Privacy Policy
Whatrobe mobile application — user-facing version.
This Privacy Policy explains how Whatrobe (hereinafter: the "App" or "Whatrobe") collects, uses, stores, and protects users' personal data. This document complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter: GDPR).
Data controller
The data controller for Whatrobe users is:
- Company
- Jakub Skoczek IT Solutions
- Tax ID (NIP)
- 6772474557
- Business Registry (REGON)
- 521265100
- Registered address
- ul. Franciszkańska 10, 38-200 Jasło, Podkarpackie voivodeship, Poland
- Contact email
- [email protected]
- App Store distribution
- Published via Apple Developer Program account registered as individual by Jakub Skoczek (Apple Developer Team ID: RPLZV4SB5R)
What data we collect
We only process data strictly necessary to provide the App's services. The scope of data depends on which features you use:
Account data
- Email address — required to create an account and log in
- First and last name — optional, for personalization
- External identifier from authentication provider (Clerk) — when you sign in via Apple ID or Google
Whatrobe's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We request only the email, profile, and openid scopes — the minimum needed to authenticate you.
Photos
- Body photo — uploaded by you for the virtual try-on (VTO) feature
- Wardrobe item photos — from camera or photo library, uploaded to your wardrobe catalog
- AI-generated images — virtual try-on results created from your photos
App usage data
- Wardrobe inventory — categories, colors, materials, brands (partially auto-tagged by AI)
- Generated outfits — and your reactions (saved, dismissed, marked as worn)
- Style preferences — provided during onboarding questionnaire
- Wear history — dates when you marked an item or outfit as worn
Location data
- Approximate location — used only in real-time to fetch weather forecast. Not stored in our systems after the weather query completes.
Technical data
- Push notification token — device identifier from Expo/Apple/Google, used to deliver notifications
- Device type — model, operating system (for error diagnostics)
- IP address — used transiently for server communication (server logs deleted after 30 days)
Purposes and legal bases
| Processing purpose | GDPR legal basis |
|---|---|
| Account creation and management | Article 6(1)(b) — contract performance |
| Providing app features (wardrobe catalog, outfit generation, virtual try-on) | Article 6(1)(b) — contract performance |
| Sending push notifications (e.g., VTO ready alert) | Article 6(1)(a) — consent (granted when enabling notifications) |
| Accessing location for weather-based suggestions | Article 6(1)(a) — consent |
| AI image generation from your photos (VTO) | Article 6(1)(b) — contract performance (on your explicit request) |
| App security, abuse detection | Article 6(1)(f) — legitimate interest |
| Dispute resolution, legal claims | Article 6(1)(f) — legitimate interest |
Providing data is voluntary but necessary to use the corresponding app features. Without an email address you cannot create an account. Without a body photo you cannot use VTO. Without location you cannot receive weather-based suggestions.
Recipients and subprocessors
Your data may be entrusted to the following data processors, with whom we have signed data processing agreements under Article 28 GDPR:
| Entity | Purpose | Location |
|---|---|---|
| Clerk Inc. | User authentication, session management | USA (SCC) |
| Supabase Inc. | Application database hosting | EU (Frankfurt) |
| Cloudflare Inc. | Photo storage (R2), CDN, DDoS protection | EU / USA (SCC) |
| Fly.io Inc. | Application server hosting | EU (Frankfurt) |
| OpenAI, L.L.C. | AI image generation (virtual try-on), style analysis | USA (SCC) |
| Expo, Inc. | Push notification delivery | USA (SCC) |
| Apple Inc. | APNs — push notification delivery to iOS devices | USA (SCC) |
| Google LLC | FCM — push notification delivery to Android devices (future) | USA (SCC) |
| RevenueCat, Inc. | Subscription and in-app purchase management | USA (SCC) |
| PostHog, Inc. | Product analytics (usage events, pseudonymous) | EU |
| AppsFlyer Ltd. | Mobile marketing attribution and measurement | EU / USA (SCC) |
The following services may be added in the future (with prior policy update):
- Sentry (application error reporting)
We do not sell your data to any third parties. We share a limited set of data with our advertising-measurement partner AppsFlyer to understand how users discover Whatrobe. On iOS, before any advertising-related collection we ask for your permission through Apple's App Tracking Transparency framework; if you decline, your advertising identifier (IDFA) is not accessed and attribution falls back to Apple's privacy-preserving SKAdNetwork. You can change this choice at any time in your device's Settings > Privacy & Security > Tracking.
International data transfers
Some of our subprocessors are based outside the European Economic Area (mainly in the United States). These transfers occur only with safeguards required by GDPR:
- Standard Contractual Clauses (SCC) — approved by the European Commission under Article 46(2)(c) GDPR
- EU-U.S. Data Privacy Framework — for participating entities (including Clerk, OpenAI)
- Additional technical measures — data encryption in transit (TLS 1.2+) and at rest (AES-256)
Transfer documentation is available on request at [email protected].
Data retention
| Data category | Retention period |
|---|---|
| Account data (email, profile) | Until user deletes the account |
| Wardrobe and body photos | Until user deletes them or account deletion |
| Generated VTO images | Until user deletes them or account deletion |
| Wear history, outfits | Until account deletion |
| Push notification token | Until consent withdrawal or app uninstall |
| Location data | Not stored — used only during weather query |
| Server logs (IP, errors) | 30 days from event |
| Data needed for legal claims (after account deletion) | Up to 3 years from deletion (statutory limitation periods) |
After the retention period, data is permanently deleted or anonymized.
Your rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — request information about what data we process about you
- Right to rectification (Article 16) — request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten", Article 17) — request deletion when data is no longer necessary
- Right to restriction of processing (Article 18) — request temporary suspension of processing
- Right to data portability (Article 20) — receive your data in a structured electronic format (JSON)
- Right to object (Article 21) — to processing based on legitimate interest
- Right to withdraw consent (Article 7(3)) — at any time, without affecting prior processing
- Right to lodge a complaint — to the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland
How to exercise these rights
To exercise any of the above rights, send an email to [email protected]. We will respond within 30 days of receipt (under Article 12(3) GDPR; in exceptional cases this may be extended by 60 additional days).
For identity verification, the request should be sent from the email address linked to your account.
Cookies and similar technologies
The Whatrobe app does not use cookies in the traditional sense, as it operates as a native mobile application (iOS/Android). However, we use functionally similar technologies:
- Local device storage — stores your preferences (language, theme), session token, image cache
- Device identifiers — used by push systems (Expo Push token) and Clerk (session ID), and, only with your App Tracking Transparency consent, the advertising identifier (IDFA) used by AppsFlyer for attribution
This data is essential for the App to function and is removed upon uninstall or logout.
Data security
We apply appropriate technical and organizational measures to protect your data:
- Encryption in transit — TLS 1.2+ for all mobile-server connections
- Encryption at rest — AES-256 for database (Supabase) and object storage (Cloudflare R2)
- Passwords — we never store plain-text passwords (Clerk uses bcrypt hashing)
- Session tokens — short-lived, automatically refreshed
- Data minimization — we collect only what is necessary
- Access control — permissions follow the principle of least privilege
- Regular encrypted backups — of the database
Children's privacy
The Whatrobe app is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we learn that data of a child under 16 has been provided without parental consent, we will delete it immediately.
If you are a parent or guardian and suspect your child has created an account, contact us at [email protected].
Changes to this policy
This Privacy Policy may be updated to reflect changes in our services, technology, applicable laws, or in response to supervisory authority requirements. We will notify you of material changes by:
- In-app notification 14 days before changes take effect
- Email to your registered address (for significant changes)
- Updating the "Last updated" date at the top of this document
Continued use of the App after the updated policy takes effect constitutes acceptance of the new version. If you do not accept the changes, you may delete your account.
Contact
For personal data matters, contact us:
- Email (preferred)
- [email protected]
- Postal address
- Jakub Skoczek IT Solutions
ul. Franciszkańska 10
38-200 Jasło
Poland - Supervisory authority
- Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
uodo.gov.pl