outfytd — privacy policy
DRAFT — pending counsel review. Not the final binding version.
This document is an engineering-authored draft. It accurately describes Outfytd's data handling and infrastructure, but it has not been reviewed by qualified legal counsel. Final language must be approved by an attorney before App Store / Play Store submission and before any public release.
2026-05-12 policy update — REQUIRES LAWYER REVIEW: the previous "trend-data opt-in defaulted off" posture was replaced with the explicit "anonymized features extracted from your photos train our model — that is the price of the free service" posture. Image deletion still works; previously-extracted anonymized features remain in the model. Counsel must validate this posture under FTC unfairness doctrine, COPPA (we already gate at 13+), GDPR Art. 6 (legal basis: contractual necessity for service provision), and CCPA "deidentified data" definitions before public launch.
the deal (plain language)
Outfytd is free because anonymized features extracted from the clothing photos you upload (color, material, category, construction, aesthetic, era, brand probability, wear context, season, price tier) are used to train and improve Outfytd's fashion-intelligence models.
- Your raw photos never leave our AWS account boundary. We do not sell your photos. We do not license them. No third-party AI sees them.
- De-identified features extracted from those photos are used to improve our models and may, in aggregate and hashed form, power Outfytd's Phase 3 fashion-trend platform. The hashed features cannot be traced back to your raw user identity in the data lake.
- You can delete your photos at any time. Account deletion (Section 10.3) removes all photos you uploaded and your account record. Previously-extracted anonymized features are not retracted — they have already been incorporated into the model and into aggregate trend signals where individual contributions are not separable.
- We do not provide a separate opt-out from training-data use inside the app. If you do not want anonymized features from your photos to train our model, do not upload photos. Sections 5 and 7 below describe what's extracted and how it's used.
This is the only honest version of the deal. Free social-fashion apps either monetize through ads (which we don't and won't), paid subscriptions (which we may add later as an additional tier), or data. We chose data — specifically anonymized fashion-feature data, never raw photos or identity — and we say so up front.
Effective date: 2026-05-11 (placeholder — final date set on legal sign-off)
Last updated: 2026-05-11
1. who we are
Outfytd ("Outfytd", "we", "us", "our") operates the Outfytd mobile applications (iOS and Android) and the website at https://outfytd.com (collectively, the "Service"). Outfytd is an avant-garde fashion application that helps users catalog their wardrobe, generate outfit suggestions, and share looks with other users.
This policy explains what information we collect, how we use it, who we share it with, and the rights you have.
If you have any question about this policy or your data, contact us at [email protected]. (Note: this mailbox is being provisioned. If mail to it bounces during the pre-launch period, you may reach the founder directly via the contact listed in the App Store / Play Store listings.)
2. scope
This policy applies to:
- The Outfytd iOS app.
- The Outfytd Android app.
- The Outfytd web app at https://outfytd.com.
- Any related backend service operated by Outfytd.
This policy does not apply to third-party services we link to or that you choose to sign in with (e.g., Apple, Google) — those services have their own privacy policies, which we encourage you to read.
Beta period (current). Outfytd is currently in private beta. During the beta, this policy is supplemented by Section 2.1 below, which describes additional data handling specific to a pre-release product.
2.1 beta period — additional data handling
This Section 2.1 applies only during the private-beta period. It expires automatically when Outfytd publicly announces general availability.
Extra telemetry. During the beta, we collect additional telemetry useful for debugging and product iteration: client-side error stack traces, anonymized navigation paths, performance timings, and Lambda invocation logs. We may retain this data for the duration of the beta, in a form that is not anonymized to the same degree as our long-term trend-data feed (Section 5.2).
Reset rights. We may, during the beta, wipe the database, reset accounts, delete content, or migrate users to a new infrastructure stack with or without prior notice. Best-effort communication will go out via in-app banner or the email on file, but no notice is guaranteed.
Sharing with our infrastructure and AI providers. During the beta we use the same vendors named in Section 9 (AWS, Cloudflare, Postmark, Bedrock, etc.). We will not share beta data with marketing partners, ad platforms, or any data broker. We will not sell beta data.
Audit logs. We record acceptance of the Beta NDA, the Terms of Service, and the Privacy Policy with timestamp, IP address, and user-agent. These logs are retained for at least three (3) years after the end of the beta for legal-defense purposes, even after account deletion.
No public mention. As a condition of beta participation, you have agreed (via the Beta NDA + the Terms of Service Section 1.1) not to publicly describe the Service. That agreement applies to your data handling decisions too — for example, do not post screenshots of your private DMs or your closet to public social media.
Data export. During the beta, an authenticated user can request a data export at any time by emailing [email protected]. We will produce it within 30 days (no formal GDPR/CCPA SLA applies during beta — we still try to honor those windows).
Right to terminate beta access. We may terminate your participation in the beta at any time, with or without cause, with or without notice. On termination, your raw content is deleted within 30 days unless we are required by law to retain it. The audit-log entries described above are retained per their terms.
3. information we collect
3.1 information you give us at sign-up
When you create an Outfytd account, we collect:
- email address — used for sign-in, account recovery, and service notices.
- birth year — used only to verify you are 13 or older. We do not display, share, or use this for marketing. See Section 9 (children's privacy).
- display name — the name shown on your profile.
- handle (a @username) — a unique identifier you choose for your profile URL.
- identity provider subject — if you sign in with Apple or Google, we receive a stable, opaque federated subject ID (and your email, which may be a relay address you control). We store this ID so that subsequent sign-ins match the same account.
- Cognito subject (cognito_sub) — a unique account identifier generated by our authentication system (AWS Cognito).
3.2 optional profile information (defaulted OFF)
The following fields are entirely optional and default to empty / off. They are collected only if you choose to enable the trend-data sharing toggle in your settings:
- home country
- home city
- age range (a coarse bucket, e.g., "25–34")
- gender identity
These fields exist solely to support the future aggregated, anonymized trend reporting described in Section 7. We do not display them on your public profile. We do not sell them. If you never enable the trend-data toggle, we never collect or store these fields.
3.3 content you upload
When you use the Service you may upload:
- photos of clothing items — stored in our private Amazon S3 bucket (outfytd-<env>-images-original) in AWS region us-east-2 (Ohio, USA). Display-sized and thumbnail derivatives are stored in two additional private buckets we control. None of these buckets is publicly readable; access is granted only through signed, short-lived URLs issued to your own account.
- tags and corrections — labels you add, edit, or confirm on your closet items (e.g., category, colors, materials, brand). These are stored in our Postgres database tied to the item.
- outfit compositions — combinations of your closet items you save or publish.
- social content — posts, captions, likes, follows, comments.
3.4 information we collect automatically
- device and app metadata — app version, device model, operating system version, language, timezone, and a coarse approximation of your IP address (e.g., country / region; we do not retain full IPs in long-term storage).
- crash and error reports — diagnostic data when the app crashes or hits an unexpected error.
- usage events — every meaningful business action you take (e.g., closet.item_created, outfits.generated, closet.tag_corrected, social.post_liked). These events are published to our analytics pipeline. Before any event is written to the analytics store, your user identifier is replaced with a one-way HMAC-SHA-256 hash using a server-side secret ("pepper") that we do not export. The analytics store therefore never holds your raw user identifier. See Section 7.
3.5 information we receive from third parties
- Apple, via Sign in with Apple — when you choose this sign-in method, Apple gives us a stable federated subject ID and an email address (which may be a relay address Apple manages for you). We do not receive any other Apple account information.
- Google, via Sign in with Google — similarly, a stable federated subject ID and your email address. No other Google account data.
We do not purchase data from data brokers. We do not scrape, import, or otherwise read your contacts, your photo library beyond what you explicitly upload, your social-media friend lists, or any other off-platform data.
4. how we use information
We use the information we collect to:
- operate the Service — store your closet, generate outfit suggestions, deliver your social feed, send you notifications you've requested.
- process your photos with our own machine-learning models — see Section 5 for the full description.
- maintain security — detect abuse, prevent fraud, respond to support requests, comply with legal obligations.
- improve the product — analyze aggregated behavior to decide what to build next.
- communicate with you — service notices, password resets, security alerts, and (if you opt in) feature announcements.
- comply with law — respond to valid legal process and protect our rights and the rights of our users.
We do not use your information for behavioral advertising. We do not run third-party advertising trackers or marketing pixels.
5. how we process your photos (machine learning)
This section is unusually detailed by design — image processing is the most privacy-sensitive part of the Service, and we want you to understand exactly what happens.
5.1 our own models, in our own cloud
Photos you upload are processed by our own machine-learning Lambdas running in our AWS account in us-east-2. The model we run is fashion-CLIP, an open-source convolutional vision model published by Marqo. The model runs entirely within our AWS environment.
We do not send your photos to third-party large language models. We do not send them to Bedrock, OpenAI, Anthropic, Google Gemini, or any external AI service for image content. The photo bytes never leave our AWS account boundary.
5.2 what the model produces
For each photo, the model produces:
- a tag set — category, subcategory, colors, materials, style descriptors, and similar attributes.
- per-field confidence scores.
- an embedding vector — a numeric representation we use for similarity search and outfit composition.
These outputs are stored alongside your closet item in our Postgres database.
5.3 outfit generation
When you ask Outfytd to generate an outfit, the recommendation runs inside our own Lambda using the embeddings stored against your closet items, plus deterministic scoring rules. No external AI service is called for outfit generation.
5.4 active learning (tag confirmation)
When the model's confidence on a tag is below an internal threshold, we may prompt you to confirm or correct it ("not sure. confirm."). Your correction is recorded as a labeled training example that we may later use to improve our model.
The training-example record is keyed by a hash of the image and your hashed user identifier — the raw user identity is never written to our training-data archive. See docs/ACTIVE_LEARNING.md for the engineering specification. The training data we retain consists of:
- the image URI inside our private S3 bucket
- the original predicted tags
- the corrected tags
- the original confidence values
- a list of which fields were changed
We do not retain, in the training data, any field that would identify you, such as your raw user ID, email, handle, or display name.
Training-data participation is not optional inside Outfytd. Anonymized feature extraction from the photos you upload (Section 5.2) and from your corrections (this section) is foundational to providing the Service and is not a separable opt-out. If you do not consent to anonymized features being extracted from your uploads, do not upload photos. You may always delete your account (Section 10.3); deletion removes your raw photos but does not retract anonymized features already incorporated into the model.
5.5 we do not sell your photos
Your photos are never sold, licensed, or shared with any third party for any purpose other than as described in this policy.
6. how we share information
We share your information only as described below.
6.1 service providers (sub-processors)
| Provider | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS), us-east-2 | hosting, storage, database, compute, machine learning | all operational data, photos, hashed events |
| Cloudflare | authoritative DNS for outfytd.com only — not a CDN for application content | none beyond standard DNS query metadata |
| Apple (via Sign in with Apple) | identity federation only | the federated subject identifier during sign-in |
| Google (via Sign in with Google) | identity federation only | the federated subject identifier during sign-in |
We do not use third-party analytics SDKs, advertising trackers, attribution pixels, or marketing tag managers in the Service at MVP.
6.2 legal
We may disclose information when we have a good-faith belief disclosure is required by law, regulation, or valid legal process, or is necessary to protect the safety or rights of users or the public.
6.3 business transfers
If Outfytd is acquired, merges with another company, or sells substantially all of its assets, your information may be transferred to the successor entity, subject to a binding commitment to honor this policy.
6.4 with your consent
For any sharing not described above, we will ask for your consent first.
7. trend-data extraction (foundational; not opt-out)
Outfytd's long-term plan includes a separate B2B fashion-trend platform. The data collection that will eventually power this platform happens only with your explicit, revocable opt-in.
At present (MVP), we collect this data; we do not commercially share or sell it. No claim about selling trend data is being made under this policy. Any future commercial sharing of trend data will require an additional, publicly disclosed update to this policy with prior notice to you.
7.1 what the opt-in enables
If you turn the trend-data sharing toggle on (in settings; defaulted off):
- The optional profile fields described in Section 3.2 (home country, home city, age range, gender identity) become collectible. You choose which fields to fill in.
- Your usage events continue to be published — always with your user ID replaced by an HMAC-SHA-256 hash keyed with a server-side pepper.
- Aggregations of those events may inform internal trend research and, in the future, may be shared in aggregate-only form with enterprise customers (see below).
If the toggle stays off:
- The optional profile fields are not collected.
- Your hashed events still flow to our internal analytics store (this is necessary for product operation, security, and abuse prevention), but they are not used for trend-aggregation reports.
7.2 anonymization at write time
User identifiers in our analytics store ("data lake") are hashed with HMAC-SHA-256 using a server-side pepper before they are written. The pepper is stored in AWS Secrets Manager. The hash is one-way and we cannot reverse it.
Because hashing happens before the event is written, the analytics store never sees your raw user identifier.
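The write-time transform described in this section and in Section 3.4, followed by the hash-keyed scrub from Section 10.3, as an added example (not Outfytd's own pipeline code). The pepper, the store (an in-memory list), the field names and the sample events are all constructed for the example; in the real design the pepper comes from AWS Secrets Manager.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed pepper for this stand-alone example. In the design described
# above the pepper is read from AWS Secrets Manager at runtime and never
# exported; it is hard-coded here only so the file runs offline.
PEPPER = b"example-pepper-not-a-real-secret"

# Identifying fields that must never reach the analytics store.
FORBIDDEN_FIELDS = {"user_id", "email", "handle", "display_name"}


def pseudonymize(user_id: str, pepper: bytes = PEPPER) -> str:
    """Keyed one-way hash (HMAC-SHA-256) of the raw user identifier."""
    return hmac.new(pepper, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def to_analytics_record(event: Dict, pepper: bytes = PEPPER) -> Dict:
    """Write-time transform: replace the raw identifier with its HMAC and
    drop any other identifying field before the event is persisted."""
    record = {k: v for k, v in event.items() if k not in FORBIDDEN_FIELDS}
    record["user_hash"] = pseudonymize(event["user_id"], pepper)
    return record


def write_events(events: List[Dict], store: List[Dict], pepper: bytes = PEPPER) -> int:
    """Persist events into the (in-memory) analytics store; returns the count written."""
    for ev in events:
        store.append(to_analytics_record(ev, pepper))
    return len(events)


def leaked_identifiers(store: List[Dict]) -> List[int]:
    """Audit check: indexes of stored records that still carry a raw identifier.
    Expected to be empty if every writer goes through to_analytics_record."""
    return [i for i, rec in enumerate(store) if FORBIDDEN_FIELDS.intersection(rec)]


def scrub_user(store: List[Dict], user_id: str, pepper: bytes = PEPPER) -> int:
    """Best-effort deletion (Section 10.3): recompute the hash for the account
    being deleted and remove every record that joins through it. This join is
    only possible while the same pepper is available, which is also why the
    store is pseudonymous (not anonymous) from the pepper holder's point of view."""
    target = pseudonymize(user_id, pepper)
    before = len(store)
    store[:] = [rec for rec in store if rec.get("user_hash") != target]
    return before - len(store)


# Constructed sample events using the event names from Section 3.4.
SAMPLE_EVENTS = [
    {"user_id": "usr_alice", "event": "closet.item_created", "item_id": "itm_1"},
    {"user_id": "usr_alice", "event": "outfits.generated", "count": 3},
    {"user_id": "usr_bob", "event": "social.post_liked", "post_id": "pst_9",
     "email": "bob@example.invalid"},  # stray PII: must be stripped at write time
]


if __name__ == "__main__":
    store: List[Dict] = []
    write_events(SAMPLE_EVENTS, store)
    print("raw identifiers in store:", leaked_identifiers(store))  # []
    print("records scrubbed for usr_alice:", scrub_user(store, "usr_alice"))  # 2
    print("remaining:", store)
```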
7.3 reversibility
You can turn the trend-data sharing toggle off at any time. Future events stop flowing to the trend-aggregation pipeline immediately. Past hashed records cannot be selectively removed because we cannot re-identify which hashed records were yours — but they are by design aggregated, anonymized, and (in any future B2B reporting) subject to k-anonymity guards so that no individual user can be singled out.
7.4 commitment line (the line counsel must clear)
We may collect aggregated, hashed usage data under this opt-in. We do not sell or commercially license such trend data at this time and will not do so until we have made an additional public disclosure and given you prior notice. If and when that future disclosure happens, you will retain the right to withdraw your opt-in.
8. cookies, sessions, and similar technologies
Outfytd authenticates you using AWS Cognito. Your session token is a short-lived JWT.
- Mobile apps (iOS, Android): the token is stored in the platform's secure keychain / keystore. No web cookies.
- Web app: the token is stored in localStorage or in a secure, HttpOnly, SameSite=Lax cookie scoped to outfytd.com. This token is used only for authentication.
We do not use third-party analytics cookies, advertising cookies, or cross-site tracking technologies at MVP.
9. children's privacy (COPPA)
Outfytd is not directed at, and is not intended for use by, children under 13. We do not knowingly collect personal information from anyone under 13.
We enforce the age minimum at several layers:
- Pre-Sign-Up Lambda gate. Account creation requires a custom:birth_year attribute. A Cognito Pre-Sign-Up Lambda trigger computes the implied age and rejects the sign-up before any data is persisted if the user is under 13. This means no closet, no profile, no event, no row in our database is ever created for a sub-13 sign-up.
- No marketing to minors. Our marketing channels and on-platform copy do not target children.
- No third-party trackers. Even if a minor circumvented our age gate, no third-party advertising or analytics tracker is active in the Service.
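A Pre-Sign-Up trigger of the kind described in the first bullet above, as an added example (not Outfytd's actual Lambda). It takes the attribute name custom:birth_year from the text; the conservative age rule (assume this year's birthday has not yet passed), the fixed reference date and the sample event are assumptions made for the example, while the event layout is the standard Cognito PreSignUp shape.

```python
import datetime
from typing import Any, Dict

MINIMUM_AGE = 13
BIRTH_YEAR_ATTRIBUTE = "custom:birth_year"  # attribute name from Section 9
# Fixed reference date so the example is reproducible; the handler uses today's date.
EXAMPLE_TODAY = datetime.date(2026, 5, 12)


class UnderageSignUpError(Exception):
    """Raised to make Cognito refuse the sign-up; Cognito relays the message."""


def implied_age(birth_year: int, today: datetime.date) -> int:
    """Assumed (conservative) rule: a birth year alone cannot tell whether this
    year's birthday has passed, so treat it as not yet passed. Someone born
    13 calendar years ago is therefore still counted as 12."""
    return today.year - birth_year - 1


def check_birth_year(raw: Any, today: datetime.date) -> int:
    """Validate the attribute and return the implied age, or raise:
    ValueError for a missing/garbled year, UnderageSignUpError for under-13."""
    try:
        year = int(str(raw).strip())
    except (TypeError, ValueError):
        raise ValueError("birth year is required and must be a whole number")
    if year > today.year or year < today.year - 120:
        raise ValueError("birth year is out of range")
    age = implied_age(year, today)
    if age < MINIMUM_AGE:
        raise UnderageSignUpError("You must be at least 13 to use Outfytd.")
    return age


def decide(event: Dict[str, Any], today: datetime.date) -> str:
    """Pure decision used by the handler: 'allow', 'reject:underage' or
    'reject:invalid'. A missing attribute is a rejection, never a pass."""
    attrs = event.get("request", {}).get("userAttributes", {})
    try:
        check_birth_year(attrs.get(BIRTH_YEAR_ATTRIBUTE), today)
    except UnderageSignUpError:
        return "reject:underage"
    except ValueError:
        return "reject:invalid"
    return "allow"


def pre_sign_up_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Cognito PreSignUp trigger entry point. Returning the event allows the
    sign-up; raising rejects it before any user record exists."""
    decision = decide(event, datetime.date.today())
    if decision == "reject:underage":
        raise UnderageSignUpError("You must be at least 13 to use Outfytd.")
    if decision == "reject:invalid":
        raise ValueError("A valid birth year is required to sign up.")
    # Leave the response defaults (no autoConfirmUser / autoVerifyEmail) untouched.
    return event


def make_event(birth_year: Any) -> Dict[str, Any]:
    """Constructed PreSignUp-shaped event carrying only the fields this gate reads."""
    attrs = {"email": "new-user@example.invalid"}
    if birth_year is not None:
        attrs[BIRTH_YEAR_ATTRIBUTE] = birth_year
    return {"triggerSource": "PreSignUp_SignUp", "request": {"userAttributes": attrs},
            "response": {"autoConfirmUser": False, "autoVerifyEmail": False}}


if __name__ == "__main__":
    for year in ("2012", "2013", "1899", "", None):
        print(repr(year), "->", decide(make_event(year), EXAMPLE_TODAY))
```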
If we learn that we have collected information from a child under 13, we will:
- disable the account immediately,
- delete the associated data within 30 days,
- confirm deletion to the reporting parent or guardian in writing if requested, and
- log the incident internally.
Parents or guardians who believe their child has created an Outfytd account should email [email protected] with the username or email used; we will verify, delete, and confirm within 7 business days.
We do not seek verifiable parental consent because we do not allow under-13 accounts at all. If the product direction ever changes, this policy and the sign-up flow will be updated and you will be notified.
10. data retention and account deletion
10.1 active accounts
We retain your account data for as long as your account is active or as needed to provide the Service.
10.2 deletion of individual items
When you delete an individual closet item, the item is soft-deleted (the row is retained with a deleted_at timestamp set) so we can audit abuse and restore accidental deletions. Soft-deleted items are not shown anywhere in the Service.
10.3 account deletion (planned; backlog)
A self-service "delete my account" flow is on the product backlog and will ship before general availability. When you delete your account:
- the photos in our S3 buckets that belong to your account will be deleted,
- the rows in our Postgres database that belong to your account will be deleted,
- past hashed events in the analytics store will be removed on a best-effort basis using the hashed identifier — note that, by design, we cannot perfectly enumerate every record (the hash is one-way) but we will scrub everything that joins through it.
Until that flow ships, you can email [email protected] and we will process the deletion manually within 30 days.
10.4 backups
System backups are retained on a 90-day rolling cycle. Deletions propagate to backups as they roll over.
11. your rights
Depending on where you live, you may have some or all of the following rights:
- access — request a copy of the personal information we hold about you.
- correction — request that we correct inaccurate information.
- deletion — request that we delete your information ("right to erasure").
- portability — request a machine-readable copy of your data.
- withdrawal of consent — turn off the trend-data sharing toggle (in settings) at any time.
- objection — object to certain types of processing.
- non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
To exercise any of these rights, email [email protected]. We will respond within 30 days. We may ask you to verify your identity before acting on a request to protect your account.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you also have the right to lodge a complaint with your local data protection authority. If you are in California, you may also have rights under the California Consumer Privacy Act (CCPA / CPRA), including the right to know, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioral advertising).
12. security
We protect your information using technical and organizational measures, including:
- encryption in transit — TLS 1.2+ for all network traffic between your device and our servers.
- encryption at rest — AES-256 (the AWS S3 default and the encryption used on the Postgres database and managed backups).
- least-privilege access — service-to-service calls within AWS use IAM authentication. Database credentials are rotated and held only in AWS Secrets Manager.
- private storage — your photos are stored in private S3 buckets. They are not publicly readable; access requires signed, short-lived URLs.
- network perimeter — the application database requires IAM authentication. The security group is configured to be open during the current pre-launch infrastructure-debugging phase under the AWS Free Plan; access nonetheless requires IAM authentication and credentials we control. The security group will be closed to public ingress before general availability.
- pepper isolation — the HMAC pepper used to hash event identifiers is stored in AWS Secrets Manager, never in code or logs.
No system is perfectly secure. If we become aware of a security breach affecting your personal information, we will notify you and the relevant authorities as required by law.
13. where your data is stored
Your data is stored primarily in AWS region us-east-2 (Ohio, United States). Our static web bundle is also served via Amazon CloudFront's global edge network (primary distribution origin: us-east-1) for performance.
If you access Outfytd from outside the United States, your data will be transferred to and processed in the United States. Where international transfer mechanisms (such as the European Commission's Standard Contractual Clauses) are applicable, we rely on them.
14. third-party links
The Service may contain links to third-party websites (for example, brand or designer pages). We are not responsible for those websites' privacy practices. Read their policies before providing information to them.
15. changes to this policy
We may update this policy from time to time. When we make a material change, we will notify you in the Service and update the "Last updated" date above. Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy.
16. contact
For any privacy question, request, or concern, contact:
(Note: this mailbox is being provisioned during the pre-launch period. Counsel should confirm a working address before the policy is published.)
open questions for counsel
The following points are flagged for legal review:
- Section 5.4 (active learning) — confirm the language adequately covers our right to use corrections as training data under GDPR Art. 6 / Art. 22 (automated decisions) and CCPA "deidentified data" definitions.
- Section 7 (trend-data opt-in) — confirm the "may collect, will not sell until further notice" posture is sound and does not itself constitute an actionable representation that we will sell.
- Section 7.3 — confirm the framing that past hashed records cannot be re-identified is consistent with how the regulator would define "anonymization" vs. "pseudonymization."
- Section 12 — confirm the disclosure that the database security group is currently open at the network layer (but IAM-authenticated at the application layer) is adequate for the pre-launch period.
- Section 13 — confirm the international-transfer language for users in the EEA / UK / Switzerland is sufficient.
- Effective date — replace placeholder once approved.
- Contact mailbox [email protected] — confirm provisioning before publication.