Privacy Policy
Status: Draft for legal review. Replace bracketed placeholders before publication.
Last updated: [DATE]
Document control
- Legal name: [Insert company legal name, e.g. Enclothed Pty Ltd]
- ABN: [Insert ABN]
- Australian address: [Insert principal place of business]
- Privacy contact: [privacy@enclothed.ai]
- EU/UK representative (if required): [Name, address] — required for some non-EU controllers under GDPR/UK GDPR
1. Who we are
This Privacy Policy explains how [Insert legal name] (“Enclothed”, “we”, “us”) collects, uses, stores, and shares personal information when you use our virtual try-on services embedded on retailer websites, our websites (including enclothed.ai and app.enclothed.ai), mobile web experiences, and related features such as fitting rooms, sharing, and accounts.
If you do not agree with this policy, do not use the Services.
2. Scope
This policy applies to consumers who use Enclothed through a brand’s online store or our consumer experiences. Merchants (brands) that contract with Enclothed are also subject to separate commercial terms and data-processing arrangements.
3. What personal information we collect
Depending on how you use Enclothed, we may collect:
- Identity & contact: name, email address, phone number, account login identifiers.
- Photos you provide: selfies and other images you upload for try-on, including images that may show your face or body.
- Generated media: AI-generated try-on images and related derivatives (for example, processed or background-removed images).
- Technical identifiers: device and browser data, IP address, session and security logs, and a browser identifier (such as a randomly generated “fingerprint” stored in local storage on your device) used to associate your activity where you have not signed in.
- Usage data: pages and products you view, try-on requests, fitting-room activity, share links you create, and similar interaction data.
- Commerce-related data (where available): information we receive from retailers or their platforms (for example via integrations) to attribute purchases or provide features to brands, such as order events matched to your activity.
- Communications: messages you send us and records of marketing preferences.
We do not intentionally collect information from children under 16 (or the minimum age in your jurisdiction). The Services are not directed at children.
4. Why we collect and use personal information
We use personal information for the following purposes and, where the GDPR or UK GDPR applies, on the following lawful bases:
- Provide the Services — Examples: process uploads, run virtual try-on, display results, sync your wardrobe across sessions. Lawful basis (GDPR/UK GDPR): performance of a contract; steps at your request prior to a contract.
- Operate accounts & security — Examples: authentication, fraud prevention, abuse detection. Lawful basis: legitimate interests; legal obligations.
- Improve and develop the product — Examples: analytics, debugging, quality measurement. Lawful basis: legitimate interests; consent where required.
- AI processing — Examples: sending images and prompts to AI providers to generate try-on outputs. Lawful basis: performance of a contract; legitimate interests; consent where required for optional processing.
- Enclothed Network features — Examples: where permitted by your settings and applicable law, enabling brands to recognise you across participating stores (for example by matching email addresses) to power features such as campaign creatives. Lawful basis: consent and/or legitimate interests, as appropriate to the feature and jurisdiction.
- Marketing — Examples: email or other communications about Enclothed or partners, where permitted. Lawful basis: consent; soft opt-in only where strictly permitted by law; legitimate interests for non-electronic channels where allowed.
- Legal compliance — Examples: respond to lawful requests, enforce our terms. Lawful basis: legal obligation; legitimate interests.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Australian Privacy Act: We handle personal information in accordance with the Australian Privacy Principles (APPs), including by collecting information only where reasonably necessary for our functions, notifying you of collection where required, and providing access and correction mechanisms.
5. AI, automation, and profiling
Parts of the Services use machine-learning and generative AI (including third-party models) to create try-on images. This involves automated processing of your photos and related inputs.
- Outputs may be imperfect, may not reflect real fit, colour, or fabric behaviour, and must not be relied on as professional advice (see Terms).
- Where Australian law requires additional transparency about automated decision-making with legal or similarly significant effects, we will update this policy and in-product notices as required.
6. Disclosure of personal information
We may share personal information with:
- The brand(s) whose sites you use, to the extent needed to provide try-on on their storefront, attribute activity, or deliver merchant-facing features they subscribe to.
- Service providers and processors who assist us (hosting, databases, analytics, customer support tooling, email delivery, security).
- AI and infrastructure providers (for example Google cloud and AI services) who process content to generate images.
- Professional advisers, regulators, or law enforcement when required by law or to protect the rights, safety, and integrity of users and the Services.
We do not sell your personal information for money. Where “sale” or “sharing” has specific meanings under local laws (for example some US state laws), we describe your choices in those jurisdictions as required.
7. International transfers
We may store and process personal information in Australia, the United States, the European Economic Area, the United Kingdom, and other countries where we or our suppliers operate. When we transfer personal information from the EEA, UK, or Switzerland to countries not subject to an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms, and supplementary measures where required.
8. Direct marketing (email, SMS, push)
We may send you commercial electronic messages where:
- you have consented; or
- another legal exception applies (for example, inferred consent or existing relationship rules under the Australian Spam Act 2003, or “soft opt-in” where valid under the UK Privacy and Electronic Communications Regulations — only if all conditions are met).
Every marketing message will include a way to opt out (for example an unsubscribe link). You may also contact us using the details below.
9. Cookies, local storage, and similar technologies
We use cookies, local storage, and similar technologies to remember your session, store technical identifiers (such as your Enclothed fingerprint), maintain try-on queues, prevent fraud, and understand usage. You can clear stored data through your browser settings; some features may not work without it.
10. Retention
We retain personal information only as long as needed for the purposes above, including legal, accounting, and dispute-resolution needs. Try-on media may be retained to let you revisit results unless you delete them or exercise your rights below. Aggregated or de-identified data may be retained longer.
11. Security
We implement technical and organisational measures appropriate to the risk, including access controls and encryption in transit where appropriate. No method of transmission or storage is 100% secure.
12. Your rights
Australia
You may request access to the personal information we hold about you and ask us to correct inaccurate information. You may complain to us (see below) and, if unsatisfied, to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
EEA, UK, and Switzerland (GDPR / UK GDPR)
You may have the rights of access, rectification, erasure, restriction, and data portability, as well as the right to object to processing (including direct marketing) and to withdraw consent. You may lodge a complaint with your local supervisory authority.
Other regions
If a specific law applies to you (for example certain US state privacy laws), we will honour applicable rights as required.
13. How to request deletion of your data
You can request deletion of your personal information (subject to legal exceptions) by:
- Email: [privacy@enclothed.ai] with the subject line “Data deletion request”, including:
  - the email address associated with your account (if any);
  - the retailer sites where you used Enclothed (if known);
  - a description of your request; and
  - information reasonably needed to verify your identity (we may ask for additional details to protect your account).
- In-product controls: where available, use account settings or deletion tools in the fitting room or widget (for example, data deletion actions exposed in the product).
We will confirm receipt and respond within a reasonable period, and in any case within timeframes required by applicable law. In some cases we must retain certain records (for example, billing records, security logs, or data needed to establish legal claims).
If you are an anonymous user identified only by a browser fingerprint, we may need you to use the same device or supply verification tokens that we provide in the app flow.
14. Third-party sites and merchants
Retailers’ websites are operated by independent businesses. Their own privacy policies govern how they collect data outside what Enclothed processes to provide try-on. We are not responsible for merchants’ practices, but we require our merchant agreements to reflect applicable privacy obligations for data they receive from us.
15. Changes
We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last updated” date. Where required, we will provide additional notice (for example, in-product notification or email).
16. Contact
[Insert legal name]
[Insert Australian address]
Email: [privacy@enclothed.ai]