Privacy Policy

1. Who we are

VestiaAI ("VestiaAI," "we," "us," or "our") is a personal wardrobe assistant application operated by Josie de la Grana, a sole proprietor based in California. Our app helps you organize your wardrobe, recommends daily outfits, and assists with wardrobe planning.

This Privacy Policy applies to information collected through our iOS application, our website at vestiaai.com, and any related services (collectively, the "Service").

2. Information we collect

Information you provide directly

Account information: Your email address and display name when you create an account.
Wardrobe photos: Images of your clothing, shoes, bags, jewelry, and accessories that you upload to build your digital wardrobe.
Style preferences: Formality preferences, color preferences, and any style notes you provide during onboarding or in settings.
Outfit feedback: Ratings and notes you submit on recommended outfits.
Location (optional): Your city and approximate coordinates, used solely to fetch local weather for outfit recommendations. You may use VestiaAI without providing location.

Information collected automatically

Usage data: How you interact with the app — screens visited, features used, outfit recommendations accepted or dismissed.
Device information: Device type, iOS version, and app version for troubleshooting purposes.
Wear history: Records of which outfits you mark as worn, used to improve recommendations and avoid repetition.

Information we deliberately do NOT collect

Calendar data stays on your device. VestiaAI reads your calendar using Apple's on-device EventKit framework. Raw calendar event details, attendees, locations, and titles are never transmitted to our servers. We send only derived context — for example, "formal event at 2pm" — to generate outfit recommendations.

Image location data is stripped. Before any wardrobe photo is stored, we permanently remove all EXIF metadata — including GPS coordinates, device serial numbers, and timestamps embedded in the image file. We never store or process the location where a photo was taken.

3. How we use your information

We use the information we collect exclusively to provide and improve the VestiaAI Service:

To power outfit recommendations: Your wardrobe inventory, wear history, style preferences, weather data, and derived calendar context are combined to generate personalized daily outfit suggestions.
To analyze wardrobe items: Wardrobe photos are processed by AI vision systems to extract garment attributes including type, color, pattern, formality, and seasonality.
To operate your account: Email is used for authentication, account recovery, and essential service communications.
To improve the Service: Aggregate, anonymized usage patterns help us improve recommendation quality and app performance. We never use individual user data for model training without explicit consent.
To send service updates: We may email you about important changes to the app or this policy. You may opt out of non-essential communications at any time.
To fulfill affiliate recommendations: When you tap a shopping recommendation, we facilitate a referral to our retail partners. No personal data beyond the product category is shared with partners.

We do not use your information for advertising, do not build advertising profiles, and do not allow third-party advertisers to target you through VestiaAI.

4. How we share your information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

Service providers: We use Microsoft Azure to store data and run our backend infrastructure. Azure processes data on our behalf under strict data processing agreements. We use Azure OpenAI Service to analyze wardrobe photos and generate outfit recommendations — images and wardrobe data are transmitted to this service for processing.
Affiliate partners: When you click a shopping recommendation, we pass a product identifier and affiliate tracking code to our retail partners (such as Amazon or Nordstrom). We do not share your name, email, wardrobe data, or any personal profile with these partners.
Legal requirements: We may disclose information if required by law, court order, or to protect the rights, property, or safety of VestiaAI, our users, or the public.
Business transfers: If VestiaAI is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

5. Data storage and security

Your data is stored on Microsoft Azure infrastructure located in the United States. We implement the following security measures:

Wardrobe images are stored in private Azure Blob Storage containers with no public access. Images are accessible only via short-lived, time-expiring private links generated at the time of access.
All data is encrypted in transit using TLS and at rest using Azure's default encryption.
Authentication is handled by Clerk — we never store passwords or manage authentication credentials directly.
API credentials and secrets are stored in Azure Key Vault and never hardcoded in our applications.
Access to production systems is limited to authorized personnel only.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at privacy@vestiaai.com.

6. Data retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

Wardrobe items: Retained until you delete them or close your account. Deleted items are soft-deleted (hidden from the app) and permanently purged from storage within 30 days.
Outfit history: Retained for the life of your account to support historical analysis and declutter insights.
Account data: Retained until account deletion. Upon deletion, personal identifiers are anonymized within 30 days.
Wardrobe photos: Permanently deleted from Azure Blob Storage within 30 days of account deletion or item removal.
Usage logs: Retained for up to 90 days for security and debugging purposes.

7. Your rights

You have the following rights regarding your personal data:

Access: Request a copy of all personal data we hold about you.
Correction: Update or correct inaccurate information through the app's settings or by contacting us.
Deletion: Request deletion of your account and all associated personal data. You may also delete individual wardrobe items at any time within the app.
Portability: Request an export of your wardrobe data in a machine-readable format.
Opt-out of communications: Unsubscribe from non-essential emails at any time using the unsubscribe link in any email or by contacting us.

To exercise any of these rights, contact us at privacy@vestiaai.com. We will respond within 30 days.

8. California privacy rights (CCPA / CPRA)

For California residents

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information:

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions required by law.
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: VestiaAI does not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm this in writing.
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To submit a CCPA request, email privacy@vestiaai.com with "CCPA Request" in the subject line. We will verify your identity and respond within 45 days as required by law.

Categories of personal information collected (CCPA)

Identifiers: Email address, account ID (collected)
Personal records: Wardrobe images, style preferences (collected)
Commercial information: Outfit history, purchase referrals (collected)
Internet activity: App usage data (collected)
Geolocation: Approximate city-level location for weather (collected if provided)
Sensitive personal information: Not collected beyond what is necessary for the Service

9. Children's privacy

VestiaAI is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it immediately. If you believe a child under 13 has used our Service, please contact us at privacy@vestiaai.com.

10. Third-party services

VestiaAI integrates with the following third-party services. Each has its own privacy policy:

Microsoft Azure / Azure OpenAI: Cloud infrastructure, data storage, and AI processing. Microsoft Privacy Statement
Clerk: Authentication and session management. Clerk handles sign-in, sign-up, and account security on our behalf. Clerk Privacy Policy
Open-Meteo: Weather data based on approximate location. Open-Meteo is an open-source weather API that does not store personal data. Open-Meteo Terms
Apple EventKit: On-device calendar access. Data processed entirely on your device per Apple's framework. Apple Privacy Policy
Affiliate partners (Amazon, Nordstrom, others): Shopping referrals when you tap product recommendations. These partners have their own privacy policies governing purchases made on their platforms.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Your continued use of VestiaAI after any changes constitutes your acceptance of the updated policy.

We encourage you to review this policy periodically. For significant changes affecting how we handle your data, we will provide at least 30 days' notice before the changes take effect.