Privacy Policy
Last updated: March 2026 · Document version 1.0
This Privacy Policy explains how STIL ("we", "us", "our") collects, uses, and protects your personal data when you use the STIL AI Personal Stylist mobile application ("App").
1. Who We Are (Data Controller)
STIL
IZMIR/TURKEY
Email: stilaistyler@gmail.com
For data-protection/KVKK matters: stilaistyler@gmail.com
2. Data We Collect
- a) Account data — Email address via Google sign-in.
- b) Profile photo (biometric data) — Facial photographs for AI visualization. Processing requires explicit consent under GDPR Art. 9 and KVKK Art. 6.
- c) Wardrobe photos — Clothing items for your digital wardrobe.
- d) Outfit history — AI-generated recommendations and visualizations.
- e) Location data — Real-time coordinates for weather checks (NOT stored on servers).
- f) Subscription & payment data — Status and history via RevenueCat; no raw card data is stored by us.
- g) Usage data — App interaction events to operate the service and detect abuse.
- h) Device data — Model, OS, and anonymized identifiers processed by Sentry, Inc. for stability.
- i) Push notification tokens — Stored solely for service alerts.
3. How and Why We Use Your Data
- AI Styling & Account Management → Performance of contract (GDPR Art. 6(1)(b)).
- Biometric Processing (Profile Photo) → Your explicit consent (GDPR Art. 9(2)(a)).
- Service Improvement → Legitimate interest (GDPR Art. 6(1)(f)).
- Legal Compliance → Legal obligation (GDPR Art. 6(1)(c)).
4. Sharing Your Data
We share data only with processors under documented instructions:
- AWS (Frankfurt, Germany) — Infrastructure, encrypted DynamoDB, and S3 storage.
- OpenAI, LLC (USA) — AI models for outfit generation.
- RevenueCat, Inc. (USA) — Subscription management.
- Sentry, Inc. (USA) — Crash reporting (No photos or PID sent).
5. International Data Transfers
For transfers to the USA (OpenAI, RevenueCat, Sentry), we rely on EU Standard Contractual Clauses (SCCs) and Article 9 of KVKK.
6. Data Retention & Deletion
Data is kept while the account is active. Upon deletion (Settings → Delete My Account), all personal data, photos, and history are irreversibly deleted within 30 days.
7. Your Rights
Under GDPR and KVKK, you have the right to access, deletion, rectification, portability, objection, and withdrawal of consent. We respond within 30 days (GDPR) or 30 business days (KVKK).
8. Security
- In transit: TLS 1.2+ encryption.
- At rest: AES-256 server-side encryption for S3 and DynamoDB.
- Breach Response: Notification to authorities within 72 hours (GDPR Art. 33).
9. Automated Decision-Making
Under GDPR Art. 22, you have the right to request human review of AI-generated output and contest results you consider inaccurate.