Privacy Policy
Data Controller
sök is a mobile fashion-styling application operated by Anastasiia Tokar
(sole proprietor, Poland), acting as data controller within the meaning of
the EU General Data Protection Regulation (Regulation (EU) 2016/679,
"GDPR").
All privacy inquiries and data-subject requests should be directed to:
[email protected]
Personal Data Collected
- Account data — email address and authentication credentials, collected at registration.
- Style profile — aesthetic preferences, body silhouette, colour analysis responses, fashion experience level, gender presentation (used solely to scope recommendations), home city for weather-based styling, and style-axis settings configured during onboarding.
- Wardrobe content — photographs of garments uploaded by the user, together with AI-generated metadata (category, colours, fabric, season) and user-supplied notes.
- Inspiration board — images saved by the user as style references.
- Outfit history — AI-composed daily outfits, user approval or rejection events, item-swap actions, and wear logs.
- Feedback signals — ratings on outfit suggestions and chat responses, swipe interactions on the Discover feed, and free-text corrections submitted to the AI stylist.
- Usage counters — daily tallies of AI-feature usage, retained for plan-limit enforcement.
sök does not collect device identifiers, advertising IDs, contact lists,
microphone audio, or precise geolocation data.
Legal Basis for Processing
- Performance of a contract (Art. 6(1)(b) GDPR) — processing necessary to deliver the styling service to which the user has subscribed.
- Legitimate interests (Art. 6(1)(f) GDPR) — processing of feedback signals to improve recommendation quality. Users may withdraw from this processing at any time by deleting their account.
sök does not process personal data for direct marketing purposes and does
not rely on consent as a legal basis for any current processing activity.
Sub-Processors and International Data Transfers
Personal data is disclosed to the following sub-processors, solely to the
extent necessary to operate the service:
- Supabase (Singapore / United States) — relational database, authentication infrastructure, and object storage.
- Anthropic (United States) — large language model provider. Style profile text and wardrobe item metadata are transmitted per request; photo URLs are transmitted where visual context is required (e.g. inspiration board processing).
- remove.bg / Kaleido (Germany) — background removal applied to each uploaded garment photograph.
- SerpAPI (United States) — image search proxy used to source retailer product photographs for wardrobe gap recommendations.
- Open-Meteo (Germany) — weather forecast data retrieved for the user's home city to inform outfit suggestions.
Transfers of personal data to sub-processors located outside the European
Economic Area are conducted pursuant to Standard Contractual Clauses
adopted under Art. 46(2)(c) GDPR, or such other lawful transfer mechanism
as may apply.
Data Retention
Personal data is retained for the duration of the user's account. Upon
account deletion (initiated via Settings → Delete my account), all
associated records — including wardrobe items, outfit history, feedback
signals, and stored files — are permanently deleted within 24 hours.
Deleted accounts are not retained in backup systems.
Anonymised operational logs generated by edge functions may be retained
for up to 30 days for security and debugging purposes.
Data Subject Rights
Under the GDPR, users have the right to:
- Obtain access to their personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure of personal data (Art. 17) — exercisable via the in-app deletion flow or by written request
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Lodge a complaint with the supervisory authority, the Polish Personal Data Protection Office (UODO) — uodo.gov.pl
Requests should be submitted to
[email protected].
Responses will be provided within 30 days of receipt.
Minors
The service is not directed to individuals under 16 years of age. sök does
not knowingly collect personal data from minors. Where such data is
identified, it will be deleted without delay upon notification to
[email protected].
Security Measures
All data is encrypted in transit via TLS. Access to production systems is
restricted to the data controller. Stored photographs are accessible only
via time-limited signed URLs; access is scoped to the authenticated user
and authorised server-side functions.
Amendments
This policy may be updated from time to time. Material changes will be
reflected by a revised effective date. Continued use of the service
following publication of an updated policy constitutes acceptance of the
revised terms.