Last updated: 26 April 2026 · Version: 2.0
This policy explains what personal data WeartyAI collects, why we collect it, how long we keep it and what rights you have. It is written for users in the United Kingdom and the European Economic Area, and is designed to comply with the UK GDPR, the EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
The data controller is WeartyAI, operating under sole-trader registration in the United Kingdom. Contact: weartyai@gmail.com. We do not have a Data Protection Officer (DPO) — none is required for our scale — but the contact email above reaches the person responsible for privacy decisions.
| Category | Examples | Source |
|---|---|---|
| Account identity | Email address, hashed password, display name, avatar URL (if you sign in with Google) | You, or Google OAuth |
| Usage data | Photos you upload to be analysed, the resulting AI outputs, your credit balance, transaction history | You |
| Payment data | Stripe customer ID, last-4 of card, country, billing email; we do not store card numbers | Stripe |
| Technical data | IP address, device type, browser, app version, error logs | Automatic, on each request |
| Communications | Emails you send to support; transactional emails we send you (login link, receipts) | You / us |
Under UK GDPR every processing activity needs a lawful basis. Ours:
| What we do | Why | Legal basis (UK GDPR) |
|---|---|---|
| Create & maintain your account | You asked us to provide the service | Article 6(1)(b) — contract |
| Process your photos through AI models (valuation, product shot, model shoot, animation) | You asked for the result | Article 6(1)(b) — contract |
| Charge you / refund credits | To take payment for credits you bought | Article 6(1)(b) — contract |
| Send transactional emails (magic link, payment receipt, refund) | So you can use the service | Article 6(1)(b) — contract |
| Keep error logs & usage stats | Detect bugs, prevent fraud, plan capacity | Article 6(1)(f) — legitimate interest |
| Comply with tax / VAT / anti-money-laundering rules | UK law requires it | Article 6(1)(c) — legal obligation |
| Send marketing emails (only if you opt in) | Tell you about new features | Article 6(1)(a) — your consent (opt-in) |
| Use optional analytics cookies | See which features are used | Article 6(1)(a) — your consent (cookie banner) |
To run WeartyAI we use a handful of carefully chosen vendors. Each is a data processor acting on our instructions under a written agreement (DPA). We do not sell your personal data and we do not share it with advertisers.
| Vendor | What it does for us | Where data is processed |
|---|---|---|
| Supabase | Stores your account & transaction data, runs auth | EU (Frankfurt) |
| Railway | Hosts our backend API | USA (Oregon) with EU SCCs in place |
| Vercel | Hosts our website | Global edge network with EU SCCs |
| Stripe | Takes card payments, sends receipts | UK + Ireland |
| fal.ai | Runs the image / video AI models that analyse your uploaded photos | USA with EU SCCs in place |
| Anthropic | Runs Claude models that read your photo to write product descriptions | USA with EU SCCs in place |
| Resend | Sends our transactional emails | USA with EU SCCs in place |
| Google | Sign-in with Google (OAuth) only; we receive your email address and name | USA with EU SCCs in place |
A current list of sub-processors is available on request at the email address above. The list may change; we will give notice before adding a sub-processor that handles your personal data.
Some of our sub-processors are based in the United States. When data leaves the UK / EEA, it is protected by the European Commission's Standard Contractual Clauses (SCCs), with the ICO's International Data Transfer Addendum applied to transfers from the UK, and, where the vendor holds it, certification under the EU-US Data Privacy Framework and its UK Extension. Your data is encrypted in transit (TLS 1.3) and at rest.
| Data | Retention |
|---|---|
| Account record (email, password hash, settings) | While your account is open + 30 days after deletion |
| Photos you upload | Cached at our AI providers for the duration of generation, then deleted within 24 hours. Generated outputs are stored on your account until you delete them. |
| Credit transactions | 7 years (UK HMRC requirement) |
| Stripe payment records | Held by Stripe under their own retention rules; we keep transaction IDs for 7 years |
| Server access logs | 30 days |
| Marketing email opt-ins | Until you unsubscribe |
A "cookie" is a small text file your browser stores on your device. We use the minimum needed and ask your permission before setting anything optional, as required by regulation 6 of PECR. Strictly necessary cookies (those without which the service cannot work) are exempt from the consent requirement, but we list them here anyway.

| Name | Purpose | Where it lives / attributes | Lifetime |
|---|---|---|---|
| sb-access-token, sb-refresh-token | Supabase authentication; without these you cannot stay logged in (strictly necessary) | Cookies set with HttpOnly, Secure and SameSite=Lax | 7 days |
| weartyai-cookie-consent | Records your cookie choices so we do not ask again on every page | localStorage entry, not a cookie, so it is never sent to our servers | 12 months |

If you accept analytics in our cookie banner, we may in future set anonymous measurement cookies (e.g. Vercel Analytics). At the time of writing we load no analytics scripts. If we add any, we will only do so after you opt in via the cookie banner.
We do not currently use marketing cookies (no Google Ads, no Meta Pixel, no TikTok Pixel). If we ever add these, they will require your consent first.
You can change your cookie choices any time using the "Cookie preferences" link in our website footer. Your choice is reset if you clear your browser storage.
Under UK GDPR / EU GDPR you have the following rights. To exercise any of them, email weartyai@gmail.com from the address you registered with — we will respond within 30 days, free of charge.
WeartyAI is for users aged 18 and over. We do not knowingly collect data from children under 18. If you believe a child has created an account, email us and we will delete it.
We use TLS 1.3 for all traffic, hash passwords with bcrypt (via Supabase auth), store session JWTs in HttpOnly cookies so page scripts cannot read them, and run our backend on Railway with private networking. Photos are processed in memory on our servers and are not written to our long-term storage; the retention table above covers how long our AI providers cache them. Despite our efforts no system is 100% secure. If we discover a personal data breach that risks your rights, we will notify the ICO within 72 hours of becoming aware of it (Article 33 UK GDPR) and, where the breach is likely to result in a high risk to you, tell you without undue delay (Article 34 UK GDPR).
We may update this policy when our practices or the law changes. Material changes are emailed to registered users at least 14 days in advance. The current version number and date are at the top of the page. Old versions are kept on request.
Questions, requests, complaints: weartyai@gmail.com.
If you are not satisfied with our response, you have the right to complain to a data protection regulator: