public/website/), the live admin and tenant dashboards, and the SOURCE_OF_TRUTH.md operational reference. Happy to demo the live product on a 30-minute call before the review begins.