1. Overview
This page provides detailed information about how Leroy Labs LLC collects, processes, stores, and protects data in connection with the StyleIt service. It supplements our Privacy Policy with additional technical and regulatory detail. Our goal is to be fully transparent about our data practices and to demonstrate our commitment to compliance with applicable data protection regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Children's Online Privacy Protection Act (COPPA).
2. Data Collection Practices
We collect data through the following categories, each serving a specific purpose in delivering the StyleIt service:
| Category | Data Collected | Purpose |
|---|---|---|
| Account | Email address, name, OAuth provider ID | Authentication, account management |
| Profile | Gender, date of birth, height, weight, body type, skin tone, style preferences, budget range, country | Personalizing AI-generated try-on results |
| Photos | Full-body photos, face photos, clothing images, accessory images | AI virtual try-on generation |
| Usage | Features accessed, credits consumed, generation count, interaction patterns, timestamps | Service improvement, analytics |
| Device | Browser type, OS, IP address, device identifiers, screen resolution | Security, compatibility, debugging |
| Payment | Subscription status, plan type, billing dates (via our payment processor — we never store card details) | Billing, subscription management |
Data minimization: We only collect data that is necessary for providing the Service. Profile fields are optional (except gender and date of birth for accurate AI results), and you may choose how much information to provide.
3. Data Processing & AI Usage
Our AI-powered virtual try-on feature involves the following data flow:
Processing Pipeline
- Upload: When you initiate a try-on, your person photo and clothing images are uploaded to our servers via encrypted TLS connection and temporarily stored in secure cloud storage.
- AI Inference: The images are sent to our AI provider's API for processing. The AI generates virtual try-on result images based on the input photos and your profile data.
- Result Delivery: The generated images are returned to our servers and delivered to you through the app. Results are stored in your try-on history.
- Cleanup: Transient processing data (uploaded clothing images for individual try-ons) is not permanently stored after generation is complete.
AI Data Handling Commitments
- Your photos are never used to train any AI models
- Our AI provider processes images under their enterprise API terms, which prohibit using customer data for model training
- AI processing is stateless — no user data persists in the AI system between requests
- We do not perform facial recognition, biometric identification, or emotion detection
- The AI generates visual approximations only; no automated decisions with legal or similarly significant effects are made
4. Data Storage & Retention
Your data is stored across the following systems:
| Data Type | Storage System | Retention Period |
|---|---|---|
| Account & profile data | Encrypted database | While account is active; deleted on account closure |
| Profile & face photos | Encrypted cloud storage | Until user deletes or account closure |
| Wardrobe images | Encrypted cloud storage | Until user deletes or account closure |
| Generated try-on images | Encrypted cloud storage | Until user deletes from history or account closure |
| Try-on input photos | Transient cloud storage | Not stored permanently after generation |
| Usage & analytics logs | Analytics platform | 90 days in identifiable form; then aggregated |
| Session & cache data | Cache layer | Temporary; expires automatically |
| Payment & billing records | Payment processor + database | As required by law (typically 7 years) |
5. Security Measures
We implement multiple layers of security to protect your data:
Encryption
- In Transit: All data transmitted between your device, our servers, and third-party services is encrypted using TLS 1.2 or higher
- At Rest: Data stored in our cloud storage and database is encrypted using AES-256 encryption
- Secrets Management: API keys, tokens, and credentials are stored securely and never exposed in client-side code
Authentication & Access Control
- User authentication is managed by a SOC 2 Type II compliant provider
- JWT-based authentication with secure token handling across all platforms
- Production system access is restricted through role-based access controls (RBAC)
- Administrative access requires multi-factor authentication
Infrastructure Security
- Payment processing by a PCI DSS Level 1 certified provider
- Database hosted with automated backups and point-in-time recovery
- Regular security reviews and vulnerability assessments
- Monitoring and alerting for suspicious activity
- CORS policies restrict API access to authorized origins only
6. GDPR Compliance
The General Data Protection Regulation (GDPR) applies to processing of personal data of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. Here is how we comply:
Lawful Basis for Processing
| Processing Activity | Lawful Basis (Art. 6) | Details |
|---|---|---|
| Photo uploads for AI try-on | Consent | Explicit consent when uploading; withdrawable at any time |
| Account management & service delivery | Contract Performance | Necessary to provide the subscribed service |
| Analytics & service improvement | Legitimate Interests | Improving user experience; does not override user rights |
| Fraud prevention & security | Legitimate Interests | Protecting users and the service from abuse |
| Tax & accounting records | Legal Obligation | Required by applicable financial regulations |
Data Subject Rights
Under GDPR, you have the following rights. We respond to all requests within one month, free of charge for the first request:
- Right of Access (Art. 15) — Obtain a copy of all personal data we hold about you
- Right to Rectification (Art. 16) — Correct inaccurate data (also available via dashboard)
- Right to Erasure (Art. 17) — Request deletion of your personal data
- Right to Restrict Processing (Art. 18) — Limit how we process your data
- Right to Data Portability (Art. 20) — Receive your data in a machine-readable format
- Right to Object (Art. 21) — Object to processing based on legitimate interests
- Rights Regarding Automated Decisions (Art. 22) — Our AI does not make decisions with legal effects
Data Processing Records
We maintain records of our processing activities as required under GDPR Article 30, including the purposes of processing, categories of data subjects and personal data, recipients, transfer safeguards, and retention periods.
7. CCPA Compliance
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant California residents specific data protection rights.
Consumer Rights
- Right to Know — Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties it is shared with
- Right to Delete — Request deletion of personal information, subject to legal exceptions
- Right to Opt-Out of Sale — We do not sell personal information; no opt-out action is needed
- Right to Correct — Request correction of inaccurate information
- Right to Limit Sensitive Information Use — Limit use of sensitive personal information to what is necessary
- Right to Non-Discrimination — No different pricing, quality, or access for exercising rights
Exercising Your Rights
- Email your request to hi@leroylabs.io
- We will verify your identity before processing (typically by confirming your account email)
- We respond within 45 days of receiving a verifiable request (extendable to 90 days with notice)
- You may designate an authorized agent to submit requests on your behalf
- Requests are free of charge; we do not charge a fee for processing your first request in a 12-month period
8. COPPA Compliance
The Children's Online Privacy Protection Act (COPPA) imposes requirements on operators of websites and online services directed at children under 13, or that have actual knowledge of collecting data from children under 13.
- StyleIt is not directed at children under 13 and is designed for users aged 13 and older
- Our Terms of Service require users to be at least 13 years old; users aged 13–17 require parental consent
- We do not knowingly collect, use, or disclose personal information from children under 13
- If we discover that we have collected data from a child under 13, we will delete it promptly and notify the parent or guardian if contact information is available
- Parents or guardians who believe their child has provided data to StyleIt may contact us at hi@leroylabs.io to request deletion
9. International Data Transfers
Leroy Labs LLC is based in the United States. When you use StyleIt from outside the US, your data may be transferred internationally.
Our data and the data of our third-party service providers are primarily processed in the United States. All of our providers maintain appropriate data transfer safeguards including Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework participation, SOC 2 compliance, and/or PCI DSS certification as applicable.
For transfers to countries without an EU adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures where necessary.
10. Data Breach Procedures
We maintain a comprehensive data breach response plan:
Detection & Assessment
- Automated monitoring and alerting systems detect unusual access patterns
- Security incidents are immediately escalated to our response team
- We assess the scope, nature of data affected, and risk to individuals
Notification
- Regulatory authorities: Notified within 72 hours of discovery where required under GDPR (Art. 33), unless the breach is unlikely to result in a risk to individuals' rights and freedoms
- Affected users: Notified without undue delay via email and in-app notification when the breach is likely to result in a high risk to their rights and freedoms
- Notification content: Description of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken to address and mitigate the breach
Remediation
- Immediate containment of the breach
- Root cause analysis and vulnerability remediation
- Enhanced monitoring of affected systems
- Post-incident review and process improvements
11. Cookie Policy
The following cookies and tracking technologies are used by StyleIt:
| Purpose | Type | Duration |
|---|---|---|
| Authentication & session management | Essential | Session / 7 days |
| Anonymous usage analytics | Analytics | 1 year |
| Performance monitoring | Analytics | Session |
No advertising cookies are used. We do not engage in behavioral advertising, retargeting, or cross-site tracking. You can manage cookie preferences through your browser settings. Note that blocking essential cookies will prevent you from using the Service. The Chrome extension stores authentication tokens using Chrome's session storage API and does not set browser cookies.
12. Third-Party Data Processors
We engage third-party processors to operate StyleIt. Each is bound by a data processing agreement. The categories of processors we use include:
- Authentication provider — Manages user login, account security, and session tokens. Located in the United States.
- Payment processor — Handles subscription billing, credit purchases, and payment details. Located in the United States.
- AI inference provider — Processes user photos transiently to generate virtual try-on images. Located in the United States.
- Cloud storage provider — Stores profile images, wardrobe images, and generated results in encrypted storage. Located in the United States.
- Analytics provider — Collects anonymized usage events and device information. Located in the United States / EU.
- Database provider — Hosts account data, profile data, and transaction records. Located in the United States.
- Caching provider — Handles rate limiting and temporary non-sensitive operational data. Located in the United States.
13. User Rights Exercise Procedures
To exercise any of your data protection rights:
Step 1: Submit Your Request
Send an email to hi@leroylabs.io with the subject line “Data Rights Request” and include:
- Your full name and account email address
- The specific right(s) you wish to exercise
- Any relevant details to help us locate the data in question
Step 2: Identity Verification
We will verify your identity by confirming your account email address. For sensitive requests, we may ask for additional verification. We will not request more information than necessary.
Step 3: Processing
We process requests within the following timeframes:
- GDPR requests: Within 1 month (extendable by 2 months for complex requests, with notice)
- CCPA requests: Within 45 days (extendable to 90 days with notice)
Self-Service Options
Many actions can be performed directly through your account without contacting us:
- Edit profile data: Dashboard → Profile
- Delete try-on history: Dashboard → History → Delete
- Delete wardrobe items: Dashboard → Wardrobe → Delete
- Delete profile/face photos: Dashboard → Profile → Remove photo
- Manage subscription: Dashboard → Billing → Manage Subscription