Privacy Policy
Your wardrobe, your data.
We built iDrobe to be useful, not invasive. Here's exactly what we collect, why, and what we'll never do with it.
Last updated: April 2026
01
Who we are
Data controller
iDrobe ("we", "us", "our") is the data controller responsible for your personal data. iDrobe is operated from Bosnia and Herzegovina. For data protection inquiries, contact our Data Protection Officer at privacy@idrobe.io.
About this policy
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights. It applies to all users of iDrobe regardless of location, including users in the European Economic Area (EEA), United Kingdom, California (USA), Canada, Brazil, and other jurisdictions with data protection laws.
02
What we collect
Account information
Email address and display name when you sign up (via Google OAuth or email/password). If you use Google OAuth, we also receive your Google profile picture and unique Google account identifier.
Wardrobe photos
Images you upload of your clothing items. These are stored securely in Google Cloud Storage and are accessible only to you.
AI analysis data
Category, color, style, material, and description generated by AI when you upload an item. This metadata stays attached to your account and is not shared.
Body photo
If you use virtual try-on, your body photo is stored privately and used only for generating try-on results. This photo is never shared with other users.
Payment information
Subscription purchases are processed by Stripe. We store your Stripe customer ID and plan details but never have access to your payment card numbers or bank details.
Consent records
We record when you accepted our Terms of Service and Privacy Policy, and which version you agreed to, as required by GDPR and other regulations.
Usage analytics
Anonymous, aggregated page views and performance metrics via Vercel Analytics and Vercel Speed Insights. These tools do not use cookies, do not collect personal data, and cannot identify individual users.
Data we do NOT collect
We do not collect your precise location (we may ask for approximate location for weather-based outfit suggestions — this is never stored), browsing history outside iDrobe, device fingerprints, or any biometric data.
03
How we use your data
Wardrobe features
Your data powers your personal wardrobe — inventory management, outfit suggestions, analytics dashboards, and virtual try-on. This is the core purpose of the service.
AI processing
Images are sent to Google Gemini AI for clothing analysis, to Replicate for virtual try-on, and to Remove.bg for background removal. These services act as data processors under our instructions and process your data only to return results — they do not store your data beyond the time needed for processing and do not use it for model training.
Account management
We use your email to manage your account, send essential service communications (password resets, subscription confirmations), and contact you about material changes to the service or these policies.
Service improvement
We use aggregated, anonymized usage data to understand how iDrobe is used and to improve features. Individual user data is never used for this purpose.
04
Legal basis for processing (GDPR)
Contract performance (Art. 6(1)(b))
Processing your account data, wardrobe photos, and AI analysis is necessary to provide the iDrobe service you signed up for.
Consent (Art. 6(1)(a))
We process your data based on the consent you give when creating an account and accepting these terms. For optional features like virtual try-on body photos, you provide additional consent by choosing to use the feature. You can withdraw consent at any time by deleting your account.
Legitimate interest (Art. 6(1)(f))
We have a legitimate interest in maintaining the security of the service, preventing fraud, and collecting anonymous analytics to improve iDrobe. These interests do not override your fundamental rights and freedoms.
Legal obligation (Art. 6(1)(c))
We may process your data to comply with legal requirements, such as tax obligations related to paid subscriptions, or in response to lawful requests from authorities.
05
What we never do
Sell your data
We do not sell, rent, or trade your personal data, wardrobe photos, or any other information to third parties. This applies under all circumstances, including CCPA's definition of "sale" which includes sharing for cross-context behavioral advertising.
Train AI models
Your images and data are never used to train AI models — neither ours nor any third party's. AI services process your data in real-time and discard it after returning results.
Share without consent
Your wardrobe is private by default. No other user can see your items, photos, or try-on results unless you explicitly choose to share them.
Track across sites
We do not use third-party tracking cookies, ad networks, pixel trackers, or browser fingerprinting. We do not engage in cross-site tracking of any kind.
Make automated decisions
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you, as defined under GDPR Article 22.
06
Third-party services
Overview
We use trusted third-party services to operate iDrobe. Each service processes only the minimum data necessary and operates under data processing agreements where required by law.
Google Gemini AI
Processes clothing images for category, color, and style analysis. Google's AI services do not use API data for model training. Data is processed in the United States.
Replicate (IDM-VTON)
Processes body photos and garment images for virtual try-on. Images are deleted after processing completes. Data is processed in the United States.
Remove.bg (Kaleido)
Removes backgrounds from clothing photos. Images are processed and not retained. Data is processed in the European Union.
Google Cloud Storage
Stores your wardrobe images, body photos, and try-on results in encrypted cloud storage. Data residency: United States (us-central1).
MongoDB Atlas
Stores user profiles, wardrobe metadata, and account information in encrypted databases. Data residency: United States.
Vercel
Hosts the iDrobe application. Provides anonymous analytics (Vercel Analytics) and performance monitoring (Speed Insights). Headquartered in the United States.
Stripe
Processes subscription payments. Stripe has its own privacy policy governing payment data. We never receive or store your payment card details.
Google OAuth
If you sign in with Google, Google shares your name, email, and profile picture with us. No other Google data is accessed.
07
International data transfers
Transfer mechanisms
Your data may be transferred to and processed in the United States and other countries outside your jurisdiction. For transfers from the EEA/UK, we rely on: (a) the European Commission's adequacy decisions where available; (b) Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914); (c) the UK International Data Transfer Agreement or UK Addendum to the EU SCCs where applicable.
Safeguards
All third-party services we use maintain appropriate technical and organizational security measures. We assess the data protection laws of recipient countries and implement supplementary measures where needed, in line with the Schrems II ruling (CJEU C-311/18).
Your rights
You may request information about the specific safeguards applied to your data transfers by contacting privacy@idrobe.io.
08
Data retention
Active accounts
We retain your personal data for as long as your account is active and you continue to use iDrobe.
Deleted items
When you delete a wardrobe item, it is permanently removed from our database and cloud storage within 30 days. CDN caches may take up to 24 hours to clear.
Deleted accounts
When you delete your account, all personal data, wardrobe items, body photos, try-on results, and associated files are permanently deleted within 30 days. We may retain anonymized, aggregated data that cannot identify you.
Legal retention
We may retain certain data for longer periods if required by law (e.g., tax records related to paid subscriptions may be retained for up to 7 years as required by applicable tax law).
Inactive accounts
Accounts that have been inactive for more than 24 months may be flagged for deletion. We will notify you by email before deleting an inactive account and give you at least 30 days to log in and keep your account.
09
Data storage & security
Infrastructure
Data is stored in MongoDB Atlas (user profiles, wardrobe metadata) and Google Cloud Storage (images). The application is hosted on Vercel's global edge network.
Encryption
All data is transmitted over TLS 1.2+ (HTTPS). Data at rest is encrypted using AES-256 in our cloud infrastructure. Passwords are hashed using bcrypt with per-user salts. Session tokens use cryptographically signed JWTs.
Access controls
Access to production systems is restricted to authorized personnel only, using role-based access control and multi-factor authentication. We follow the principle of least privilege.
Incident response
We maintain an incident response plan. In the event of a data breach that poses a risk to your rights, we will notify affected users within 72 hours (as required by GDPR Article 33) and the relevant supervisory authority. We will also comply with breach notification requirements under CCPA, UK GDPR, and other applicable laws.
10
Cookies & local storage
Session cookie
A secure, HTTP-only session cookie manages your login via NextAuth.js. This is an essential cookie required for the service to function. No consent is needed for essential cookies under the ePrivacy Directive.
Cookie consent
We store your cookie consent acknowledgment in localStorage (key: idrobe-cookie-consent). This is a preference, not a tracking cookie.
Theme preference
Your light/dark mode choice is saved in localStorage (key: idrobe-theme). This contains no personal data.
No tracking cookies
We do not use advertising cookies, third-party tracking cookies, or any cookies for behavioral profiling. The only cookie we set is the essential session cookie for authentication.
11
Your rights
GDPR rights (EEA & UK residents)
Under the General Data Protection Regulation, you have the right to: (a) Access — request a copy of all personal data we hold about you; (b) Rectification — correct inaccurate personal data; (c) Erasure ("right to be forgotten") — request deletion of your data (available via Profile > Delete Account); (d) Restriction — request we limit how we process your data; (e) Data portability — receive your data in a structured, machine-readable format; (f) Object — object to processing based on legitimate interests; (g) Withdraw consent — withdraw previously given consent at any time without affecting the lawfulness of prior processing.
CCPA/CPRA rights (California residents)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to: (a) Know — what personal information we collect and how we use it; (b) Delete — request deletion of your personal information; (c) Opt-out of sale — we do not sell your personal information, but you may still exercise this right; (d) Non-discrimination — we will not discriminate against you for exercising your rights; (e) Correct — correct inaccurate personal information; (f) Limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the service. iDrobe has not sold or shared personal information of any consumer in the preceding 12 months.
Canadian privacy rights
Under PIPEDA and provincial privacy laws, you have the right to access your personal information, challenge its accuracy, and withdraw consent. Contact privacy@idrobe.io for requests.
Brazilian privacy rights (LGPD)
Under Brazil's Lei Geral de Proteção de Dados, you have rights including access, correction, anonymization, portability, deletion, and information about sharing with third parties. Contact privacy@idrobe.io for requests.
Exercising your rights
To exercise any of these rights, email privacy@idrobe.io. We will respond within 30 days (or the timeframe required by your local law). We may need to verify your identity before processing your request. You will not be charged a fee for most requests.
Supervisory authority
If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not adequately addressed your concerns. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
12
Children's privacy
Age restriction
iDrobe is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, contact us at privacy@idrobe.io and we will promptly delete it.
COPPA compliance
In compliance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it immediately.
13
Changes to this policy
Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via email or in-app notification at least 30 days before taking effect.
Version history
The "Last updated" date at the top of this policy indicates when it was last revised. Previous versions are available upon request by emailing privacy@idrobe.io.
Contact
For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact our Data Protection Officer at privacy@idrobe.io. For general inquiries, contact hello@idrobe.io.