Privacy Policy
Version 1 · Effective date: TBD
LEGAL REVIEW REQUIRED. Scaffold text only. Replace with counsel-approved wording before publishing.
1. Who we are (Controller)
The controller of your personal data is TBD — sole trader full name, a sole trader registered in Poland.
- NIP: TBD — NIP (Polish tax ID)
- REGON: TBD — REGON (if any)
- Business address: TBD — registered business address (do NOT use home address)
- Contact for privacy queries: TBD — privacy@wardobe.example
We have not appointed a Data Protection Officer. Our processing is small-scale and does not meet the GDPR Art. 37 threshold; the contact email above is the single point of contact for privacy matters.
2. What personal data we process
- Identity data obtained from Google when you sign in: name, email address, avatar URL, Google account identifier.
- Photos you upload (Outfits) and the derived materials (cropped Garment images, visual embeddings, detection metadata, occurrence records). Photos may incidentally contain faces, places or other personal data — please avoid uploading photos of other identifiable people without their consent.
- Technical data: IP address (used transiently for rate limiting and abuse prevention — not persisted against your consent record), user-agent string, request correlation identifiers, error reports.
- Consent records: which versions of these policies you accepted, the timestamp, your user-agent string, and a per-acceptance random nonce. We retain these for accountability under GDPR Art. 7(1). We do not store your IP address against the consent record.
3. Purposes and legal bases (GDPR Art. 6)
- Providing the Service — creating your Account, storing your uploaded photos, running the AI detection and dedup pipeline, displaying the wardrobe and outfit views. Legal basis: performance of the contract you enter into when you accept the Terms (Art. 6(1)(b)).
- Security, abuse prevention, rate limiting, logging — our legitimate interest in keeping the Service secure and available (Art. 6(1)(f)).
- Consent records — fulfilling our accountability obligation under Art. 5(2) and Art. 7(1). Legal basis: legal obligation (Art. 6(1)(c)) combined with legitimate interest (Art. 6(1)(f)).
- Responding to legal requests — legal obligation (Art. 6(1)(c)).
4. Recipients and sub-processors
We engage the following processors. Each is contractually bound to process your data only on our instructions and to apply appropriate security measures.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication, object storage | EU region where configured; otherwise USA | EU-region hosting or Standard Contractual Clauses |
| Replicate (planned) | AI inference (segmentation, embedding) | USA | Standard Contractual Clauses |
| Upstash | Rate limiting | Region-pinned (EU recommended) | EU-region hosting or Standard Contractual Clauses |
| Sentry | Error reporting | USA / EU | Standard Contractual Clauses; PII scrubbing enabled |
| Hostinger | VPS hosting for the Next.js application | EU (Lithuania) | EEA hosting — Standard Contractual Clauses not required |
| Google LLC | OAuth identity provider | USA | EU-US Data Privacy Framework |
5. International transfers
Where a sub-processor processes data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (2021/914) or the EU-US Data Privacy Framework, as appropriate.
6. Retention
- Account-related data: for as long as your Account exists.
- Photos and derived materials: deleted within 30 days of Account deletion or of an erasure request.
- Consent records: retained for three years after Account deletion to allow us to demonstrate, if challenged, that consent existed at the relevant time. This is the general limitation period under Polish civil law.
- Operational logs: typically up to 30 days.
7. Your rights (GDPR Art. 15–22)
- Right of access — Art. 15
- Right to rectification — Art. 16
- Right to erasure (right to be forgotten) — Art. 17
- Right to restriction of processing — Art. 18
- Right to data portability — Art. 20
- Right to object — Art. 21
- Right not to be subject to automated decision-making — Art. 22
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal — Art. 7(3)
You can exercise most of these rights directly in the application (account deletion = erasure). For other requests, contact TBD — privacy@wardobe.example.
8. Right to lodge a complaint
You have the right to lodge a complaint with the Polish supervisory authority:
- Prezes Urzędu Ochrony Danych Osobowych (UODO)
- ul. Stawki 2, 00-193 Warszawa, Poland
- https://uodo.gov.pl
9. Automated decision-making
The Service uses AI to detect, classify and embed garments in your photos. The output is assistive and does not produce decisions with legal or similarly significant effects on you within the meaning of GDPR Art. 22.
10. Children
The Service is not directed at users under 16. If you become aware that a child has created an Account, please contact us at TBD — privacy@wardobe.example and we will close the Account and delete the associated data.
11. Security
We apply industry-standard measures appropriate to the small scale of the processing: encrypted transport (TLS), row-level security enforced at the database, per-user isolation of stored objects, short-lived signed URLs for image access, secrets stored only as environment variables on the hosting platform, and access logging.
12. Changes to this Privacy Policy
We may update this Privacy Policy. Material changes will trigger a re-prompt when you next sign in: you will see the updated text and must accept the new version to continue using the Service. Prior consent records are preserved for accountability.
13. Cookies
For information about the cookies the Service uses, see the Cookie Policy.