Privacy Policy
Last updated: · Version 1.0 (draft)
Draft for legal review. This document is written to align with the EU/UK GDPR and Türkiye’s KVKK (Law No. 6698). Placeholders in [brackets] must be completed and the text reviewed by qualified counsel before launch. A Turkish-language version must accompany this policy for users in Türkiye.
1. Who we are (Data Controller)
DRIPX is operated by [Legal entity name], [registered address], [country]. For privacy questions, contact privacy@dripx.app. [If a Data Protection Officer / KVKK data controller representative (VERBİS) is appointed, list their contact details here.]
2. What we collect
- Account & identity: email address, authentication provider (Apple, Google or email), your handle, and date of birth (used only to derive an age band, not shown publicly).
- Profile & avatar: display name, bio, profile photo and avatar configuration.
- Wardrobe & photos: images you add and derived pixel sprites. Background removal runs on your device where possible; original photos are stored privately and are not public.
- Social content: posts, share cards, comments, likes, follows and borrow requests you create.
- Usage & diagnostics: aggregated product analytics and crash reports to keep the app working and improve it.
- Device & notifications: a push notification identifier and basic device information, only if you enable notifications.
- Purchases: subscription status for DRIPX+ (processed by the app stores and RevenueCat; we do not receive your card details).
- Approximate location: only if you allow it, and only to suggest weather-appropriate outfits. It is not stored with your profile.
3. Why we use it and our legal bases
We process personal data on the following legal bases (GDPR Art. 6 / KVKK Art. 5):
- Performance of a contract: to provide the core features — closet, avatar, outfits, share cards and social interactions.
- Consent: for analytics, crash reporting, push notifications and location-based suggestions. You can withdraw consent at any time.
- Legitimate interests / legal obligation: to keep the service secure, moderate content for safety, prevent abuse, and comply with applicable law.
- Protection of minors: date of birth is used to keep accounts of users under 18 private by default and to restrict their discoverability.
4. On-device processing
Wherever feasible, image processing (e.g. background removal) happens on your device, so your photos are not sent to a server for that step. AI enrichment that requires a server (tagging, sprite generation, optional AI Studio, content moderation) is described below.
5. Service providers & international transfers
We share the minimum data necessary with vetted processors who act on our instructions. These may process data outside your country, including outside the EEA/UK/Türkiye, under appropriate safeguards (e.g. Standard Contractual Clauses). Current providers:
- Supabase — authentication, database, storage and edge functions.
- OneSignal — push notifications (only if enabled).
- PostHog — product analytics (only with consent).
- Sentry — crash and error reporting (only with consent).
- RevenueCat and the Apple App Store / Google Play — subscription management and billing.
- AI & media providers for garment enrichment and safety: Google Gemini (tagging), Photoroom / remove.bg (background removal), Hive (content moderation), OpenWeather (weather). Only the specific image or query needed for the task is sent; these providers act as processors.
[Confirm the final list of sub-processors and their transfer mechanisms with counsel, and publish a sub-processor list if required.]
6. Retention
We keep your data while your account is active. When you delete your account, your profile, wardrobe, posts and related content are permanently deleted, except where we must retain limited records to meet legal obligations (e.g. transaction or safety records) for the period required by law. Aggregated, non-identifying analytics may be retained.
7. Children & minors
DRIPX is not for children under 13, and we do not knowingly collect their data. Users under 18 have private accounts by default with restricted discovery and social features. [Confirm age thresholds and any parental-consent requirements for your target markets with counsel.]
8. Your rights
Depending on where you live, you have rights to access, correct, delete, restrict or object to processing, to data portability, and to withdraw consent (GDPR Art. 15–22; KVKK Art. 11). You can export or permanently delete your account and data at any time in Settings → Privacy & data. Deletion is irreversible. To exercise other rights, email privacy@dripx.app. You may also lodge a complaint with your local supervisory authority (in Türkiye, the KVKK Board).
9. Security
We use industry-standard measures including encryption in transit, access controls and row-level security on our database. No method of transmission or storage is 100% secure.
10. Cookies (website)
This marketing website uses only essential cookies/local storage needed to function. The DRIPX app does not use advertising cookies.
11. Changes
We will update this policy as the product evolves and note the “Last updated” date above. Material changes will be communicated in-app or by email.
12. Contact
Privacy: privacy@dripx.app · Support: support@dripx.app