Privacy Policy

Effective date: July 10, 2026

1. Introduction

Aimily: Vintage Shopper (the "app") is operated by StudioNN Agency S.L. (NIF: B42978130, VAT: ESB42978130), with registered address in Alicante, Spain ("aimily," "we," "our," or "us"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the aimily app and the website at aimily.app. This policy complies with the EU General Data Protection Regulation (GDPR), Spain's Organic Law 3/2018 (LOPDGDD), Spain's Law 34/2002 (LSSI-CE), the California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.

2. Information We Collect

2.1 Information You Provide

  • Account information: email address and password
  • Photos you upload or take to search for a garment
  • Text searches and garment descriptions you enter
  • Your "hunts" (saved pieces you want us to keep looking for) and the shops or brands you follow
  • Subscription status: your purchase is processed by Apple; we receive only a transaction identifier, never your card details

2.2 Information Collected Automatically

When you use the app, we automatically collect:

  • Device information and a push notification token, so we can send you "hunt" alerts
  • Your device language, so we can show results and messages in your language
  • Usage data: features used and timestamps, to operate and improve the app

On our website we use only the cookies and technologies strictly necessary to run it, as described in our Cookie Policy.

3. How We Use Your Information

We process your data for the following purposes and legal bases:

  • To identify the garment in your photo or description and find it second-hand. Legal basis: performance of contract (Art. 6(1)(b) GDPR)
  • To run your "hunt" (watch a piece and notify you when it appears). Legal basis: performance of contract
  • To manage your subscription and access. Legal basis: performance of contract
  • To personalise your results and your "for you" feed based on your searches. Legal basis: consent or legitimate interest
  • To communicate with you about your account and to improve the app. Legal basis: legitimate interest
  • To comply with legal obligations (tax, regulatory). Legal basis: legal obligation (Art. 6(1)(c) GDPR)

IMPORTANT. AI processing: to identify the garment, your photo (or the crop you select) and your text are sent to the AI providers listed in Section 4. They process your data solely to return a result and do NOT use it to train their models. aimily does NOT use your photos or searches to train any AI model. Our AI identifies garments (objects), not people; we do not perform facial recognition.

4. Data Sharing & Sub-Processors

We do NOT sell your personal information. We do NOT share your data for advertising. We share data only with the following service providers (sub-processors), strictly as needed to run the app:

  • Supabase (Supabase, Inc.): database, authentication, and storage of your photos and account data.
  • Anthropic (Anthropic PBC): AI vision that identifies the garment in your photo or description. Not used to train models under our API terms.
  • Scrapingdog (Scrapingdog): visual search (Google Lens) and listing search. Receives the temporary crop of your photo and your queries to find the piece.
  • SearchApi (SearchApi): visual and text search, used as an alternative and in parallel to the above.
  • Apple (Apple Inc.): in-app purchases, subscription management and delivery of push notifications.
  • Resend (Resend, Inc.): transactional email, such as account confirmation.
  • Vercel (Vercel, Inc.): application hosting, serverless functions, and CDN.
  • We may also disclose data when required by law, court order, or to protect our legal rights.

All sub-processors are bound by data processing agreements (DPAs) and comply with applicable data protection regulations. For international data transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or the sub-processor's participation in recognized frameworks.

5. Payment Data

Your subscription is purchased and processed directly by Apple through in-app purchase. We never see or store your card number, CVV, or full payment details; we receive only a transaction identifier to activate your access. See Apple's Privacy Policy for details on how Apple handles your payment information.

6. AI Data Processing

When you search, the following processing occurs:

  • The photo you upload, or the crop you select, is sent to our AI vision provider (Anthropic) and to visual search (Google Lens, via Scrapingdog and SearchApi) to identify the piece. The crop published for visual search is temporary and deleted right after the search.
  • Your text descriptions are sent to Anthropic to build a "garment profile" for the search. These are processed in real time and not retained to train models.
  • aimily does NOT use your photos, searches, or any uploaded material to train, fine-tune, or improve any AI model, whether owned by aimily or by any third party.
  • The reference crop of a saved "hunt" is stored in your account (on our Supabase infrastructure) so we can match new listings against it. You may delete it at any time by deleting the hunt or your account.
  • Our AI identifies garments (objects), not people. We do not run facial recognition or build biometric templates. We do not create advertising profiles or sell AI processing data.

7. Data Security

We implement industry-standard security measures to protect your data, including: encryption in transit (TLS 1.2+) and at rest; secure authentication via Supabase Auth with HTTP-only cookies; role-based access control for all API endpoints; regular security audits and code reviews; server-side validation and input sanitization; and secure file upload processing with type and size validation. No system is 100% secure, and we cannot guarantee absolute security. If you discover a security vulnerability, please report it to security@aimily.app.

8. Your Rights

8.1 EU/EEA Users (GDPR)

Under the GDPR, you have the right to:

  • Access: obtain a copy of all personal data we hold about you
  • Rectification: correct inaccurate or incomplete data
  • Erasure ("Right to be forgotten"): permanently delete your account and all associated data from your account settings
  • Portability: export your data in a structured, machine-readable format (JSON)
  • Objection: object to processing based on legitimate interest
  • Restriction: request limitation of processing in certain circumstances
  • Withdraw consent at any time, as easily as you gave it, for processing based on consent

To exercise any of these rights, visit your account settings or contact us at privacy@aimily.app.

You have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD, www.aepd.es) or with the supervisory authority in your country of residence.

8.2 California Users (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do NOT sell your personal information. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • To exercise your CCPA rights, contact us at privacy@aimily.app or use the deletion feature in your account settings.

8.3 Brazilian Users (LGPD)

If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados (LGPD), including: confirmation of data processing; access to your data; correction of incomplete or inaccurate data; anonymization, blocking, or deletion of unnecessary data; data portability; information about shared data; and the right to revoke consent. Contact privacy@aimily.app to exercise these rights.

8.4 Other Latin American Users

Users in Mexico (LFPDPPP), Argentina (Ley 25.326), Colombia (Ley 1581/2012), Chile, Peru, and other Latin American countries with data protection legislation may exercise their rights under applicable local law by contacting privacy@aimily.app.

9. Data Retention

We retain your data for as long as your account is active. Upon account deletion, all personal data and associated content (photos, searches, hunts, follows) are permanently deleted within 30 days. Payment records held by Apple are governed by Apple; any records we are legally required to keep under Spanish tax law are retained for the legal minimum (5 years). Anonymized, aggregated usage statistics may be retained for service improvement.

10. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our sub-processors are located. For all such transfers, we ensure adequate safeguards through: Standard Contractual Clauses (SCCs) approved by the European Commission; the sub-processor's compliance with recognized data protection frameworks; and contractual data processing agreements. By using the Service, you acknowledge these international transfers as necessary for service delivery.

11. Children's Privacy

The app is not directed to children. We do not knowingly collect personal information from children under 16 (or the minimum age set by the law of your country). If we become aware that we have collected data from a minor, we will delete it promptly.

12. Data Controller

The data controller responsible for your personal data is:

  • StudioNN Agency S.L.
  • NIF: B42978130 | VAT: ESB42978130
  • Alicante, Spain
  • Data Protection Contact: privacy@aimily.app
  • Supervisory Authority: Agencia Española de Protección de Datos (AEPD), www.aepd.es

13. Contact Us

For privacy-related questions, data subject requests, or complaints, contact us at: privacy@aimily.app

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the effective date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.