Privacy.
Last updated: 2026-05-30
Short version: we collect what we need to run the AI generation pipeline and bill correctly, nothing more. Your reference photos and generated designs are scoped to your account and can be deleted at any time. We don't train shared models on user uploads.
What we collect
- Account info — email + optional name from sign-in (Google OAuth or email/password). That's the only PII we need to run an account.
- Uploaded photos — the reference photos you submit to the generator. Stored in private R2 buckets scoped to your user ID. Accessible only via authenticated proxy URLs.
- Generated designs — the AI outputs we produce on your behalf. Same access model as uploads.
- Usage events — anonymized product analytics via PostHog (page views, feature engagement). No PII in event payloads beyond a hashed user ID for sessionization.
- Billing data — handled by Stripe. We store a customer ID + subscription state on our side; card numbers stay with Stripe.
Your photos & face data
Because ChangeOutfit transforms photos that contain faces, the images you upload may be analyzed for facial features so the AI can generate your outfits. Depending on where you live, this face data may be considered "biometric" information / biometric identifiers / Sensitive Personal Information — for example under the Illinois Biometric Information Privacy Act (BIPA), the EU/UK GDPR, or the California CCPA/CPRA. We treat it accordingly:
- We collect it only with your consent, which you give at your first upload (and can withdraw anytime in Settings).
- We use it solely to generate the outputs you request — never to identify or authenticate you.
- We contractually prohibit our AI provider from training on it or retaining it.
- We never sell, rent, or trade it.
What we don't collect
- We don't sell or share your photos with third parties.
- We don't train shared AI models on your uploads. Generation is one-shot reference-edit per call; no persistent model is built from your data.
- We don't track you across the open web. No third-party ad-tech pixels on the marketing site.
How the AI pipeline works
When you run a capsule, your reference photo is sent to a third-party AI provider (currently Replicate, hosting Seedream-4 and BiRefNet models) over an encrypted connection. The provider processes the image in memory and returns the generated output. We don't grant the provider any persistent storage rights on your uploads — see their respective privacy policies for their retention.
Generated outputs are saved to private R2 storage scoped to your user ID. They're served only via authenticated proxy URLs (/files/d/<designId>/full) — public URL guessing is not a viable vector.
Retention
Source photos you upload are automatically deleted 30 days after generation, or sooner if you delete them. Generated designs stay in your gallery until you delete them or close your account. Even absent activity, any biometric data is destroyed within three years of your last interaction. Full detail in our Data Retention & Destruction Policy.
Your rights
You can access, delete, and export your data — and we do not sell or share your personal information. Under the GDPR you have rights to access, rectification, erasure, and portability; under the CCPA/CPRA you have the right to know, delete, and limit use of sensitive personal information.
- Access — see every upload + design under /app/media-library and /app/designs.
- Delete — delete any upload or design at any time from those surfaces. Deletion removes the R2 object + the database row.
- Export — download a full JSON copy of your data yourself from Settings → Privacy & data → Export my data.
- Account deletion — delete your whole account instantly from Settings → Danger zone. It wipes all storage + database data tied to your user ID, right then.
- Withdraw consent — manage cookie/analytics consent anytime via Settings → Privacy & data → Cookie preferences.
Free tools (browser-only)
Three of the tools at /tools (HEIC-to-JPG, Image Cropper, Image Resizer) run entirely in your browser via the Canvas API and WebAssembly. Those files NEVER leave your device — there's no upload, no server processing, no logging.
Cookies + analytics
Auth uses a strictly-necessary HTTP-only session cookie set by the API on your authenticated subdomain — that one is required to keep you logged in. For analytics (PostHog) we follow your region's law: in the EU, EEA, UK and Switzerland nothing is captured until you opt in via our cookie banner; elsewhere analytics run by default under this notice and you can opt out anytime. Either way you're in control from Settings → Privacy & data → Cookie preferences. See our Cookie Policy for the full list.
Contact
Privacy questions, data requests, or anything else: [email protected].
This policy may change as the product evolves. Material changes will be announced in the app + via the email on your account.