Clothster — Privacy Policy
Draft v1 — 2026-05-07. Locked pending founder review and a real attorney sign-off before public sign-ups.
Effective date: 08 May 2026
Version: 1.0
1. Who we are
Clothster is operated by Vynt Technology OÜ, registered in Estonia (Commercial Registry code 16945271), Aiandi 16/2, Tallinn, Estonia. We are the data controller for the personal data described in this policy.
- Privacy contact: clothster@vynt.eu
- Data Protection Officer (DPO): We have not appointed a Data Protection Officer. Our processing scale and the nature of our activities do not currently require a DPO under GDPR Art. 37. We will reassess this if our processing scope or scale changes materially.
- EU representative (GDPR Art. 27): Not required. Vynt Technology OÜ is established in the EU (Estonia).
2. What data we collect and why
We collect personal data only when necessary to provide and improve Clothster. Below is a complete list of data categories, what we use them for, and our legal basis under GDPR.
Account data
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address | Account creation, login, password reset, service communications | Art. 6(1)(b) — necessary to perform our contract with you |
| Display name | Shown on your profile and alongside your public generations | Art. 6(1)(b) — contract |
| Avatar URL (from OAuth provider, if used) | Shown on your profile | Art. 6(1)(b) — contract |
| Password (hashed) | Authentication (stored and managed by Supabase Auth; Clothster never sees the plaintext) | Art. 6(1)(b) — contract |
| Account tier (free/subscriber) | Determining which features are available to you | Art. 6(1)(b) — contract |
Photos you upload
| Data | Purpose | Legal basis |
|---|---|---|
| Self-photo (your face and body) | Used as the visual reference for AI outfit generation. This is the highest-sensitivity data we process — it contains your physical likeness. | Art. 6(1)(b) — contract (necessary to deliver the core service). For public-feed publication: Art. 6(1)(a) — your consent at signup. |
| Wardrobe item photos (photos of your clothing) | Used to compose outfit combinations and generate renders | Art. 6(1)(b) — contract |
| Label photos (optional — photos of clothing labels) | Used for item identification; not processed at launch | Art. 6(1)(b) — contract |
Self-photos are stored in a private storage bucket. They are never displayed publicly. They are sent to our AI sub-processor (OpenAI) for generation only — see Section 5 on cross-border transfers.
Data derived from your photos
| Data | Purpose | Legal basis |
|---|---|---|
| Wardrobe item attributes (category, color, material, fit) | Extracted by AI (gpt-4.1-mini vision) to classify and organize your wardrobe | Art. 6(1)(b) — contract |
| Full-body validation result | Confirms your self-photo shows your full body (required for generation quality) | Art. 6(1)(b) — contract |
Important — sensitive data filtering (GDPR Art. 9): Our AI classification system is instructed to describe only observable physical characteristics of clothing (color, material, cut, fit). It is explicitly instructed NOT to infer or record religious affiliation, political opinion, health status, disability, sexual orientation, or ethnic origin from garment type. This filtering is a data-minimization measure under Art. 5(1)(c) to prevent inadvertent processing of special-category data. [Addresses SHIELD-1]
Generated images and prompts
| Data | Purpose | Legal basis |
|---|---|---|
| Prompt text (your description of the outfit you want) | Sent to the AI to guide generation; displayed alongside your generated image | Art. 6(1)(b) — contract for generation; Art. 6(1)(a) — consent for public display |
| Generated outfit image | The AI-rendered output showing you in the outfit | Art. 6(1)(b) — contract for generation; Art. 6(1)(a) — consent for public-feed publication (free tier) |
Note on public display: For free-tier users, both your prompt text and the anonymized generated image are displayed on Clothster's public feed. Your prompt text may reveal personal context (occasion, relationship, location). You consented to this at signup. Avoid including personal details in your prompts — see the guidance shown on the generation screen. [Addresses SHIELD-2]
Usage and technical data
| Data | Purpose | Legal basis |
|---|---|---|
| Generation pool balance and usage count | Managing your free-tier allowance | Art. 6(1)(b) — contract |
| IP address | Security, abuse prevention, server logs | Art. 6(1)(f) — legitimate interest (platform security) |
| Authentication session cookie | Keeping you signed in | Art. 6(1)(b) — strictly necessary |
| Analytics events (Microsoft Clarity) | Understanding how people use Clothster to improve the service | Art. 6(1)(a) — your consent (analytics cookies are only activated after you consent) |
Moderation data
| Data | Purpose | Legal basis |
|---|---|---|
| Moderation status and logs | Recording content moderation decisions (automated and manual) for audit and appeals | Art. 6(1)(f) — legitimate interest (platform integrity, legal compliance) |
| Admin notification data (display name, prompt excerpt sent to our admin moderation channel) | Enabling admin review of flagged content | Art. 6(1)(f) — legitimate interest (content safety) |
3. How we use your data
We use your data to:
- Provide the service: Store your wardrobe, generate outfit images, display results.
- Operate the public feed: Display anonymized free-tier generations to all visitors.
- Moderate content: Check uploaded photos and generated images for policy violations using automated AI checks and human review.
- Maintain your account: Authentication, session management, tier management.
- Communicate with you: Service emails (password reset, account notifications, material Terms/Privacy Policy changes). We do not send marketing emails at launch.
- Improve the service: Analytics (with your consent) to understand usage patterns.
- Prevent abuse: Rate limiting, multi-account detection, security monitoring.
4. Who we share your data with (sub-processors)
We share your data with the following service providers who process it on our behalf:
| Sub-processor | Data shared | Purpose | Location | Transfer safeguard |
|---|---|---|---|---|
| Supabase Inc. | All account data, photos, generated images, database records | Infrastructure: authentication, database, file storage | EU (Frankfurt, eu-central-1) | No cross-border transfer (EU-to-EU) |
| OpenAI Inc. | Self-photo image buffers, wardrobe item image buffers, prompt text | AI outfit generation, wardrobe classification, content moderation | United States | EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs) per OpenAI's Data Processing Addendum. |
| Telegram FZ-LLC | Display name (truncated), prompt excerpt (up to 200 characters), generation photo URL | Admin content moderation notifications | UAE / various | Data minimization applied. Telegram does not offer a processor DPA. We limit the data sent to the minimum needed for moderation decisions. Long-term, we plan to move moderation to an in-house dashboard. |
| Hetzner Online GmbH (hosting) | HTTP request metadata, IP addresses, server-side logs | Web application hosting and delivery | Helsinki, Finland (EU) | No cross-border transfer (EU-to-EU). DPA per Hetzner's Order Processing Agreement. |
| Microsoft Corporation (Clarity) | Analytics events, session recordings, pseudonymous user identifier, device data | Product analytics (consent-gated) | United States (Microsoft Azure global infrastructure) | Microsoft DPA + Standard Contractual Clauses; Microsoft is a DPF participant |
We do not sell your personal data. We do not share it with advertisers. We do not use it for cross-context behavioral advertising. See Section 10 (California/CCPA) for the formal disclosure.
Cross-border data transfers (GDPR Art. 44-49)
Your self-photos and wardrobe photos are transferred from the EU to the United States when processed by OpenAI for outfit generation and classification. This is the most sensitive cross-border transfer in our system. The transfer is protected by:
- OpenAI's participation in the EU-US Data Privacy Framework.
- Standard Contractual Clauses included in OpenAI's Data Processing Addendum.
- OpenAI retains request data for up to 30 days for abuse monitoring, then deletes it. [Addresses SHIELD-5]
5. How long we keep your data
| Data | Retention period | Reason |
|---|---|---|
| Account data | As long as your account is active | Service delivery |
| Self-photos, wardrobe items, label photos | As long as your account is active. After you delete an item: 30 days, then permanently purged. | Recovery from accidental deletion |
| Generations (user-deleted by subscribers) | 30 days after deletion, then permanently purged | Recovery from accidental deletion |
| Generations (removed by admin) | 90 days after removal, then permanently purged | Appeals window — you have 90 days to appeal a moderation decision |
| Generations (active, free tier) | Indefinitely while your account is active | Public-feed publication is part of the free-tier value exchange. You consented to this at signup. You may request removal via our DSR process (see Section 6). |
| Prompt text | Same retention as the associated generation | Displayed alongside the generation |
| Moderation logs | 1 year | Audit trail for moderation decisions and potential legal holds |
| Analytics data (Microsoft Clarity) | Up to 13 months per Clarity default retention; configurable in the Clarity dashboard | Product improvement |
| Server logs (IP addresses, request metadata) | Per hosting provider default (typically 30 days) | Security and debugging |
After your account is deleted: All your personal data enters the applicable retention window described above, then is permanently purged. During the retention window, your data is not displayed or accessible to other users — it is held only for recovery or legal compliance.
6. Your rights
Rights under GDPR (EU users) — Articles 15-22
You have the following rights regarding your personal data:
Right of access (Art. 15): You can request a copy of all personal data we hold about you. We will provide it in a structured, machine-readable format (JSON).
Right to rectification (Art. 16): You can correct inaccurate data. Currently, you can update your display name through your profile. For other corrections, contact us.
Right to erasure / "right to be forgotten" (Art. 17): You can request that we delete your personal data.
- Subscribers: Can delete individual generations through the app.
- Free-tier users: Cannot delete generations through the app (this is a free-tier limitation). You can request deletion of specific generations or your entire account by emailing clothster@vynt.eu (subject: "Erasure request"). We will process your request within 30 calendar days. [Addresses SHIELD-3]
- Account deletion: Contact clothster@vynt.eu (subject: "Account deletion"). We will delete your account and all associated data within 30 calendar days, subject to the retention windows above.
Right to restriction (Art. 18): You can request that we pause processing of your data while a dispute is resolved. Contact us at clothster@vynt.eu (subject: "Restriction request").
Right to data portability (Art. 20): You can request an export of your data in a machine-readable format (JSON). Contact clothster@vynt.eu (subject: "Data portability request").
Right to object (Art. 21): You can object to processing based on our legitimate interest (Art. 6(1)(f)). For processing based on consent (public-feed publication, analytics), you can withdraw consent — see below.
Withdrawing consent (Art. 7(3)): Where we process your data based on consent (public-feed publication for free-tier users, analytics), you have the right to withdraw that consent at any time.
- To withdraw consent for analytics: Reject analytics cookies in your browser or via the cookie banner.
- To withdraw consent for public-feed publication: Request removal of your generations via clothster@vynt.eu (subject: "Withdraw feed consent"). Note: Clothster's free tier is structured around public feed contribution. Withdrawing consent for public display effectively means your existing public generations will be removed, but future free-tier generations will still be published publicly per the Terms. To generate privately, upgrade to a subscriber account.
Automated decision-making (Art. 22): Clothster uses automated systems to flag content for moderation review (the flagged_auto status). This automated flagging may temporarily restrict your content's visibility. However, all final moderation decisions (approval or removal) are made by a human admin. You have the right to contest moderation decisions — see our Terms of Service Section 10 on appeals.
How to exercise your rights
Email: clothster@vynt.eu (subject: "Data subject request")
Include:
- The email address associated with your Clothster account.
- The specific right you are exercising.
- If requesting deletion of specific generations: the generation URLs or UUIDs.
We will acknowledge your request within 14 calendar days and complete it within 30 calendar days (extendable to 90 days for complex requests, with notification).
We may need to verify your identity before processing your request. We will ask you to confirm from the email address on your account.
Rights under CCPA (California users) — see Section 10
7. Children
Clothster is not intended for anyone under 16 years old. We do not knowingly collect personal data from children under 16. If you are under 16, do not create an account or upload photos.
Our Terms of Service prohibit uploading photos depicting any person under 16.
If we learn that we have collected personal data from a child under 16, we will delete the account and associated data promptly. If you believe a child under 16 is using Clothster, please contact us at clothster@vynt.eu.
8. Cookies
We use a minimal set of cookies and local storage. Full details are in our Cookie Policy.
Summary:
- Supabase session cookie (sb-*-auth-token): Strictly necessary for authentication. No consent required.
- Microsoft Clarity analytics cookies and localStorage (_clck, _clsk): Non-essential. Only activated after you consent. [Addresses SHIELD-4]
- No advertising or marketing cookies are used.
9. Security
We implement technical and organizational measures to protect your data, including:
- Encrypted storage and transmission (HTTPS everywhere, encrypted-at-rest via Supabase).
- Row-level security (RLS) on all database tables — your wardrobe and photos are only accessible to you.
- Private storage buckets for self-photos and wardrobe items (access via short-lived signed URLs only).
- Server-side session verification on every authenticated request.
- Separation of internal identifiers (never exposed to the public) from external identifiers.
- Content moderation on uploaded and generated images.
No system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours per GDPR Art. 33, and notify you without undue delay if the breach is likely to result in a high risk to your rights per Art. 34.
10. California residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
Right to know: You can request the categories and specific pieces of personal data we have collected about you. See Section 6 above — the process is the same.
Right to delete: Same as GDPR right to erasure. See Section 6.
Right to opt-out of sale/sharing: Clothster does not sell your personal data. We do not share your personal data for cross-context behavioral advertising. The public feed displays anonymized generated images and prompt text based on your consent at signup — this is not a "sale" or "sharing" under CCPA.
"Do Not Sell or Share My Personal Information": Because we do not sell or share personal information as defined by CCPA, no opt-out mechanism is necessary. If this changes in the future, we will provide one.
Financial incentive disclosure (CCPA 1798.125(b)): Clothster's free tier provides the service at no monetary cost in exchange for your generated content being published on the public feed. This is a financial incentive program — you receive free AI outfit generation in exchange for contributing anonymized content to the public feed. You opt into this at signup. You may opt out by subscribing to a paid plan (which allows private generations) or by requesting deletion of your account and data. The value of the data to Clothster is the contribution to the public-feed content library, which we use to attract new users. We do not assign a per-record monetary value to this data. [Addresses SHIELD-8]
Non-discrimination: We will not discriminate against you for exercising your CCPA rights.
11. Supervisory authority
If you are in the EU/EEA and believe we are processing your personal data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority.
Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
- Address: Tatari 39, 10134 Tallinn, Estonia
- Web: https://www.aki.ee/en
- Phone: +372 627 4135
- Email: info@aki.ee
You may also lodge a complaint with the supervisory authority of your country of residence, place of work, or where the alleged infringement occurred (GDPR Art. 77).
12. Data Protection Impact Assessment (DPIA)
Due to the nature of the data we process (face photos, AI-based image generation, automated content classification), we have identified that a Data Protection Impact Assessment is required under GDPR Art. 35. [FOUNDER TODO — DPIA must be completed before significant user growth. Shield has defined the scope in SHIELD-6. This is a regulatory obligation, not optional.] [Addresses SHIELD-6]
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will post the revised policy with a new effective date.
- We will notify you by email at least 30 days before the changes take effect.
- If a change materially affects how we process your self-photos or public-feed data, we may ask for renewed consent.
14. Contact
For all questions — privacy, data subject requests, or general support:
- Email: clothster@vynt.eu
Use a descriptive subject line (e.g. "Data subject request", "Privacy question", "Account support") so we can route your message promptly.
Clothster Privacy Policy v1.0 — Draft — 2026-05-07 Last updated: 2026-05-08