Legal
Privacy Policy.
Version 2026-05-31 · Last updated 2026-05-31 · Drafted under GDPR (Regulation (EU) 2016/679) and the French Loi Informatique et Libertés
1. Who we are (data controller)
Aplomb is operated by Aplomb SAS, a French société par actions simplifiée (SAS) — [SIREN to be assigned], headquartered at [Postal address — to be added once the SAS siège social is registered].
We are the data controller for the personal data described in this policy. The brands you discover through Aplomb are our commercial partners, not joint controllers of your scan data.
Privacy contact: privacy@aplomb-app.com. We do not currently have a designated Data Protection Officer — under GDPR Art 37 §1.b, a DPO becomes mandatory once we cross the “regular and systematic monitoring on a large scale” threshold; we'll appoint one before that.
2. What data we collect, why, and on what legal basis
The table below maps every personal-data category to its purpose, the GDPR Article 6 lawful basis, and how long we keep it.
| Data | Purpose | Basis (Art 6) | Retention |
|---|---|---|---|
| Email + password (hashed in Supabase Auth) | Account access | §1.b (contract) | Account lifetime + 30 days |
| Name (display) | UI personalisation | §1.b (contract) | Account lifetime |
| Front + side body photos (private bucket) | Derive measurements (side deleted after); render try-on (front) | §1.b (contract) + Art 9 §2.a (explicit consent for try-on) | Side: immediately post-derivation. Front: 30 days from last use, then auto-purged |
| Body measurements (height, weight, chest, waist, hips, etc.) | Size recommendations | §1.b (contract) | Account lifetime; deleted on erasure |
| Style preferences + occasion picks | Outfit generation | §1.b (contract) | Account lifetime; deleted on erasure |
| Recommendation sessions + generated outfits | Service delivery + history | §1.b (contract) | 13 months from creation OR account deletion (whichever first) |
| Try-on imagery (cached) | Skip re-generation; persistent gallery | §1.b (contract) | Deleted with the underlying recommendation session |
| Anonymous session cookie + token hash | Match an anonymous shopper back to their data on subsequent requests (Safari ITP-safe) | §1.b (contract — strictly necessary) | 13 months OR until the cookie expires |
| Stripe customer + subscription IDs + plan + status | Billing | §1.b (contract) + §1.c (legal obligation — bookkeeping) | 10 years (French Code de commerce art. L123-22) |
| Legal-acceptance proof (IP, user-agent, version, timestamp) | Prove clickwrap consent under Art 7 §1 | §1.f (legitimate interest in proving consent) | Account lifetime + 5 years (French Code civil art. 2224) |
| Server logs (timestamps, request paths, errors) | Operations + security + abuse detection | §1.f (legitimate interest) | ~30 days (Vercel + Supabase default) |
We never collect: government-issued IDs, payment card numbers (Stripe handles those — we only see customer IDs), location data beyond IP country inference, advertising identifiers, or biometric templates used for unique person identification.
3. Body photos + Article 9 (special-category data)
Body-scan photos are notprocessed to uniquely identify you as an individual — they are processed to estimate body dimensions and render try-on imagery. We treat them as Article 9 “biometric- adjacent” data anyway and process them only under your explicit consent (Art 9 §2.a), captured at signup and re-requested per session before the first try-on render.
You can withdraw consent at any time from your Account → Your datapage; deleting your account erases every photo (front + side derivatives) from our private bucket before deleting any database rows. Withdrawing consent does not affect the lawfulness of past processing.
4. Who we share data with (subprocessors)
We share strictly the minimum data each subprocessor needs to perform its role under a written DPA. We never sell, rent, trade, or share personal data for marketing purposes.
| Subprocessor | Role | Region + transfer mechanism | DPA |
|---|---|---|---|
| Supabase | Authentication, primary database, private object storage for body-scan photos | Ireland (eu-west-1) — data at rest in the EU; entity is Supabase Inc. (US) Transfer mechanism: Standard Contractual Clauses (SCCs) for any US-based admin access | DPA → |
| Vercel | Application hosting + CDN edge serving | Global edge with EU regions for app rendering; corporate entity Vercel Inc. (US) Transfer mechanism: EU-US Data Privacy Framework (Vercel is DPF-certified) | DPA → |
| Stripe | Subscription billing + payment processing | Ireland for EU customers; corporate entity Stripe Payments Europe Ltd. Transfer mechanism: Intra-EU transfer (no Chapter V mechanism required) | DPA → |
| Cloudflare | Bot protection (Turnstile) + DDoS mitigation | Global edge; corporate entity Cloudflare Inc. (US) Transfer mechanism: EU-US Data Privacy Framework (Cloudflare is DPF-certified) | DPA → |
| Google (Gemini API) | Generative AI — outfit recommendations from product catalogue + your measurements | United States — Google LLC Transfer mechanism: EU-US Data Privacy Framework (Google Cloud is DPF-certified) | DPA → |
| fal.ai | Virtual try-on imagery — generates the look on your front photo | United States — fal AI Inc. Transfer mechanism: Standard Contractual Clauses (SCCs) on file; ask fal directly for their DPA | DPA → |
| Upstash | Rate-limiting + abuse protection (Redis) | EU region available; corporate entity Upstash Inc. (US) Transfer mechanism: SCCs + EU region enabled — see Trust Center | DPA → |
We will notify you 30 days in advance of adding any new subprocessor via this page (you can subscribe to a feed by checking back monthly or following Aplomb on a public channel).
5. International transfers (Chapter V)
Several subprocessors are headquartered in the United States. GDPR Chapter V allows such transfers when an adequate mechanism is in place:
- EU-US Data Privacy Framework (DPF): Vercel, Cloudflare, Google Cloud (Gemini). The European Commission recognised DPF as adequate in July 2023; you can verify each company's current DPF certification at dataprivacyframework.gov.
- Standard Contractual Clauses (SCCs): Supabase Inc. (parent), Stripe, fal.ai, Upstash. We use the European Commission's 2021 SCC templates.
- Intra-EU only: Stripe Payments Europe Ltd. (Ireland) handles all European billing data — no transfer outside the EEA.
A copy of any transfer mechanism we rely on is available by emailing privacy@aplomb-app.com.
6. How we protect your data
Photos are stored in a private object bucket that is unreadable without short-lived signed URLs we generate server-side. All transport uses HTTPS with HSTS preload. Session tokens use SHA-256 hashing and constant-time comparison. Row-level security policies enforce per-user access to database rows. We log access to private buckets and review for anomalies.
We've set technical limits to prevent abuse (rate-limiting per IP, Cloudflare Turnstile on sign-up, file-size + MIME caps on photo uploads) and to make denial-of-service costly to attackers.
7. Your rights
As a data subject in the EU/EEA, you have the following rights. Most can be exercised directly from your account, in-app:
- Access (Art 15) — see what we hold. Use Account → Export my data.
- Rectification (Art 16) — fix wrong details. Edit your name from Account; for email, contact us.
- Erasure (Art 17) — delete everything. Use Account → Danger zone. Your photos are removed from storage before any database row is deleted.
- Restriction (Art 18) — pause processing while a dispute is resolved. Contact us.
- Portability (Art 20) — receive your data in JSON. Same export link as Access above.
- Object (Art 21) — to processing on legitimate-interest grounds. Contact us with your reasons.
- Withdraw consent (Art 7 §3) — wherever processing is on consent (e.g., try-on photos). Deleting the account is the most thorough way; consent withdrawal does not undo past processing.
We respond within one month (Art 12 §3). You can also lodge a complaint with your local supervisory authority — for residents of France, that is the CNIL (cnil.fr/fr/plaintes).
8. Anonymous shoppers (no account)
When you use Aplomb's widget through a brand's site without signing up, we identify your session via an opaque token stored in a cookie (the hash, not the token, is stored in our database). Because we cannot link that token back to a real identity, Art 11 §2 applies: we cannot fulfil access or erasure requests on this anonymous data on our own — but you can present the cookie token back to us to prove ownership and request a deletion. To take direct control of your data, create a free account.
Anonymous data is auto-purged 13 months after the last activity.
10. Marketing communications
We send only transactional emails by default (welcome, password reset, billing). Marketing emails (newsletter, product updates, promotions) require a separate opt-in checkbox at signup or a dedicated subscribe action — never bundled with general consent. Every marketing email contains a one-click unsubscribe link.
11. Changes to this policy
We bump the policy version (2026-05-31) on every material change and store proof of your acceptance. When the policy materially changes, you may be asked to re-accept before continuing to use Aplomb. Non-material edits (typos, clarifications) don't change the version.
12. Contacting us
For any privacy-related question — exercising your rights, asking about subprocessors, querying retention, etc. — email privacy@aplomb-app.com. For everything else, use hello@aplomb-app.com.