Privacy Policy

1. Data controller

The data controller responsible for processing your personal data is:

Elena Schulte Ladbeck
Operating as: Aurelle (Einzelunternehmen)
Location: Germany
Email: privacy@aurelle.app

Aurelle is a personal fashion assistant that uses artificial intelligence to help you manage your wardrobe and discover outfits. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

2. What data we collect

We collect and process the following categories of personal data:

• Account information — email address and authentication credentials (managed by Supabase Auth).
• Wardrobe photos — images of clothing items you upload. These are stored in Supabase Storage (EU) and analysed by AI to identify garment attributes (colour, category, pattern, fabric).
• Style preferences — aesthetics, fit, colour, climate, and occupation preferences you provide.
• Body profile — height, body shape, and sizing information you optionally share, used for outfit fit recommendations.
• Outfit history — saved outfits, wear logs, and feedback ratings.
• Shopping activity — favourited products, product clicks, and affiliate link interactions.
• Location data — your approximate location is used to fetch local weather for weather-appropriate outfit suggestions. Location is used transiently for the weather API call and is not stored long-term.
• Google Calendar data (optional) — if you connect your Google Calendar, we read event titles and times (read-only) to suggest occasion-appropriate outfits. We never modify your calendar or access other Google services.
• Payment data — subscription payments are handled entirely by Apple (App Store), Google (Play Store), or Stripe. Aurelle never receives, processes, or stores credit card numbers or payment details.
• Device & usage data — anonymous, aggregated usage analytics to improve the app. We do not use tracking IDs, advertising identifiers, or build ad profiles.

3. Legal basis for processing

We process your data on the following legal bases under GDPR Article 6(1):

• Contract performance (Art. 6(1)(b)) — processing your wardrobe photos, style preferences, body profile, and outfit history is necessary to provide the core Aurelle service you signed up for.
• Consent (Art. 6(1)(a)) — Google Calendar access, community image sharing, and location data are processed only with your explicit, freely given consent. You can withdraw consent at any time from your profile settings.
• Legitimate interest (Art. 6(1)(f)) — anonymous usage analytics to improve service quality and security. Our legitimate interest does not override your rights, as the data is fully anonymised and aggregated.

4. How we use your data

• Generate personalised outfit recommendations tailored to your style, body, wardrobe, weather, and calendar.
• Analyse wardrobe photos to identify garment attributes for AI-driven outfit matching.
• Provide shopping suggestions for identified wardrobe gaps.
• Display weather-appropriate outfit suggestions based on your location.
• Improve recommendation quality through anonymised, aggregated analytics.
• Communicate essential service updates (we never send marketing emails without consent).

5. Third-party services & data sharing

We use the following third-party services to operate Aurelle. We do not sell your data to any third party. We do not use your data for advertising.

• Supabase (EU region, Frankfurt) — database, authentication, and file storage. Your data remains in the EU.
• Anthropic (Claude AI) (USA) — outfit generation and style analysis. We send garment metadata (category, colour, fabric, occasion tags) to generate outfit recommendations. Raw photos are not sent. Anthropic does not use API inputs to train its models and does not retain prompt data beyond the request lifecycle. Transfer safeguard: Standard Contractual Clauses (SCCs).
• OpenAI (USA) — flat-lay image generation and AI collage composition. Individual garment photos may be sent for image-to-image processing. OpenAI does not use API inputs to train its models. Transfer safeguard: SCCs and Data Processing Agreement (DPA).
• Google Gemini (USA) — fallback image generation for flat-lays and collages. Garment metadata and photos may be sent when primary providers are unavailable. Google does not use API data to train its models under the API Terms of Service. Transfer safeguard: SCCs and DPA.
• Serper.dev (USA) — product search for shopping recommendations. Only generic product queries are sent (e.g. "navy wool blazer women"); no personal data is included. Transfer safeguard: SCCs.
• OpenWeatherMap (USA) — weather data for outfit suggestions. Only geographic coordinates are sent (no user identifiers). Transfer safeguard: SCCs.
• Google Calendar API — read-only access to event titles and times when you opt in. Governed by Google's privacy policy and your OAuth consent.
• Vercel (USA/EU) — hosting and serverless functions. Requests are routed to the nearest edge location. Transfer safeguard: SCCs.
• RevenueCat (USA) — subscription and in-app purchase management. Processes your subscription status and anonymous user identifiers. No personal data beyond subscription state is shared. Transfer safeguard: SCCs and DPA.
• Resend (USA) — transactional email delivery. Processes your email address to deliver account-related emails (welcome, password reset, waitlist). Transfer safeguard: SCCs and DPA.
• Affiliate partners (if active) — shopping recommendations may include affiliate links. If an affiliate partnership is active, the affiliate provider may set a cookie to track referrals for commission purposes. No personal data beyond the click event and referral URL is shared. You can manage cookies in your browser or device settings.
• Apple / Google / Stripe — payment processing for subscriptions. Aurelle never receives payment card details.

6. International data transfers

Your primary data (wardrobe, profile, preferences) is stored in the EU (Supabase, Frankfurt). Some processing involves transfers to the United States (Anthropic, OpenAI, Google Gemini, Serper.dev, OpenWeatherMap, RevenueCat, Resend, Vercel). These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent safeguards under GDPR Article 46. You may request a copy of the applicable SCCs by emailing privacy@aurelle.app.

7. Community image sharing

You may optionally contribute anonymised garment photos to improve outfit suggestions for all users. This is strictly opt-in (consent-based) and can be toggled off at any time from your profile. Contributed images are fully anonymised — no personal information, metadata, or user identifiers are attached or recoverable. Withdrawing consent stops future contributions; previously anonymised images cannot be traced back to you.

8. Automated decision-making & AI (Art. 22 GDPR)

Aurelle uses artificial intelligence (Anthropic Claude) to generate outfit recommendations. The AI analyses your wardrobe item metadata (category, colour, pattern, fabric, occasion tags), style preferences, body profile, weather data, and calendar events to suggest outfit combinations.

These recommendations are suggestions only and do not produce legal or similarly significant effects. You are free to accept, modify, or ignore any suggestion. You can provide feedback (like/dislike/wear) to improve future recommendations.

You have the right to understand the logic involved in the AI processing. If you have questions about how a specific recommendation was generated, contact us at privacy@aurelle.app.

9. Affiliate tracking & shopping

Shopping recommendations may include affiliate links. When you click an affiliate link, the affiliate provider may place a cookie on your device to track the referral for commission purposes. No personal data beyond the click event and referral URL is shared with any affiliate partner. You can manage cookies in your browser or device settings.

10. Data storage & security

Your data is stored in Supabase (EU data centre, Frankfurt). All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Row-Level Security (RLS) policies ensure users can only access their own data. Service-role keys are used exclusively in server-side API routes, never in client-side code.

11. Data retention

• Active account — your data is retained for as long as your account is active and necessary to provide the service.
• Account deletion — when you delete your account (via "Delete Account" in the app), all personal data is permanently removed within 24 hours, including: database records across all tables, wardrobe images from storage, and the authentication account.
• Anonymised analytics — aggregated, anonymised usage data may be retained indefinitely as it cannot be linked back to you.
• Community images — anonymised garment photos contributed to the community pool are retained independently of your account, as they contain no personal data.
• Inactive accounts — accounts inactive for more than 24 months may be flagged for deletion. You will be notified by email before any action is taken.

12. Your rights under GDPR

As a data subject, you have the following rights:

• Right of access (Art. 15) — request a copy of all personal data we hold about you. Use "Export My Data" in the app for instant access.
• Right to rectification (Art. 16) — correct inaccurate data by editing your profile, wardrobe items, or preferences in the app.
• Right to erasure (Art. 17) — permanently delete your account and all associated data. Use "Delete Account" in the app or email us.
• Right to restriction of processing (Art. 18) — request that we limit processing of your data while a concern is resolved.
• Right to data portability (Art. 20) — download all your data in structured, machine-readable JSON format via "Export My Data".
• Right to object (Art. 21) — object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent — where processing is based on consent (calendar, location, community sharing), you can withdraw at any time without affecting the lawfulness of prior processing.

To exercise any right, use the in-app controls or email privacy@aurelle.app. We will respond within 30 days (extendable by 60 days for complex requests, with notice).

13. Right to lodge a complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for Germany is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153, 53117 Bonn
www.bfdi.bund.de

You may also contact the data protection authority for North Rhine-Westphalia:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf
www.ldi.nrw.de

14. Analytics

Aurelle currently uses only anonymous, aggregated analytics (e.g. total number of outfits generated, feature usage counts). We do not use third-party analytics services that track individual users. If we introduce a third-party analytics tool in the future, this policy will be updated and you will be notified in-app before any change takes effect.

15. Children

Aurelle is not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (or under 13 where applicable). If you believe a child has provided us with personal data, please contact us at privacy@aurelle.app and we will delete it promptly.

16. Changes to this policy

We may update this policy from time to time. Material changes will be communicated in-app before they take effect. The "Last updated" date at the top will always reflect the most recent revision. Continued use of Aurelle after changes constitutes acceptance of the updated policy.

17. Contact

For privacy questions, data requests, or to exercise any of your rights:

Elena Schulte Ladbeck
Email: privacy@aurelle.app