Privacy Policy
Last updated: March 2026
FittingMe.AI — Virtual Fitting Room Application
Last updated: March 1, 2026
Version: 1.0
Notice: This English version is provided as a courtesy translation only. In the event of any discrepancy or conflict between the French and English versions, the French version shall prevail. The authoritative French version is available at [link to politique-confidentialite-fr].
1. Identity of the Data Controller
The data controller responsible for the processing of your personal data is:
FittingMe.AI SAS (simplified joint-stock company, registration in progress)
Registered office: [To be completed]
Share capital: [To be completed]
SIRET: [To be completed]
RCS: [To be completed]
Email: contact@fittingme.ai
2. Data Protection Officer (DPO)
As of the date of this policy, FittingMe.AI has not appointed a Data Protection Officer within the meaning of Article 37 of the GDPR. The necessity of such an appointment will be reassessed in accordance with the criteria of Article 37, particularly when the number of users reaches a significant threshold.
For any questions regarding the protection of your personal data, you may contact:
Email: contact@fittingme.ai
Subject line: "Personal Data Protection"
3. Data Collected and Processing Purposes
FittingMe.AI collects and processes your personal data as part of the processing activities described below. For each processing activity, we specify the data concerned, the purpose, the applicable legal basis (under Articles 6 and 9 of the GDPR), and the retention period.
3.1. User Account Creation and Management
| Element | Detail |
|---|---|
| Data processed | Email address, Firebase ID, display name, Google profile photo (if applicable) |
| Purpose | Create and manage your user account, authenticate your logins |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) — necessary for the provision of the Service |
| Retention period | Duration of the account + 30 days after deletion |
3.2. Face Photo Capture and Storage
| Element | Detail |
|---|---|
| Data processed | User face photographs |
| Purpose | Enable the creation of a personalized virtual body model |
| Legal basis | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) — face photographs constitute biometric data within the meaning of Article 9 when processed for the purpose of identifying or characterizing a natural person |
| Retention period | Duration of the account. Deletion within 30 days of account deletion or withdrawal of consent |
3.3. AI-Powered Facial Attribute Extraction
| Element | Detail |
|---|---|
| Data processed | Face photographs sent to Google Gemini; extracted attributes: skin tone, eye color, hair color, age range |
| Purpose | Characterize the user's physical attributes to personalize virtual try-on results and clothing suggestions |
| Legal basis | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) |
| Sub-processor | Google Ireland Limited (Google Gemini API) |
| Retention period | Extracted attributes: duration of the account. Photos are not retained by the sub-processor beyond the API request processing (Google's API data non-retention policy) |
3.4. Body Photo Capture and Storage
| Element | Detail |
|---|---|
| Data processed | User body photographs (full-length photos) |
| Purpose | Enable the creation of a virtual body model for try-on |
| Legal basis | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) |
| Retention period | Duration of the account. Deletion within 30 days of account deletion or withdrawal of consent |
3.5. Virtual Body Model Generation
| Element | Detail |
|---|---|
| Data processed | Body photos sent to OpenAI and/or Google Gemini; synthetic image generated representing the user's body model |
| Purpose | Create a virtual representation of the user's body for garment try-on |
| Legal basis | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) |
| Sub-processors | OpenAI, L.L.C. (primary provider); Google Ireland Limited — Gemini (fallback provider) |
| Retention period | Generated images: duration of the account. Source photos are not retained by sub-processors beyond API request processing |
3.6. Virtual Try-On (Image Generation)
| Element | Detail |
|---|---|
| Data processed | Virtual body model, garment images, request parameters; AI-generated try-on images |
| Purpose | Generate images showing the user virtually wearing one or more garments |
| Legal basis | Explicit consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) for body image processing; performance of a contract (Art. 6(1)(b) GDPR) for the try-on feature itself |
| Sub-processors | OpenAI, L.L.C. (primary provider); Google Ireland Limited — Gemini (fallback provider) |
| Retention period | Try-on images: duration of the account or until deleted by the user. Automatic cleanup of older try-ons per cleanup policy |
3.7. On-Device Face and Body Detection
| Element | Detail |
|---|---|
| Data processed | Camera feed processed locally by Google ML Kit (face and pose detection) |
| Purpose | Guide the user during photo capture (framing, posture); no data is transmitted to external servers |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) — feature integrated into photo capture |
| Retention period | No retention: real-time on-device processing only |
3.8. Garment Import and Analysis
| Element | Detail |
|---|---|
| Data processed | Garment photographs (uploaded or imported from third-party websites); extracted attributes: garment type, color, pattern, material |
| Purpose | Identify and categorize garments for virtual try-on and suggestions |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sub-processor | Mistral AI (AI-powered image analysis for attribute extraction) |
| Retention period | Duration of the account or until the garment is deleted by the user |
3.9. Virtual Wardrobe and Collection Management
| Element | Detail |
|---|---|
| Data processed | Garment-user associations, outfit collections, organizational metadata |
| Purpose | Allow the user to organize garments and outfits into collections and share them |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Retention period | Duration of the account |
3.10. Weather-Based Clothing Suggestions
| Element | Detail |
|---|---|
| Data processed | Geographic coordinates (latitude/longitude), location name; weather data obtained from OpenWeatherMap |
| Purpose | Provide clothing suggestions adapted to the weather conditions of the user's location |
| Legal basis | Consent (Art. 6(1)(a) GDPR) — optional feature activated at the user's request |
| Sub-processor | OpenWeather Ltd (OpenWeatherMap API) — receives only GPS coordinates, no personally identifiable data |
| Retention period | Coordinates: duration of the account. Weather data: not retained (temporary cache only) |
3.11. Push Notifications (Clothing Planning)
| Element | Detail |
|---|---|
| Data processed | FCM token (Firebase Cloud Messaging), notification preferences, timestamp of last notification |
| Purpose | Send clothing planning notifications to the user |
| Legal basis | Consent (Art. 6(1)(a) GDPR) — optional feature |
| Sub-processor | Google Ireland Limited (Firebase Cloud Messaging) |
| Retention period | FCM token: duration of the account. Automatically refreshed by the device |
3.12. Image Storage and Delivery (Hosting)
| Element | Detail |
|---|---|
| Data processed | All images (photos, body models, try-on results, garment images) stored on Google Cloud Storage and delivered via Google Cloud CDN |
| Purpose | Host and distribute visual content necessary for the operation of the Service |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sub-processor | Google Ireland Limited (Google Cloud Storage, Cloud CDN) |
| Retention period | As per the retention periods of the respective processing activities |
3.13. Audience Measurement and Analytics
| Element | Detail |
|---|---|
| Data processed | Anonymized usage events, analytics identifier, device type, application version, user journey |
| Purpose | Measure the Service's audience, understand usage patterns, and improve user experience |
| Legal basis | Consent (Art. 6(1)(a) GDPR) — in accordance with CNIL guidelines on trackers (see Cookie Policy) |
| Sub-processor | PostHog, Inc. |
| Retention period | 25 months from collection (CNIL recommendation) |
3.14. Session Recording
| Element | Detail |
|---|---|
| Data processed | Visual recordings of usage sessions (interactions, navigation) |
| Purpose | Diagnose usability issues, improve user interface |
| Legal basis | Consent (Art. 6(1)(a) GDPR) |
| Sub-processor | PostHog, Inc. |
| Retention period | 90 days |
3.15. Quota Management and Billing
| Element | Detail |
|---|---|
| Data processed | Usage counters (number of try-ons, number of analyses), user identifier |
| Purpose | Manage freemium usage limits and, where applicable, billing for premium services |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Retention period | Duration of the account + statutory retention period for accounting records (10 years for billing data, Art. L123-22 of the French Commercial Code) |
3.16. Inquiries and Support
| Element | Detail |
|---|---|
| Data processed | Email address, content of exchanges, technical diagnostic metadata |
| Purpose | Respond to user inquiries, provide technical support |
| Legal basis | Legitimate interest (Art. 6(1)(f) GDPR) — the controller's legitimate interest in ensuring service quality and responding to user inquiries |
| Retention period | 3 years from the closure of the inquiry (general statute of limitations under French law) |
4. Recipients and Sub-processors
Your personal data may be communicated to the following categories of recipients:
4.1. Sub-processors within the meaning of Article 28 GDPR
| Sub-processor | Country | Data Processed | Purpose | Transfer Safeguards |
|---|---|---|---|---|
| Google Ireland Limited (Gemini API, Firebase Auth, Cloud Storage, Cloud CDN, FCM) | Ireland (EU); processing possible in the United States | Face photos (attribute extraction), body photos (model generation, try-on), image storage, authentication, notifications | AI analysis, hosting, authentication, notifications | Standard Contractual Clauses (SCCs); EU-US Data Privacy Framework (DPF) for transfers to Google LLC |
| OpenAI, L.L.C. | United States | Body photos, virtual model, try-on requests | AI image generation (body model, virtual try-on) | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Mistral AI | France (EU) | Garment images | AI-powered garment analysis and categorization | Processing within the EU — no transfer outside the EU |
| PostHog, Inc. | United States (EU hosting available) | Usage events, session recordings | Analytics, audience measurement | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| OpenWeather Ltd | United Kingdom | GPS coordinates | Weather data | UK adequacy decision (Art. 45 GDPR) |
4.2. Other Recipients
Your data is not communicated to third parties for commercial purposes. It may be communicated:
- to judicial or administrative authorities when required by law;
- to service providers acting within the scope of a legal obligation (statutory auditors, lawyers).
5. International Data Transfers
Some of your data is transferred outside the European Economic Area (EEA), particularly to the United States. These transfers are governed by the following mechanisms:
5.1. EU-US Data Privacy Framework (DPF)
Transfers to OpenAI, L.L.C., Google LLC, and PostHog, Inc. are based on the EU-US Data Privacy Framework (European Commission adequacy decision of July 10, 2023, C(2023) 4745), insofar as these entities are certified under the DPF.
5.2. Standard Contractual Clauses (SCCs)
In addition to the DPF, Standard Contractual Clauses adopted by the European Commission (implementing decision 2021/914 of June 4, 2021) are incorporated into the data processing agreements with providers located outside the EEA.
5.3. Supplementary Measures
In accordance with the EDPB recommendations (Recommendations 01/2020 on supplementary measures to transfer tools), we implement the following supplementary measures:
- Technical measures: encryption of data in transit (TLS 1.2+) and at rest; minimization of data sent to third-party APIs; non-retention policy by AI providers (request data is not used for model training);
- Organizational measures: regular assessment of our sub-processors' DPF certifications; monitoring of US surveillance legislation.
6. Retention Periods
Retention periods are detailed for each processing activity in Section 3. The general principles are as follows:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of the account + 30 days after deletion |
| Photos (face, body) | Duration of the account or until withdrawal of consent |
| AI-generated images | Duration of the account or until deleted by the user |
| AI-extracted attributes | Duration of the account |
| Wardrobe data | Duration of the account |
| Analytics data | 25 months from collection |
| Session recordings | 90 days |
| Billing data | 10 years (legal obligation — Art. L123-22 French Commercial Code) |
| Support data | 3 years from closure of the inquiry |
| Geographic coordinates | Duration of the account |
At the end of these periods, data is deleted or irreversibly anonymized.
Upon deletion of your account, all your personal data is deleted within 30 days, except for data subject to a legal retention obligation.
7. Your Rights
In accordance with the General Data Protection Regulation (GDPR) and French Law No. 78-17 of January 6, 1978, as amended (Data Protection Act), you have the following rights:
7.1. Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where it is, access to such data together with the information specified in Article 15 of the GDPR.
7.2. Right to Rectification (Art. 16 GDPR)
You have the right to obtain the rectification of inaccurate personal data concerning you, as well as the completion of incomplete data.
7.3. Right to Erasure (Art. 17 GDPR)
You have the right to obtain the erasure of your personal data in the cases provided for in Article 17 of the GDPR, including when you withdraw your consent, when the data is no longer necessary for the purposes for which it was collected, or when you object to the processing.
Deleting your account will result in the erasure of all your data within 30 days.
7.4. Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller. This right applies to data processed on the basis of your consent or the performance of a contract, by automated means.
7.5. Right to Restriction of Processing (Art. 18 GDPR)
You have the right to obtain the restriction of processing in the cases provided for in Article 18 of the GDPR, including when you contest the accuracy of the data or when the processing is unlawful.
7.6. Right to Object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on legitimate interest (Art. 6(1)(f) GDPR). We will cease processing unless we demonstrate compelling legitimate grounds.
7.7. Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You may exercise this right:
- For photos and AI processing: by deleting your photos from the application or deleting your account;
- For geolocation: by disabling the weather planning feature in the application;
- For notifications: by disabling notifications in the application settings;
- For analytics and cookies: by changing your consent preferences in the application settings (see Cookie Policy).
7.8. Right to Define Post-Mortem Directives (Art. 85 French Data Protection Act)
You have the right to define directives regarding the retention, erasure, and communication of your personal data after your death.
7.9. Exercising Your Rights
To exercise any of these rights, you may contact us:
- By email: contact@fittingme.ai — subject: "GDPR Rights Request"
- By postal mail: FittingMe.AI SAS, [registered office address — to be completed]
We undertake to respond to your request within one month of its receipt. This period may be extended by two months given the complexity and number of requests, in accordance with Article 12(3) of the GDPR. In such cases, we will inform you of the extension within the initial one-month period.
We may ask you to verify your identity if there is reasonable doubt regarding the identity of the requester.
7.10. Right to Lodge a Complaint with the CNIL
If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the French Data Protection Authority (CNIL):
Commission nationale de l'informatique et des libertés (CNIL)
3, Place de Fontenoy — TSA 80715
75334 PARIS CEDEX 07
Phone: +33 1 53 73 22 22
Website: www.cnil.fr
8. Cookie and Tracker Policy
The use of cookies and trackers by FittingMe.AI is governed by a dedicated policy, available within the application and at the following address: [link to cookie policy].
For more information, please refer to our Cookie Policy.
9. Artificial Intelligence Information
FittingMe.AI uses several artificial intelligence systems to provide its features. In accordance with Article 50 of Regulation (EU) 2024/1689 (AI Act), a dedicated transparency notice is made available to you within the application and at the following address: [link to AI notice].
In summary:
- Virtual try-on images are generated by artificial intelligence. They are not real photographs. They do not constitute a faithful representation of reality.
- Facial attributes (skin tone, eye color, hair color, age range) are extracted by AI from your photos. These results are estimates and may be inaccurate.
- Clothing suggestions are generated by AI and do not constitute professional advice.
- You may delete your photos and the data derived from them at any time.
For more information, please refer to our AI Transparency Notice.
10. Protection of Minors
10.1. Prohibition for Children Under 13
FittingMe.AI is not intended for children under 13 years of age. We do not knowingly collect personal data from minors under 13. If we learn that we have collected data from a child under 13, we will proceed with its immediate deletion.
10.2. Parental Consent for Minors Aged 13 and 14
In accordance with Article 45 of French Law No. 78-17 of January 6, 1978, as amended (which sets the autonomous consent threshold at 15 years of age in France), minors aged 13 and 14 may only use the Service with the verifiable authorization of a holder of parental authority.
10.3. Minors Aged 15 and Over
Minors aged 15 and over may autonomously consent to the processing of their personal data within the scope of the Service, in accordance with Article 45 of the French Data Protection Act.
10.4. Reporting
If you are a parent or guardian and you discover that your minor child is using the Service without your consent, please contact us at contact@fittingme.ai so that we can take the necessary measures.
11. Data Security
FittingMe.AI implements appropriate technical and organizational measures to ensure the security and confidentiality of your data, including:
- Encryption in transit: all communications between the application, our servers, and third-party APIs are encrypted using TLS 1.2 or higher;
- Encryption at rest: data stored on Google Cloud Storage is encrypted at rest (AES-256);
- Access control: per-user data isolation (Row-Level Security) at the database level;
- Secure authentication: authentication via Firebase Auth (OAuth 2.0 protocol);
- Minimization: only strictly necessary data is transmitted to sub-processors;
- Non-retention by AI providers: data transmitted to AI APIs (OpenAI, Google Gemini, Mistral) is not retained by these providers beyond request processing and is not used for training their models;
- Signed URLs: access to stored images is protected by time-limited signed URLs.
12. Changes to This Privacy Policy
We reserve the right to modify this privacy policy at any time. In the event of a material change, you will be informed:
- by notification within the application;
- where applicable, by email.
The date of the last update is indicated at the top of this document. Your continued use of the Service after notification of the changes constitutes acceptance of the modified policy. If you do not accept the changes, you are free to delete your account.
13. Governing Law
This privacy policy is governed by French law. Any dispute relating to the interpretation or performance of this policy shall be submitted to the competent courts of Paris, without prejudice to the mandatory jurisdiction rules applicable for the benefit of consumers under the French Consumer Code.
14. Contact
For any questions regarding this privacy policy or your personal data:
FittingMe.AI SAS
Address: [To be completed]
Email: contact@fittingme.ai
This English version is provided as a courtesy translation. In the event of any discrepancy between the French and English versions, the French version shall prevail.