Privacy Policy — Lora · Outfit Stylist
This Privacy Policy describes how the Lora — Outfit Stylist mobile application ("Lora", "the App", "we", "our", "us"), operated by IT Edits, collects, uses, discloses and protects your information. By installing and using the App, you agree to the practices described below. If you do not agree, please do not install or use the App.
This policy is written to comply with the Apple App Store Review Guidelines, Google Play Developer Program Policies, the EU/UK General Data Protection Regulation (GDPR / UK GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), and the Children's Online Privacy Protection Act (COPPA). Additional jurisdiction-specific rights are described in Section 10.
1. Data controller
The data controller (the entity responsible for your personal data) is:
IT Edits — registered sole proprietorship, Republic of Serbia
Email: contact@loraoutfitstylist.com
Our registered business address (held in the Serbian Business Registers Agency) is available to data subjects, supervisory authorities, and authorised third parties on written request submitted to the email above. We process such requests within 14 days.
1.1 EU/EEA representative (Article 27 GDPR)
For data subjects in the European Union and European Economic Area, our designated representative under Article 27 of the GDPR is to be appointed. Until appointment, EU/EEA data subjects may exercise their rights and submit complaints by emailing contact@loraoutfitstylist.com with the subject line "GDPR — EU Data Subject Request". We will respond within 30 days.
1.2 Data Protection Officer
We have not appointed a Data Protection Officer because our processing does not meet the thresholds set in Article 37 of the GDPR (we are not a public authority, our core activities do not consist of large-scale regular monitoring, and we do not process special categories of data on a large scale). For all data protection matters, contact contact@loraoutfitstylist.com.
2. Summary at a glance
- Your photos and personal wardrobe data stay on your device. We do not upload them to our servers for storage.
- Photos are sent to third-party AI providers strictly to fulfil your active request (clothing classification, virtual try-on). Providers do not retain or train on your photos under their published terms.
- Anonymous app usage analytics is opt-in only. The App fully functions without it.
- We do not sell or "share" personal data within the meaning of CCPA/CPRA.
- You can delete on-device data by uninstalling, and analytics data via Settings → Privacy in the App.
- The App is intended for users aged 13 and over (16+ in the EU/EEA where applicable). It is not directed to children below those ages.
3. Information we collect
3.1 Information stored on your device only
The App stores the following data locally on your device. We have no access to it from our servers and we cannot read it remotely.
- Photos you provide: photos of clothing items and full-body photos that you choose to import from your camera or photo library.
- Wardrobe metadata: categories, colours, patterns, and tags derived from your photos through AI classification, plus any outfit names, calendar entries, AI chat conversations, and notes you create.
- App preferences: theme, settings, premium subscription status, consent choices, stored using your device's secure storage (Apple Keychain on iOS, Android EncryptedSharedPreferences).
3.2 AI processing infrastructure
To classify clothing, generate styling suggestions, generate virtual try-on images, and produce chat responses, the App sends your photos and prompts to AI infrastructure providers via our backend proxy. Transmissions occur only when you actively trigger an action (e.g. tap "Add Clothing", "Try On", or send a chat message). Use of the App constitutes consent to this processing as it is necessary for the performance of our service to you (Article 6(1)(b) GDPR).
The AI processing involves two categories of providers:
- Self-hosted AI compute — open-weights AI models that we operate on dedicated GPU infrastructure (rented from a third-party cloud GPU provider). The hosting provider supplies the underlying compute and does not have access to your data beyond what is required to run the requested model.
- Third-party AI APIs — specialised AI APIs used for tasks where self-hosting is not practical. These providers process the data under their own privacy terms and, per their published policies, do not use submitted user data to train AI models.
Photos and prompts are sent solely to perform the requested operation. Our backend does not store your photos. The list of specific providers, their countries of operation, and links to their privacy policies are available on written request to contact@loraoutfitstylist.com; we will respond within 14 days, in accordance with your data subject rights under Article 15 GDPR and equivalent laws.
3.3 Automated decision-making and profiling (Article 22 GDPR)
The App uses automated AI processing in the following ways:
- Classification: categorising your uploaded clothing photos (e.g. "tops", "shoes") using a vision AI model.
- Image generation: generating virtual try-on images using a generative AI model.
- Content moderation: automatically detecting and rejecting images depicting swimwear, lingerie, or underwear, which are auto-removed from your wardrobe.
- Personalised suggestions: producing chat responses and outfit recommendations based on your wardrobe contents.
None of these automated decisions produce legal or similarly significant effects on you. They are part of the App's core functionality. You can decline to use a feature at any time by not triggering it. If you wish to discuss any AI-driven outcome, contact us at the address above.
3.4 Subscription and purchase data
If you purchase the Ads Free subscription, the purchase is processed entirely by the App Store (Apple) or Google Play. The subscription status is managed by RevenueCat, a subscription infrastructure provider. We receive only:
- An anonymous subscriber identifier (a random ID, not your name or email).
- Whether your subscription is currently active and its expiry date.
We never see your payment card, billing address, Apple ID, or Google account email. RevenueCat's privacy policy: https://www.revenuecat.com/privacy/.
3.5 Advertising
The free version of the App displays advertisements through Google AdMob. AdMob may collect:
- Your device's advertising identifier (IDFA on iOS, GAID on Android), which you can reset or limit at any time in your device settings.
- Limited diagnostic information for ad serving and fraud prevention (e.g. crash reports, ad latency).
- Coarse location (country level) inferred from IP address, used to serve relevant ads and comply with regional rules.
For details: Google's Ads Privacy & Terms and Google Privacy Policy. EU/EEA/UK users will be presented with a consent message (Google's User Messaging Platform) before personalized advertising identifiers are processed; you may decline or withdraw consent at any time. The Ads Free subscription removes all ads.
3.6 Anonymous usage analytics (opt-in only)
If — and only if — you explicitly opt in (during onboarding or in Settings → Privacy), the App collects anonymized event data to help us understand which features are used and how to improve the App. The legal basis is your consent (Article 6(1)(a) GDPR / consent under CCPA).
What we collect when opt-in is granted:
- Random anonymous ID — random UUID per install (de-duplicates events; cannot be linked back to you).
- Event name — e.g. clothing_added, try_on_generated (to understand feature usage).
- Event metadata — e.g. category="tops", color="black" (for aggregate trends).
- Country code — e.g. "US", "DE", "RS" (regional usage patterns).
- Platform — "ios" or "android" (for bug triage).
- App version — e.g. "1.0.0" (for bug triage).
What we never collect through analytics: your photos, your chat content, your wardrobe item descriptions, your name, your email, your phone number, your contacts, your precise location, your IP address (we receive only country-level inference from infrastructure), or any device identifier that could be linked back to you.
You can withdraw consent at any time in Settings → Privacy → Anonymous usage analytics. Withdrawal immediately stops collection and triggers deletion of all analytics events tied to your random ID on our server. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
3.7 Crash and diagnostic data
Apple and Google operating systems may collect crash reports if you have opted in at the OS level (separate from this App). We do not run a separate crash analytics SDK and do not receive crash data linked to identifiable users.
4. Information we do NOT collect
The App does not collect, access, or have visibility into any of the following:
- Your real name, email address, phone number, or any account credentials
- Your contacts, calendar events outside the App, SMS, or messages
- Precise GPS or fine location
- Microphone audio
- Browsing history outside the App
- Biometric identifiers (face geometry, fingerprints, voiceprints)
- Health data, financial data, or government-issued IDs
- Race, ethnicity, religion, political opinions, sexual orientation, trade union membership, or other special-category data under Article 9 GDPR
5. Purposes and legal bases
- Photos & wardrobe metadata (on device) — Provide app functionality — Performance of contract (Article 6(1)(b) GDPR).
- Photos & prompts (sent to AI providers on demand) — Generate try-on images, classify clothing, generate styling advice — Performance of contract (Article 6(1)(b)).
- Subscription status — Unlock Ads Free benefits — Performance of contract (Article 6(1)(b)).
- Advertising identifiers (free version) — Serve ads, fraud prevention — Legitimate interest (Article 6(1)(f)); Consent in EU/EEA/UK (Article 6(1)(a)).
- Anonymous analytics events — Improve the App — Consent (Article 6(1)(a)).
- Operational logs (proxy errors, request counts, no PII) — Security, abuse prevention — Legitimate interest (Article 6(1)(f)).
5.1 Legitimate interest balancing
Where we rely on legitimate interest as a legal basis (advertising in the free version outside the EU/EEA/UK, and security logging), we have considered the impact on data subjects and concluded that:
- The processing is limited (advertising IDs are device-resettable, security logs do not contain personal identifiers);
- Users have transparent information about it (this policy);
- Users have meaningful alternatives (purchase Ads Free to remove ads);
- The processing is necessary for the App to operate as a free, sustainable service.
You can object to processing based on legitimate interest at any time by emailing contact@loraoutfitstylist.com.
6. Data retention
- On-device data: retained until you delete it within the App or uninstall the App.
- Subscription status: retained by RevenueCat for the lifetime of your subscription plus any retention period required by Apple/Google for tax, refund, and audit processing.
- Anonymous analytics events: retained for up to 24 months on our server, then automatically purged. You can request immediate deletion at any time through Settings → Privacy.
- Server-side operational logs (proxy request counts, error logs without personal identifiers): up to 30 days.
- Customer support emails sent to contact@loraoutfitstylist.com: retained for up to 24 months for follow-up and quality purposes; you can request earlier deletion.
7. Data sharing and recipients
We share data only with the following categories of recipients, and only as strictly necessary:
- AI processing infrastructure providers — to fulfil your active requests, as described in Section 3.2. They act as data processors. A list of specific providers is available on request.
- Subscription infrastructure (Apple, Google, RevenueCat) — to manage Ads Free subscriptions.
- Advertising network (Google AdMob) — to serve ads in the free version. Disabled with the Ads Free subscription.
- Cloud infrastructure (Cloudflare, Railway) — to host our backend proxy and Privacy Policy. They do not access content beyond what is required to route the request.
- Legal authorities — only if compelled by valid legal process (court order, subpoena) and only to the extent required.
We do not sell, rent, or trade your personal data. We do not engage in cross-context behavioural advertising within the meaning of CCPA/CPRA. We do not share data for any third party's independent marketing.
8. International data transfers
Several of our service providers are located outside the European Economic Area (EEA), the United Kingdom, or your country of residence. Where we transfer personal data internationally, we rely on the following safeguards under Articles 44–49 of the GDPR (and equivalents under UK GDPR and other privacy laws):
- Apple, Google, AdMob (United States): EU-U.S. Data Privacy Framework certifications and/or Standard Contractual Clauses.
- AI infrastructure providers, subscription infrastructure (RevenueCat), and cloud hosting providers: Standard Contractual Clauses, supplementary technical measures (encryption in transit and at rest), and the providers' published privacy commitments. Specific provider details are available on request.
You may request a copy of the relevant transfer mechanism by emailing contact@loraoutfitstylist.com.
9. Security and breach notification
- All network requests use HTTPS with TLS 1.2 or higher.
- API credentials for AI providers are stored only on our backend, never embedded in the App.
- On-device subscription status and consent state are stored using the platform's secure storage (Apple Keychain / Android EncryptedSharedPreferences).
- We apply rate limiting, input validation, and request signing on the backend.
- Server access is restricted to authorized administrators using strong authentication.
Personal data breach notification: If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, in accordance with Article 33 of the GDPR. If the breach is likely to result in a high risk, we will notify affected data subjects without undue delay through in-app notice and/or a notice posted at this Privacy Policy URL.
No system is perfectly secure. We recommend you protect your device with a passcode and biometric lock and keep your operating system up to date.
10. Your rights
10.1 All users
- Delete on-device data: remove individual items inside the App, or uninstall to remove everything.
- Withdraw analytics consent: Settings → Privacy → toggle off. We delete server-side events tied to your device on opt-out.
- Reset advertising identifier: use your device's "Reset Advertising ID" or "Limit Ad Tracking" setting at any time.
- Cancel subscription: manage your subscription through Apple ID or Google Play settings.
10.2 EU / EEA / UK / Switzerland (GDPR / UK GDPR)
You have the right to:
- Access the personal data we hold about you (Article 15)
- Rectify inaccurate personal data (Article 16)
- Erasure / "right to be forgotten" (Article 17)
- Restrict processing (Article 18)
- Data portability — receive your data in a structured, machine-readable format (Article 20)
- Object to processing based on legitimate interest (Article 21)
- Withdraw consent at any time, where processing is based on consent (Article 7(3))
- Not be subject to a decision based solely on automated processing that produces legal effects (Article 22) — see Section 3.3
- Lodge a complaint with your local supervisory authority (a list is available at edpb.europa.eu)
To exercise these rights, contact contact@loraoutfitstylist.com with the subject "GDPR Request". We will respond within one month and may extend by up to two months for complex requests, in which case we will inform you. We may need to verify your identity by responding from the same device or email.
10.3 California (CCPA / CPRA)
California residents have the right to:
- Know what personal information is collected, the sources, the purposes, and the categories of recipients
- Access specific pieces of personal information
- Delete personal information
- Correct inaccurate personal information
- Opt out of "sale" or "sharing" — we do not sell or share for cross-context behavioural advertising
- Limit use of sensitive personal information — we do not collect sensitive PI as defined under CPRA
- Non-discrimination for exercising rights
In the past 12 months we have collected and disclosed the categories of personal information described in Section 3 for the purposes set out in Section 5. We have not sold or shared personal information for cross-context behavioural advertising. To exercise rights, contact contact@loraoutfitstylist.com with the subject "CCPA Request". You may designate an authorized agent to make a request on your behalf with written authorization.
10.4 Other jurisdictions
Residents of jurisdictions with comparable privacy laws — including Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, Japan's APPI, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, Utah's UCPA, Texas's TDPSA, and others — may exercise equivalent rights by contacting us at the address above. We will treat such requests under the standards of the applicable law.
11. Children's privacy (COPPA & GDPR-K)
Lora is rated 12+ on the App Store and Teen / 13+ on Google Play. The App is not directed to children under the age of 13 in the United States, nor to children under the age of 16 in the European Economic Area (or the lower national age, where applicable, but never below 13).
We do not knowingly collect personal information from children below those ages. If you are a parent or guardian and believe your child has provided personal information to us, please contact contact@loraoutfitstylist.com with the subject "COPPA — Child Data Removal" and we will:
- Verify the request to the extent reasonable;
- Delete any data we hold associated with the child;
- Notify the relevant AI processing providers to delete any cached request data, if applicable;
- Confirm completion in writing within 30 days.
12. Third-party content moderation
Our AI providers apply content moderation to images. Photos that the App or an AI provider classifies as containing swimwear, lingerie, underwear, or similar revealing intimate apparel are rejected: the App auto-removes them from your wardrobe and shows you a notice. This policy is required by the App's terms and the AI providers' terms of service. The classification is automated; if you believe a misclassification has occurred, contact us.
13. Cookies and similar technologies
The mobile App does not use HTTP cookies. The App uses local storage on your device (AsyncStorage and the platform's secure storage) to persist your wardrobe, preferences, and consent choices. Embedded ad SDKs (AdMob) may use device identifiers as described in Section 3.5.
This Privacy Policy webpage uses no cookies, no analytics scripts, and no third-party tracking.
14. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by an updated "Last updated" date and version number at the top, and where required by law, we will obtain renewed consent before applying changes that affect rights. We will not retroactively use previously-collected data for new purposes without consent. Continued use of the App after changes take effect constitutes acceptance of the revised policy. Past versions are available on request.
15. Contact and complaints
For all privacy-related matters — questions, requests, complaints, or to exercise your rights:
IT Edits (Data Controller)
Republic of Serbia
Email: contact@loraoutfitstylist.com
A registered postal address is available on written request to the email above.
If you do not receive a response within 30 days, or are not satisfied with the response, you may contact your local data protection authority (EU/EEA/UK/Switzerland), the California Attorney General's office (California residents), or the equivalent supervisory body in your jurisdiction. A list of EU/EEA authorities is available at edpb.europa.eu.