Privacy Policy

1. Data controller

The data controller responsible for processing your personal data is:

Elena Schulte Ladbeck
Operating as: Aurelle (Einzelunternehmen)
Location: Germany
Email: privacy@aurelle.app

Aurelle is a personal fashion assistant that uses artificial intelligence to help you manage your wardrobe and discover outfits. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

2. What data we collect

We collect and process the following categories of personal data:

• Account information — email address and authentication credentials.
• Wardrobe photos — images of clothing items you upload. These are stored in EU-hosted cloud infrastructure and analysed by AI to identify garment attributes (colour, category, pattern, fabric).
• Style preferences — aesthetics, fit, colour, climate, and occupation preferences you provide.
• Body profile — height, body shape, and sizing information you optionally share, used for outfit fit recommendations.
• Outfit history — saved outfits, wear logs, and feedback ratings.
• Shopping activity — favourited products, product clicks, and affiliate link interactions.
• Location data — your approximate location is used to fetch local weather for weather-appropriate outfit suggestions. Location is used transiently for the weather API call and is not stored long-term.
• Google Calendar data (optional) — if you connect your Google Calendar, we read event titles and times (read-only) to suggest occasion-appropriate outfits. We never modify your calendar or access other Google services.
• Payment data — subscription payments are handled entirely by Apple (App Store), Google (Play Store), or Stripe. Aurelle never receives, processes, or stores credit card numbers or payment details.
• Device & usage data — product-usage analytics (via PostHog, EU-hosted) associated with your account identifier, and crash/error diagnostics (via Sentry, EU-hosted), used to improve and secure the app. We do not use advertising identifiers or build ad profiles.

3. Legal basis for processing

We process your data on the following legal bases under GDPR Article 6(1):

• Contract performance (Art. 6(1)(b)) — processing your wardrobe photos, style preferences, body profile, and outfit history is necessary to provide the core Aurelle service you signed up for.
• Consent (Art. 6(1)(a)) — Google Calendar access, community image sharing, and location data are processed only with your explicit, freely given consent. You can withdraw consent at any time from your profile settings.
• Legitimate interest (Art. 6(1)(f)) — product-usage analytics and crash diagnostics (PostHog and Sentry, both EU-hosted) to improve and secure the service. We use the minimum data necessary for this purpose, do not use it for advertising, and balance it against your rights.

4. How we use your data

• Generate personalised outfit recommendations tailored to your style, body, wardrobe, weather, and calendar.
• Analyse wardrobe photos to identify garment attributes for AI-driven outfit matching.
• Provide shopping suggestions for identified wardrobe gaps.
• Display weather-appropriate outfit suggestions based on your location.
• Improve recommendation quality through anonymised, aggregated analytics.
• Communicate essential service updates (we never send marketing emails without consent).

5. Third-party services & data sharing

We do not sell your data to any third party. We do not use your data for advertising. We use the following categories of third-party service providers to operate Aurelle:

• Cloud database and storage infrastructure (EU-hosted) — stores your account, wardrobe, and preference data. Your primary data remains in the EU.
• AI processing services — outfit generation and style analysis. We send garment metadata (category, colour, fabric, occasion tags) to generate outfit recommendations. AI providers do not use API inputs to train their models and do not retain data beyond the request lifecycle. Transfer safeguard: Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs).
• AI image generation services — flat-lay product images and outfit collage composition. Individual garment photos may be sent for image-to-image processing. Providers do not use API inputs for model training. Transfer safeguard: SCCs and DPAs.
• Product search services — shopping recommendations. Only generic product queries are sent (e.g. "navy wool blazer women"); no personal data is included. Transfer safeguard: SCCs.
• Weather data services — weather-appropriate outfit suggestions. Only geographic coordinates are sent (no user identifiers). Transfer safeguard: SCCs.
• Calendar integration services — read-only access to event titles and times when you opt in. Governed by the provider's privacy policy and your OAuth consent.
• Web hosting and content delivery — hosting and serverless functions. Requests are routed to the nearest edge location. Transfer safeguard: SCCs.
• Subscription management services — manages subscription status and anonymous user identifiers. No personal data beyond subscription state is shared. Transfer safeguard: SCCs and DPA.
• Email delivery services — processes your email address to deliver account-related emails (welcome, password reset). Transfer safeguard: SCCs and DPA.
• Affiliate partners (if active) — shopping recommendations may include affiliate links. The affiliate provider may set a cookie to track referrals for commission purposes. No personal data beyond the click event and referral URL is shared.
• PostHog — product analytics (EU-hosted). Helps us understand feature usage and improve the app.
• Sentry — crash and error monitoring (EU-hosted). Helps us detect and fix technical problems.
• Payment processing — subscription payments are handled by Apple (App Store), Google (Play Store), or equivalent payment processors. Aurelle never receives payment card details.

All processors are bound by data processing agreements. A complete list of current sub-processors is available upon request at privacy@aurelle.app.

6. International data transfers

Your primary data (wardrobe, profile, preferences) is stored in the EU. Some processing involves transfers to the United States via AI processing, product search, weather data, subscription management, and hosting providers. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent safeguards under GDPR Article 46. You may request a copy of the applicable SCCs by emailing privacy@aurelle.app.

7. Community image sharing

You may optionally contribute anonymised garment photos to improve outfit suggestions for all users. This is strictly opt-in (consent-based) and can be toggled off at any time from your profile. Contributed images are fully anonymised — no personal information, metadata, or user identifiers are attached or recoverable. Withdrawing consent stops future contributions; previously anonymised images cannot be traced back to you.

8. Automated decision-making & AI (Art. 22 GDPR)

Aurelle uses artificial intelligence to generate outfit recommendations. The AI analyses your wardrobe item metadata (category, colour, pattern, fabric, occasion tags), style preferences, body profile, weather data, and calendar events to suggest outfit combinations.

These recommendations are suggestions only and do not produce legal or similarly significant effects. You are free to accept, modify, or ignore any suggestion. You can provide feedback (like/dislike/wear) to improve future recommendations.

You have the right to understand the logic involved in the AI processing. If you have questions about how a specific recommendation was generated, contact us at privacy@aurelle.app.

9. Affiliate tracking & shopping

Shopping recommendations may include affiliate links. When you click an affiliate link, the affiliate provider may place a cookie on your device to track the referral for commission purposes. No personal data beyond the click event and referral URL is shared with any affiliate partner. You can manage cookies in your browser or device settings.

10. Data storage & security

Your data is stored in an EU data centre (Frankfurt). All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Row-Level Security (RLS) policies ensure users can only access their own data. Service-role keys are used exclusively in server-side API routes, never in client-side code.

11. Data retention

• Active account — your data is retained for as long as your account is active and necessary to provide the service.
• Account deletion — when you delete your account (via "Delete Account" in the app), all personal data is permanently removed within 24 hours, including: database records across all tables, wardrobe images from storage, and the authentication account.
• Anonymised analytics — aggregated, anonymised usage data may be retained indefinitely as it cannot be linked back to you.
• Community images — anonymised garment photos contributed to the community pool are retained independently of your account, as they contain no personal data.
• Inactive accounts — accounts inactive for more than 24 months may be flagged for deletion. You will be notified by email before any action is taken.

12. Your rights under GDPR

As a data subject, you have the following rights:

• Right of access (Art. 15) — request a copy of all personal data we hold about you. Use "Export My Data" in the app for instant access.
• Right to rectification (Art. 16) — correct inaccurate data by editing your profile, wardrobe items, or preferences in the app.
• Right to erasure (Art. 17) — permanently delete your account and all associated data. Use "Delete Account" in the app or email us.
• Right to restriction of processing (Art. 18) — request that we limit processing of your data while a concern is resolved.
• Right to data portability (Art. 20) — download all your data in structured, machine-readable JSON format via "Export My Data".
• Right to object (Art. 21) — object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent — where processing is based on consent (calendar, location, community sharing), you can withdraw at any time without affecting the lawfulness of prior processing.

To exercise any right, use the in-app controls or email privacy@aurelle.app. We will respond within 30 days (extendable by 60 days for complex requests, with notice).

13. Right to lodge a complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for Germany is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153, 53117 Bonn
www.bfdi.bund.de

You may also contact the data protection authority for North Rhine-Westphalia:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf
www.ldi.nrw.de

14. Analytics and product improvement

We use PostHog (product analytics) and Sentry (crash and error diagnostics) to understand how the app is used and to detect and fix technical problems. Both services are configured to store data within the European Union.

PostHog collects product-usage events — such as which features are used and where users encounter difficulty — associated with your account identifier, so we can improve the app. Sentry collects crash reports and technical error diagnostics, including device model and app-version information, to help us identify and resolve issues.

We do not sell your personal data and we do not use this data for advertising or to build ad profiles. You can contact us at privacy@aurelle.app to exercise your data-protection rights.

15. Children

Aurelle is not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (or under 13 where applicable). If you believe a child has provided us with personal data, please contact us at privacy@aurelle.app and we will delete it promptly.

16. Changes to this policy

We may update this policy from time to time. Material changes will be communicated in-app before they take effect. The "Last updated" date at the top will always reflect the most recent revision. Continued use of Aurelle after changes constitutes acceptance of the updated policy.

17. Contact

For privacy questions, data requests, or to exercise any of your rights:

Elena Schulte Ladbeck
Email: privacy@aurelle.app