Legal

Privacy Policy.

Version 2026-05-31 · Last updated 2026-05-31 · Drafted under GDPR (Regulation (EU) 2016/679) and the French Loi Informatique et Libertés

This policy is written by the Aplomb team based on internal compliance audits and CNIL guidance. It should be reviewed by qualified privacy counsel before any material business change (new subprocessor, new processing activity, new market). Bracketed values like the SIREN and postal address will be filled in once the SAS is registered.

1. Who we are (data controller)

Aplomb is operated by Aplomb SAS, a French société par actions simplifiée (SAS) — [SIREN to be assigned], headquartered at [Postal address — to be added once the SAS siège social is registered].

We are the data controller for the personal data described in this policy. The brands you discover through Aplomb are our commercial partners, not joint controllers of your scan data.

Privacy contact: privacy@aplomb-app.com. We do not currently have a designated Data Protection Officer — under GDPR Art 37 §1.b, a DPO becomes mandatory once we cross the “regular and systematic monitoring on a large scale” threshold; we'll appoint one before that.

2. What data we collect, why, and on what legal basis

The table below maps every personal-data category to its purpose, the GDPR Article 6 lawful basis, and how long we keep it.

DataPurposeBasis (Art 6)Retention
Email + password (hashed in Supabase Auth)Account access§1.b (contract)Account lifetime + 30 days
Name (display)UI personalisation§1.b (contract)Account lifetime
Front + side body photos (private bucket)Derive measurements (side deleted after); render try-on (front)§1.b (contract) + Art 9 §2.a (explicit consent for try-on)Side: immediately post-derivation. Front: 30 days from last use, then auto-purged
Body measurements (height, weight, chest, waist, hips, etc.)Size recommendations§1.b (contract)Account lifetime; deleted on erasure
Style preferences + occasion picksOutfit generation§1.b (contract)Account lifetime; deleted on erasure
Recommendation sessions + generated outfitsService delivery + history§1.b (contract)13 months from creation OR account deletion (whichever first)
Try-on imagery (cached)Skip re-generation; persistent gallery§1.b (contract)Deleted with the underlying recommendation session
Anonymous session cookie + token hashMatch an anonymous shopper back to their data on subsequent requests (Safari ITP-safe)§1.b (contract — strictly necessary)13 months OR until the cookie expires
Stripe customer + subscription IDs + plan + statusBilling§1.b (contract) + §1.c (legal obligation — bookkeeping)10 years (French Code de commerce art. L123-22)
Legal-acceptance proof (IP, user-agent, version, timestamp)Prove clickwrap consent under Art 7 §1§1.f (legitimate interest in proving consent)Account lifetime + 5 years (French Code civil art. 2224)
Server logs (timestamps, request paths, errors)Operations + security + abuse detection§1.f (legitimate interest)~30 days (Vercel + Supabase default)

We never collect: government-issued IDs, payment card numbers (Stripe handles those — we only see customer IDs), location data beyond IP country inference, advertising identifiers, or biometric templates used for unique person identification.

3. Body photos + Article 9 (special-category data)

Body-scan photos are notprocessed to uniquely identify you as an individual — they are processed to estimate body dimensions and render try-on imagery. We treat them as Article 9 “biometric- adjacent” data anyway and process them only under your explicit consent (Art 9 §2.a), captured at signup and re-requested per session before the first try-on render.

You can withdraw consent at any time from your Account → Your datapage; deleting your account erases every photo (front + side derivatives) from our private bucket before deleting any database rows. Withdrawing consent does not affect the lawfulness of past processing.

4. Who we share data with (subprocessors)

We share strictly the minimum data each subprocessor needs to perform its role under a written DPA. We never sell, rent, trade, or share personal data for marketing purposes.

SubprocessorRoleRegion + transfer mechanismDPA
SupabaseAuthentication, primary database, private object storage for body-scan photosIreland (eu-west-1) — data at rest in the EU; entity is Supabase Inc. (US)
Transfer mechanism: Standard Contractual Clauses (SCCs) for any US-based admin access
DPA →
VercelApplication hosting + CDN edge servingGlobal edge with EU regions for app rendering; corporate entity Vercel Inc. (US)
Transfer mechanism: EU-US Data Privacy Framework (Vercel is DPF-certified)
DPA →
StripeSubscription billing + payment processingIreland for EU customers; corporate entity Stripe Payments Europe Ltd.
Transfer mechanism: Intra-EU transfer (no Chapter V mechanism required)
DPA →
CloudflareBot protection (Turnstile) + DDoS mitigationGlobal edge; corporate entity Cloudflare Inc. (US)
Transfer mechanism: EU-US Data Privacy Framework (Cloudflare is DPF-certified)
DPA →
Google (Gemini API)Generative AI — outfit recommendations from product catalogue + your measurementsUnited States — Google LLC
Transfer mechanism: EU-US Data Privacy Framework (Google Cloud is DPF-certified)
DPA →
fal.aiVirtual try-on imagery — generates the look on your front photoUnited States — fal AI Inc.
Transfer mechanism: Standard Contractual Clauses (SCCs) on file; ask fal directly for their DPA
DPA →
UpstashRate-limiting + abuse protection (Redis)EU region available; corporate entity Upstash Inc. (US)
Transfer mechanism: SCCs + EU region enabled — see Trust Center
DPA →

We will notify you 30 days in advance of adding any new subprocessor via this page (you can subscribe to a feed by checking back monthly or following Aplomb on a public channel).

5. International transfers (Chapter V)

Several subprocessors are headquartered in the United States. GDPR Chapter V allows such transfers when an adequate mechanism is in place:

  • EU-US Data Privacy Framework (DPF): Vercel, Cloudflare, Google Cloud (Gemini). The European Commission recognised DPF as adequate in July 2023; you can verify each company's current DPF certification at dataprivacyframework.gov.
  • Standard Contractual Clauses (SCCs): Supabase Inc. (parent), Stripe, fal.ai, Upstash. We use the European Commission's 2021 SCC templates.
  • Intra-EU only: Stripe Payments Europe Ltd. (Ireland) handles all European billing data — no transfer outside the EEA.

A copy of any transfer mechanism we rely on is available by emailing privacy@aplomb-app.com.

6. How we protect your data

Photos are stored in a private object bucket that is unreadable without short-lived signed URLs we generate server-side. All transport uses HTTPS with HSTS preload. Session tokens use SHA-256 hashing and constant-time comparison. Row-level security policies enforce per-user access to database rows. We log access to private buckets and review for anomalies.

We've set technical limits to prevent abuse (rate-limiting per IP, Cloudflare Turnstile on sign-up, file-size + MIME caps on photo uploads) and to make denial-of-service costly to attackers.

7. Your rights

As a data subject in the EU/EEA, you have the following rights. Most can be exercised directly from your account, in-app:

  • Access (Art 15) — see what we hold. Use Account → Export my data.
  • Rectification (Art 16) — fix wrong details. Edit your name from Account; for email, contact us.
  • Erasure (Art 17) — delete everything. Use Account → Danger zone. Your photos are removed from storage before any database row is deleted.
  • Restriction (Art 18) — pause processing while a dispute is resolved. Contact us.
  • Portability (Art 20) — receive your data in JSON. Same export link as Access above.
  • Object (Art 21) — to processing on legitimate-interest grounds. Contact us with your reasons.
  • Withdraw consent (Art 7 §3) — wherever processing is on consent (e.g., try-on photos). Deleting the account is the most thorough way; consent withdrawal does not undo past processing.

We respond within one month (Art 12 §3). You can also lodge a complaint with your local supervisory authority — for residents of France, that is the CNIL (cnil.fr/fr/plaintes).

8. Anonymous shoppers (no account)

When you use Aplomb's widget through a brand's site without signing up, we identify your session via an opaque token stored in a cookie (the hash, not the token, is stored in our database). Because we cannot link that token back to a real identity, Art 11 §2 applies: we cannot fulfil access or erasure requests on this anonymous data on our own — but you can present the cookie token back to us to prove ownership and request a deletion. To take direct control of your data, create a free account.

Anonymous data is auto-purged 13 months after the last activity.

9. Cookies and local storage

We use only strictly necessarycookies and local storage today — no analytics, no ad tracking, no profiling beyond what's needed to operate the service. Under the ePrivacy Directive, strictly-necessary storage does not require a consent banner.

  • aplomb_session_token — anonymous shopper session (httpOnly cookie, 7 days)
  • client_plan — your shopper plan (httpOnly cookie, 1 year)
  • next-auth.session-token — your signed-in session (httpOnly cookie, 30 days)
  • aplomb_wardrobe — locally cached saved looks (localStorage)
  • SCAN_COUNT_KEY — monthly scan counter for quota UI (localStorage)
  • Cloudflare Turnstile cookies (one-time bot-check)

If we ever add analytics or marketing storage, we'll publish a full cookie banner with a reject option as prominent as the accept option, in compliance with CNIL guidelines.

10. Marketing communications

We send only transactional emails by default (welcome, password reset, billing). Marketing emails (newsletter, product updates, promotions) require a separate opt-in checkbox at signup or a dedicated subscribe action — never bundled with general consent. Every marketing email contains a one-click unsubscribe link.

11. Changes to this policy

We bump the policy version (2026-05-31) on every material change and store proof of your acceptance. When the policy materially changes, you may be asked to re-accept before continuing to use Aplomb. Non-material edits (typos, clarifications) don't change the version.

12. Contacting us

For any privacy-related question — exercising your rights, asking about subprocessors, querying retention, etc. — email privacy@aplomb-app.com. For everything else, use hello@aplomb-app.com.