Privacy & Cookies Policy

Last updated: 13 May 2026 · Version: 2.1

This policy explains what personal data WeartyAI collects, why we collect it, how long we keep it and what rights you have. It applies to users in the United Kingdom, the European Economic Area and the United States, and is designed to comply with the UK GDPR, the EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), the California Consumer Privacy Act as amended by the CPRA, and the privacy laws of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA) and Oregon (OCPA).

1. Who is the data controller

The data controller is WeartyAI, operating under sole-trader registration in the United Kingdom. Contact: weartyai@gmail.com. We are registered with the UK Information Commissioner's Office (ICO) as a data controller under reference number ZC147184. We do not have a Data Protection Officer (DPO) — none is required for our scale — but the contact email above reaches the person responsible for privacy decisions.

2. What personal data we collect

Category	Examples	Source
Account identity	Email address, hashed password, display name, avatar URL (if you sign in with Google)	You, or Google OAuth
Usage data	Photos you upload to be analysed, the resulting AI outputs, your credit balance, transaction history	You
Payment data	Stripe customer ID, last-4 of card, country, billing email; we do not store card numbers	Stripe
Technical data	IP address, device type, browser, app version, error logs	Automatic, on each request
Communications	Emails you send to support; transactional emails we send you (login link, receipts)	You / us

3. Why we collect it (purposes & legal basis)

Under UK GDPR every processing activity needs a lawful basis. Ours:

What we do	Why	Legal basis (UK GDPR)
Create & maintain your account	You asked us to provide the service	Article 6(1)(b) — contract
Process your photos through AI models (valuation, product shot, model shoot, animation)	You asked for the result	Article 6(1)(b) — contract
Charge you / refund credits	To take payment for credits you bought	Article 6(1)(b) — contract
Send transactional emails (magic link, payment receipt, refund)	So you can use the service	Article 6(1)(b) — contract
Keep error logs & usage stats	Detect bugs, prevent fraud, plan capacity	Article 6(1)(f) — legitimate interest
Comply with tax / VAT / anti-money-laundering rules	UK law requires it	Article 6(1)(c) — legal obligation
Send marketing emails (only if you opt in)	Tell you about new features	Article 6(1)(a) — your consent (opt-in)
Use optional analytics cookies	See which features are used	Article 6(1)(a) — your consent (cookie banner)

To run WeartyAI we use a handful of carefully chosen vendors. Each is a data processor acting on our instructions under a written agreement (DPA). We do not sell your personal data and we do not share it with advertisers.

Vendor	What it does for us	Where data is processed
Supabase	Stores your account & transaction data, runs auth	EU (Frankfurt)
Railway	Hosts our backend API	USA (Oregon) with EU SCCs in place
Vercel	Hosts our website	Global edge network with EU SCCs
Stripe	Takes card payments, sends receipts	UK + Ireland
fal.ai	Runs the image / video AI models that analyse your uploaded photos	USA with EU SCCs in place
Anthropic	Runs Claude models that read your photo to write product descriptions	USA with EU SCCs in place
Resend	Sends our transactional emails	USA with EU SCCs in place
Zenserp	Runs anonymous marketplace price-search queries — we send only the item description, never your personal data	EU (Germany)
Google	Sign-in with Google (OAuth) only — we receive your email + name	USA with EU SCCs in place

A current list of sub-processors is maintained at the address above and may change with notice.

5. International transfers

Some of our sub-processors are based in the United States. When data leaves the UK / EEA, it is protected by the European Commission's Standard Contractual Clauses (SCCs) as incorporated into UK law, plus, where available, certification under the UK Extension to the EU-US Data Privacy Framework. Your data is encrypted in transit (TLS 1.3) and at rest.

6. How long we keep it

Data	Retention
Account record (email, password hash, settings)	While your account is open + 30 days after deletion
Photos you upload	Cached at our AI providers for the duration of generation, then deleted within 24 hours. Generated outputs are stored on your account until you delete them.
Credit transactions	7 years (UK HMRC requirement)
Stripe payment records	Held by Stripe under their own retention rules; we keep transaction IDs for 7 years
Server access logs	30 days
Marketing email opt-ins	Until you unsubscribe

7. Cookies & similar technologies

A "cookie" is a small text file your browser stores on your device. We use the minimum needed and ask your permission before setting anything optional, as required by PECR §6.

Strictly necessary (always on)

sb-access-token, sb-refresh-token — Supabase authentication. Without these you cannot stay logged in. HttpOnly, Secure, SameSite=Lax. Lifetime: 7 days.
weartyai-cookie-consent — Records your cookie choices so we do not ask again on every page. localStorage, lifetime 12 months.
Stripe cookies — set only on the Stripe Checkout page when you start a payment, for fraud prevention. We do not control these.

Optional — analytics (off unless you accept)

If you accept analytics in our cookie banner, we may, in future, set anonymous measurement cookies (e.g. Vercel Analytics). At the time of writing we do not load any analytics scripts. If we add some, we will only do so after you opt in via the cookie banner.

Optional — marketing (off unless you accept)

We do not currently use marketing cookies (no Google Ads, no Meta Pixel, no TikTok Pixel). If we ever add these, they will require your consent first.

Changing your mind

You can change your cookie choices any time using the "Cookie preferences" link in our website footer. Your choice is reset if you clear your browser storage.

8. Your rights (UK & EU users)

Under UK GDPR / EU GDPR you have the following rights. To exercise any of them, email weartyai@gmail.com from the address you registered with — we will respond within 30 days, free of charge.

Right of access — get a copy of your personal data. You can also self-serve via the in-app Export my data button (Profile screen).
Right to rectification — correct anything inaccurate.
Right to erasure ("right to be forgotten") — delete your account and personal data. You can self-serve via the in-app Delete my account button (Profile screen). We retain only the bare minimum required by tax law (transaction records for 7 years, anonymised where possible).
Right to restrict processing — pause processing while a dispute is resolved.
Right to data portability — receive your data in a portable JSON format.
Right to object — object to processing based on legitimate interest, including profiling.
Right to withdraw consent — for anything we relied on consent for (marketing emails, optional cookies). Withdrawal does not affect processing that already happened.
Right not to be subject to a solely automated decision — we do not make automated decisions that produce legal effects on you.

9. Your rights (US users — CCPA / state laws)

If you live in the United States, the rights below apply to you. We extend the same rights to all US residents, not only those in states with a privacy statute on the books, because giving the same protections everywhere is simpler and fairer.

9.1 Notice of collection (CCPA §1798.100)

In the past 12 months we have collected the categories of personal information listed below, as defined by the California Consumer Privacy Act:

CCPA category	What we collect	Purpose
Identifiers	Email address, account ID, IP address, device ID	Account creation & authentication
Customer records	Display name, password hash, billing email	Run your account
Commercial information	Credit purchases, transaction history, products consumed	Run our service & comply with tax law
Internet or network activity	App version, error logs, endpoints used	Detect bugs, prevent abuse
Geolocation (coarse)	Country derived from IP address — never precise GPS	Show local marketplace pricing
Visual information	Photos you upload of items to be analysed; AI-generated outputs	Provide the AI feature you requested
Inferences	Item category, suggested resale price, listing copy	Generate the output you asked for

We collect this information directly from you (when you sign up, upload a photo, buy credits) and from our sub-processors listed in section 4. Detailed retention periods are in section 6.

9.2 We do not sell or share your personal information

WeartyAI does not sell your personal information for money and does not share it for cross-context behavioural advertising, as those terms are defined under the CCPA / CPRA. We do not have a "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of — but if this ever changes, we will publish that link and notify users at least 30 days before any selling or sharing begins.

9.3 Sensitive personal information

We do not collect "sensitive personal information" as defined by Cal. Civ. Code §1798.140(ae) (no government IDs, no precise geolocation, no biometric data, no health data, no race or ethnicity, no sexual orientation, no contents of mail or messages). Therefore the right to limit use of sensitive PI does not apply — there is nothing to limit.

9.4 Your rights and how to exercise them

You have the following rights regardless of which US state you live in. They are free to use and we will respond within 45 days (which we may extend once by a further 45 days if your request is complex, with notice to you).

Right to know what personal information we have collected about you, where it came from, why we collected it, who we shared it with, and receive a copy. The fastest way is to tap "Export my data" on the Profile screen in the app — you get the JSON instantly.
Right to delete your personal information. Tap "Delete my account" on the Profile screen. We must keep transaction records for 7 years to satisfy US federal and state tax requirements, but they are anonymised — your name and email are removed.
Right to correct inaccurate personal information. Send us an email or edit your profile from the app.
Right to opt out of sale or sharing — not applicable, see 9.2.
Right to limit use of sensitive PI — not applicable, see 9.3.
Right to non-discrimination — we will not deny service, charge a different price, give you a lower quality of service, or otherwise retaliate against you for exercising any of these rights.
Right to data portability — the export in the app is a machine-readable JSON file you can take anywhere.
Right to appeal (Virginia, Colorado, Connecticut, Texas) — if we deny your request, you can ask us to reconsider by replying to our denial. If we still refuse, you can complain to your state attorney general.

9.5 Verification & authorised agents

When you exercise a right by email, we verify you by replying to the email address on your account. You may also appoint an authorised agent to make the request for you; we will require a signed permission from you and reserve the right to verify directly with you before disclosing or deleting data.

9.6 Shine-the-Light (California Civil Code §1798.83)

We do not share personal information with third parties for their own direct marketing purposes, so there is nothing to disclose under §1798.83.

9.7 Notice for Nevada residents (NRS §603A.340)

Nevada residents may submit an opt-out of sale by email. We do not sell personal information, so the opt-out is automatic — but the right exists and is honoured.

10. Children's privacy & COPPA

WeartyAI is for users aged 18 and over. We do not knowingly collect, use or disclose personal information from anyone under 18, and we do not direct any part of the service to children under 13 as defined by the US Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506). If you believe a child has created an account, email us and we will delete it promptly. Parents who suspect a child has provided us with information can also contact us directly using the email below.

11. Security

We use TLS 1.3 for all traffic, hash passwords with bcrypt (via Supabase auth), store JWTs in HttpOnly cookies, and run our backend on Railway with private networking. Photos are processed in-memory and not written to long-term storage. Despite our efforts no system is 100% secure — if we discover a personal data breach that risks your rights, we will notify the ICO within 72 hours and you without undue delay, as required by Article 33 / 34 UK GDPR.

12. Changes to this policy

We may update this policy when our practices or the law changes. Material changes are emailed to registered users at least 14 days in advance. The current version number and date are at the top of the page. Old versions are kept on request.

13. Contact & complaints

Questions, requests, complaints: weartyai@gmail.com.

If you are not satisfied with our response, you have the right to complain to a data protection regulator:

United Kingdom — Information Commissioner's Office (ICO), ico.org.uk, helpline 0303 123 1113.
European Economic Area — your local data protection authority. A list is maintained at edpb.europa.eu. In Poland this is the Urząd Ochrony Danych Osobowych (UODO), uodo.gov.pl.
United States — California — California Privacy Protection Agency (CPPA), cppa.ca.gov, or the California Attorney General at oag.ca.gov/privacy.
United States — other states — your state Attorney General's consumer protection division (e.g. Virginia, Colorado, Connecticut, Utah, Texas, Oregon). A list of state AGs is at naag.org/find-my-ag.
Copyright / DMCA complaints — see our DMCA notice page for the takedown procedure and designated agent contact.