Nouva ("we," "us," "our," or the "Company") operates the Nouva mobile application (the "App"), an AI-powered digital closet and fashion styling platform. This Privacy Policy ("Policy") describes in detail how we collect, use, process, share, store, and protect your personal information when you access or use the App, and the rights and choices available to you regarding your information.
This Policy applies to all users of the App, including users located in the United States (including California residents protected under the California Consumer Privacy Act as amended by the California Privacy Rights Act, collectively "CCPA/CPRA"), the United Kingdom ("UK"), and other jurisdictions where the App is available. References to the "GDPR" mean the UK General Data Protection Regulation (the EU General Data Protection Regulation (Regulation (EU) 2016/679) as retained in UK law by the European Union (Withdrawal) Act 2018, commonly referred to as the "UK GDPR"), read together with the Data Protection Act 2018.
IMPORTANT — AI PROCESSING NOTICE: This App uses artificial intelligence and machine learning technologies to process your images. Your photographs may be analyzed by on-device AI systems and transmitted to cloud-based AI services for processing. Please read Section 4 (Artificial Intelligence and Automated Processing) carefully before using the App.
By downloading, installing, accessing, or using the App, you acknowledge that you have read, understood, and agree to the collection and processing of your information as described in this Policy. If you do not agree with any part of this Policy, please do not use the App.
- Definitions
- Information We Collect
- How We Use Your Information
- Artificial Intelligence and Automated Processing
- Legal Bases for Processing (UK Users)
- How We Share Your Information
- Third-Party Processors and Sub-Processors
- International Data Transfers
- Data Retention
- Your Privacy Rights
- Account Deletion
- Data Portability and Export
- Children's Privacy and Age Verification
- Biometric and Image Data
- Data Security
- Data Breach Notification
- Analytics, Advertising, and Tracking Technologies
- Do Not Track Signals
- Links to Third-Party Services
- Changes to This Privacy Policy
- Contact Us
- Additional Disclosures for California Residents
- Additional Disclosures for UK Residents
1. Definitions
For the purposes of this Policy, the following terms have the meanings set forth below:
"Personal Information" (also referred to as "Personal Data") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes, but is not limited to, names, email addresses, device identifiers, photographs, usage data, and location data.
"Processing" means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this Policy, Nouva is the Controller of your Personal Data.
"Processor" means a natural or legal person which processes Personal Data on behalf of the Controller.
"User Content" means any photographs, images, text, descriptions, tags, categories, or other materials that you upload, submit, store, or transmit through the App.
"AI-Generated Content" means outfit combinations, style recommendations, background-removed images, fashion embeddings, and other content created by our artificial intelligence and machine learning systems based on your User Content.
"Service" means the Nouva mobile application and all related features, tools, and functionality provided through it.
2. Information We Collect
We collect information from and about you in several ways. The categories of information we collect depend on how you interact with the App and which features you use.
2.1 Information You Provide Directly
When you create an account, use features, or communicate with us, you may provide the following information:
Account and Profile Information. When you register for the App, we collect information necessary to create and verify your account. If you sign up using Google Sign-In or Apple Sign-In, we receive your name, email address, and profile photograph (if you choose to share it) from the authentication provider. During the registration process, you are required to verify your phone number through a multi-step phone verification process; we collect and store your phone number for account verification and security purposes. You may also provide additional profile information such as a display name, biography, or style preferences within the App.
Closet and Wardrobe Data. The core function of the App involves uploading and organizing photographs of your clothing items. When you add items to your digital closet, we collect: the photographs you upload; item descriptions, names, and notes you add; categories, tags, colors, and attributes you assign; brand, size, and price information you provide; and any outfit associations or groupings you create.
Style Preferences and Interactions. As you use the App, you may provide style preferences through explicit selections (such as favorite colors, preferred styles, or occasion preferences) and through implicit signals generated by your interactions with the App (such as items you view, outfits you save, or recommendations you engage with).
Location Data. When you enable location-based features (such as weather-appropriate outfit suggestions or nearby store discovery), we collect your precise or approximate geographic location through your device's GPS, Wi-Fi, or cellular network signals. You can disable location access at any time through your device's operating system settings, though this may limit certain features.
Communications and Support. When you contact us for customer support, provide feedback, report a problem, or otherwise communicate with us, we collect the content of your messages, your contact information, and any attachments or files you send.
Survey and Research Responses. If you participate in surveys, research studies, beta testing, or promotional activities, we collect the information you provide in connection with those activities.
2.2 Information Collected Automatically
When you access or use the App, we automatically collect certain information about your device, your usage, and your interactions:
Device Information. We collect information about the device you use to access the App, including: device type, model, and manufacturer; operating system type and version; unique device identifiers (such as IDFA on iOS, GAID on Android, and device-specific identifiers); mobile carrier and network information; device language and regional settings; screen resolution and display characteristics; and available storage space.
Usage and Interaction Data. We collect information about how you use the App, including: pages, screens, and features you access; actions you take (such as uploading items, generating outfits, saving recommendations); time and date of your interactions; duration and frequency of your sessions; navigation paths through the App; feature engagement metrics; and in-app search queries.
Performance and Diagnostic Data. We collect technical data to monitor and improve the App's performance, including: app crash reports and error logs; performance metrics (load times, response times, frame rates); memory and CPU usage statistics; and network request performance data.
Log Data. Our servers automatically record certain information when you access the App, including: your Internet Protocol (IP) address; the type and version of your device's operating system; the date and time of your request; and the referring application or source (if applicable).
2.3 Information Generated Through AI Processing
Our AI and machine learning systems generate additional information based on your User Content:
Fashion Embeddings and Vectors. Our machine learning models create mathematical representations (known as "embeddings" or "vectors") of your clothing items. These are numerical representations that capture the visual characteristics, style attributes, and fashion properties of your garments. They are used for similarity matching, style analysis, and recommendation generation.
Segmentation Data. Our AI systems generate background-removed versions of your clothing images by separating the clothing item from the surrounding background. This process creates new, processed versions of your photographs that isolate the garments.
AI-Generated Outfit Combinations. Based on your wardrobe items and style preferences, our AI generates outfit combinations, mixing and matching items from your closet to suggest coordinated looks.
Style Classification Data. Our systems may classify your items and overall wardrobe by style characteristics (such as casual, formal, sporty, or bohemian), color palette, seasonal appropriateness, and occasion suitability.
2.4 Information from Third-Party Sources
We may receive information about you from third-party sources, including:
Authentication Providers. When you sign in using Google or Apple, we receive basic profile information that you have authorized those services to share with us, as described in Section 2.1. When you verify your phone number during registration, Firebase Authentication processes your phone number to deliver a verification code via SMS.
App Store Platforms. Apple App Store and Google Play Store may share certain transaction and subscription information with us through our payment processor (RevenueCat) in connection with your purchases.
Analytics Partners. Our analytics partners (Firebase Analytics) may provide us with aggregated or de-identified insights about user behavior, demographics, and engagement patterns.
2.5 Information We Do Not Collect
For the avoidance of doubt, Nouva does not collect the following categories of information: Social Security numbers, government-issued identification numbers, or national identity numbers; financial account numbers, credit card numbers, debit card numbers, or other payment card information (payment processing is handled entirely by the Apple App Store, Google Play Store, and RevenueCat — we never receive or store your payment details); health or medical information; genetic data; biometric identifiers as defined under the Illinois Biometric Information Privacy Act (BIPA), such as fingerprints, voiceprints, facial geometry scans, or retina scans (see Section 14 for details on our image processing); or information about your racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sexual orientation. Note: while we collect your phone number for account verification purposes (see Section 2.1), we do not use it for marketing calls, SMS marketing, or any purpose other than account security and verification unless we obtain your separate consent.
3. How We Use Your Information
We use the Personal Information we collect for the following purposes. Each purpose is linked to a lawful basis for processing as described in Section 5.
3.1 Providing and Operating the App
We use your information to deliver the core features of the App, including: creating, maintaining, and securing your user account; storing, organizing, and displaying your digital closet and wardrobe items; processing your images through AI systems to enable features such as background removal, outfit generation, and style recommendations (see Section 4 for complete details); delivering personalized outfit suggestions based on your wardrobe, preferences, and contextual factors such as weather and occasion; enabling location-based features when you choose to share your location; syncing your data across devices and sessions; and processing and managing your subscription through RevenueCat and the applicable app store.
3.2 Personalization and Recommendations
We use your information to personalize your experience within the App, including: tailoring outfit recommendations based on your wardrobe composition, style preferences, and past interactions; customizing the App's interface, content, and feature suggestions based on your usage patterns; learning your style preferences over time to improve recommendation relevance; and suggesting new items, brands, or styles based on your existing wardrobe.
3.3 Communication
We use your information to communicate with you, including: sending service-related notifications (such as feature updates, maintenance notices, and security alerts); responding to your customer support inquiries and feedback; sending push notifications related to App features (such as outfit suggestions), which you can manage through your device settings; and providing information about new features, promotions, or updates (with your consent where required).
3.4 Improvement, Research, and Development
We use your information to improve and develop the App, including: analyzing aggregate usage patterns and trends to understand how the App is used; identifying and fixing bugs, errors, and technical issues; developing and testing new features and improvements; conducting internal research and analysis using anonymized or aggregated data; and monitoring App performance, stability, and reliability.
3.5 Advertising
For users on the free tier, we facilitate the display of advertisements through Google Mobile Ads. In connection with advertising, we may share device identifiers and general usage data with Google to enable ad personalization. You can manage your advertising preferences through your device settings (see Section 17).
3.6 Safety, Security, and Fraud Prevention
We use your information to protect the safety and security of the App, our users, and our business, including: detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity; enforcing our Terms of Service and other policies; protecting against technical vulnerabilities, attacks, and abuse; verifying user identity in connection with privacy rights requests; and monitoring for violations of our Acceptable Use policies.
3.7 Legal Compliance
We use your information to comply with applicable laws, regulations, legal processes, and government requests, including: responding to subpoenas, court orders, and other legal processes; meeting regulatory reporting and disclosure requirements; establishing, exercising, or defending legal claims; and cooperating with law enforcement investigations when legally required.
4. Artificial Intelligence and Automated Processing
Nouva is built around AI and machine learning technologies. Transparency about how these systems operate is a core principle of our service. This section provides detailed information about each AI system we use, what data it processes, where processing occurs, and how you can control it.
4.1 On-Device AI Processing
The following AI processing occurs entirely on your mobile device. Your images are not transmitted to any external server for these functions, and we do not receive or store the intermediate processing data generated by these systems:
Google ML Kit — Subject Segmentation. When you upload a photo of a clothing item, our App uses Google ML Kit's Subject Segmentation model to automatically detect and separate the clothing item from the background of your photograph. This technology runs locally on your device using your phone's neural processing capabilities. The model identifies the subject (your clothing item) and creates a mask that allows us to isolate it from the surrounding environment. Google does not receive your images through this process, and no data about your images is transmitted to Google's servers.
Google ML Kit — Image Labeling. Our App uses Google ML Kit's Image Labeling model to automatically identify and categorize clothing items in your photographs. This model runs locally on your device and can detect attributes such as garment type (shirt, dress, pants), color, pattern, and other visual characteristics. Like Subject Segmentation, this processing is entirely on-device, and Google does not receive your images.
4.2 Cloud-Based AI Processing
The following AI processing involves transmitting your image data to cloud-based servers. We disclose each system, the specific data transmitted, the third party involved (if any), the purpose, and the data retention practices:
Fal.ai — AI Outfit Generation. When you request AI-generated outfit combinations or virtual try-on features, your clothing item images are transmitted to Fal.ai's cloud servers for processing. Fal.ai is a third-party AI infrastructure provider based in the United States. Fal.ai processes your images solely for the purpose of generating the requested outfit combinations and returns the results to the App. According to Fal.ai's data processing terms, your images are processed transiently and are not retained by Fal.ai beyond the duration of the processing session. Your images are not used by Fal.ai to train or improve their models. We have entered into a Data Processing Agreement with Fal.ai that governs the processing of your data.
CLIP/PyTorch — Fashion Embedding Generation. Your clothing images are transmitted to our own machine learning backend (hosted on Google Cloud Platform infrastructure) for processing by CLIP (Contrastive Language-Image Pre-training) and PyTorch-based models. These models create "fashion embeddings" — mathematical vector representations that encode the visual and stylistic characteristics of your clothing items. These embeddings are used for: matching similar items across your wardrobe; generating style-based recommendations; calculating outfit compatibility scores; and enabling "find similar" search functionality. The embeddings are stored in your user profile on our servers and are deleted when you delete the corresponding item or your account.
Firebase Cloud Functions — Style Processing. Certain style analysis, outfit scoring, and recommendation logic is executed through Firebase Cloud Functions (serverless computing on Google Cloud Platform). These functions may process your clothing item metadata, embeddings, and wardrobe composition to generate recommendations. This processing occurs on Google Cloud infrastructure under our Data Processing Agreement with Google.
4.3 Automated Decision-Making and Profiling
Nouva uses automated processing to generate outfit recommendations, style suggestions, and wardrobe analysis. Under the GDPR (Article 22) and similar regulations, you have rights related to automated decision-making. We provide the following information:
Nature of automated decisions. Our AI systems generate outfit recommendations, style classifications, and wardrobe suggestions based on automated analysis of your clothing images, wardrobe composition, style preferences, and usage patterns. These recommendations are purely advisory and are designed to inspire and assist you with outfit selection.
Significance and effects. The automated decisions made by our AI systems do not produce legal effects concerning you and do not significantly affect you in a similar way. Specifically, our automated processing does not affect your access to the Service, your pricing, your eligibility for any features, your credit or financial standing, your employment or housing prospects, or any other decision with material consequences. You are always free to ignore, modify, or override any recommendation.
Logic involved. Our recommendation system considers factors such as: the visual characteristics of your clothing items (color, pattern, style, formality); compatibility algorithms based on fashion principles encoded in our AI models; your stated style preferences and past interactions with recommendations; contextual factors you provide (such as occasion, weather, or destination); and collaborative filtering based on aggregate, anonymized style patterns.
Your rights. Even though our automated processing does not meet the threshold for GDPR Article 22 protections (decisions producing legal or similarly significant effects), we respect your right to: request human review of any automated recommendation by contacting our support team; express your point of view regarding any automated output; adjust your style preferences at any time to influence future recommendations; and opt out of specific automated features by contacting us at nouva@uniquepresident.com.
4.4 AI Model Training and Your Data
We do not use your personal images or User Content to train, fine-tune, or improve general-purpose AI models. Your wardrobe data is processed solely to deliver the App's personalization features to you individually.
Specifically: your images are not used to train new AI models; your images are not included in training datasets; your images are not shared with AI model providers (Fal.ai, Google, or others) for the purpose of model improvement; and we do not use your data to create synthetic training data for AI development.
We may use anonymized, aggregated, and de-identified data (from which no individual user can be identified) for internal research and development purposes, such as understanding aggregate fashion trends, improving recommendation algorithms at a system level, or evaluating new features. This aggregated data cannot be linked back to you.
If our practices regarding AI model training change in the future, we will: update this Privacy Policy; provide you with clear notice of the change; and obtain your explicit, informed consent before using your personal data for any new AI training purpose.
5. Legal Bases for Processing (UK Users)
If you are located in the United Kingdom, we are required under the UK GDPR to identify a lawful basis for each category of Personal Data processing. The following table sets forth our legal bases:
| Processing Activity | Legal Basis (GDPR Article) | Explanation |
|---|---|---|
| Account creation and management | Art. 6(1)(b) — Performance of contract | Necessary to provide the Service you have requested |
| Phone number verification and storage | Art. 6(1)(b) — Performance of contract | Necessary to verify your identity during registration and to secure your account |
| Storing and organizing your digital closet | Art. 6(1)(b) — Performance of contract | Core feature of the Service |
| On-device AI processing (ML Kit) | Art. 6(1)(b) — Performance of contract | Integral part of the Service functionality; no data leaves your device |
| Cloud-based AI processing (Fal.ai, CLIP) | Art. 6(1)(a) — Consent | You consent to cloud AI processing when you use features that require it; consent is collected through the App's onboarding flow |
| Fashion embedding generation and storage | Art. 6(1)(b) — Performance of contract | Necessary to power recommendation features you have requested |
| Personalization and recommendations | Art. 6(1)(f) — Legitimate interest | Our legitimate interest in providing a useful, personalized service; balanced against your interests through data minimization and transparency |
| Firebase Analytics (usage data) | Art. 6(1)(a) — Consent | Consent collected through the App in compliance with Google Consent Mode v2 |
| Firebase Performance Monitoring | Art. 6(1)(f) — Legitimate interest | Our legitimate interest in maintaining a reliable, performant App; minimal personal data processed |
| Advertising (Google Mobile Ads, free tier) | Art. 6(1)(a) — Consent | Consent collected through the App before personalized ads are shown |
| Push notifications | Art. 6(1)(a) — Consent | Consent collected through your device's notification settings |
| Security and fraud prevention | Art. 6(1)(f) — Legitimate interest | Our legitimate interest in protecting the App, users, and business from fraud and abuse |
| Responding to customer support requests | Art. 6(1)(b) — Performance of contract | Necessary to provide the support service you requested |
| Legal compliance and regulatory obligations | Art. 6(1)(c) — Legal obligation | Necessary to comply with applicable laws and regulations |
| Establishing, exercising, or defending legal claims | Art. 6(1)(f) — Legitimate interest | Our legitimate interest in protecting our legal rights |
Consent withdrawal. Where we rely on your consent as the legal basis for processing, you have the right to withdraw your consent at any time. You can withdraw consent through the App's privacy settings, by disabling specific features, or by contacting us at nouva@uniquepresident.com. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
Legitimate interest balancing. Where we rely on legitimate interest as the legal basis for processing, we have conducted a Legitimate Interest Assessment (LIA) for each processing activity to ensure that our interests do not override your fundamental rights and freedoms. These assessments consider: the nature and purpose of the processing; the reasonable expectations of users; the impact on individuals; and the safeguards we have in place (including data minimization, pseudonymization, transparency, and user control). You have the right to object to processing based on legitimate interest at any time (see Section 10).
6. How We Share Your Information
We do not sell your Personal Information, and we have not sold Personal Information in the preceding twelve (12) months. We do not "share" your Personal Information for cross-context behavioral advertising purposes as defined under the CCPA/CPRA.
We disclose your Personal Information only in the following limited circumstances:
6.1 Service Providers and Data Processors
We engage third-party service providers ("Processors") to perform services on our behalf. These Processors process your Personal Information only as necessary to provide their services to us and are contractually prohibited from using your data for their own purposes. Each Processor is bound by a written Data Processing Agreement ("DPA") that requires them to: process Personal Information only on our documented instructions; maintain appropriate technical and organizational security measures; notify us promptly of any data breach; assist us with data subject rights requests; delete or return all Personal Information upon termination of the service; and permit audits of their data processing practices. See Section 7 for the complete list of Processors and Sub-Processors.
6.2 Legal Requirements and Law Enforcement
We may disclose your Personal Information if we believe in good faith that such disclosure is necessary to: comply with a legal obligation, including a court order, subpoena, search warrant, or other valid legal process; respond to a request from a governmental authority or regulatory body; protect and defend the rights, property, or safety of Nouva, our users, or the public; prevent or investigate possible wrongdoing in connection with the App; or enforce our Terms of Service and other agreements. When permitted by law, we will attempt to notify you before disclosing your Personal Information in response to legal process.
6.3 Business Transfers
In the event that Nouva is involved in a merger, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy, or other change of ownership or control (whether in whole or in part), your Personal Information may be transferred, assigned, or disclosed to the acquiring entity or its advisors as part of the transaction. In such event: we will notify you via email and/or a prominent notice within the App before your Personal Information is transferred and becomes subject to a different privacy policy; you will have the opportunity to delete your account and data before the transfer is completed; and the acquiring entity will be bound by the commitments made in this Privacy Policy until it provides you with notice of changes.
6.4 With Your Explicit Consent
We may share your Personal Information with third parties when you have given us your explicit, informed, and freely given consent to do so. We will clearly inform you of the recipient, the purpose, and the data being shared before requesting your consent.
6.5 Aggregated and De-Identified Data
We may share aggregated, de-identified, or otherwise anonymized information that cannot reasonably be used to identify you with third parties for any purpose, including industry analysis, research, marketing, and trend reporting. This data is not Personal Information and is not subject to the restrictions in this Policy.
7. Third-Party Processors and Sub-Processors
The following third-party services process Personal Information on our behalf as Data Processors. We maintain current Data Processing Agreements with each Processor and regularly review their data protection practices.
| Processor | Category | Purpose and Services | Personal Data Processed | Data Location | DPA Status |
|---|---|---|---|---|---|
| Google Cloud Platform / Firebase | Infrastructure | Cloud infrastructure, hosting, Firestore database, Firebase Storage (file storage), Firebase Authentication (including phone number verification via SMS), Firebase Cloud Functions (serverless compute), Firebase Performance Monitoring, Firebase Crashlytics | Account data, phone numbers, closet images, wardrobe metadata, AI-generated content, fashion embeddings, usage data, performance data, crash logs, authentication tokens | United States (primary region: us-central1), with automatic replication across Google Cloud regions | Active (Google Cloud Data Processing Terms) |
| Fal.ai | AI Processing | AI-powered outfit generation and image processing | Clothing item images (transmitted for processing; not retained beyond processing session) | United States | Active |
| RevenueCat | Payments | Subscription management, purchase tracking, entitlement management | App User ID, subscription status, purchase history, transaction IDs (no payment card details — those are handled by app stores) | United States | Active |
| Google Mobile Ads (AdMob) | Advertising | Display advertising for free-tier users | Device advertising identifier (IDFA/GAID), general usage data, ad interaction data | United States and global Google infrastructure | Active (Google Ads Data Processing Terms) |
| Google (Authentication) | Authentication | Google Sign-In identity verification | OAuth tokens, email address, display name, profile photo URL (if shared by user) | United States | Active (Google Cloud Data Processing Terms) |
| Apple | Authentication | Sign in with Apple identity verification | OAuth tokens, email address (user may choose to hide), display name | United States | Active (Apple's standard terms) |
| Google Maps / Places | Location | Location search, place discovery, map display | Search queries, selected locations (only when location features are used) | United States and global | Active (Google Maps Platform Terms) |
Sub-Processor notifications. We maintain an up-to-date list of Sub-Processors. If you would like to receive notifications when we add or change Sub-Processors, please contact us at nouva@uniquepresident.com to subscribe to Sub-Processor change notifications. For UK users, we will provide at least 14 days' advance notice of new Sub-Processor appointments, during which you may raise objections.
8. International Data Transfers
Your Personal Information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from the laws of your country.
8.1 Transfers from the UK
When we transfer Personal Data from the UK to countries that have not received an adequacy decision from the European Commission or UK government (including the United States), we ensure that appropriate safeguards are in place through one or more of the following mechanisms:
Standard Contractual Clauses (SCCs). We use the European Commission's Standard Contractual Clauses (adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021) as the primary transfer mechanism with our Processors. For transfers of UK Personal Data, we use the UK International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018). The applicable SCCs are incorporated into our Data Processing Agreements with each Processor.
EU-U.S. Data Privacy Framework. Where our Processors are certified under the EU-U.S. Data Privacy Framework (and the UK Extension thereto), as determined by the European Commission's adequacy decision of 10 July 2023, we may rely on this framework as a valid transfer mechanism in addition to SCCs.
Supplementary Measures. Where our transfer impact assessments identify that the legal framework in the destination country does not provide essentially equivalent protection to that in the UK, we implement supplementary technical, organizational, and contractual measures. These may include: encryption of Personal Data in transit and at rest using industry-standard encryption algorithms; pseudonymization of Personal Data where feasible; access controls and multi-factor authentication for personnel accessing Personal Data; contractual commitments from Processors to challenge or resist government access requests and notify us where legally permitted; and data minimization to limit the volume of Personal Data transferred.
8.2 Transfer Impact Assessments
We have conducted Transfer Impact Assessments (TIAs) for each international data transfer to evaluate: the laws and practices in the destination country, particularly regarding government access to data; the effectiveness of the transfer mechanism (SCCs, DPF) in light of those laws; whether supplementary measures are necessary and sufficient to ensure essentially equivalent protection; and the nature, scope, and sensitivity of the Personal Data being transferred. Our TIAs are reviewed periodically and updated when there are material changes to the legal landscape in destination countries.
8.3 Your Rights Regarding Transfers
You may request a copy of the applicable Standard Contractual Clauses, transfer impact assessments, and other transfer-related documentation by contacting us at nouva@uniquepresident.com.
9. Data Retention
We retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. When the retention period expires, we either delete or irreversibly anonymize the data.
9.1 Retention Schedule
The following table sets forth our retention periods for each category of Personal Information:
| Data Category | Retention Period | Legal Basis / Justification | Deletion Method |
|---|---|---|---|
| Account profile information (name, email, phone number, profile photo) | Duration of active account + 30 days after account deletion request | Contract performance; 30-day grace period enables account recovery | Permanent deletion from Firebase Auth and Firestore |
| Closet images (uploaded photographs) | Duration of active account; deleted upon account deletion | Contract performance (core feature) | Permanent deletion from Firebase Storage |
| Wardrobe metadata (item descriptions, categories, tags, attributes) | Duration of active account; deleted upon account deletion | Contract performance (core feature) | Permanent deletion from Firestore |
| AI-generated outfits and recommendations | Duration of active account; deleted upon account deletion | Contract performance | Permanent deletion from Firestore |
| Fashion embeddings and vectors | Duration of active account; deleted upon account deletion | Contract performance (powers recommendations) | Permanent deletion from Firestore |
| Segmentation data (background-removed images) | Duration of active account; deleted upon account deletion | Contract performance | Permanent deletion from Firebase Storage |
| Usage and interaction data (Firebase Analytics) | 26 months from the date of collection | Legitimate interest (App improvement and analytics) | Automatic expiration per Firebase Analytics retention settings |
| Performance and diagnostic data (Firebase Performance, Crashlytics) | 90 days from the date of collection | Legitimate interest (App stability and reliability) | Automatic expiration per Firebase retention settings |
| Authentication and security logs | 12 months from the date of the log entry | Legitimate interest (security, fraud prevention, and incident investigation) | Automatic deletion |
| Transaction and subscription records (RevenueCat purchase history) | 7 years after the date of the transaction | Legal obligation (tax, financial, and accounting record-keeping requirements) | Deletion after legal retention period expires |
| Customer support communications | 3 years after resolution of the support inquiry | Legitimate interest (quality assurance, dispute resolution, and training) | Permanent deletion |
| Location data | Not stored persistently; used only during the active session for location-based features | Contract performance | Session data discarded when session ends |
| Advertising identifiers and ad interaction data | Managed by Google Mobile Ads per their retention policies; we do not independently store this data | Consent | Managed by Google |
9.2 Criteria for Determining Retention Periods
In establishing the retention periods set forth above, we have considered: the amount, nature, and sensitivity of the Personal Information; the potential risk of harm from unauthorized use or disclosure; the purposes for which we process the data and whether we can achieve those purposes through other means; applicable legal, regulatory, tax, accounting, or other requirements; and industry standards and best practices.
9.3 Anonymization and Aggregation
When data reaches the end of its retention period, it is either permanently deleted or irreversibly anonymized. Anonymized data (from which no individual can be identified, either directly or indirectly, alone or in combination with other data) is no longer Personal Information and may be retained indefinitely for aggregate statistical analysis, trend reporting, and product improvement.
10. Your Privacy Rights
We respect your rights regarding your Personal Information. The rights available to you depend on your location and the applicable law. This section describes your rights and how to exercise them.
10.1 Rights Available to All Users
Regardless of your location, all Nouva users have the following rights:
Right to Access. You have the right to request access to the Personal Information we hold about you. We will provide you with a copy of your data in a commonly used, machine-readable format (see also Section 12 on Data Portability).
Right to Correction. You have the right to request correction of inaccurate or incomplete Personal Information. You can correct most account and profile information directly within the App, or you can contact us for assistance.
Right to Deletion. You have the right to request deletion of your Personal Information, subject to certain exceptions described in Section 11. You can initiate account deletion directly within the App.
Right to Withdraw Consent. Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
10.2 Additional Rights for UK Users (GDPR)
If you are located in the United Kingdom, you have the following additional rights under the UK GDPR:
Right to Data Portability (Art. 20). You have the right to receive the Personal Information you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. This right applies to data processed based on your consent or for the performance of a contract, and where processing is carried out by automated means. See Section 12 for details.
Right to Restriction of Processing (Art. 18). You have the right to request restriction of processing of your Personal Information in certain circumstances, including: when you contest the accuracy of the data (for a period enabling us to verify accuracy); when the processing is unlawful and you oppose erasure; when we no longer need the data but you need it for legal claims; and when you have objected to processing pending verification of whether our legitimate grounds override yours.
Right to Object (Art. 21). You have the right to object, on grounds relating to your particular situation, to processing of your Personal Information based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims. You have the absolute right to object to processing for direct marketing purposes at any time.
Rights Related to Automated Decision-Making (Art. 22). You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. As explained in Section 4.3, our automated processing does not meet this threshold. Nevertheless, you may request human intervention, express your point of view, and contest any automated decision by contacting us.
Right to Lodge a Complaint. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk.
10.3 Additional Rights for California Residents (CCPA/CPRA)
See Section 22 (Additional Disclosures for California Residents) for a comprehensive description of your rights under California law, including the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to limit use of sensitive personal information.
10.4 How to Exercise Your Rights
You may exercise your privacy rights through any of the following methods:
In-App. Access your privacy settings through Profile > Settings > Privacy to manage consent, download your data, or initiate account deletion.
Email. Send a request to nouva@uniquepresident.com specifying: the right you wish to exercise; sufficient information for us to verify your identity (such as the email address associated with your account); and any additional details relevant to your request.
Authorized Agents. California residents may designate an authorized agent to submit requests on their behalf. Agents must provide: written authorization signed by the consumer; proof of the agent's identity; and sufficient information to verify the consumer's identity. We may still contact the consumer directly to verify the request.
10.5 Verification
To protect your privacy and the security of your Personal Information, we verify your identity before fulfilling rights requests. Verification methods may include: confirming your identity through your authenticated App session; matching information you provide with information we have on file; or sending a verification code to the email address associated with your account. We will not fulfill a request if we cannot verify your identity to a reasonable degree of certainty.
10.6 Response Timelines
| Regulation | Acknowledgment | Substantive Response | Extension |
|---|---|---|---|
| UK GDPR | Promptly (best practice: within 3 business days) | 30 days from receipt | +60 days (with notice and explanation) |
| CCPA/CPRA | 10 business days | 45 calendar days | +45 days (with notice) |
10.7 Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. Specifically, we will not: deny you goods or services; charge you different prices or rates; provide you a different level or quality of goods or services; or suggest that you may receive a different price or level of service. This applies regardless of which right you exercise, regardless of jurisdiction.
11. Account Deletion
You have the right to delete your account and associated Personal Information at any time. We have designed our account deletion process to be comprehensive, transparent, and in compliance with GDPR, CCPA/CPRA, and other applicable data protection laws.
11.1 How to Delete Your Account
You may request account deletion through either of the following methods:
In-App deletion. Navigate to Profile > Settings > Delete Account. You will be asked to confirm your deletion request. Upon confirmation, the deletion process begins immediately.
Email request. Send a deletion request to nouva@uniquepresident.com from the email address associated with your account. We will verify your identity and initiate the deletion process within 3 business days.
11.2 Deletion Process and Timeline
Our account deletion follows a structured process designed to balance your right to deletion with the practical need for error recovery:
Step 1 — Immediate deactivation (Day 0). Upon confirmation of your deletion request: your account is immediately deactivated; your profile and content become inaccessible to other users; you are signed out of all devices; and any active subscription is flagged for cancellation (you must also cancel directly through the Apple App Store or Google Play Store to stop recurring charges).
Step 2 — Grace period (Days 1–30). Your data is retained in a deactivated state for 30 calendar days. During this period: your data is not accessible to anyone, including our staff (except as needed for legal compliance); you may reactivate your account by signing back in, which will restore all your data; and no AI processing occurs on your data. This grace period exists to protect you from accidental deletion or unauthorized account deletion by a third party.
Step 3 — Permanent deletion (Day 31). After the 30-day grace period expires, we permanently and irreversibly delete the following data: your account profile and authentication credentials from Firebase Authentication; all closet images and photographs from Firebase Storage; all wardrobe metadata, item descriptions, categories, tags, and attributes from Firestore; all AI-generated outfit combinations, recommendations, and style data from Firestore; all fashion embeddings and vector representations from Firestore; all segmentation data and processed images from Firebase Storage; your user preferences, style settings, and App configuration; and your data held by third-party Processors (we send deletion requests to Fal.ai and RevenueCat to remove your associated data).
Step 4 — Confirmation (Day 31+). Upon completion of the deletion process, we send a confirmation to the email address associated with your (now-deleted) account.
11.3 Data We May Retain After Deletion
Certain limited categories of data may be retained after account deletion where required by law or where a legitimate basis exists:
Transaction and subscription records. We retain records of financial transactions for up to 7 years after the transaction date to comply with tax, financial, and accounting obligations. These records contain only transaction identifiers, amounts, and dates — not your closet images or personal content.
Anonymized aggregate data. Statistical and analytical data that has been irreversibly anonymized (and thus is no longer Personal Information) may be retained indefinitely.
Legal hold data. If your data is subject to a litigation hold, regulatory investigation, or other legal preservation obligation, we will retain the necessary data until the hold is released, after which it will be promptly deleted.
Fraud prevention records. If your account was terminated for violations of our Terms of Service (such as fraud or abuse), we may retain limited identification data for a reasonable period to prevent re-registration and protect the safety of our users.
12. Data Portability and Export
You have the right to receive a copy of your Personal Information in a structured, commonly used, and machine-readable format. We provide this through our Data Export feature.
12.1 What Your Export Includes
Your data export package will include the following, provided as a ZIP archive:
Closet images. All photographs you uploaded, in their original format and resolution (JPEG or PNG), organized by item.
Wardrobe metadata. A JSON file containing all item details: names, descriptions, categories, tags, colors, brands, sizes, prices, and creation dates.
AI-generated content. A folder containing: all AI-generated outfit combinations created for you (as images, where available); and a JSON file listing all outfit recommendations, including the items included in each outfit.
Account information. A JSON file containing your profile data: name, email address, phone number, account creation date, subscription status, and preference settings.
Style preferences. A JSON file containing your configured style preferences, favorite categories, and recommendation settings.
12.2 How to Request an Export
In-App. Navigate to Profile > Settings > Export My Data. The App will prepare your export and notify you when it is ready for download.
Email. Send a request to nouva@uniquepresident.com and we will prepare and deliver your export package.
12.3 Export Timeline and Format
We will provide your data export within 30 days of your request. In most cases, exports are available within 7 business days. The export is delivered as a ZIP archive containing the files described above, which you can open and use with standard software.
13. Children's Privacy and Age Verification
Nouva is not designed for, marketed to, or intended for use by children. We take children's privacy seriously and comply with the Children's Online Privacy Protection Act ("COPPA") in the United States and Article 8 of the GDPR in the UK.
13.1 Age Requirements
United States. You must be at least 13 years old to create an account and use the App, in accordance with COPPA.
United Kingdom. You must be at least 13 years old to create an account and use the App, in accordance with the UK Age Appropriate Design Code and UK GDPR. (Note: While the UK has set the age of digital consent at 13, parental consent is required for users between 13 and 16.)
All other jurisdictions. You must be at least 16 years old to create an account and use the App, unless a higher age is required by the laws of your jurisdiction.
13.2 Age Verification
During account registration, users are required to confirm that they meet the applicable minimum age requirement. We implement the following age verification measures: an age confirmation step during the account creation flow, where users must affirm they meet the minimum age requirement; and monitoring for indicators that suggest a user may be under the applicable age threshold.
13.3 What We Do If a Child Creates an Account
If we discover or are informed that we have collected Personal Information from a child who does not meet the applicable age requirement: we will immediately deactivate the account; we will delete all Personal Information associated with the account as promptly as possible, and in all cases within 30 days of discovery; we will not use the child's data for any purpose other than deletion; and we will notify the parent or guardian if we have their contact information.
13.4 Parental Rights
If you are a parent or legal guardian and believe that your child has created an account on Nouva or provided Personal Information to us without your consent, please contact us immediately at nouva@uniquepresident.com. We will take prompt steps to investigate and, if confirmed, delete the child's account and Personal Information.
13.5 No Targeted Advertising to Minors
We do not knowingly serve targeted or personalized advertising to any user under 18 years of age. If a user's age indicates they are under 18, we will disable personalized advertising for that user.
14. Biometric and Image Data
Nouva's core functionality involves processing photographs of clothing items using AI and machine learning. Because some jurisdictions have enacted laws specifically governing the collection and use of biometric data and image-derived information, we provide the following detailed disclosures.
14.1 Nature of Our Image Processing
Our image processing is designed to analyze clothing and garments, not to identify, recognize, or analyze human beings. Specifically:
What our AI analyzes. Our AI systems analyze: the visual characteristics of clothing items (color, pattern, texture, silhouette, style); garment type and category (shirt, pants, dress, jacket, etc.); clothing brand logos or text (when visible and relevant to categorization); background content (for the purpose of removing it and isolating the garment); and overall outfit composition and compatibility.
What our AI does NOT analyze. Our AI systems do not analyze: facial features, facial geometry, or facial expressions; body measurements, body shape, or body composition; gait, posture, or movement patterns; skin characteristics, hair, or other physical features of individuals; iris patterns, fingerprints, voiceprints, or other biometric identifiers; or any other characteristics used to identify a specific individual based on their physical, physiological, or behavioral features.
14.2 Biometric Data Classification
We do not believe that our image processing constitutes the collection, capture, or storage of "biometric identifiers" or "biometric information" as those terms are defined under the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), the Washington Biometric Identifier statute (RCW 19.375), or similar state biometric privacy laws. Our reasoning is as follows: we do not use facial recognition or facial geometry scanning technology; the mathematical representations (embeddings) generated by our systems encode clothing characteristics, not human biological characteristics; our segmentation technology is designed to isolate garments from backgrounds, not to scan, analyze, or map human features; and the data generated by our systems cannot be used to identify a specific individual based on their biological characteristics.
14.3 Your Consent for Image Processing
Regardless of our classification of the data, we obtain your consent for image processing as follows: when you first use the App, you are informed that your clothing photos will be processed by AI systems for closet management, outfit generation, and style recommendations; by uploading photos and using the App's AI features, you affirmatively consent to such processing; you may withdraw consent at any time by deleting individual items (which deletes the images and all derived data) or by deleting your account (which deletes all of your data as described in Section 11); and you are not required to upload photos to use the App (though core features depend on it).
14.4 Illinois, Texas, Washington, and Other State Residents
If you reside in a state with a biometric privacy law and have questions or concerns about how your photographs are processed, we encourage you to contact us at nouva@uniquepresident.com. We are committed to transparency about our image processing practices and will provide additional information upon request.
15. Data Security
We implement a comprehensive set of technical and organizational measures designed to protect your Personal Information against unauthorized access, alteration, disclosure, destruction, and other forms of unlawful processing.
15.1 Technical Measures
Encryption. All data transmitted between the App and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher. Data stored in Firebase / Google Cloud Platform is encrypted at rest using AES-256 encryption. Encryption keys are managed by Google Cloud's Key Management Service (KMS).
Authentication and Access Control. User authentication is handled through Firebase Authentication using industry-standard OAuth 2.0 protocols with Google and Apple identity providers and SMS-based phone verification. Access to our backend systems and databases is restricted to authorized personnel using role-based access controls (RBAC), multi-factor authentication (MFA), and the principle of least privilege.
Infrastructure Security. Our backend services run on Google Cloud Platform, which maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and other certifications. Firebase Cloud Functions execute in isolated, sandboxed environments. Secret management (API keys, credentials) is handled through Firebase Secret Manager, ensuring that sensitive credentials are never stored in source code or configuration files.
15.2 Organizational Measures
Access Restrictions. Access to Personal Information is limited to authorized personnel who require access to perform their job functions. All personnel with access to Personal Data are bound by confidentiality obligations.
Security Review. We conduct periodic security reviews of our codebase, infrastructure configuration, and data processing practices. Third-party dependencies are monitored for known vulnerabilities.
Incident Response. We maintain an incident response plan that defines procedures for detecting, assessing, containing, and recovering from security incidents (see Section 16).
15.3 Limitations
While we employ industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your Personal Information. If you have reason to believe that your account has been compromised, please contact us immediately at nouva@uniquepresident.com.
16. Data Breach Notification
We maintain a Data Breach Response Plan that defines our procedures for detecting, assessing, containing, and responding to personal data breaches.
16.1 Definition of a Data Breach
A "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored, or otherwise processed.
16.2 Detection and Assessment
We use automated monitoring, logging, and alerting systems to detect potential security incidents. Upon detection of a potential breach, we promptly assess: the nature and scope of the breach; the categories and approximate number of individuals affected; the categories and approximate volume of Personal Data affected; the likely consequences for affected individuals; and the measures taken or proposed to address the breach and mitigate its effects.
16.3 Notification to Regulatory Authorities
GDPR (UK). We will notify the relevant supervisory authority within 72 hours of becoming aware of a Personal Data Breach that is likely to result in a risk to the rights and freedoms of individuals. The notification will include: the nature of the breach, including the categories and approximate number of individuals and data records concerned; the name and contact details of our Data Protection contact; a description of the likely consequences of the breach; and a description of the measures taken or proposed to address the breach.
CCPA/CPRA (California). We will notify the California Attorney General if a breach affects more than 500 California residents. Individual notification is provided as described below.
Other Jurisdictions. We comply with breach notification requirements in all applicable jurisdictions, including any state-level breach notification laws in the United States.
16.4 Notification to Affected Individuals
If a Personal Data Breach is likely to result in a high risk to your rights and freedoms (under GDPR) or involves your Personal Information (under applicable state breach notification laws), we will notify you without undue delay through: email notification to the address associated with your account; in-app notification upon your next login; and, where required by law, notification by mail or public notice.
Our notification to you will include: a description of the breach in clear, plain language; the types of Personal Information involved; what steps we have taken and are taking to address the breach; what steps you can take to protect yourself; and contact information for our team to answer your questions.
17. Analytics, Advertising, and Tracking Technologies
17.1 Firebase Analytics
We use Firebase Analytics (provided by Google) to collect usage and engagement data that helps us understand how the App is used and identify areas for improvement. Firebase Analytics collects data such as: session duration and frequency; screens viewed and features used; user engagement events (such as uploading items, generating outfits, saving recommendations); device and operating system information; and general geographic information (country/region level).
UK Users. For users located in the UK, Firebase Analytics data collection is subject to your consent, collected through the App in compliance with Google Consent Mode v2. If you do not provide consent, analytics data will not be collected from your device.
Opt-Out. You can disable analytics data collection through the App's privacy settings (Profile > Settings > Privacy > Analytics).
17.2 Firebase Performance Monitoring
We use Firebase Performance Monitoring to collect technical performance data, including: app startup time; HTTP request latency and success rates; screen rendering performance; and custom performance traces for critical App operations.
This data is used solely for technical optimization and does not include the content of your User Content. Firebase Performance Monitoring runs under our legitimate interest in maintaining a reliable App.
17.3 Firebase Crashlytics
We use Firebase Crashlytics to collect crash reports and error data that help us identify, diagnose, and fix bugs and technical issues. Crash reports may include: device state at the time of the crash; stack traces and error messages; device model and operating system version; and an anonymized crash instance identifier.
17.4 Google Mobile Ads
For users on the free tier, the App displays advertisements served by Google Mobile Ads (AdMob). In connection with advertising: Google may collect your device's advertising identifier (IDFA on iOS, GAID on Android); ad personalization is subject to your consent (for UK users) and your device's ad tracking settings; and you can manage your advertising preferences through your device settings (Settings > Privacy > Advertising on iOS; Settings > Google > Ads on Android).
We do not share your closet images, wardrobe data, or AI-generated content with advertising networks.
17.5 No Web Cookies
As a mobile application, Nouva does not use web browser cookies. However, the SDKs described above may use local storage mechanisms on your device (such as shared preferences or local databases) to store configuration and state information necessary for their operation.
18. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals. As Nouva is a mobile application and not a website, we do not currently respond to DNT signals. For information about managing tracking and advertising on your mobile device, please see Section 17.4.
19. Links to Third-Party Services
The App may contain links to, or integrations with, third-party websites, applications, or services that are not owned or controlled by Nouva (such as fashion retailers, style inspiration content, or social media platforms). This Privacy Policy does not apply to the practices of third parties. We encourage you to read the privacy policies of any third-party services you access through the App. We are not responsible for the content, privacy practices, or security of third-party services.
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations.
20.1 How We Notify You
Material changes. For changes that materially affect how we collect, use, or share your Personal Information, we will: provide at least 30 days' advance notice before the changes take effect; notify you via email to the address associated with your account; display a prominent notice within the App; and, where required by law, obtain your consent before implementing the changes.
Non-material changes. For minor changes (such as typographical corrections, clarifications that do not alter the substance of the Policy, or updates to contact information), we will update the "Last Updated" date at the top of this Policy. We encourage you to review this Policy periodically.
20.2 Changes Requiring Fresh Consent
Certain categories of changes will always require us to obtain your fresh, explicit consent before they take effect, including: introducing new categories of Personal Information collection; using your data for materially different purposes; sharing your data with new categories of third parties for their own purposes; and changing our AI training practices to include your Personal Data.
20.3 Your Choices
If you do not agree with an updated Privacy Policy, you may: delete your account and data before the changes take effect (see Section 11); or contact us to discuss your concerns at nouva@uniquepresident.com. Your continued use of the App after the effective date of an updated Policy constitutes your acceptance of the updated Policy.
21. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy, our data practices, or your privacy rights, you may contact us through the following channels:
Nouva Privacy Team Email: nouva@uniquepresident.com Mailing Address: 54b Trundleys Road, 26 Anayah Apartments, London SE8 5FB, United Kingdom
Response Times. We aim to respond to all privacy-related inquiries within 5 business days. Formal rights requests are subject to the response timelines described in Section 10.6.
Data Protection Officer. We have not appointed a Data Protection Officer as we do not meet the appointment thresholds under UK GDPR Article 37. However, our Privacy Team handles all data protection inquiries and can be reached at the contact details above.
22. Additional Disclosures for California Residents
This section provides additional information required under the California Consumer Privacy Act (as amended by the California Privacy Rights Act, collectively "CCPA/CPRA") for California residents.
22.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of Personal Information (as defined by the CCPA, Cal. Civ. Code § 1798.140(v)):
| CCPA Category | Examples from Nouva | Source | Business Purpose |
|---|---|---|---|
| A. Identifiers | Name, email address, phone number, unique device identifiers, IP address, account ID | You (via sign-in and phone verification), automatically | Account management, identity verification, service delivery |
| B. Personal information categories listed in Cal. Civ. Code § 1798.80(e) | Name, email address, telephone number | You (via sign-in and phone verification) | Account management, identity verification |
| D. Commercial information | Subscription tier, purchase history, transaction records | You, RevenueCat | Subscription management |
| F. Internet or other electronic network activity | App usage data, interaction data, feature engagement | Automatically | App improvement, analytics |
| G. Geolocation data | Precise location (when enabled for weather/location features) | You (via device permissions) | Location-based features |
| H. Sensory data | Photographs of clothing items (audio, visual, thermal, olfactory, or similar information) | You (via upload) | Core App features, AI processing |
| K. Inferences drawn from the above | Style preferences, fashion embeddings, wardrobe analysis, outfit compatibility scores | AI processing | Personalization, recommendations |
22.2 Categories Not Collected
We do not collect: Protected classification characteristics (race, religion, sexual orientation, etc.); biometric information (as defined under the CCPA); education information; or professional or employment information.
22.3 Sale and Sharing of Personal Information
We do not sell your Personal Information. We have not sold Personal Information in the preceding 12 months.
We do not share your Personal Information for cross-context behavioral advertising. As defined under the CCPA/CPRA, "sharing" means disclosing Personal Information to a third party for cross-context behavioral advertising purposes. We do not engage in this practice.
22.4 Sensitive Personal Information
We may collect the following categories of Sensitive Personal Information (as defined under the CCPA/CPRA): precise geolocation (only when you enable location features). We use this Sensitive Personal Information only for the purposes of providing the location-based features you have requested. You have the right to limit our use of Sensitive Personal Information to purposes necessary to provide the Service.
22.5 Your California Privacy Rights
As a California resident, you have the following rights:
Right to Know. You have the right to request that we disclose: the categories of Personal Information we have collected about you; the categories of sources from which we collected it; our business or commercial purpose for collecting or selling it; the categories of third parties with whom we share it; and the specific pieces of Personal Information we have collected about you.
Right to Delete. You have the right to request deletion of your Personal Information, subject to certain exceptions (such as data necessary for completing a transaction, detecting security incidents, complying with legal obligations, or enabling solely internal uses that are reasonably aligned with your expectations).
Right to Correct. You have the right to request correction of inaccurate Personal Information.
Right to Opt Out of Sale/Sharing. Because we do not sell or share (as defined by the CCPA/CPRA) your Personal Information, there is no need to opt out. If our practices change, we will provide a "Do Not Sell or Share My Personal Information" link.
Right to Limit Use of Sensitive Personal Information. You may limit our use of Sensitive Personal Information (precise geolocation) to purposes necessary to provide the Service by disabling location permissions on your device.
Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.
How to Exercise Your Rights. See Section 10.4 for details on how to submit requests.
22.6 Financial Incentive Programs
We do not offer financial incentives or price differences in exchange for the retention or sale of your Personal Information.
22.7 Metrics (Annual Disclosure)
In accordance with CCPA regulations, we will publish annual metrics regarding consumer rights requests (access, deletion, opt-out) on our website, including the number of requests received, complied with (in whole or in part), and denied, as well as the median response time.
23. Additional Disclosures for UK Residents
This section provides additional information for users located in the United Kingdom.
23.1 Identity and Contact Details of the Controller
The controller of your Personal Data is:
Nouva Unique President Ltd. 54b Trundleys Road, 26 Anayah Apartments, London SE8 5FB, United Kingdom nouva@uniquepresident.com
23.2 Data Protection Impact Assessments
We have conducted Data Protection Impact Assessments (DPIAs) under GDPR Article 35 for the following processing activities that are likely to result in high risk to individuals: cloud-based AI processing of user photographs (Fal.ai and CLIP); fashion embedding generation and storage; and personalized profiling for style recommendations. These DPIAs evaluate the necessity and proportionality of the processing, assess the risks to individuals, and identify measures to mitigate those risks. Our DPIAs are reviewed annually or when there are material changes to the relevant processing activities.
23.3 Records of Processing Activities
In accordance with GDPR Article 30, we maintain records of our processing activities, including: the purposes of processing; the categories of data subjects and Personal Data; the categories of recipients; details of international transfers; retention periods; and a description of technical and organizational security measures. These records are available to supervisory authorities upon request.
23.4 Right to Lodge a Complaint
If you believe that our processing of your Personal Data infringes the UK GDPR, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
You also have the right to an effective judicial remedy against the ICO or against Nouva if you consider that your rights under the UK GDPR have been infringed.
This Privacy Policy is provided to assist with legal workflows. It should be reviewed by qualified legal professionals before publication. Regulatory requirements change frequently; verify current requirements with authoritative sources. This document does not constitute legal advice.