outfytd — privacy policy
DRAFT — pending counsel review. Not the final binding version.
This document is an engineering-authored draft. It accurately describes Outfytd's data handling and infrastructure, but it has not been reviewed by qualified legal counsel. Final language must be approved by an attorney before App Store / Play Store submission and before any public release.
Effective date: 2026-05-11 (placeholder — final date set on legal sign-off)
Last updated: 2026-05-11
1. who we are
Outfytd ("Outfytd", "we", "us", "our") operates the Outfytd mobile applications (iOS and Android) and the website at https://outfytd.com (collectively, the "Service"). Outfytd is an avant-garde fashion application that helps users catalog their wardrobe, generate outfit suggestions, and share looks with other users.
This policy explains what information we collect, how we use it, who we share it with, and the rights you have.
If you have any question about this policy or your data, contact us at [email protected]. (Note: this mailbox is being provisioned. If you reach an undeliverable state during the pre-launch period, you may reach the founder directly via the contact listed in the App Store / Play Store listings.)
2. scope
This policy applies to:
- The Outfytd iOS app.
- The Outfytd Android app.
- The Outfytd web app at https://outfytd.com.
- Any related backend service operated by Outfytd.
This policy does not apply to third-party services we link to or that you choose to sign in with (e.g., Apple, Google) — those services have their own privacy policies, which we encourage you to read.
3. information we collect
3.1 information you give us at sign-up
When you create an Outfytd account, we collect:
- email address — used for sign-in, account recovery, and service notices.
- birth year — used only to verify you are 13 or older. We do not display, share, or use this for marketing. See Section 9 (children's privacy).
- display name — the name shown on your profile.
- handle (a `@username`) — a unique identifier you choose for your profile URL.
- identity provider subject — if you sign in with Apple or Google, we receive a stable, opaque federated subject ID (and your email, which may be a relay address you control). We store this ID so that subsequent sign-ins match the same account.
- Cognito subject (`cognito_sub`) — a unique account identifier generated by our authentication system (AWS Cognito).
3.2 optional profile information (defaulted OFF)
The following fields are entirely optional and default to empty / off. They are collected only if you choose to enable the trend-data sharing toggle in your settings:
- home country
- home city
- age range (a coarse bucket, e.g., "25–34")
- gender identity
These fields exist solely to support the future aggregated, anonymized trend reporting described in Section 7. We do not display them on your public profile. We do not sell them. If you never enable the trend-data toggle, we never collect or store these fields.
3.3 content you upload
When you use the Service you may upload:
- photos of clothing items — stored in our private Amazon S3 bucket (`outfytd-<env>-images-original`) in AWS region us-east-2 (Ohio, USA). Display-sized and thumbnail derivatives are stored in two additional private buckets we control. None of these buckets is publicly readable; access is granted only through signed, short-lived URLs issued to your own account.
- tags and corrections — labels you add, edit, or confirm on your closet items (e.g., category, colors, materials, brand). These are stored in our Postgres database tied to the item.
- outfit compositions — combinations of your closet items you save or publish.
- social content — posts, captions, likes, follows, comments.
3.4 information we collect automatically
- device and app metadata — app version, device model, operating system version, language, timezone, and a coarse approximation of your IP address (e.g., country / region; we do not retain full IPs in long-term storage).
- crash and error reports — diagnostic data when the app crashes or hits an unexpected error.
- usage events — every meaningful business action you take (e.g., `closet.item_created`, `outfits.generated`, `closet.tag_corrected`, `social.post_liked`). These events are published to our analytics pipeline. Before any event is written to the analytics store, your user identifier is replaced with a one-way HMAC-SHA-256 hash computed with a server-side secret ("pepper") that we do not export. The analytics store therefore never holds your raw user identifier. See Section 7.
3.5 information we receive from third parties
- Apple, via Sign in with Apple — when you choose this sign-in method, Apple gives us a stable federated subject ID and an email address (which may be a relay address Apple manages for you). We do not receive any other Apple account information.
- Google, via Sign in with Google — similarly, a stable federated subject ID and your email address. No other Google account data.
We do not purchase data from data brokers. We do not scrape, import, or otherwise read your contacts, your photo library beyond what you explicitly upload, your social-media friend lists, or any other off-platform data.
4. how we use information
We use the information we collect to:
- operate the Service — store your closet, generate outfit suggestions, deliver your social feed, send you notifications you've requested.
- process your photos with our own machine-learning models — see Section 5 for the full description.
- maintain security — detect abuse, prevent fraud, respond to support requests, comply with legal obligations.
- improve the product — analyze aggregated behavior to decide what to build next.
- communicate with you — service notices, password resets, security alerts, and (if you opt in) feature announcements.
- comply with law — respond to valid legal process and protect our rights and the rights of our users.
We do not use your information for behavioral advertising. We do not run third-party advertising trackers or marketing pixels.
5. how we process your photos (machine learning)
This section is unusually detailed by design — image processing is the most privacy-sensitive part of the Service, and we want you to understand exactly what happens.
5.1 our own models, in our own cloud
Photos you upload are processed by our own machine-learning Lambdas running in our AWS account in us-east-2. The model we run is fashion-CLIP, an open-source CLIP-style image-text model published by Marqo. The model runs entirely within our AWS environment.
We do not send your photos to third-party large language models. We do not send them to Bedrock, OpenAI, Anthropic, Google Gemini, or any external AI service for image content. The photo bytes never leave our AWS account boundary.
5.2 what the model produces
For each photo, the model produces:
- a tag set — category, subcategory, colors, materials, style descriptors, and similar attributes.
- per-field confidence scores.
- an embedding vector — a numeric representation we use for similarity search and outfit composition.
These outputs are stored alongside your closet item in our Postgres database.
5.3 outfit generation
When you ask Outfytd to generate an outfit, the recommendation runs inside our own Lambda using the embeddings stored against your closet items, plus deterministic scoring rules. No external AI service is called for outfit generation.
5.4 active learning (tag confirmation)
When the model's confidence on a tag is below an internal threshold, we may prompt you to confirm or correct it ("not sure. confirm."). Your correction is recorded as a labeled training example that we may later use to improve our model.
The training-example record is keyed by a hash of the image and your hashed user identifier — the raw user identity is never written to our training-data archive. See docs/ACTIVE_LEARNING.md for the engineering specification. The training data we retain consists of:
- the image URI inside our private S3 bucket
- the original predicted tags
- the corrected tags
- the original confidence values
- a list of which fields were changed
We do not retain, in the training data, any field that would identify you, such as your raw user ID, email, handle, or display name.
You may opt out of having your future corrections used as training data by emailing [email protected]. Doing so does not affect product functionality — the model still tags your items; we just won't store your corrections as training examples after the opt-out date.
5.5 we do not sell your photos
Your photos are never sold, licensed, or shared with any third party for any purpose other than as described in this policy.
6. how we share information
We share your information only as described below.
6.1 service providers (sub-processors)
| Provider | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS), us-east-2 | hosting, storage, database, compute, machine learning | all operational data, photos, hashed events |
| Cloudflare | authoritative DNS for outfytd.com only — not a CDN for application content | none beyond standard DNS query metadata |
| Apple (via Sign in with Apple) | identity federation only | the federated subject identifier during sign-in |
| Google (via Sign in with Google) | identity federation only | the federated subject identifier during sign-in |
We do not use third-party analytics SDKs, advertising trackers, attribution pixels, or marketing tag managers in the Service at MVP.
6.2 legal
We may disclose information when we have a good-faith belief disclosure is required by law, regulation, or valid legal process, or is necessary to protect the safety or rights of users or the public.
6.3 business transfers
If Outfytd is acquired, merges with another company, or sells substantially all of its assets, your information may be transferred to the successor entity, subject to a binding commitment to honor this policy.
6.4 with your consent
For any sharing not described above, we will ask for your consent first.
7. trend-data sharing (opt-in only; defaulted off)
Outfytd's long-term plan includes a separate B2B fashion-trend platform. The data collection that will eventually power this platform happens only with your explicit, revocable opt-in.
At present (MVP), we collect this data only from users who have turned the toggle on, and we do not commercially share or sell it. No claim that we sell trend data is made under this policy. Any future commercial sharing of trend data will require an additional, publicly disclosed update to this policy with prior notice to you.
7.1 what the opt-in enables
If you turn the trend-data sharing toggle on (in settings; defaulted off):
- The optional profile fields described in Section 3.2 (home country, home city, age range, gender identity) become collectible. You choose which fields to fill in.
- Your usage events continue to be published — always with your user ID replaced by an HMAC-SHA-256 hash keyed with a server-side pepper.
- Aggregations of those events may inform internal trend research and, in the future, may be shared in aggregate-only form with enterprise customers (see below).
If the toggle stays off:
- The optional profile fields are not collected.
- Your hashed events still flow to our internal analytics store (this is necessary for product operation, security, and abuse prevention), but they are not used for trend-aggregation reports.
7.2 anonymization at write time
User identifiers in our analytics store ("data lake") are hashed with HMAC-SHA-256 using a server-side pepper before they are written. The pepper is stored in AWS Secrets Manager. The hash cannot be inverted, but it is deterministic: while we hold the pepper we can recompute the hash for a given account (this is how we locate your records for deletion under Section 10.3), and anyone without the pepper cannot link a hashed record back to an account. In regulatory terms the per-event records are pseudonymized, not anonymized; only the aggregate reports described in Section 7.1 are intended to be anonymous.
Because hashing happens before the event is written, the analytics store never sees your raw user identifier.
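The write-time pseudonymization described in Sections 3.4 and 7.2, and the deletion it enables in Section 10.3, as an added worked example. This is illustrative code written for this page, not Outfytd's pipeline; the pepper value, the event shape, the `user_id`/`user_hash` field names and the sample identifiers are all constructed assumptions. It shows the property that matters for the policy text: the holder of the pepper can recompute a user's hash and find their records exactly, while someone with only the hashed store and a list of user IDs cannot.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed test pepper. In production the pepper is read from AWS Secrets Manager
# at service start and is never written to code, logs, or the analytics store.
TEST_PEPPER = bytes.fromhex("f0" * 32)

Record = Dict[str, str]


def pseudonymize_user_id(user_id: str, pepper: bytes) -> str:
    """HMAC-SHA-256(pepper, user_id), hex-encoded. One-way, but deterministic:
    the same user and pepper always yield the same value."""
    return hmac.new(pepper, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def write_event(store: List[Record], event: Record, pepper: bytes) -> Record:
    """Replace the raw identifier before the record reaches the analytics store.
    The stored record carries only user_hash; user_id is dropped, not copied."""
    record = {k: v for k, v in event.items() if k != "user_id"}
    record["user_hash"] = pseudonymize_user_id(event["user_id"], pepper)
    store.append(record)
    return record


def records_for_user(store: List[Record], user_id: str, pepper: bytes) -> List[Record]:
    """Deletion support: whoever holds the pepper recomputes the hash and gets an
    exact match over the user's records, not a best-effort guess."""
    h = pseudonymize_user_id(user_id, pepper)
    return [r for r in store if hmac.compare_digest(r["user_hash"], h)]


def delete_user_records(store: List[Record], user_id: str, pepper: bytes) -> int:
    """Remove every record for user_id in place; returns how many were removed."""
    h = pseudonymize_user_id(user_id, pepper)
    kept = [r for r in store if not hmac.compare_digest(r["user_hash"], h)]
    removed = len(store) - len(kept)
    store[:] = kept
    return removed


def reidentify(target_hash: str, candidate_ids: List[str], pepper: Optional[bytes]) -> Optional[str]:
    """Try to link a stored hash to one of a list of known user IDs (e.g. a leaked
    list of Cognito subs). With the right pepper this succeeds; with no pepper the
    best an attacker can do is an unkeyed SHA-256, which does not match an HMAC output."""
    for uid in candidate_ids:
        if pepper is None:
            guess = hashlib.sha256(uid.encode("utf-8")).hexdigest()
        else:
            guess = pseudonymize_user_id(uid, pepper)
        if hmac.compare_digest(guess, target_hash):
            return uid
    return None


# Constructed sample events; the identifiers are not real Cognito subs.
SAMPLE_EVENTS: List[Record] = [
    {"user_id": "sub-1111", "name": "closet.item_created"},
    {"user_id": "sub-2222", "name": "outfits.generated"},
    {"user_id": "sub-1111", "name": "closet.tag_corrected"},
]


def build_store(events: List[Record] = SAMPLE_EVENTS, pepper: bytes = TEST_PEPPER) -> List[Record]:
    """Run the sample events through write_event and return the resulting store."""
    store: List[Record] = []
    for e in events:
        write_event(store, e, pepper)
    return store


if __name__ == "__main__":
    store = build_store()
    known_subs = ["sub-2222", "sub-1111"]
    print("raw ids present:", any("user_id" in r for r in store))
    print("records for sub-1111:", len(records_for_user(store, "sub-1111", TEST_PEPPER)))
    print("reidentify without pepper:", reidentify(store[0]["user_hash"], known_subs, None))
    print("reidentify with pepper:", reidentify(store[0]["user_hash"], known_subs, TEST_PEPPER))
    print("deleted:", delete_user_records(store, "sub-1111", TEST_PEPPER))
```

The example uses a wrong-pepper case as well as a no-pepper case; both fail to link, which is the whole value of keying the hash rather than using a plain SHA-256 over identifiers that are themselves guessable. It also makes the deletion point concrete: as long as the pepper exists, erasure by recomputed hash is exact, and rotating or destroying the pepper is what would turn the stored records into data that nobody, including Outfytd, can link back to an account.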
7.3 reversibility
You can turn the trend-data sharing toggle off at any time. Future events stop flowing to the trend-aggregation pipeline immediately. Past per-event records are not removed automatically when you turn the toggle off, but because the hash is keyed we can recompute your hashed identifier and delete those records on request (see Section 10.3). Any aggregate already produced from them is, by design, anonymized and (in any future B2B reporting) subject to k-anonymity guards so that no individual user can be singled out.
7.4 commitment line (the line counsel must clear)
We may collect aggregated, hashed usage data under this opt-in. We do not sell or commercially license such trend data at this time and will not do so until we have made an additional public disclosure and given you prior notice. If and when that future disclosure happens, you will retain the right to withdraw your opt-in.
8. cookies, sessions, and similar technologies
Outfytd authenticates you using AWS Cognito. Your session token is a short-lived JWT.
- Mobile apps (iOS, Android): the token is stored in the platform's secure keychain / keystore. No web cookies.
- Web app: the token is stored in `localStorage` or in a secure, `HttpOnly`, `SameSite=Lax` cookie scoped to `outfytd.com`. This token is used only for authentication.
We do not use third-party analytics cookies, advertising cookies, or cross-site tracking technologies at MVP.
9. children's privacy (COPPA)
Outfytd is not directed at, and is not intended for use by, children under 13. We do not knowingly collect personal information from anyone under 13.
We enforce the age minimum at several layers:
- Pre-Sign-Up Lambda gate. Account creation requires a `custom:birth_year` attribute. A Cognito Pre-Sign-Up Lambda trigger computes the implied age and rejects the sign-up before any data is persisted if the user is under 13. This means no closet, no profile, no event, no row in our database is ever created for a sub-13 sign-up.
- No marketing to minors. Our marketing channels and on-platform copy do not target children.
- No third-party trackers. Even if a minor circumvented our age gate, no third-party advertising or analytics tracker is active in the Service.
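The Pre-Sign-Up gate described above, as an added worked example. This is illustrative code written for this page, not Outfytd's Lambda: the policy only says the trigger "computes the implied age" from `custom:birth_year`, so the conservative rule used here (treat the user as the youngest they could be given a year-only attribute), the plausibility bounds, and the reduced Cognito event shape built by `make_event` are assumptions. What the example adds is the fail-closed handling a practitioner wants from an age gate: a missing, malformed, or future birth year is rejected rather than allowed through.

```python
import datetime as dt
from typing import Any, Dict, Optional

MINIMUM_AGE = 13
# Reference date for the worked checks below (the policy's placeholder effective date).
REFERENCE_DATE = dt.date(2026, 5, 11)


def parse_birth_year(raw: Optional[str], today: dt.date) -> Optional[int]:
    """Return the birth year as an int, or None when the attribute is missing,
    non-numeric, not four digits, in the future, or implausibly old. None means reject."""
    if raw is None:
        return None
    raw = raw.strip()
    if len(raw) != 4 or not raw.isdigit():
        return None
    year = int(raw)
    if year > today.year or year < today.year - 130:
        return None
    return year


def youngest_possible_age(birth_year: int, today: dt.date) -> int:
    """A year-only attribute cannot say whether this year's birthday has passed,
    so assume it has not (assumption: the gate errs on the side of rejecting)."""
    return today.year - birth_year - 1


def is_age_eligible(raw_birth_year: Optional[str], today: dt.date) -> bool:
    """True only when the youngest age consistent with the attribute is >= MINIMUM_AGE."""
    year = parse_birth_year(raw_birth_year, today)
    return year is not None and youngest_possible_age(year, today) >= MINIMUM_AGE


class AgeGateError(Exception):
    """Raising from a Pre Sign-up trigger makes Cognito abort the sign-up and return
    the message to the client; no user is created in the pool."""


def decide(event: Dict[str, Any], today: dt.date) -> bool:
    """Pure decision on a Cognito Pre Sign-up event: True to allow, False to reject.
    Absent request.userAttributes or custom:birth_year falls through to reject."""
    attrs = event.get("request", {}).get("userAttributes") or {}
    return is_age_eligible(attrs.get("custom:birth_year"), today)


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Cognito Pre Sign-up trigger entry point."""
    if not decide(event, dt.date.today()):
        raise AgeGateError("You must be at least 13 years old to create an account.")
    # Leave response.autoConfirmUser untouched so the normal email-verification flow runs.
    return event


def make_event(birth_year: Optional[str]) -> Dict[str, Any]:
    """Constructed Pre Sign-up event reduced to the fields the gate reads (sample data)."""
    attrs: Dict[str, str] = {"email": "user@example.com"}
    if birth_year is not None:
        attrs["custom:birth_year"] = birth_year
    return {
        "triggerSource": "PreSignUp_SignUp",
        "request": {"userAttributes": attrs, "validationData": {}},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False},
    }


if __name__ == "__main__":
    for by in ("2012", "2013", "1990", "2030", "abcd", None):
        print(by, "allow" if decide(make_event(by), REFERENCE_DATE) else "reject")
```

Two caveats worth checking against the real trigger. First, with a year-only attribute, a sign-up in 2026 with birth year 2013 is rejected by this rule even though the user may already be 13; a looser rule (`today.year - birth_year >= 13`) admits some 12-year-olds, which is the trade-off the policy's "enforce at several layers" wording is making. Second, federated sign-ups arrive at the same trigger with `triggerSource` set to `PreSignUp_ExternalProvider`, and unless the app has collected and mapped `custom:birth_year` before the federation call, the fail-closed branch above rejects them; that is the correct default, but the sign-in flow has to account for it.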
If we learn that we have collected information from a child under 13, we will:
- disable the account immediately,
- delete the associated data within 30 days,
- confirm deletion to the reporting parent or guardian in writing if requested, and
- log the incident internally.
Parents or guardians who believe their child has created an Outfytd account should email [email protected] with the username or email used; we will verify, delete, and confirm within 7 business days.
We do not seek verifiable parental consent because we do not allow under-13 accounts at all. If the product direction ever changes, this policy and the sign-up flow will be updated and you will be notified.
10. data retention and account deletion
10.1 active accounts
We retain your account data for as long as your account is active or as needed to provide the Service.
10.2 deletion of individual items
When you delete an individual closet item, the item is soft-deleted (the row is retained with a deleted_at timestamp set) so we can audit abuse and restore accidental deletions. Soft-deleted items are not shown anywhere in the Service.
10.3 account deletion (planned; backlog)
A self-service "delete my account" flow is on the product backlog and will ship before general availability. When you delete your account:
- the photos in our S3 buckets that belong to your account will be deleted,
- the rows in our Postgres database that belong to your account will be deleted,
- past hashed events in the analytics store will be deleted: we recompute your hashed identifier from your account ID and the pepper and remove every record that carries it. Because the hash is keyed and deterministic, this enumeration is exact rather than best-effort. Aggregate figures already derived from those events are not recomputed; they contain no per-user identifier.
Until that flow ships, you can email [email protected] and we will process the deletion manually within 30 days.
10.4 backups
System backups are retained on a 90-day rolling cycle. Deletions propagate to backups as they roll over.
11. your rights
Depending on where you live, you may have some or all of the following rights:
- access — request a copy of the personal information we hold about you.
- correction — request that we correct inaccurate information.
- deletion — request that we delete your information ("right to erasure").
- portability — request a machine-readable copy of your data.
- withdrawal of consent — turn off the trend-data sharing toggle (in settings) at any time.
- objection — object to certain types of processing.
- non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
To exercise any of these rights, email [email protected]. We will respond within 30 days. We may ask you to verify your identity before acting on a request to protect your account.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection authority. If you are in California, you may also have rights under the California Consumer Privacy Act (CCPA / CPRA), including the right to know, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising).
12. security
We protect your information using technical and organizational measures, including:
- encryption in transit — TLS 1.2+ for all network traffic between your device and our servers.
- encryption at rest — AES-256 (the AWS S3 default and the encryption used on the Postgres database and managed backups).
- least-privilege access — service-to-service calls within AWS use IAM authentication. Database credentials are rotated and held only in AWS Secrets Manager.
- private storage — your photos are stored in private S3 buckets. They are not publicly readable; access requires signed, short-lived URLs.
- network perimeter — the application database requires IAM authentication. During the current pre-launch infrastructure-debugging phase under the AWS Free Plan, the database's security group is open at the network layer, so the listener is reachable from the internet; every connection must nonetheless present IAM credentials we control. The security group will be closed to public ingress before general availability.
- pepper isolation — the HMAC pepper used to hash event identifiers is stored in AWS Secrets Manager, never in code or logs.
No system is perfectly secure. If we become aware of a security breach affecting your personal information, we will notify you and the relevant authorities as required by law.
13. where your data is stored
Your data is stored primarily in AWS region us-east-2 (Ohio, United States). Our static web bundle is also served via Amazon CloudFront's global edge network (primary distribution origin: us-east-1) for performance.
If you access Outfytd from outside the United States, your data will be transferred to and processed in the United States. Where international transfer mechanisms (such as the European Commission's Standard Contractual Clauses) are applicable, we rely on them.
14. third-party links
The Service may contain links to third-party websites (for example, brand or designer pages). We are not responsible for those websites' privacy practices. Read their policies before providing information to them.
15. changes to this policy
We may update this policy from time to time. When we make a material change, we will notify you in the Service and update the "Last updated" date above. Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.
16. contact
For any privacy question, request, or concern, contact:
(Note: this mailbox is being provisioned during the pre-launch period. Counsel should confirm a working address before the policy is published.)
open questions for counsel
The following points are flagged for legal review:
- Section 5.4 (active learning) — confirm the language adequately covers our right to use corrections as training data under GDPR Art. 6 / Art. 22 (automated decisions) and CCPA "deidentified data" definitions.
- Section 7 (trend-data opt-in) — confirm the "may collect, will not sell until further notice" posture is sound and does not itself constitute an actionable representation that we will sell.
- Section 7.3 — confirm the framing that past hashed records cannot be re-identified is consistent with how the regulator would define "anonymization" vs. "pseudonymization."
- Section 12 — confirm the disclosure that the database security group is currently open at the network layer (but IAM-authenticated at the application layer) is adequate for the pre-launch period.
- Section 13 — confirm the international-transfer language for users in the EEA / UK / Switzerland is sufficient.
- Effective date — replace placeholder once approved.
- Contact mailbox [email protected] — confirm provisioning before publication.