A privacy policy matched to the implemented data flows.

This Privacy Policy is tailored to the Closette application as it currently exists in code and names Knightify FlexCo as the operator of the product. It covers account creation, contact requests, wardrobe and image uploads, AI-assisted analysis and styling, weather personalization, premium billing, private sharing, inspiration features, and the export and deletion tools built into the product.

Controller

Name: Knightify FlexCo

Address: Kelsenstrasse, 1030 Vienna, Austria

Email: [email protected]

Version

Effective date: April 2, 2026

Primary market assumption: Austria / EU

Supervisory authority: Austrian Data Protection Authority (Datenschutzbehörde)

1. What data we process

Account and security data

Name, email address, hashed password, email-verification status, locale, timezone, avatar path, password-reset data, session records, IP address, user agent, and two-factor authentication data including encrypted recovery-code material.

Contact-request data

Name, email address, optional company name, inquiry topic, message content, privacy-policy acknowledgement timestamp, IP address, user agent, and internal handling status for messages submitted through the public contact form.

Wardrobe and profile data

Wardrobe items, uploaded images, AI tags, wear history, perfumes, accessories, saved looks, outfit suggestions, outfit requests, outfits, user preferences, favorite and disliked colors, sizes, notification preferences, privacy settings, and feedback you leave on suggested collections.

Location and weather data

A manually entered city or, if you choose the browser location option, latitude, longitude, and a derived location label used to retrieve weather context. Browser geolocation is optional and permission-based.

AI and recommendation data

Prompts, structured outputs, confidence scores, normalized extraction fields, stylist chat messages, context snapshots, recommendation scores, daily look allowance checks, limited memory values, outfit-refinement payloads, collection-rating feedback, and model/provider metadata needed to generate and review AI-supported outputs.

Sharing and inspiration data

Shared collections, invitee email addresses, acceptance and revocation records, shared comments, style posts, likes, comments, style boards, moderation status, moderation notes, and AI-generated style signatures.

Billing and operational data

Stripe customer and subscription identifiers, payment-method type and last four digits where available, trial information, subscription status, subscription items, membership-related quota values, administrator adjustments such as bonus daily looks, audit logs, and AI incident notices sent to administrators.

2. How we collect data

Directly from you when you register, fill in forms, upload images, use the stylist, edit preferences, purchase premium access, create shared collections, or publish inspiration content.
Directly from you when you submit a contact request to Knightify FlexCo through the public contact form.
From your device or browser when session, security, or geolocation features are used.
From third-party sign-in providers when you choose Google or Apple login.
From payment and service providers such as Stripe, email infrastructure, AI providers, and weather providers when they return data needed to complete the requested service.

3. Why we process your data and the legal bases

Purpose

Legal basis

Providing your account, wardrobe tools, stylist features, saved looks, sharing features, premium access, data export, and account deletion.

Art. 6(1)(b) GDPR, performance of a contract or pre-contractual steps.

Receiving, reviewing, and answering product, partnership, premium, investor, or general contact requests submitted through the public form.

Art. 6(1)(b) GDPR for pre-contractual requests and Art. 6(1)(f) GDPR for general business communication and follow-up.

Processing payments, retaining financial records, and handling tax, accounting, and mandatory compliance obligations.

Art. 6(1)(c) GDPR, legal obligation.

Generating daily looks, enforcing membership-based daily limits, and using your ratings to personalize future recommendations inside the service you requested.

Art. 6(1)(b) GDPR, performance of a contract or pre-contractual steps.

Protecting the service, investigating abuse, logging critical actions, moderation, access control, and system security.

Art. 6(1)(f) GDPR, legitimate interests.

Using optional browser geolocation for weather-aware personalization and any future non-essential processing you choose to enable.

Art. 6(1)(a) GDPR, consent, where required.

4. AI processing and automated decision-making

Closette uses AI-supported processing to classify uploaded wardrobe and catalog images, derive style-signature context from inspiration images, refine outfits, generate daily looks, learn from collection ratings, and respond in the premium stylist chat. This processing may include images, item metadata, preferences, weather context, recent outfit history, membership-related limits, and message content that you choose to submit.

In general terms, suggestion ranking can be influenced by factors such as category balance, color harmony, seasonality, wear history, weather relevance, recent outfit usage, and positive or negative feedback that you leave on suggested collections. The implemented product is designed so AI output supports user decisions rather than replacing them. AI-generated tags can be reviewed or overridden, and the service is not intended to make solely automated decisions producing legal or similarly significant effects within the meaning of Art. 22 GDPR.

5. Recipients and service providers

We may disclose personal data to the following categories of recipients where necessary to operate the service:

Hosting, database, storage, and infrastructure providers.
Email delivery providers for account, security, and operational emails.
Stripe for checkout, subscription management, billing portal access, and payment-related status updates.
AI providers configured in the application, currently including OpenAI and Anthropic-related processing paths.
Open-Meteo for weather and reverse-geocoding requests.
Google or Apple if you choose social sign-in.
Other users you intentionally share with through invites, comments, or visible inspiration features.
Authorized administrators who need access for moderation, support, operations, billing, or security review.

6. International data transfers

Some service providers used by Closette may process data outside Austria or the EEA, including in the United States or other third countries. This is especially relevant for payment infrastructure, social sign-in providers, and AI providers. Where such transfers occur, they should be covered by an adequacy decision, standard contractual clauses, or another transfer mechanism recognized under Chapter V GDPR.

This statement is based on the configured providers and is an inference from the codebase; you should confirm the exact processor list and transfer mechanisms used in production before publishing.

7. Cookies, sessions, and similar technologies

The current application uses essential session and security functionality, including database-backed sessions and cookies required for authentication, CSRF protection, and keeping you signed in. The configured session lifetime is 120 minutes of inactivity unless changed in deployment configuration.

The app also registers a service worker for progressive-web-app behavior and may use browser APIs needed for offline shell behavior or geolocation. We have not identified analytics, advertising, or tracking-pixel integrations in the current codebase. If non-essential cookies, analytics, or marketing tools are added later, Austrian telecom and data-protection rules may require prior consent before they are activated.

8. Retention

Account, wardrobe, preference, sharing, inspiration, and recommendation-feedback data are generally kept until you delete them, delete your account, or they are no longer needed for the service.
Contact submissions are retained only as long as reasonably necessary to process the request, manage follow-up, and maintain appropriate business records, unless a longer retention period is required by law or justified for legal defense.
Temporary upload-status cache entries for AI processing are currently stored for up to six hours.
Premium billing, quota-adjustment logs, and related payment-reference data may be retained as required for accounting, tax, fraud-prevention, subscription record-keeping, and support accountability.
Audit logs may be retained in minimized form after account deletion where needed for accountability, abuse prevention, or legal defense. The current schema is designed to null user foreign keys on deletion while preserving minimal audit metadata.
Session and cache data are retained according to technical configuration and cleanup cycles.

9. Your GDPR rights

Subject to the conditions of the GDPR and applicable Austrian law, you have the right to information, access, rectification, erasure, restriction of processing, data portability, objection, and to withdraw consent at any time with future effect where processing is based on consent.

The current application already includes self-service tools for exporting personal data and deleting an account from the settings area. You may also contact the controller using the details above to exercise your rights.

10. Complaints

If you believe that processing of your personal data breaches data-protection law, you may lodge a complaint with a supervisory authority. In Austria, this is the Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria, email: [email protected].

11. Changes to this policy

We may update this Privacy Policy where product functionality, legal requirements, processors, or data flows change. The latest version will be published on this page with an updated effective date.