Get the app
← Back to homepage

Privacy Policy

Last updated: 27 May 2026

§1. Data Controller

  1. The controller of the personal data of the users of the Vougly mobile application (available on the App Store and Google Play, hereinafter: the "Application") and of the marketing website available at vougly.app (hereinafter: the "Website") is Windify Digital Services, with its registered office at ul. Płocka 127/16, 87-800 Włocławek, Poland, NIP: 8943145650, REGON: 384382857 (hereinafter: the "Controller").
  2. The Controller may be contacted on matters concerning personal data at: [email protected].
  3. The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, hereinafter: the "GDPR"), the Polish Personal Data Protection Act of 10 May 2018 (ustawa o ochronie danych osobowych), the Polish Act of 18 July 2002 on the provision of electronic services (ustawa o świadczeniu usług drogą elektroniczną), and the Polish Telecommunications Law Act of 16 July 2004 (Prawo telekomunikacyjne) (as regards Articles 173 and 174 concerning cookies).

§2. Scope of Data Collected

The Controller collects and processes the following categories of personal data:

Account Data

  • Email address, required to create an Account, log in, verify identity, communicate, and send purchase confirmations.
  • First name (optional), provided by the user to personalise correspondence and the Application interface.
  • Avatar / profile picture (optional), uploaded by the user from their device.
  • Authentication identifier, where a user logs in with an Apple ID or Google account: the identifier returned by the sign-in provider (Sign in with Apple, Google Sign-In). A password, used solely for email login, is stored in encrypted form (bcrypt hash). The Controller has no access to the password in plain text.

Content Uploaded by the User

  • Photographs of clothing, uploaded to the Application in order to perform a Generation (e.g. a photo of a dress laid flat taken at home). The photographs are sent to the AI model provider, which returns the Generation result.
  • Reference photographs ("selfies") for the "own model" feature, optionally uploaded by the user in order to train an embedding of her own model within the Application. Raw reference photographs are deleted 30 days after the model is created; only the vector embedding used for further Generations remains within the Application.
  • Generated Content, photographs produced by the Application's AI models on the basis of the user's Content. Stored in the Account "Archive" until the user deletes her Account.
  • The "own model" feature requires that the person depicted in the reference photographs has consented to such use of her likeness; responsibility for obtaining that consent rests with the user (in accordance with the Terms of Service).

Technical and Diagnostic Data

  • IP address, collected in server logs and security systems for the purpose of detecting abuse.
  • Device data, device model, operating system and its version, Application version, interface language.
  • Application installation identifier, an internal identifier generated by the Application. The Controller does not use advertising device identifiers (IDFA on iOS, GAID on Android) for marketing purposes, nor does it share them with third parties for that purpose.
  • Application activity data, the type of Generations performed, technical errors, diagnostic logs (processed in order to improve stability).
  • Push notification token, for sending notifications via Apple Push Notifications (APNs) or Firebase Cloud Messaging (FCM).
  • Cookies and similar technologies, on the Website only (vougly.app). The Application does not use cookies in the traditional sense. Detailed information is set out in the Cookies Policy.

Transaction Data

  • History of Credit Pack purchases, date, amount, Pack selected, transaction identifier (App Store / Google Play).
  • Credit balance and history, accruals, deductions, bonuses.
  • The Controller does not store payment card details. All payments within the Application are handled exclusively by the Apple App Store and Google Play, in accordance with their terms and payment mechanisms.

§3. Purposes and Legal Bases of Processing

Purpose of processingLegal basis (GDPR)
Creating and maintaining an Account in the ApplicationArt. 6(1)(b), performance of a contract
Provision of the Services (receiving Photographs, performing Generations, archiving Generated Content)Art. 6(1)(b), performance of a contract
The "own model" feature, processing of reference photographs and creation of the embeddingArt. 6(1)(b), performance of a contract / Art. 9(2)(a), explicit consent (where the photographs reveal special category data)
Handling payments and settlementsArt. 6(1)(b), performance of a contract
Sending push notifications and emails (transactional, account-related)Art. 6(1)(b), performance of a contract / Art. 6(1)(f), legitimate interest
Ensuring security, detecting abuse, protecting the ApplicationArt. 6(1)(f), legitimate interest
Handling complaints and contact with the userArt. 6(1)(b), performance of a contract / Art. 6(1)(f), legitimate interest
Fulfilling legal obligations (accounting, taxes, invoicing)Art. 6(1)(c), legal obligation
Analytics and marketing on the Website (analytical and marketing cookies)Art. 6(1)(a), consent (cookie banner)
Training AI models on anonymised user Content in order to improve Generation qualityArt. 6(1)(f), legitimate interest; with the option to withdraw consent in the Application settings
Establishment, exercise or defence of legal claimsArt. 6(1)(f), legitimate interest

§4. Recipients of Data

Users' personal data may be transferred to the following categories of recipients (processors and separate controllers):

  1. Cloudflare, Inc. (USA), provider of the hosting infrastructure for the vougly.app Website (Cloudflare Pages), content delivery network (CDN), bot and DDoS attack protection, and email forwarding services (Cloudflare Email Routing) for addresses in the vougly.app domain. Cloudflare processes the technical data (IP address, User-Agent, HTTP headers) necessary to deliver the Website's content, as well as emails forwarded to addresses in the vougly.app domain.
  2. Object storage provider, on which Account data, Photographs and Generated Content of the Application are stored (including Cloudflare R2). The data is encrypted at rest and in transit.
  3. OpenRouter, Inc. (USA), provider of a proxy service routing requests to large language models (LLMs), used to process metadata, descriptions and generation instructions. The Controller configures OpenRouter with the Zero Data Retention (ZDR) setting enabled and the data_collection: deny filter; this means that requests are routed exclusively to downstream providers that do not retain the submitted data after inference is performed and do not use it to train their models.
  4. Google LLC and Google Ireland Limited, provider of the Google Gemini model API (multimodal language models), used to analyse and describe Photographs of clothing. In accordance with the Google Gemini API terms (paid, production tier), content submitted via the API is not used to train Google's models.
  5. A specialised virtual try-on AI model provider (based in the USA), the entity that performs the actual Generation of the clothing photograph on a model or on a surface. The user's Content (the Photograph of clothing, and optionally the reference photographs for the "own model" feature) is transmitted solely for the purpose of performing a single Generation and is not used by that provider to train models. The identity of this provider constitutes a trade secret of the Controller for competitive reasons. The Controller will disclose the exact name and registered office of this provider to any user upon a written request sent to [email protected] (in accordance with Art. 13(1)(e) and Art. 15 GDPR).
  6. Apple Inc. and Google LLC, in connection with the sale of Credit Packs within the Application via the App Store and Google Play, and in connection with the sending of push notifications (Apple Push Notifications, Firebase Cloud Messaging).
  7. Formsubmit.co (USA), provider of a service that forwards contact-form submissions from the vougly.app/contact page. It receives the data entered in the form (name, email address, subject, message content) and forwards it as an email to the Controller at [email protected].
  8. Google LLC (Google Analytics 4, identifier G-H319FJRQ28), an analytics tool for the vougly.app Website used to measure traffic, sources of visits and interactions with the site. Enabled only after the user has given consent in the cookie banner (Consent Mode v2). The IP address is anonymised (the anonymize_ip: true parameter). Details are set out in the Cookies Policy.
  9. Public authorities, at the request of authorised bodies, on the basis of applicable law.
  10. Legal and tax advisers, to the extent necessary for the establishment, exercise or defence of legal claims.

The Controller does not sell users' personal data to third parties. Users' Content (Photographs of clothing, reference photographs) is not shared with data brokers or advertising networks, nor is it used by the AI model providers to train their models.

Nature of the Use of AI Models

  1. The Generation of a photograph is performed by AI models in a probabilistic manner; the result is not deterministic and may differ with each generation, even from the same input data. Complaints concerning defective results are governed by the Terms of Service (a Credit refund in the case of manifest defects).
  2. The user's Content (Photographs of clothing, reference photographs, selfies for the "own model" feature) is transmitted to the AI model providers solely for the purpose of performing the given Generation. The Controller deletes the Content from the providers' systems promptly after the result has been successfully delivered, using the data-deletion interfaces made available by the providers. The AI model providers do not use the submitted Content to train or fine-tune their models; the Controller concludes a data processing agreement (DPA) containing such an undertaking with each provider.
  3. A Generation does not constitute automated decision-making within the meaning of Art. 22 GDPR; the Generation result is graphic content delivered to the user for any use, and not a decision producing legal effects concerning her or significantly affecting her situation.
  4. The full list of the Controller's subprocessors, including the exact name of the virtual try-on model provider, is made available to the user upon a written request sent to [email protected].

§5. Transfers of Data Outside the EEA

  1. Some of the entities to which the Controller entrusts the processing of data have their registered office outside the European Economic Area (EEA), in particular in the United States. This applies in particular to: Cloudflare, Inc., OpenRouter, Inc., Google LLC (Gemini API and Google Analytics 4), the specialised virtual try-on model provider (USA), Formsubmit.co, as well as Apple Inc. and Google LLC in respect of push notifications and app stores.
  2. Transfers of data to the USA take place on the basis of the EU-US Data Privacy Framework (European Commission implementing decision of 10 July 2023) or Standard Contractual Clauses (SCC) approved by the European Commission, in accordance with Art. 46 GDPR.
  3. The Controller uses only providers that ensure an adequate level of personal data protection in accordance with the requirements of the GDPR.
  4. In the event that a data transfer mechanism is invalidated or changed, the Controller will promptly take steps to ensure that the transfer complies with applicable law.

§6. Data Retention Period

Category of dataRetention period
Account data (email, first name, avatar)Until the Account is deleted by the user or the Controller + 30 days (for possible restoration)
Photographs of clothing uploaded for a GenerationUp to 90 days from the last Account activity, then automatically deleted
Raw reference photographs (selfies) for the "own model" feature30 days from creation of the model, then automatically deleted. Only the embedding remains within the Application.
Own model embeddingUntil the model is deleted by the user or the Account is deleted
Generated Content (Archive)Until the specific Generation is deleted by the user or the Account is deleted
Transaction history (Pack purchases, invoices)5 years from the end of the tax year (accounting obligation)
Contact-form data / complaint correspondenceUntil the request has been dealt with + 12 months
Server logs (IP addresses, technical data)Up to 90 days
Analytics data (cookies on the Website)In accordance with the Cookies Policy, up to 14 months
Data for the establishment/defence of claimsUntil the expiry of the limitation period (up to 6 years)
  1. Once the retention period has expired, the data is permanently deleted or anonymised.
  2. Where an Account is deleted, the user's data is deleted promptly (with a 30-day restoration window), with the exception of data the retention of which is required by law (e.g. transaction data, 5 years).

§7. Rights of the User

Under the GDPR, the user has the following rights:

  • Right of access (Art. 15), to obtain information about the data processed, including a copy of the data.
  • Right to rectification (Art. 16), to correct inaccurate data or complete incomplete data.
  • Right to erasure (Art. 17), to request deletion of the data (the "right to be forgotten"). The user may delete her Account herself in the Application settings. This right does not apply to data the retention of which is required by law.
  • Right to restriction (Art. 18), to restrict the processing of data in certain cases.
  • Right to data portability (Art. 20), to receive the data in a structured, commonly used and machine-readable format.
  • Right to object (Art. 21), to object to processing based on the Controller's legitimate interest, including objection to the use of anonymised Content for training AI models.
  • Right to withdraw consent (Art. 7(3)), at any time, without affecting the lawfulness of processing carried out beforehand. This applies in particular to consent to analytical and marketing cookies and to consent to the "own model" feature.
  • Right to lodge a complaint, with the supervisory authority: the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).

To exercise the above rights, please contact the Controller at [email protected]. The Controller will deal with the request within 30 days. In the case of complex or numerous requests, this period may be extended by a further 60 days, of which the Controller will inform the user.

§8. Data Security

  1. The Controller applies appropriate technical and organisational measures to protect personal data, including:

    • SSL/TLS encryption, all communication with the Application and the Website takes place over an encrypted HTTPS connection.
    • Encryption of data at rest, Photographs of clothing, reference photographs and Generated Content are stored in encrypted object storage.
    • Password hashing, passwords (for email login) are stored solely as a bcrypt hash.
    • Token-based authentication, Application sessions are based on signed tokens, which can be revoked.
    • No storage of card details, payment data is processed exclusively by the Apple App Store / Google Play.
    • Access control, access to data is limited to authorised persons, with an access log.
    • Restrictions on photograph processing, raw reference photographs are deleted after 30 days; photographs of clothing after 90 days from the last activity.
  2. Notwithstanding the above safeguards, the Controller is unable to guarantee the complete security of data transmitted over the Internet. The user is responsible for securing her own device and login credentials.

§9. Personal Data Breach

  1. In the event of a personal data breach that may result in a risk to the rights or freedoms of natural persons, the Controller will report such breach to the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) without undue delay, and no later than 72 hours after becoming aware of the breach (Art. 33 GDPR).
  2. Where a personal data breach may result in a high risk to the rights or freedoms of natural persons, the Controller will promptly inform the affected users (Art. 34 GDPR), including of the nature of the breach, the possible consequences, and the remedial measures.

§10. Profiling and Automated Decision-Making

  1. The Application uses AI models to generate photographs (including the virtual try-on of clothing on a model). This is carried out solely at the user's request and does not constitute automated decision-making within the meaning of Art. 22 GDPR, as it produces no legal effects and does not significantly affect the user's situation.
  2. The marketing Website may use analytics tools (on the basis of consent) that create aggregated audience segments for statistical purposes; details are set out in the Cookies Policy.

§11. Children's Personal Data

  1. The Application and the Website are not intended for persons under 16 years of age. The Controller does not knowingly collect children's personal data.
  2. Uploading photographs depicting minors to the Application is prohibited (in accordance with §5 of the Terms of Service). If the Controller becomes aware that the Content contains the likeness of a child or that an Account belongs to a person under 16 years of age, it will promptly delete the relevant data and block the Account.

§12. Obligation to Provide Data

  1. Providing Account data (email address) is voluntary but necessary to create an Account and use the Application.
  2. Uploading photographs of clothing is voluntary and necessary to perform a Generation.
  3. Uploading reference photographs for the "own model" feature is entirely voluntary; without them, that feature is unavailable, but the other features of the Application function normally.
  4. Giving consent to analytical and marketing cookies on the Website is voluntary and does not affect the ability to use the Website or the Application.

§13. Changes to the Privacy Policy

  1. The Controller reserves the right to amend this Privacy Policy at any time, in particular in order to adapt it to changes in the law, technological changes or changes in the scope of data processing.
  2. The Controller will inform users who hold an Account of material changes by email or by notification within the Application, at least 14 days in advance.
  3. We recommend reviewing the content of this Policy regularly; it is available at vougly.app/privacy-policy.

§14. Controller's Details

Windify Digital Services
ul. Płocka 127/16, 87-800 Włocławek
NIP: 8943145650 · REGON: 384382857
Contact: [email protected]