Privacy Policy

Last updated: May 11, 2026 · Effective: May 11, 2026

This Privacy Policy explains how Kledd ("Kledd", "we", "us") collects, uses, shares, and protects personal data when you use our app, the Lumoo ID identity layer, AI try-on, and related services (the "Service").

We are the controller of the personal data described here, except where we act as a processor on behalf of a Connected Store (see Section 6). For the purposes of the EU/UK GDPR and the Norwegian Personal Data Act, our contact details are at the bottom of this page.

1. Summary (the short version)

  • We only collect what we need to run Kledd for you: your account, wardrobe, body photos (if you choose to add them), and how you use the app.
  • We do not sell your personal data.
  • We do not use your photos or wardrobe to train general-purpose AI models.
  • Body photos and try-on outputs are stored in private storage and served only via short-lived signed URLs.
  • Your Lumoo ID is only shared with stores you have explicitly connected. You can revoke any connection in Settings at any time.
  • You can export or delete your data from Settings, or by emailing us.

2. Data we collect

a) Account & identity data. Your email, sign-in time, and a Lumoo ID identifier. If you sign in with Google or Apple, we receive your name, email, and avatar from those providers.

b) Profile data. Display name, avatar, locale, optional measurements (height, bust/chest, waist, hips, shoe size), style preferences, vibes, fit and colour signals.

c) Wardrobe & content. Garments you save, photos of items, outfits and looks, weekly plans, notes.

d) Body photos & try-ons (optional). Selfies and full-body photos you upload, and the AI try-on images we generate from them. You can delete any of these at any time.

e) Device & technical data. Device fingerprint (a hashed local identifier — not biometric), browser user-agent, approximate timezone, screen size, and last-seen timestamp. We use this to recognise the same device and to keep your account secure.

f) Usage data. Pages viewed, features used, interactions, performance metrics, and error/diagnostic logs.

g) Connected-store data. Records of which stores you have connected to your Lumoo ID, when you granted or revoked consent, and the limited identifiers shared with each store.

h) Communications. Messages you send to support and your responses to in-app prompts.

3. How we use your data & legal bases (GDPR)

  • To provide the Service — running your wardrobe, generating try-ons, syncing across devices. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
  • Body photos & AI try-on. Photos of you may constitute special-category data in some jurisdictions. We process them only on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you give by uploading a body photo. Withdraw at any time by deleting the photos in Settings.
  • To secure the Service — preventing fraud, abuse, and unauthorised access. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
  • To improve the Service — aggregated, de-identified analytics and bug fixes. Legal basis: legitimate interests.
  • To share with Connected Stores only when you authorise it. Legal basis: consent (Art. 6(1)(a) GDPR).
  • To send service emails (sign-in codes, security alerts, important changes). Legal basis: contract / legal obligation. Marketing emails are sent only with your consent and you can opt out at any time.
  • To meet legal obligations — tax, accounting, responding to lawful requests. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

4. What we do NOT do

  • We do not sell your personal data.
  • We do not use your photos, garments, measurements, or try-ons to train general-purpose AI models.
  • We do not share your Lumoo ID, photos, or wardrobe with stores you have not connected.
  • We do not run advertising trackers inside the app.

5. AI try-on processing

To generate a try-on, we send your selected body photo(s) and the chosen garment image to our AI provider(s) over an encrypted connection. Our providers are contractually bound to process this data only to fulfil the request, not to retain it for their own purposes, and not to use it for model training. Generated try-on images are stored in your private bucket and only you can access them via signed URLs.

6. Connected Stores & Lumoo ID

When you connect a store, we share a defined Lumoo ID payload with that store so it can recognise you. The exact fields are shown to you at the moment of connection. From the moment a store receives your data, it acts as an independent controller governed by its own privacy policy.

Where Kledd processes data for a Connected Store (e.g. relaying personalisation events back), we act as a processor for that store under a data-processing agreement. You can revoke any connection at any time in Settings; new sessions will then appear to that store as a brand-new shopper.

7. Sub-processors & sharing

We share data only with vetted service providers who help us run the Service:

  • Cloud infrastructure & database — hosting, authentication, file storage (currently Supabase, hosted in the EU).
  • AI providers — try-on image generation, processed on a per-request basis with no model-training rights.
  • Email delivery — sign-in codes and transactional emails.
  • Analytics & error monitoring — aggregated usage and crash data.
  • Payment processors — only if and when you subscribe to a paid plan.

We may also share data when required by law, to enforce these terms, or to protect the rights, property, or safety of users or the public. In a corporate transaction (merger, acquisition), data may transfer to the successor entity, subject to this Policy.

8. International transfers

We aim to keep personal data within the EU/EEA. Where data must be processed outside the EEA (for example by an AI provider), we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures, to ensure an equivalent level of protection.

9. Retention

  • Account & profile: kept while your account is active.
  • Wardrobe, body photos, try-ons: kept until you delete them or close your account.
  • Connection consents: kept while active and for up to 24 months after revocation as proof of consent (Art. 7(1) GDPR).
  • Logs & security data: typically up to 90 days, longer where needed for security investigations.
  • Billing records: retained for the period required by tax and accounting law (typically 5 years in Norway).
  • Closed accounts: personal data is deleted within 30 days of account closure, except where we must retain it by law.

10. Security

We protect your data with measures including encryption in transit (TLS) and at rest, row-level security in our database, scoped private storage buckets, signed URLs with short expiry, principle of least privilege for staff access, audit logging, and regular review of dependencies for vulnerabilities. No system is perfectly secure; if you discover a vulnerability, please email privacy@kledd.app — we will not pursue good-faith security research.

11. Your rights

Subject to applicable law, you have the right to: (a) access the data we hold about you; (b) rectify inaccurate data; (c) request erasure; (d) restrict or object to certain processing; (e) data portability — receive your data in a machine-readable format; (f) withdraw consent at any time (without affecting the lawfulness of past processing); and (g) lodge a complaint with a supervisory authority — in Norway, the Datatilsynet.

You can exercise most rights directly from Settings (delete photos, revoke store connections, delete account). For anything else, email privacy@kledd.app and we will respond within 30 days.

12. Children

The Service is not directed to children under 16 (or the local digital-consent age). We do not knowingly collect personal data from children below this age. If you believe a child has provided us personal data, contact privacy@kledd.app and we will delete it.

13. Cookies & local storage

We use a minimal set of strictly-necessary cookies and local-storage entries to keep you signed in, remember your device, and maintain your session. We do not use third-party advertising cookies. Where analytics cookies are used, we either anonymise the data or rely on your consent in jurisdictions that require it.

14. Automated decision-making

AI try-on and personalised picks involve algorithmic processing, but they do not produce legal or similarly significant effects on you within the meaning of Art. 22 GDPR. You can always ignore or override any suggestion.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email or in-app notice at least 30 days before they take effect. The "Last updated" date at the top reflects the latest revision.

16. Contact us

For privacy questions, requests, or complaints, contact us at privacy@kledd.app. We aim to respond within 30 days.