Privacy Policy

TheDress.ai Last Updated: March 2026 Effective Date: March 2026

1. Identity & Contact Details

TheDress.ai is operated by TheDress.ai, based in the United Kingdom.

Detail	Information
Service Name	TheDress.ai
Registered Address	United Kingdom
Data Protection Contact	TheDress.ai Privacy Team
Privacy Email	[email protected]
Website	https://thedress.ai

If you are located in the European Economic Area (EEA) or the United Kingdom, TheDress.ai acts as the data controller for the personal data processed through this service. We have not appointed an EU/UK representative under GDPR Article 27 at this time. If you have questions about your data, please contact us at [email protected].

2. What Data We Collect

We collect the following categories of personal data:

2.1 Selfie Photos & Biometric Data

Facial photographs (selfie images you upload)
Facial geometry and features extracted or inferred from your photos during AI image generation
These constitute biometric data under certain laws (EU/UK GDPR, Illinois BIPA, and others)

2.2 Account Data

Email address
Display name (if provided)
Password (hashed -- we never store plaintext passwords)
Authentication tokens and session identifiers
Account creation date and last login timestamp

2.3 Payment Data

Billing name and email
Payment method type (e.g., credit card brand, last four digits)
Transaction history, amounts, and dates
Stripe customer ID and subscription status
We do not store full credit card numbers, CVVs, or bank account details -- these are held exclusively by Stripe

2.4 Device & Usage Data

IP address
Browser type and version
Operating system and device type
Pages visited, features used, and session duration
Referral source (how you found us)
Crash logs and performance data

2.5 Cookies & Tracking Data

Google Analytics (GA4) identifiers and session data
Meta Pixel event data (page views, conversions)
Cookie consent preferences
See Section 9 for full details

3. Purposes of Processing & Legal Basis

3.1 Under EU/UK GDPR

Data Category	Purpose	Legal Basis (Article 6)	Additional Basis (Article 9, if applicable)
Selfie photos / biometric data	AI image generation -- creating visualizations of you in wedding attire	Consent (Art. 6(1)(a))	Explicit consent for biometric processing (Art. 9(2)(a))
Account data	Account creation, authentication, service delivery	Performance of contract (Art. 6(1)(b))	--
Payment data	Processing purchases, managing subscriptions, refunds	Performance of contract (Art. 6(1)(b))	--
Payment data	Tax and financial record-keeping	Legal obligation (Art. 6(1)(c))	--
Device & usage data	Service improvement, bug fixing, performance monitoring	Legitimate interest (Art. 6(1)(f))	--
Cookies (GA4, Meta Pixel)	Analytics and marketing attribution	Consent (Art. 6(1)(a))	--
All categories	Responding to legal requests and enforcing our terms	Legal obligation (Art. 6(1)(c)) / Legitimate interest (Art. 6(1)(f))	--

Legitimate interest balancing: Where we rely on legitimate interest, we have conducted balancing assessments to ensure our interests do not override your fundamental rights. You may request a copy of these assessments by contacting us.

3.2 Under UK Data Protection Act 2018

We process your personal data in accordance with the UK Data Protection Act 2018 and the UK GDPR. The legal bases for our processing are set out in the table above.

3.3 Under Other Jurisdictions

For users in Singapore (PDPA 2012), India (DPDP Act 2023), and other jurisdictions, we process data based on consent and/or as necessary for the performance of a contract with you, in accordance with applicable local law.

4. Biometric Data Notice

This section provides specific disclosures required by laws governing biometric data, including EU/UK GDPR (Article 9), Illinois BIPA, and other applicable regulations.

What biometric data we collect

When you upload a selfie photo, the image contains your facial features. During the AI image generation process, facial geometry, facial landmarks, and other biometric identifiers may be extracted, inferred, or processed by Google's Gemini AI to generate the output image of you in wedding attire.

How biometric data is processed

You upload a selfie photo through our app.
The photo is transmitted securely (TLS-encrypted) to Google's Gemini API servers for AI image generation.
Google Gemini processes facial features to generate the wedding attire visualization.
The generated image is returned to our platform and stored temporarily.

Retention of biometric data

Uploaded selfie photos: Automatically deleted within 30 days of upload.
Generated images: Automatically deleted within 30 days of creation.
Biometric data in transit: Not separately stored by us. Google's retention of data processed through the Gemini API is governed by Google's API data usage policies.

Biometric data is never sold

We do not sell, lease, trade, or otherwise profit from your biometric data. Biometric data is shared with Google Gemini solely for the purpose of generating your requested images.

Consent

Before uploading your first selfie, we request your explicit, informed consent to the collection and processing of your biometric data. You may withdraw consent at any time by deleting your account or contacting us.

> Illinois Residents: Please also refer to our standalone Biometric Data Policy (available at https://thedress.ai/biometric-policy) for disclosures required under the Illinois Biometric Information Privacy Act (BIPA), including written release requirements and specific retention and destruction schedules.

5. Third-Party Data Sharing

We share personal data with the following third-party service providers. We do not sell your personal data (see Section 8 for California-specific disclosures).

Third Party	Data Shared	Role	Purpose
Google Gemini API (Google LLC, USA)	Selfie photos, facial/biometric data	Data processor	AI image generation -- processing your photos to create wedding attire visualizations
Supabase (USA)	Account data (email, hashed password, auth tokens), uploaded photos, generated images	Data processor	Authentication, database hosting, file storage
Stripe (Stripe Inc., USA)	Billing name, email, payment method details, transaction data	Independent controller / Data processor	Payment processing, subscription management, fraud prevention
Google Analytics (GA4) (Google LLC, USA)	Device data, usage data, IP address (anonymized where required), cookie identifiers	Data processor	Website and app analytics, understanding usage patterns
Meta Pixel (Meta Platforms Inc., USA)	Page view events, conversion events, IP address, browser/device data	Independent controller / Data processor	Marketing attribution, conversion tracking, ad optimization

All processors are bound by data processing agreements (DPAs) that require them to process personal data only on our instructions and to maintain appropriate security measures.

We may also disclose personal data:

To comply with legal obligations, court orders, or government requests
To enforce our Terms of Service
To protect the rights, safety, or property of our users or the public
In connection with a merger, acquisition, or sale of assets (with prior notice to you)

6. International Data Transfers

TheDress.ai is based in the United Kingdom. Your personal data may be transferred to and processed in countries outside your jurisdiction, including the United States, where our key service providers (Google, Supabase, Stripe, Meta) operate.

Safeguards for EU/UK transfers

For transfers of personal data from the EEA or UK to countries not recognized as providing adequate protection, we rely on:

EU-US Data Privacy Framework (DPF): Google LLC and Meta Platforms Inc. are certified under the DPF. Stripe Inc. is also a DPF participant.
Standard Contractual Clauses (SCCs): Where DPF certification is not applicable, we execute the European Commission's Standard Contractual Clauses (SCCs) with our processors, including the UK International Data Transfer Addendum where required.
Supplementary measures: Including encryption in transit, access controls, and data minimization.

Safeguards for Asia-Pacific transfers

UK adequacy decisions: Where applicable, we transfer data to countries recognised as providing adequate protection by the UK Secretary of State.
Singapore PDPA: Transfers are protected by contractual arrangements ensuring a comparable standard of protection.
India DPDP Act: We transfer data only to jurisdictions not restricted by the Central Government, or under contractual safeguards.

You may request a copy of the relevant transfer safeguards by contacting us at [email protected].

7. Data Retention

Data Type	Retention Period	Deletion Method
Uploaded selfie photos	30 days from upload	Automatic deletion from storage
Generated wedding attire images	30 days from creation	Automatic deletion from storage
Account data	Until you delete your account, or 12 months of inactivity	Manual deletion on request; automatic deletion after inactivity period
Payment and transaction records	As required by applicable tax and financial law (typically 7 years)	Deleted after legal retention period expires
Device and usage data (analytics)	14 months (aligned with GA4 default retention)	Automatic expiry within GA4 and Meta systems
Cookie consent records	Until consent is withdrawn or expires	Cleared on withdrawal or expiry

When you delete your account:

Your selfie photos and generated images are deleted immediately (or within 30 days if not already expired).
Account data is deleted from active systems within 30 days.
Residual copies in encrypted backups are purged within 90 days.
Payment records subject to legal retention obligations are retained as required by law, then deleted.

8. Your Rights

8.1 EU/UK GDPR Rights

If you are in the European Economic Area or the United Kingdom, you have the right to:

Access your personal data (Article 15)
Rectify inaccurate or incomplete data (Article 16)
Erase your data ("right to be forgotten") (Article 17)
Restrict processing in certain circumstances (Article 18)
Data portability -- receive your data in a structured, machine-readable format (Article 20)
Object to processing based on legitimate interest or direct marketing (Article 21)
Withdraw consent at any time, without affecting the lawfulness of prior processing (Article 7(3))
Not be subject to automated decision-making, including profiling, that produces legal or similarly significant effects (Article 22)

Response timeframe: We will respond to your request within 30 days. If the request is complex, we may extend this by a further 60 days with notice.

8.2 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the right to:

Know what personal information we collect, use, disclose, and sell
Delete your personal information
Correct inaccurate personal information
Opt out of the sale or sharing of personal information
Limit the use and disclosure of sensitive personal information
Non-discrimination for exercising your privacy rights

CCPA Disclosure Table

Category of PI (per Cal. Civ. Code 1798.140)	Examples Collected	Sources	Business Purpose	Third Parties Disclosed To
A. Identifiers	Email address, display name, IP address, Stripe customer ID	Directly from you; automatically collected	Account creation, service delivery, payment processing, analytics	Supabase, Stripe, Google Analytics, Meta Pixel
B. Personal information (Cal. Civ. Code 1798.80(e))	Name, email address	Directly from you	Account management, communications	Supabase, Stripe
D. Commercial information	Purchase history, transaction amounts, subscription status	Directly from you; Stripe	Payment processing, service delivery	Stripe
F. Internet or electronic network activity	Browser type, pages visited, session data, referral source	Automatically collected	Analytics, service improvement, marketing attribution	Google Analytics (GA4), Meta Pixel
H. Sensory data	Selfie photographs	Directly from you	AI image generation	Google Gemini API, Supabase (storage)
Sensitive PI: Biometric information	Facial geometry/features from uploaded selfies	Directly from you (inferred during AI processing)	AI image generation	Google Gemini API

Sale and sharing of personal information:

We do not sell personal information as defined by the CCPA.
We may share personal information (device/usage data) with Google Analytics and Meta Pixel for cross-context behavioral advertising purposes. You have the right to opt out of this sharing.
To opt out, use our cookie settings or contact us at [email protected].

Sensitive personal information: We collect biometric data (selfie photos / facial features) solely for AI image generation. We do not use sensitive personal information for purposes beyond what is necessary to provide the service. You may limit this use at any time by not uploading photos or by deleting your account.

Authorized agents: You may designate an authorized agent to submit requests on your behalf by providing written authorization to [email protected].

Financial incentives: We do not offer financial incentives related to the collection of personal information.

8.3 Singapore PDPA Rights

Under the Personal Data Protection Act 2012, you have the right to:

Access your personal data in our possession
Correct errors or omissions in your personal data
Withdraw consent for the collection, use, or disclosure of your personal data
Request information about how your data has been used or disclosed in the past year

8.4 India DPDP Act Rights

Under the Digital Personal Data Protection Act 2023, as a Data Principal you have the right to:

Access information about your personal data being processed
Correct and erase your personal data
Grievance redressal -- contact our Grievance Officer at [email protected]
Nominate another person to exercise your rights in certain circumstances

8.5 UK Data Protection Rights

Under the UK GDPR and Data Protection Act 2018, you have the same rights as described in Section 8.1 above.

8.6 General Rights (All Users)

Regardless of your location, you may:

Access your personal data
Delete your account and associated data
Correct inaccurate personal data
Withdraw consent for optional processing (e.g., cookies, marketing)

To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing your request.

9. Cookies & Tracking Technologies

We use cookies and similar tracking technologies on our website and app.

Cookies we use

Cookie / Technology	Provider	Type	Purpose	Data Collected
Google Analytics (GA4)	Google LLC	Analytics	Understanding site usage, page views, user journeys, performance	Anonymized IP, session ID, device data, pages visited, events
Meta Pixel	Meta Platforms Inc.	Marketing	Conversion tracking, ad performance measurement, audience building	Page views, conversion events, IP address, browser data
Session cookies	Supabase	Strictly necessary	Authentication, keeping you logged in	Session token
Consent cookie	TheDress.ai	Strictly necessary	Remembering your cookie preferences	Consent choices

Consent before loading

We implement a consent management platform that:

Loads only strictly necessary cookies before you provide consent
Requires your affirmative opt-in before loading GA4 or Meta Pixel (as required by EU/UK GDPR and the ePrivacy Directive)
Allows you to change your preferences at any time via the cookie settings link in the app footer

Manage your cookie preferences: Use the "Cookie Settings" option in the app footer to update your preferences at any time.

Do Not Track

We respect the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we treat it as a valid opt-out of the sale/sharing of personal information under the CCPA.

10. AI & Automated Processing

How we use AI

TheDress.ai uses Google Gemini AI to generate images of you in wedding attire based on the selfie photos you upload. This involves:

Submitting your uploaded photo to the Google Gemini API
AI processing of your facial features to generate a realistic visualization
Returning the generated image for you to view and optionally save

No automated decision-making with legal effect

The AI processing performed by our service is purely creative and generative. We do not use AI or automated processing to make decisions that produce legal effects or similarly significant effects concerning you (e.g., we do not use AI for credit decisions, employment screening, or access to services).

EU AI Act transparency

In accordance with the EU AI Act (Regulation 2024/1689):

We disclose that content generated by our service is AI-generated. Generated images are labeled accordingly.
The AI system used (Google Gemini) processes biometric data (facial features) for the purpose of image generation. Users are clearly informed of this before uploading photos.
We classify our use as a limited-risk AI system subject to transparency obligations, and we comply with applicable requirements.

Human oversight

You control whether to upload photos and which photos to upload.
You may delete any uploaded or generated images at any time.
No consequential decisions are made about you based on AI output.

11. Children's Privacy

TheDress.ai is intended for users aged 18 and older. We do not knowingly collect personal data from children.

Age verification

At account registration, users must confirm they are 18 years of age or older.
Users must confirm they are 18 or older via a checkbox confirmation during account creation.

Accidental collection

If we become aware that we have inadvertently collected personal data from a person under 18, we will:

Immediately delete all personal data associated with that account, including any uploaded photos, generated images, and biometric data.
Terminate the account.
Notify the individual (or their parent/guardian, where feasible) of the deletion.

If you believe a child under 18 has provided personal data to us, please contact us immediately at [email protected].

Specific age thresholds by jurisdiction

Jurisdiction	Minimum Age for Processing	Basis
EU/EEA	16 (or lower as set by member state, minimum 13)	GDPR Article 8
United Kingdom	13	UK GDPR / Age Appropriate Design Code
United States (COPPA)	13	Children's Online Privacy Protection Act
United Kingdom	13	UK GDPR / Data Protection Act 2018
Singapore	18 (our policy)	PDPA 2012
India	18 (our policy)	DPDP Act 2023

Our service applies an 18+ age requirement globally, which exceeds the minimum in all jurisdictions listed above.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Technical measures

Encryption in transit: All data transmitted between your device and our servers, and between our servers and third-party services, is encrypted using TLS 1.2 or higher.
Encryption at rest: Stored data (including photos and generated images) is encrypted at rest using industry-standard encryption provided by our infrastructure providers.
Content safety screening: Uploaded images are screened for inappropriate content before AI processing.
Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
Authentication security: Passwords are hashed using bcrypt (or equivalent) via Supabase Auth. We never store plaintext passwords.

Organizational measures

Vendor assessments: We evaluate the security practices of all third-party processors before engagement.
Regular security reviews: We conduct periodic reviews of our security measures and update them as needed, at least annually.
Incident response: We maintain an incident response plan. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR).
Employee training: Team members with access to personal data receive security awareness training.

Limitation

While we take security seriously, no system is 100% secure. We cannot guarantee the absolute security of your data. If you suspect unauthorized access to your account, contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How we notify you

Non-material changes: We will update the "Last Updated" date at the top of this policy.
Material changes: We will provide at least 30 days' advance notice via:
Email to the address associated with your account
A prominent in-app notification
Changes requiring re-consent: If a material change affects the legal basis for processing (e.g., changes to biometric data processing or new categories of sensitive data), we will request your renewed explicit consent before applying the change to your data.

Your options

If you do not agree with an updated policy, you may delete your account before the changes take effect. Continued use of the service after the effective date of a revised policy constitutes acceptance of the changes (except where re-consent is required).

14. Contact Us & Complaints

How to reach us

Method	Details
Email	[email protected]
Postal Mail	United Kingdom (contact via email for postal address)
Data Protection Contact	TheDress.ai Privacy Team, reachable at [email protected]

Response timeframes

Jurisdiction	Request Type	Response Time
EU/UK (GDPR)	Data subject access / rights request	30 days (extendable by 60 days for complex requests, with notice)
California (CCPA/CPRA)	Consumer rights request	45 days (extendable by an additional 45 days, with notice)
UK (DPA 2018)	Data subject request	30 days
Singapore (PDPA)	Data access / correction request	30 days
India (DPDP)	Grievance	30 days
All other jurisdictions	General request	30 days

Filing a complaint

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

Jurisdiction	Authority	Contact
United Kingdom	Information Commissioner's Office (ICO)	ico.org.uk
EU Member State	Your local Data Protection Authority	edpb.europa.eu
California, USA	California Attorney General	oag.ca.gov
Illinois, USA	Illinois Attorney General	illinoisattorneygeneral.gov
Singapore	Personal Data Protection Commission (PDPC)	pdpc.gov.sg
India	Data Protection Board of India	dpdboard.gov.in

We encourage you to contact us first so we can attempt to resolve your concern directly.

Appendix: Jurisdiction-Specific Notices

For Illinois Residents

If you are a resident of Illinois, our collection and use of biometric data (facial geometry from your selfie photos) may be subject to the Illinois Biometric Information Privacy Act (BIPA). Please refer to our standalone Biometric Data Policy at https://thedress.ai/biometric-policy for the required BIPA disclosures, including:

The specific purpose and length of time for which your biometric data is collected, stored, and used
Our written policy for retention and destruction of biometric data
Your right to provide or withhold written consent

For Texas Residents

If you are a Texas resident, our use of biometric data is also governed by the Texas Capture or Use of Biometric Identifier Act (CUBI). We do not sell, lease, or otherwise disclose your biometric data. Biometric data is destroyed within a reasonable time (and no later than 30 days after the purpose for collection has been satisfied).

For Washington State Residents

Our collection of biometric data complies with Washington's Biometric Identifiers law (RCW 19.375). We provide notice and obtain consent before enrolling biometric identifiers and do not sell or disclose biometric data except as permitted by law.

This Privacy Policy is provided in English. If there is any conflict between a translated version and the English version, the English version shall prevail.

If you have any questions about this Privacy Policy, please contact us at [email protected].