Privacy Policy

Effective Date: April 2026

This Privacy Policy explains how Zaya Labs, Inc., doing business as Zaya Fit (“Zaya Fit,” “Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you use our mobile application, website, and related services (collectively, the “Services”).

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

1. Information We Collect

Information You Provide

  • Account Information: Email address, password, name, and profile preferences when you create an account.
  • User Content: Photos and videos you voluntarily upload for virtual try-on and styling features.
  • Communications: Messages you send to our support team or feedback you provide.
  • Style Preferences: Your fashion preferences, saved items, and wardrobe information.

Information We Derive

  • AI-Derived Style Attributes: Categorical labels describing your visual characteristics (such as face shape, skin undertone, body shape category, color season, and hair texture) derived from your uploaded photos using AI. These are descriptive categories, not biometric measurements. See Section 2 for details.
  • Style Profile: Inferred preferences based on your interactions with the Services.

Information Collected Automatically

  • Device Information: Device type, operating system, unique device identifiers, and mobile network information.
  • Usage Data: Pages visited, features used, time spent, clicks, and interaction patterns.
  • Log Data: IP address, browser type, access times, and referring URLs.
  • Location Data: General location inferred from IP address (we do not collect precise GPS location).

2. AI-Derived Style Attributes

When you upload photos, our AI analyzes the image and returns categorical labels to power styling and try-on features. This section explains what we extract, how we use it, and how long we keep it.

What We Extract

Our AI derives general descriptive categories from your photos, such as:

  • Face shape (e.g., “oval,” “heart,” “square”)
  • Skin tone and undertone (e.g., “medium,” “warm”)
  • Body shape category (e.g., “pear,” “hourglass,” “athletic”)
  • Body size category (e.g., “slim,” “mid-size,” “plus-size”)
  • Height impression (e.g., “petite,” “average,” “tall”)
  • Hair color and texture (e.g., “brown,” “wavy”)
  • Color season (e.g., “warm autumn,” “cool summer”)
  • Estimated clothing size

What we do NOT collect: We do not extract or store facial geometry, body measurements, pose data, biometric templates, or mathematical embeddings from your photos. The attributes above are general descriptive categories, not biometric identifiers.

Purpose

  • Personalized style and color recommendations
  • Virtual try-on visualization
  • Outfit compatibility scoring
  • Improving recommendation accuracy

Retention

  • Active accounts: Style attributes are retained while your account is active.
  • Account deletion: Permanently deleted within 30 days of your deletion request.

Protection

  • We do NOT sell, lease, or trade your style attributes or photos.
  • Your data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Photos and style attributes may be processed by third-party AI service providers solely to provide the Services (see Section 5 for a full list).

You may request deletion of your style attributes at any time by deleting your account or contacting privacy@zayafit.com.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Services
  • Generate AI-based virtual try-on visualizations
  • Provide personalized outfit and style recommendations
  • Extract and store preference facts from your AI stylist conversations (e.g., “prefers bold colors”) to provide continuity across chat sessions. You can view and delete these memories in your app settings.
  • Process transactions and send related information
  • Send technical notices, updates, security alerts, and support messages
  • Respond to your comments, questions, and customer service requests
  • Monitor and analyze trends, usage, and activities
  • Detect, investigate, and prevent fraudulent transactions and abuse
  • Comply with legal obligations
  • With your consent, use data to improve our AI models

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers: With vendors who perform services on our behalf under contractual confidentiality obligations. See the list below for details.
  • Affiliate Partners: Non-identifiable, aggregated data for affiliate tracking purposes. We never share your photos or style attributes with retail partners.
  • Legal Requirements: When required by law, subpoena, or legal process, or to protect rights, safety, or property.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you.
  • With Your Consent: For any other purpose with your explicit consent.

Service Providers & Third-Party Processors

The following third-party services process user data on our behalf to provide the Services:

  • Google Vertex AI & Google Gemini: User photos and garment images for virtual try-on generation, style attribute extraction, cartoon avatar generation, and image processing.
  • Replicate: User photos and garment images for virtual try-on processing, animation generation, and background removal.
  • Anthropic (Claude): Chat conversations and user style preferences for our AI stylist feature.
  • Microsoft Azure Face API: Selfie photos for liveness detection during identity verification. Face data is temporary and session-based; no biometric data is permanently stored.
  • Amazon Web Services (AWS): Cloud infrastructure including image storage (S3), database (RDS), authentication (Cognito), email delivery (SES), and asynchronous processing (SQS).
  • Expo Push Service: Device tokens and notification content for push notification delivery.
  • Google reCAPTCHA v3: IP address and browser interaction data for bot detection on our website forms. Subject to Google’s Privacy Policy.

All service providers are contractually required to use your data only to provide services to us and are prohibited from using or disclosing it for any other purpose.

6. Data Retention

We retain your information for as long as necessary to provide the Services and fulfill the purposes described in this Policy:

  • Account data: Until you delete your account
  • Uploaded images: Until you delete them or your account
  • AI-derived style attributes: Retained while your account is active; deleted within 30 days of account deletion
  • Usage data: Retained while your account is active
  • Legal compliance records: As required by applicable law

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data
  • Portability: Request a machine-readable copy of your data
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw previously given consent at any time

To exercise these rights, contact privacy@zayafit.com. We will respond within 30 days (or as required by applicable law). We may verify your identity before processing requests.

EEA/UK residents: You have the right to lodge a complaint with your local data protection authority.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (email, device ID, IP address)
  • AI-derived style attributes (categorical labels such as body shape, skin undertone, color season)
  • Internet or network activity (usage data, browsing history within our app)
  • Inferences (style preferences, recommendations)
  • Inferences drawn from photos (categorical style attributes — used for styling features)

Your California Rights

  • Right to Know: Request disclosure of personal information collected, used, and disclosed
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do NOT sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: Request that we limit use of sensitive personal information to what is necessary
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

How to Exercise Your Rights

To submit a request, contact us at privacy@zayafit.com or use the in-app privacy settings. You may designate an authorized agent to submit requests on your behalf with written permission.

Financial Incentives

We do not offer financial incentives for the collection of personal information.

Shine the Light

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing purposes.

9. International Data Transfers

Zaya Fit is based in the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States where our servers are located.

EEA/UK Users: We transfer data to the United States using Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures to ensure your data remains protected.

By using our Services, you consent to the transfer of your information to the United States and other countries that may have different data protection laws than your country of residence.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Access controls and authentication requirements
  • Regular security assessments and monitoring
  • Employee training on data protection
  • Incident response procedures

However, no method of transmission or storage is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.

Data Breach Notification: In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law (within 72 hours for GDPR-covered breaches).

11. Children’s Privacy

Our Services are not intended for children under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages.

If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete that information as quickly as possible. If you believe we have collected information from a child, please contact us at privacy@zayafit.com.

12. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect information about your interactions with our Services:

  • Essential Cookies: Required for basic functionality (authentication, security)
  • Analytics Cookies: Help us understand how users interact with our Services
  • Preference Cookies: Remember your settings and preferences
  • Google reCAPTCHA v3: Used on website forms for bot detection. May collect device information, IP address, and cookies. Subject to Google’s Privacy Policy.

You can control cookies through your browser settings. Note that disabling certain cookies may affect functionality.

Do Not Track: Our Services currently do not respond to “Do Not Track” signals.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website and in the app
  • Updating the “Effective Date” at the top
  • Sending you an email notification for significant changes
  • Requesting renewed consent where required by law

Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Zaya Labs, Inc. (d/b/a Zaya Fit)

514 Americas Way #15677
Box Elder, SD 57719

Email: privacy@zayafit.com

Phone: (929) 690-1110

EEA/UK Representative: If you are located in the EEA or UK and have questions, you may also contact our representative at privacy@zayafit.com.

We will respond to all inquiries within 30 days.