Privacy Policy

Effective date: April 6, 2026  |  Last updated: April 6, 2026

Vestiari ("we", "our", or "us") is an AI-powered wardrobe management app available at vestiari.app. We are committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have over it.

Vestiari is operated by Comando T OU, based in Estonia. As such, this policy is written in compliance with the General Data Protection Regulation (GDPR) and applicable EU data protection law.

1. Data Controller

The data controller responsible for your personal data is:

• Entity: Comando T OU
• Country: Estonia
• Contact: hola@comando-t.com

2. Data We Collect

2.1 Account information

When you create an account, we collect:

• Your name and email address
• Profile photo (if provided via Google OAuth)
• Authentication provider details (Google or email/password)
• Preferred language and locale

2.2 Wardrobe content

To provide the core service, we collect garment data you upload:

• Photos of clothing and accessories
• Garment attributes: category, color, fabric, brand, size, condition, tags
• Outfit combinations and notes
• Style preferences and occasion tags

2.3 Usage data

We collect data about how you use the app:

• Pages visited, features used, and actions taken
• Device type, operating system, and browser
• IP address and approximate location (country/region)
• Session timestamps and session duration

2.4 Payment data

If you subscribe to Vestiari Pro, payment is processed by Stripe. We do not store your card details. Stripe may share billing information such as your country and subscription status with us.

3. How We Use Your Data

We use your data to:

• Provide and improve the Vestiari service, including AI-generated outfit suggestions and styling recommendations
• Authenticate your identity and maintain account security
• Process subscription payments and manage your plan
• Send transactional emails (account creation, password reset, subscription receipts)
• Respond to feedback and support requests
• Analyze aggregate usage patterns to improve the product (no individual profiling for advertising)
• Comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your data on the following legal bases:

• Contract: Processing necessary to provide the service you have signed up for (Art. 6(1)(b) GDPR)
• Legitimate interests: Fraud prevention, security, and product improvement (Art. 6(1)(f) GDPR)
• Legal obligation: Where required by applicable law (Art. 6(1)(c) GDPR)
• Consent: Where you have explicitly opted in, such as marketing emails (Art. 6(1)(a) GDPR)

5. AI Features and Third-Party Processing

Vestiari uses Google Gemini Flash to generate outfit suggestions and styling advice. When you request AI-generated recommendations, anonymized garment attribute data (not your photos) may be transmitted to Google's API. We do not send personally identifiable information to AI providers. Google processes this data in accordance with their own data processing terms.

AI-generated content is provided for convenience and does not constitute professional styling advice. You remain in full control of your wardrobe data.

6. Third-Party Service Providers

We share data with carefully selected third parties who help us operate Vestiari:

• Supabase: Database hosting, authentication, and file storage (EU region)
• Resend: Transactional email delivery
• Stripe: Payment processing (PCI-DSS compliant)
• Google: OAuth authentication and Gemini AI API

All providers are bound by data processing agreements. We do not sell your data to any third party, and we do not use your data for advertising purposes.

7. Data Retention

• Your account data and wardrobe content are retained as long as your account remains active
• If you delete your account, all personal data will be permanently removed within 30 days
• Anonymized, aggregated usage data may be retained indefinitely for product analytics
• Backup data is purged on a rolling 90-day schedule

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the data we hold about you
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your account and all associated data
• Right to portability: Receive your data in a structured, machine-readable format
• Right to restrict processing: Request that we limit how we use your data
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: At any time, where processing is based on consent

To exercise any of these rights, contact us at hola@comando-t.com. We will respond within 30 days. If you believe your rights have not been respected, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.

9. Cookies and Local Storage

Vestiari uses session cookies and browser local storage solely to maintain your authenticated session and remember your preferences (such as language and theme). We do not use third-party advertising cookies or tracking pixels. You can clear cookies through your browser settings, though this will log you out of the app.

10. Data Security

We take the security of your data seriously. Our measures include:

• All data transmitted over HTTPS/TLS
• Row-level security (RLS) policies enforced at the database layer
• Passwords hashed using bcrypt; we never store plaintext passwords
• Access to production systems restricted to essential personnel
• Regular security reviews and dependency updates

In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR (within 72 hours of becoming aware).

11. International Data Transfers

Vestiari is built on infrastructure primarily within the European Union. Where data is processed by third parties outside the EU (such as Google), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

12. Children's Privacy

Vestiari is not intended for children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, please contact us at hola@comando-t.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice in the app before the changes take effect. The effective date at the top of this document will always reflect the latest version.

14. Contact Us

If you have any questions, requests, or concerns about this Privacy Policy or how we handle your data, please reach out:

• Email: hola@comando-t.com
• Website: vestiari.app
• Mailing address: available upon request

---

Vestiari by Comando T OU  |  vestiari.app  |  hola@comando-t.com