Privacy Policy
Last updated: February 7, 2026
Flatterly, Inc. ("Flatterly," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web platform (collectively, the "Service"). Please read this policy carefully. By using Flatterly, you consent to the data practices described in this policy.
1. Data Controller
Flatterly, Inc. is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@flatterly.com
- Data Protection Officer: Flatterly, Inc., Attn: Privacy Team
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password, and profile details when you create an account.
- Profile Data: Body measurements, style preferences, budget ranges, and aesthetic choices you provide during onboarding and Style Genome analysis.
- Photos and Images: Outfit photos you upload for Fit Check analysis, wardrobe inventory images, and shopping screenshots.
- Purchase and Shopping Data: Product URLs you submit for analysis, purchase feedback, and shopping history within the app.
- Communications: Messages you send to our support team or feedback you provide through the app.
2.2 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, and mobile network information.
- Usage Data: Pages viewed, features used, time spent in the app, interaction patterns, and navigation paths.
- Log Data: IP address, browser type, access times, and referring URLs.
- Analytics Data: Aggregated interaction data collected through PostHog for product improvement.
2.3 Biometric and Body Geometry Data
Flatterly uses AI-powered computer vision (OpenAI GPT-4 Vision and OpenCV) to analyze photos you submit. This analysis may derive body geometry measurements, proportions, color palette information, and style characteristics from your photos. This data is classified as biometric data under certain jurisdictions.
Important: We process biometric data only with your explicit consent. You will be asked to provide affirmative consent before any biometric analysis is performed. You may withdraw this consent at any time through Settings > Data & Privacy.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including AI-powered style analysis and recommendations.
- Generate your Style Genome profile and personalized outfit feedback.
- Deliver shopping recommendations across price tiers (from fast fashion to luxury).
- Process subscription payments and manage your account.
- Send you notifications about streaks, achievements, compliments, and style insights (with your consent).
- Analyze usage patterns to improve our AI models and user experience.
- Detect and prevent fraud, abuse, or security incidents.
- Comply with legal obligations.
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Consent (Article 6(1)(a) and Article 9(2)(a)): For biometric data processing, marketing communications, and optional analytics. You may withdraw consent at any time.
- Contract Performance (Article 6(1)(b)): To provide the Service you have subscribed to, including Style Genome analysis and shopping recommendations.
- Legitimate Interests (Article 6(1)(f)): For fraud prevention, security, and product improvement, where these interests are not overridden by your rights.
- Legal Obligation (Article 6(1)(c)): To comply with applicable laws and regulations.
5. Data Sharing and Third-Party Services
We may share your information with the following categories of third parties:
- AI Processing: OpenAI (for GPT-4 Vision style analysis). Photos are processed via API and are not retained by OpenAI for training purposes per our data processing agreement.
- Cloud Infrastructure: Cloudinary (image storage and processing), Railway (backend hosting), Vercel (web hosting).
- Payment Processing: Stripe processes subscription payments. We do not store your complete credit card information.
- Analytics: PostHog for anonymous usage analytics.
- Affiliate Partners: When you click shopping links, retailers may receive a referral identifier. We share only what is necessary to attribute the referral; we do not share your personal profile or biometric data with affiliate partners.
- Error Monitoring: Sentry for crash reporting and performance monitoring.
We do not sell your personal information. We do not share your biometric data with third parties for their own purposes.
6. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Account Data: Retained for the duration of your account plus 30 days after deletion request.
- Outfit Photos and Analysis: Retained for up to 365 days from the date of upload. You may delete individual photos at any time.
- Style Genome Data: Retained for the duration of your account. Deleted upon account closure.
- Shopping History: Retained for up to 365 days. You may clear your history at any time.
- Usage and Analytics Data: Aggregated and anonymized data may be retained indefinitely for product improvement. Identifiable usage data is retained for up to 365 days.
- Biometric Data: Derived body geometry and color analysis data is retained only for the duration of your account and deleted within 30 days of account closure.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): Request deletion of your personal data. We will delete your data within 30 days of a verified request, except where retention is required by law.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: Withdraw consent for biometric processing or marketing at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@flatterly.com or use the Data & Privacy section in your account Settings. We will respond within 30 days (or 45 days for complex requests, with notice).
8. Data Protection Impact Assessment
In accordance with GDPR Article 35, we have conducted a Data Protection Impact Assessment (DPIA) for our biometric data processing activities. This assessment evaluates the necessity, proportionality, and risks of processing body geometry data for style analysis. A summary of our DPIA findings is available upon request by contacting privacy@flatterly.com.
9. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
- Analytics Cookies: Help us understand how you use the Service. You may opt out through your browser settings or our cookie preferences panel.
- Functional Cookies: Remember your preferences such as theme and display settings.
We do not use advertising cookies or third-party tracking pixels. Affiliate links use first-party referral parameters only.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where we transfer data internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission or verify that recipients participate in recognized frameworks.
11. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- JWT-based authentication with secure token management.
- Regular security audits and vulnerability assessments.
- Access controls limiting employee access to personal data on a need-to-know basis.
- Redis-based session management with automatic expiration.
While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
12. Children's Privacy
Flatterly is not intended for use by individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@flatterly.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes affecting your rights or how we process biometric data, we will provide additional notice via email or in-app notification. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@flatterly.com
- Subject line: "Privacy Inquiry"
If you are in the European Economic Area and believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority.