Privacy Policy

Last updated: May 3, 2026 · Effective: May 3, 2026

Curate ("Curate", "we", "us", or "our") operates the Curate virtual try-on Chrome extension, the companion mobile experience, and the website at curatefashions.com (collectively, the "Service"). This Privacy Policy explains what personal information we collect when you use the Service, how we use and share it, the safeguards we apply, and the choices and rights you have over your data. By creating an account or otherwise using the Service, you confirm that you have read this policy and consent to the practices described below.

1. Information we collect

Account information

When you create an account we collect your email address, display name, profile picture (if provided), and authentication identifiers from your sign-in provider (Google, Apple, or email/password). Authentication is handled by Firebase Authentication, a Google service. We never see or store your password directly when you sign in with a federated provider; for email/password we store only a salted, hashed credential.

Photos and body data

• User photos — full-body or selfie images you upload so the Service can generate virtual try-on results. We store the originals plus any AI-enhanced versions on AWS S3 with delivery via CloudFront.

• Body measurements — chest, waist, hips, height, weight, inseam, shoulder, and arm length. Provided voluntarily and editable from your profile screen at any time. Used to generate accurate size recommendations.

• Generated try-on images — the synthetic images produced by our AI when you try on a product. Tied to your account and visible only to you unless you explicitly share them.

• Saved looks and closet items — products and outfits you mark as saved, along with their source URL, brand, and image references.

Browsing context (extension only)

When you click an action button (Try On, Check Size, Find Similar) on a supported retail site, the extension reads from the active tab the product's page URL, image URLs, name, brand, category, price, and the size chart HTML. This data is transmitted to our backend only after an explicit click. The extension does not stream tab content to us in the background, does not run on non-shopping sites, and does not have host permissions for sensitive domains such as banks, government services, or healthcare providers.

Device and usage data

• Browser type and version, operating system, screen size, and approximate region (derived from IP).

• Anonymized event metrics: which features are used, how long try-on jobs take, and which retailers see most traffic.

• Error logs, including stack traces and the time of the error. Logs do not include the contents of your photos or chat messages.

Cookies and local storage

We use Firebase session cookies to keep you signed in across page reloads, and Chrome local storage to cache your preferences (language, panel size, recently viewed products). We do not use third-party advertising cookies, browser fingerprinting libraries, or cross-site tracking.

2. How we use your information

We use the data described above only for the following purposes:

• To run the core try-on, size recommendation, similar-products, and stylist chat features.

• To authenticate you and protect your account from unauthorized access.

• To improve our AI models — only with aggregated and anonymized signals. We do not use your individual photos or measurements to train third-party models.

• To communicate operational notices, security alerts, and (only if you opt in) feature announcements.

• To detect and prevent fraud, abuse, and violations of our Terms of Service.

• To comply with applicable legal obligations.

We do not sell your personal information, share it with advertising networks, or use it for purposes unrelated to the Service.

3. Legal basis for processing (EEA / UK users)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

• Performance of a contract — to provide the Service you signed up for.

• Consent — for optional features such as marketing emails and the use of your photos in opt-in product showcases.

• Legitimate interests — to debug, secure, and improve the Service in ways that do not override your rights and freedoms.

• Legal obligation — to comply with subpoenas, tax law, anti-money-laundering rules, and similar requirements.

You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Third-party services

We use a small number of vetted sub-processors. Each is bound by a data-processing agreement that requires appropriate technical and organizational safeguards.

• Firebase Authentication (Google LLC) — sign-in and identity management.

• Google Gemini API (Google LLC) — AI image generation for try-on results, size analysis, and stylist chat. Photos and product context are sent under Google's enterprise terms; Google does not retain or use this data to train its public models.

• Stripe, Inc. — subscription billing. Stripe processes card details directly under PCI-DSS compliance; we never receive raw card numbers.

• Amazon Web Services (S3, CloudFront, ECS Fargate, SSM, IAM) — image storage, image delivery, application hosting, and secret management. Region: US East (N. Virginia).

• MongoDB Atlas (MongoDB Inc.) — primary database for accounts, closet items, and saved recommendations. Region: AWS US East.

• PostHog — product analytics for anonymized event metrics. No personally identifying data is sent.

• Sentry — error tracking and crash reporting. Stack traces and minimal device metadata only.

We review this list at least annually and will update it here whenever a sub-processor is added or removed.

5. Data storage and security

We take the protection of your data seriously and apply the following measures:

• All data in transit is encrypted using TLS 1.2 or higher.

• Photos and try-on results stored in S3 are encrypted at rest with AES-256 (SSE-S3).

• API access requires authenticated bearer tokens; tokens expire and are rotated.

• Production databases are accessible only from our backend over a private VPC with IP allow-listing.

• Secrets are stored in AWS SSM Parameter Store; no credentials are committed to source control.

• Access to production systems is limited to a small number of engineers under the principle of least privilege, with all access logged.

No system is perfectly secure. If you suspect unauthorized access to your account, email us immediately at security@curatefashions.com and we will investigate within 24 hours.

6. Data retention and deletion

• Account record — retained while your account is active.

• Photos and try-on results — retained until you delete them in the app or close your account.

• Body measurements — retained until you clear them in the profile screen or close your account.

• Logs and analytics events — retained for up to 90 days, then deleted or anonymized.

You can delete your account at any time from the extension's profile screen (Profile → Settings → Delete Account). We complete deletion of your photos, measurements, saved looks, and account record within 30 days of your request. Encrypted backups containing your data roll off within an additional 60 days. Some minimal records may be retained longer if required by law (for example, financial records for tax purposes).

7. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.

• Correct inaccurate or incomplete data.

• Delete your data ("right to erasure").

• Receive a copy of your data in a portable format.

• Restrict or object to certain processing.

• Lodge a complaint with a supervisory authority.

California residents have specific rights under CCPA/CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.

To exercise any right, email privacy@curatefashions.com from the address tied to your account. We will respond within 30 days, or sooner where the law requires it.

8. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact privacy@curatefashions.com and we will delete the information promptly.

9. International data transfers

Curate is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., where data protection laws may differ from those in your country. Where required by law, we rely on Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office to govern these transfers.

10. Changes to this policy

We may update this Privacy Policy from time to time as the Service evolves or as legal requirements change. Material changes will be announced via in-product notice or by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the latest revision. Continued use of the Service after the effective date of an update constitutes acceptance of the revised policy.

11. Contact

For questions, requests, or complaints about this Privacy Policy or about how your data is handled:

• General privacy and data-rights requests — privacy@curatefashions.com

• Security concerns — security@curatefashions.com

• Product support — support@curatefashions.com

We aim to respond to every privacy or security email within two business days.

See how clothes look on you before you buy. Shop with confidence, not guesswork.

Curate © 2026. All rights reserved.
