Legal Entity Information
Driply B.V.
Chamber of Commerce (KVK): 12345678
VAT Number (BTW): NL123456789B01
Registered Address: [Street Address], [Postal Code] [City], Netherlands
Data Controller: Driply B.V.
Privacy Officer: [email protected]
General Support: [email protected]
1. Data Controller
Driply B.V. is the data controller responsible for processing your personal data. However, for certain data processing activities (particularly those involving third-party services as described in section 11), the external company providing the service may act as the data controller for their specific processing activities.
Supervisory Authority
For privacy complaints, you may contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
- Website: autoriteitpersoonsgegevens.nl
- Phone: +31 (0)70 888 8500
- Address: Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands
Alternative: You may also lodge a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.
2. Data We Collect
2.1 Personal Information
- Account Data: Name, email address, date of birth (if provided), username, password
- Profile Data: Profile picture, bio, preferences, style preferences
- Wardrobe Data: Photos and descriptions of items in your digital wardrobe
2.2 Usage Data
We collect certain information automatically when you use our app:
Strictly Necessary Usage Data (Always Collected)
- Device Information: Device type, operating system, app version, device identifiers
- Log Data: IP address, date and time of access, crash reports, error diagnostics
- Security Data: Session identifiers, authentication checks, login attempts
Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) and contractual necessity
Optional Usage Data (Consent-Based)
- Analytics Data: App interactions, feature usage, navigation patterns, performance metrics
- Personalization Data: Style preferences, outfit ratings, feedback on recommendations
Legal Basis: Consent (Art. 6(1)(a) GDPR) via Usercentrics Consent Banner
3. How We Use Your Data
- Service Provision: To provide and improve app functionality, including personalized outfit recommendations
- User Experience: To analyze usage patterns and enhance user experience
- Communication: To communicate updates, features, or support
- Security: To detect and prevent fraud, abuse, and security incidents
- Legal Compliance: To comply with legal obligations and enforce our terms
4. Legal Basis for Processing
- Consent (Art. 6(1)(a) GDPR): For optional analytics and personalization features
- Contract (Art. 6(1)(b) GDPR): To fulfill obligations under the Terms of Service
- Legitimate Interests (Art. 6(1)(f) GDPR): To improve services, ensure security, and prevent fraud
- Legal Obligation (Art. 6(1)(c) GDPR): To comply with laws and regulations
5. Data Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Until account deletion + 30 days | Contract performance |
| Wardrobe Photos | Until account deletion + 30 days | Contract performance |
| Authentication Logs | 12 months | Security & fraud prevention |
| Analytics Data (GA4) | 2 months (default), 14 months (configurable) | Consent |
| Firebase Analytics | Until deletion + 30 days | Contract performance |
| Error Logs | 90 days | Service improvement |
| Billing Records | 7 years | Legal obligation (tax) |
Account Deletion: Upon account deletion, personal data is securely erased within 30 days, except where legal retention obligations apply.
Analytics Retention: Google Analytics 4 (GA4) retention is configurable. By default, we use 2-month retention for analytics data. You can request 14-month retention for enhanced insights, but this requires explicit consent.
6. Children's Data Protection
Our services are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16.
Age Verification: If you are between 16-18 years old, you may use our services with appropriate parental or guardian consent as required by applicable law.
Parental Rights: If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at [email protected]. We will take steps to delete the information and verify the child's age.
Note: Under GDPR, the minimum age for digital consent in many EU countries, including the Netherlands, is 16 years old.
7. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
7.1 Core Rights
- Right of Access (Art. 15): Request a copy of your personal data and processing information
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request limitation of processing under certain conditions
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
7.2 Consent Management
- Right to Withdraw Consent: Withdraw consent for consent-based processing at any time
- Consent Preferences: Manage your consent preferences via the Usercentrics Consent Banner
7.3 How to Exercise Your Rights
To exercise these rights, you can:
- Email: [email protected]
- DSR Form: Complete our Data Subject Rights Request Form
- Postal: [Street Address], [Postal Code] [City], Netherlands
Response Time: We will respond to your request within 30 days. Complex requests may take up to 60 days.
8. Data Security
We implement comprehensive technical and organizational measures to protect your data:
8.1 Technical Measures
- Encryption: Industry-standard encryption at rest and in transit
- Access Control: Role-based access control (RBAC), multi-factor authentication
- Network Security: Firewalls, intrusion detection, DDoS protection
- Application Security: Regular security testing, vulnerability assessments
8.2 Organizational Measures
- Employee Training: Regular privacy and security training
- Incident Response: Documented incident response procedures with 24-hour SLA
- Vendor Management: Annual sub-processor security reviews
- Data Minimization: Collecting only necessary data for specified purposes
9. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
9.1 Transfer Safeguards
- EU-US Data Privacy Framework (DPF): For US-based services that have received adequacy decisions
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements for other international transfers
- Adequacy Decisions: For countries with EU adequacy status
9.2 Transfer Locations
Data may be transferred to:
- United States: Via DPF or SCCs for services like Firebase, OpenAI
- European Union: Direct transfers within EEA
- Other Countries: Only with appropriate safeguards
10. Sub-Processors & Vendor Matrix
The following third-party services process your data as sub-processors under our Data Processing Agreements (DPAs):
| Vendor | Purpose | Data Processed | Region | Legal Basis | Transfer Safeguard | Data Location | Retention Default | ZDR Available | Vendor Policy |
|---|---|---|---|---|---|---|---|---|---|
| Google Firebase | App infrastructure, storage, analytics | User data, app usage, crash reports | EU/US | Contract + Legitimate Interest | DPF/SCCs | EU (primary), US (backup) | Until deletion + 30 days | No | Firebase Privacy |
| OpenAI | AI-powered outfit recommendations | Wardrobe data, preferences (anonymized) | US | Contract | SCCs | US | Up to 30 days (abuse monitoring) | Yes (eligible endpoints) | OpenAI Privacy |
| OpenWeather | Weather data for outfit suggestions | Location/ZIP code (processed) | EU | Contract | Direct transfer | EU | No personal data stored | N/A | OpenWeather Privacy |
| Nominatim (OSM) | Geocoding services | Location text (processed) | EU | Contract | Direct transfer | EU | No personal data stored | N/A | OSM Privacy |
| RevenueCat | Subscription management | Purchase history, subscription status | US | Contract | SCCs | US | 7 years (billing) | No | RevenueCat Privacy |
| Usercentrics | Consent management | Consent preferences, consent history | EU | Legitimate Interest | Direct transfer | EU | Until consent withdrawal | No | Usercentrics Privacy |
Sub-Processor Updates: We will notify you of any new sub-processors at least 30 days in advance via email or app notification.
Zero Data Retention (ZDR): OpenAI offers ZDR for eligible endpoints, which means API data is not retained for abuse monitoring. Contact us to enable ZDR for your account if needed.
12. Automated Decision Making & AI
Our service uses artificial intelligence to provide personalized outfit recommendations:
12.1 AI Processing
- Purpose: Generate personalized outfit suggestions based on your wardrobe and preferences
- Data Used: Your wardrobe photos, style preferences, weather data, and usage patterns
- Processing: Automated analysis using machine learning algorithms
12.2 Your Rights
- Human Review: You can request human review of AI-generated recommendations
- Explanation: We can explain how recommendations are generated
- Opt-Out: You can opt out of AI-powered features (may limit functionality)
Important: AI-generated outfit suggestions are advisory only and do not have legal significance. You remain responsible for your clothing choices.
13. Updates to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will notify you of material changes via:
- Email notification to your registered email address
- In-app notification
- Updated version available in the app settings
Continued Use: Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
14. Contact & Data Subject Rights
For privacy questions, concerns, or to exercise your data subject rights:
14.1 Contact Information
- Privacy Officer: [email protected]
- General Support: [email protected]
- Postal Address: [Street Address], [Postal Code] [City], Netherlands
14.2 Data Subject Rights Requests
To exercise your GDPR rights, you can:
- Email: Send detailed request to [email protected]
- Postal: Send written request to our registered address
- In-App: Use the privacy settings in the Driply app
14.3 Response Timeline
- Standard Requests: Response within 30 days
- Complex Requests: Response within 60 days (with notification)
- Urgent Requests: Expedited processing for urgent matters