
Privacy Policy

Clottr  ·  Last updated: March 2026  ·  Effective: March 2026

Plain language summary: We are a Bulgarian company. We use your photos only to edit them — virtual try-on. We do not recognise who you are from your photos and we do not use your face or body images for AI training. We may sell anonymised, aggregated wardrobe trend data to third parties, but this data cannot identify you. You can delete everything we hold about you at any time, directly in the app.

1. Who We Are

Clottr is operated by NOVSI IT Ltd., a limited liability company (EOOD) registered in Bulgaria, EU.

Contact and data enquiries:
NOVSI IT Ltd.
Company Registry Number: 208124639
Geo Milev str, floor 1, Sofia, 1111, Bulgaria
privacy@clottr.ai

Supervisory Authorities by Region

EU/EEA: Our lead supervisory authority is the Commission for Personal Data Protection (CPDP), Bulgaria — www.cpdp.bg. EU/EEA residents may also complain to the authority in their country of habitual residence.

United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk

Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information (CAI).

United States: California residents have specific rights under the CCPA/CPRA — see Section 14.1.

2. Who This Policy Applies To

This policy applies to all users of the Clottr mobile application (iOS and Android), the Clottr browser extension, and any associated web services or APIs.

Age requirement: Our services are intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

You may use the app without a named account. Anonymous sessions are supported via device identifier. This policy applies equally to anonymous and registered users.

3. What Data We Collect and Why

We only collect what we need to provide the service. Legal bases below reference GDPR/UK GDPR Article 6. Equivalent bases for other jurisdictions are described in Section 14.

| Data Category | What It Includes | Purpose | Legal Basis (EU/UK) |
| --- | --- | --- | --- |
| Account & identity | Email address, name (if provided), Sign in with Google / Apple token, authentication credentials | Account creation and login | Contract performance (Art. 6(1)(b)) |
| Device & session identifiers | Supabase anonymous auth ID, internal device ID, push notification token | Anonymous sessions, push notifications, fraud prevention | Contract performance / Legitimate interest (Art. 6(1)(b)(f)) |
| Body & selfie images | Photos you upload of yourself for virtual try-on poses (front, side, back, detail) | Image editing only — to generate virtual try-on visuals. We do not extract biometric identifiers, do not identify you, and do not use these images for AI training. | Contract performance (Art. 6(1)(b)) |
| Wardrobe images & metadata | Photos of clothing items; category, colour, brand, material, pattern, fit metadata | Wardrobe management, outfit creation, fit analysis | Contract performance (Art. 6(1)(b)) |
| Wardrobe images (AI training) | Clothing-only images with no face or body (e.g. flat lays, product photos) | Improving our AI models. Only with your explicit separate consent, which you may withdraw at any time without affecting your use of the service. | Consent (Art. 6(1)(a)) |
| Style & fashion preferences | Materials, styles, colours, patterns, fit, brands, occasions | Personalised outfit recommendations | Contract performance (Art. 6(1)(b)) |
| Outfit & activity history | Outfit calendar events, wear history, canvas compositions, favourites, wishlist, try-on history | History, in-app analytics, weekly digest | Contract performance (Art. 6(1)(b)) |
| Routine preferences | Preferred wake-up or get-ready time | Scheduling timely outfit recommendations and notifications | Contract performance (Art. 6(1)(b)) |
| Social media usernames | Instagram, TikTok, and/or Pinterest username (optional) | Verifying posts for the rewards programme only | Contract performance (Art. 6(1)(b)) |
| Location data | GPS coordinates (latitude/longitude), if you grant permission | Fetching local weather via Google Weather API. Coordinates sent to Google only; no other location sharing. | Consent (Art. 6(1)(a)) |
| IP address (security) | IP address logged at network/application level | Security monitoring, abuse prevention, rate limiting | Legitimate interest (Art. 6(1)(f)) |
| Usage & analytics data | Anonymised interaction events via Google Analytics (IP anonymisation enabled) | Understanding app usage to improve the product. No personally identifiable data sent to Google Analytics. | Legitimate interest (Art. 6(1)(f)) |
| Crash & diagnostic data | Device model, OS version, app version, crash logs | Identifying and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Browser extension data | On explicit activation: page URL, product name, price, description, availability | Enabling virtual try-on or wardrobe save from retail sites. Only activates on your explicit action — does not passively monitor browsing. | Contract performance / Consent (Art. 6(1)(b)(a)) |

Note on body and selfie images: We process photographs of your face and body solely to perform image editing (virtual try-on generation). We do not use computer vision to identify or categorise you as a person. We do not use body or selfie images to train any AI model. These images are deleted immediately when you delete your account.

4. How We Use Your Data

We use your data to: provide core features; generate personalised weather-aware outfit suggestions; send service communications (account confirmations, resets, weekly digests, opted-in notifications); operate the rewards programme; improve the app through anonymised analytics; train AI models on clothing-only images with your explicit consent; derive and commercialise Aggregated Data (Section 5); maintain security; and comply with legal obligations.

We do not sell individually identifiable personal data, use your data for advertising profiling, use your images to identify you, or share identifiable personal data with third parties for their own marketing.

Marketing emails: We do not currently send promotional emails. When we do, we will obtain explicit opt-in consent in advance, and every message will include a functional unsubscribe mechanism. Canadian users: see CASL note in Section 14.3. US users: see CAN-SPAM note in Section 14.1.

5. Aggregated Data and Commercial Data Use

We may derive, aggregate, and anonymise data from user content and usage patterns — including wardrobe composition trends, style preferences, outfit frequency, and product popularity — in a form that does not identify any individual ("Aggregated Data"). We retain the right to use, analyse, and sell Aggregated Data to third parties including fashion brands, retailers, market research firms, and data analytics businesses. Aggregated Data does not include your name, contact details, photographs, or any data that could reasonably identify you.

United States: California residents have the right to opt out of the sale or sharing of personal information. See Section 14.1.

Canada: For Quebec residents, we will obtain explicit consent before selling Aggregated Data where required under Quebec Law 25. See Section 14.3.

6. Data Sharing and Third-Party Processors

We share your data only with the processors below, under Data Processing Agreements (DPAs), and only to the extent necessary to provide the service.

| Processor | Role | Data Transferred | Location |
| --- | --- | --- | --- |
| Supabase, Inc. | Database, authentication (including anonymous auth) | Account data, wardrobe data, app data, device IDs | EU (AWS eu-central-1 by default — confirm your project region) |
| Hetzner Online GmbH | Backend infrastructure / servers | All data processed by our backend | EU (Germany / Finland) |
| Cloudflare, Inc. | CDN, DDoS protection, network security | IP addresses, request metadata | Global (EU SCCs / UK IDTA apply for non-EEA/UK nodes) |
| Google LLC | Cloud infrastructure (GCP), AI image processing, weather forecasts (Google Weather API), OAuth authentication (Sign in with Google), anonymised usage analytics (Google Analytics) | Images for virtual try-on; GPS coordinates for weather; account token and email for auth; anonymised interaction events for analytics | US — EU SCCs and UK IDTA apply. Google's DPA covers all Google services listed. |
| Apple Inc. | OAuth authentication (Sign in with Apple) | Apple account token, email address (if not hidden by user) | US (EU SCCs / UK IDTA apply) |
| 650 Industries, Inc. (Expo) | Push notification delivery | Push notification token, notification content | US (EU SCCs / UK IDTA apply) |
| Resend, Inc. | Transactional email delivery | Email address, email content | US (EU SCCs / UK IDTA apply) |
| RevenueCat, Inc. | Subscription and in-app purchase management | Device ID, subscription status, purchase history, app user ID | US (EU SCCs / UK IDTA apply) |
| Groq, Inc. | AI inference processing | Text prompts and styling queries sent for AI processing | US (EU SCCs / UK IDTA apply) |

EU/EEA: International transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

UK: UK transfers rely on the UK International Data Transfer Agreement (IDTA) or EU SCCs with the UK Addendum.

Australia: By using the Service, you acknowledge that your personal information will be disclosed to overseas recipients as listed above. We take reasonable steps to ensure those recipients handle your information consistently with the Australian Privacy Principles (APPs). However, once data is disclosed to an overseas recipient, Australian Privacy Act obligations on us regarding that recipient's handling may not apply, and you may not be able to seek redress under the Australian Privacy Act in respect of that recipient. See also Section 14.4.

We do not share identifiable personal data with advertisers, data brokers, or social media platforms beyond what you explicitly initiate.

7. How Long We Keep Your Data

8. Your Privacy Rights

Core rights below apply to EU/EEA and UK users under GDPR/UK GDPR. Additional and equivalent rights for US, Canadian, and Australian users are in Section 14.

| Right | What It Means | How to Exercise |
| --- | --- | --- |
| Access | Obtain a copy of all personal data we hold about you | "Export my data" in Profile settings |
| Rectification | Correct inaccurate or incomplete data | Edit in-app, or email us |
| Erasure | Request deletion of your personal data | "Delete my data" in Profile settings — immediate |
| Portability | Receive your data in a structured, machine-readable format | "Export my data" in Profile settings |
| Restriction | Request we limit processing in certain circumstances | Email privacy@clottr.ai |
| Objection | Object to processing based on legitimate interest | Email privacy@clottr.ai |
| Withdraw consent | Withdraw any consent (AI training, location, marketing) without penalty | In-app consent settings or email us |
| Lodge a complaint | Complain to a supervisory authority | See Section 1 for relevant authority by region |

We will respond to all requests within 30 days. No fee applies.

9. Data Security

Breach Notification

In the event of a personal data breach posing risk to your rights and freedoms:

10. Browser Extension

11. Cookies and Tracking Technologies

The mobile app does not use browser cookies. It uses device identifiers for session management. The browser extension does not use cookies to track browsing. Google Analytics with IP anonymisation is used for aggregate usage statistics. Where any future web interface uses non-essential cookies, we will implement an appropriate consent mechanism before placing them.

12. Children

Our services are intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, contact us at privacy@clottr.ai and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you via in-app notification and/or email at least 30 days before the changes take effect. The updated version is always available in the app under Profile > Privacy Policy. Continued use after the effective date constitutes acceptance.


14. Regional Privacy Addendum

This section sets out additional rights and disclosures for users in specific jurisdictions. Where this addendum conflicts with the main policy, the addendum takes precedence for users in the relevant jurisdiction.

14.1 — United States (CCPA / CPRA — California)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides the following rights in addition to those in Section 8:

Categories of personal information collected in the past 12 months: Identifiers (email, device ID); personal records (name); characteristics (style preferences); commercial information (outfit history, wishlist); internet/electronic activity (usage data, IP address); geolocation data (if permitted); inferences drawn from the above (recommendations, trend data).

Categories sold or shared: Aggregated, de-identified wardrobe and usage trend data only. We do not sell or share identifiable personal information.

Authorised agents may submit requests on your behalf by providing written authorisation. Residents of other states with applicable privacy laws (Virginia, Colorado, Texas, Connecticut, and others) have comparable rights to access, correct, delete, and opt out of sales — contact us at privacy@clottr.ai.

CAN-SPAM: All commercial email messages sent to US users will comply with the CAN-SPAM Act, including clear identification as commercial messages, a valid physical address, and a functional unsubscribe mechanism honoured within 10 business days.

14.2 — United Kingdom (UK GDPR)

The Service is made available to UK users subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The rights in Section 8 apply in full to UK users.

International transfers of UK personal data are conducted using the UK International Data Transfer Agreement (IDTA) or EU SCCs with the UK Addendum, as described in Section 6.

The EU-UK adequacy regulations mean that data flows between Clottr's EU infrastructure and UK users benefit from a recognised adequacy framework, subject to that framework remaining in force.

UK users may direct complaints to the ICO at ico.org.uk or by calling 0303 123 1113. UK users also retain the right to bring proceedings in UK courts.

14.3 — Canada (PIPEDA and Quebec Law 25)

For users in Canada, we process personal information in accordance with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation.

Your rights under PIPEDA include: access to personal information we hold about you; the right to challenge its accuracy; and the right to withdraw consent at any time subject to legal or contractual restrictions.

Quebec residents — Law 25:

CASL — Commercial Electronic Messages: All marketing emails sent to Canadian users will comply with Canada's Anti-Spam Legislation (CASL). We will only send marketing messages to Canadian users with express or implied consent as defined by CASL. Every marketing message will include a clear, functional unsubscribe mechanism honoured within 10 business days.

Complaints may be directed to the OPC at priv.gc.ca or, for Quebec residents, to the CAI at cai.gouv.qc.ca.

14.4 — Australia (Privacy Act 1988 and APPs)

For users in Australia, we handle personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).

Your rights include:

APP 8 — Overseas Disclosure: We disclose personal information to overseas recipients as detailed in Section 6. We take reasonable steps to ensure those recipients handle your information consistently with the APPs. By using the Service, you consent to this overseas disclosure. Once data is disclosed to an overseas recipient, our obligations under the Australian Privacy Act in respect of that recipient's handling may be limited, and you may not be able to seek redress under the Australian Privacy Act against that recipient directly.

Notifiable Data Breaches: Where a breach is likely to result in serious harm to you, we will notify you and the OAIC as required under the NDB scheme (Part IIIC of the Privacy Act 1988).

15. Contact Us

For any privacy-related questions, data subject requests, or concerns:

NOVSI IT Ltd.
Company Registry Number: 208124639
Geo Milev str, floor 1, Sofia, 1111, Bulgaria
Email: privacy@clottr.ai

