Privacy Policy

This Privacy Policy explains how Jupetto (Pty) Ltd, trading as FVLBI ("FVLBI", "we", "us"), a company being incorporated in the Republic of South Africa, collects, uses, stores, shares, and protects personal information when you use our website at fvlbi.com, our web application at app.fvlbi.com, and our mobile applications (collectively, the "service").

We are committed to processing your personal information lawfully, fairly, and transparently in accordance with the Protection of Personal Information Act 4 of 2013 of the Republic of South Africa ("POPIA"), the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR where they apply, and other applicable data protection laws.

Jupetto (Pty) Ltd, trading as FVLBI, is the responsible party under POPIA and the data controller under the GDPR for personal information processed through the service.

• Legal name: Jupetto (Pty) Ltd, trading as FVLBI
• Country of incorporation: Republic of South Africa
• Company registration number: [CIPC registration number to be inserted upon registration]
• Registered address: [Registered office address to be inserted upon registration]
• Information Officer (POPIA s.55): [Information Officer name and email to be appointed upon registration]
• EU representative (GDPR Art. 27): [EU representative name and contact to be appointed where required]
• Privacy contact: privacy@fvlbi.com

Account information

• Email address from Google or Apple Sign-In. If you use Apple's private email relay, the relay address is what we receive.
• Display name and profile photo when provided by the sign-in provider.
• Authentication tokens, account identifiers, and session metadata.

User-provided content

• Wardrobe photos and related garment metadata (categories, colours, fabrics, fit notes, custom tags).
• Body photos and body measurements when you choose to provide them.
• Style preferences, occasion preferences, prompt inputs, and AI Outputs you save to your account.

Billing and subscription information

• Subscription tier, billing interval, credit balance, transaction identifiers, and refund history. We do not collect or store full payment-card numbers, bank account details, or comparable financial credentials. Card and bank data are collected directly by the payment processor handling the transaction (Polar.sh, Apple, or Google Play).

Automatically collected data

• Device and browser details: IP address, user agent, device model, operating system version, language, screen size, and crash diagnostics.
• Usage information, app interactions, feature events, error logs, and approximate timestamp data used for security, abuse prevention, and product improvement.
• Location information when you grant permission for weather-aware recommendations. We use approximate (city or region-level) coordinates rounded to a low precision sufficient for weather lookup; we do not need or store precise GPS coordinates for this feature.

We use personal information for the purposes listed below. Where the GDPR or UK GDPR applies, our legal bases are shown in brackets.

• Provide the service, including wardrobe analysis, outfit recommendations, image and video previews, and related features (performance of a contract, GDPR Art. 6(1)(b)).
• Process body photos and measurements to generate visualizations (explicit consent for special-category data, GDPR Art. 9(2)(a); for other data, performance of a contract, Art. 6(1)(b)).
• Personalize your experience based on preferences, past selections, and wardrobe data (performance of a contract, Art. 6(1)(b)).
• Handle subscriptions, top-ups, billing support, and account management (performance of a contract, Art. 6(1)(b); legal obligation for tax and accounting records, Art. 6(1)(c)).
• Maintain security, prevent fraud and abuse, enforce our Terms, and protect rights and safety (legitimate interests, Art. 6(1)(f); legal obligation, Art. 6(1)(c)).
• Improve reliability, performance, and product quality through aggregated and anonymized analytics that do not identify you (legitimate interests, Art. 6(1)(f)).
• Send important service messages, security notices, and account updates (performance of a contract, Art. 6(1)(b); legitimate interests, Art. 6(1)(f)).
• Send optional marketing communications where you have opted in (consent, Art. 6(1)(a)). You can withdraw consent at any time by using the unsubscribe link or by emailing privacy@fvlbi.com.

Body photos and measurements are sensitive personal information used to support outfit visualization and personalization. They receive additional protection inside our systems and workflows.

• Body photos are uploaded only when you choose to provide them, and only after you give explicit consent at the point of upload.
• You may skip body photo upload and continue using core wardrobe features.
• You may delete your body photos at any time from your account settings. Deletion removes the file from our active storage and triggers deletion from backups within 30 days.
• FVLBI does not perform facial recognition. We do not use body photos or measurements to identify you and we do not generate biometric templates that uniquely identify a natural person.
• Body photos and measurements are not sold, are not shared with third parties for their own advertising, and are not used to train FVLBI's or its sub-processors' foundation models.

If you reside in Illinois (United States), the Illinois Biometric Information Privacy Act ("BIPA") may apply to certain biometric identifiers. We do not collect biometric identifiers or biometric information as defined by BIPA. If our practices change in a way that triggers BIPA, we will update this Policy and obtain a separate written release before collecting any such information.

FVLBI uses artificial intelligence to generate styling recommendations, image previews, and video previews. AI processing happens through Google Cloud Vertex AI (Gemini family models). Inputs you submit, including your wardrobe photos, body photos, measurements, and prompts, are sent to Vertex AI to produce the AI Outputs you request.

We rely on Google Cloud's contractual commitments that customer content submitted through Vertex AI is not used by Google to train its generally available foundation models, and we do not use your content to train any FVLBI model.

Although the service uses AI to recommend and visualize outfits, we do not make decisions that produce legal effects concerning you or that similarly significantly affect you, within the meaning of Article 22 of the GDPR. AI Outputs are suggestions intended to be reviewed by you. If you believe an AI Output has produced a meaningful adverse effect, contact privacy@fvlbi.com so we can review the issue and, if appropriate, provide human review.

We use the following sub-processors to operate the service. Each one processes only the personal information needed to perform its services for FVLBI under a written agreement that requires it to protect that information.

• Google LLC and Google Cloud EMEA Limited (Firebase Authentication, Firestore, Cloud Storage, Cloud Functions, App Check, App Hosting, and Vertex AI / Gemini): authentication, database, file storage, serverless compute, abuse protection, and AI processing. Data is stored in regions chosen for residency: United States (us-central1, multi-region nam5) and the European Union (europe-west1, multi-region eur3).
• Polar Software Inc. ("Polar.sh"): subscription management and payment processing for web purchases, acting as merchant of record. Polar processes your name, email, billing country, and payment card or alternative payment instrument under its own privacy policy.
• Apple Inc.: Sign in with Apple authentication, App Store and StoreKit 2 subscription processing, and crash diagnostics for iOS users.
• Google Play Billing (Google Commerce Limited or its regional affiliate): subscription processing and receipt validation for Android users.
• OpenWeather Ltd ("OpenWeather"): weather data lookup using approximate location coordinates for context-aware recommendations.
• Vercel Inc.: hosting and edge delivery of the marketing website at fvlbi.com. Vercel processes IP address, request metadata, and standard server logs.
• Sanity.io (Sanity AS): content management system for marketing copy, support articles, and legal pages. Does not process end-user account data.

We may add, remove, or replace sub-processors over time. Material changes will be reflected on this page and, where required, communicated through the service.

Your personal information may be processed in countries other than your own, including the United States, the European Union, the United Kingdom, and the Republic of South Africa. Where required, we use lawful transfer mechanisms, including the European Commission's Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and supplementary technical and organizational safeguards. For users in the Republic of South Africa, transfers comply with section 72 of POPIA.

Account data for users routed to our European database is stored in the European Union (Firestore multi-region eur3 and Cloud Storage europe-west1). Account data for other users is stored in the United States (Firestore multi-region nam5).

We use technical and organizational safeguards designed to protect your personal information.

• Encryption in transit (TLS) and encryption at rest for stored content.
• Restricted access controls, principle of least privilege, and audit logging for internal systems.
• Application-level abuse protection, content moderation, and security monitoring.
• Quarantine workflows for newly uploaded content before it is admitted to permanent storage.

No system is perfectly secure. You are responsible for keeping your account credentials secure and notifying us immediately at security@fvlbi.com if you believe your account has been compromised. If we become aware of a personal information breach, we will notify the relevant supervisory authorities and affected users in accordance with POPIA section 22, GDPR Articles 33 and 34, and other applicable laws.

We retain personal information only for as long as needed to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Indicative retention periods are set out below.

• Account profile and wardrobe data: while your account is active, plus up to 90 days after closure for wind-down, dispute, and security purposes.
• Body photos and measurements: while your account is active, until you delete them, or for up to 30 days from deletion for backup purge.
• AI Outputs you save to your account: until you delete them or until your account is closed.
• Billing, invoicing, and tax records: as required by applicable accounting and tax law (typically 5 years in the Republic of South Africa).
• Server, security, and audit logs: typically up to 12 months, longer where required to investigate an incident.
• Aggregated and anonymized analytics: may be retained indefinitely because they cannot reasonably identify you.

Subject to applicable law, you have the following rights in relation to your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: request that we correct inaccurate or incomplete information.
• Deletion: request that we delete personal information we no longer need to keep.
• Restriction: request that we restrict processing in certain circumstances.
• Portability: request your personal information in a structured, commonly used, machine-readable format.
• Objection: object to processing carried out on the basis of legitimate interests, including profiling.
• Withdraw consent: withdraw consent for processing where consent is the legal basis (for example, body photo upload or marketing emails).
• Complaint: lodge a complaint with the Information Regulator of South Africa (https://inforegulator.org.za) or with your local data protection supervisory authority in the European Economic Area or United Kingdom.

To exercise these rights, contact privacy@fvlbi.com from the email address linked to your account, or use the in-app data request tools where available. We may need to verify your identity before responding. We aim to respond within 30 days, or within the period required by applicable law.

If you are a resident of California, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), gives you specific rights regarding your personal information. The categories of personal information we have collected in the past 12 months are: identifiers (account ID, email), customer records (display name), commercial information (subscriptions, transactions), internet activity (usage data), geolocation (approximate weather location), visual information (wardrobe and body photos), and inferences drawn from the foregoing (style preferences). Body photos and measurements are treated as sensitive personal information and are used only for the purposes described in this Policy.

We do not sell personal information for money and we do not share personal information for cross-context behavioural advertising. You have the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing (not currently applicable, since we do not engage in either), the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights. To exercise California rights, contact privacy@fvlbi.com.

FVLBI is intended for adults and is not directed to anyone under 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take reasonable steps to delete it. Parents or guardians who believe a child under 18 has provided personal information to us should contact privacy@fvlbi.com.

The marketing website and the web application use cookies and similar technologies that fall into the following categories:

• Strictly necessary cookies: required to keep you signed in, route requests, and protect against abuse. These cannot be disabled while using the service.
• Functional cookies: remember preferences such as language and last-used view.
• Analytics cookies: aggregated, privacy-respecting analytics about how people use the service. We do not use cookies for cross-site advertising.

Where required by EU or UK law, we will request your consent for non-essential cookies through a cookie banner before setting them, and you can withdraw consent at any time through the cookie settings link in the footer.

We will only send you marketing emails if you have opted in. Every marketing email contains an unsubscribe link, and you can also opt out at any time by emailing privacy@fvlbi.com. Service messages such as billing receipts, security alerts, and policy updates are not marketing and cannot be opted out of while you have an account.

We may update this Policy from time to time. When changes are material, we will revise the effective date and provide additional notice through the service or by email. The most recent version is always available at this URL.

For privacy questions, data subject requests, or concerns about this Policy, contact privacy@fvlbi.com. For general support, contact support@fvlbi.com.