Privacy Policy

Sign inGet started

Effective date: 2025-07-16

Version: 1.0.0

Introduction

Welcome to TCA ("The Clothing App"), a subscription-based service owned and operated by Hello Computer, a registered trade name of MY STATIC SELF Ltd. ("Company," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including any related websites, applications, or platforms (collectively, the "Services").

By accessing or using our Services, you indicate that you have read, understand, and agree to the terms of this Privacy Policy. If you do not agree, you should discontinue use of our Services.

Information We Collect

  1. Personal Information

    • Username
    • Email address
    • First and last name
    • Any images of clothing or other user-generated content that you choose to upload

    We do not collect sensitive personal information (e.g., health or financial details) beyond the necessary payment details that may be handled by our payment processor.

  2. Non-Personal Information

    • Log and Usage Data: This can include your IP address, browser type, operating system, and device type.
    • Cookie Data: We use strictly necessary cookies (e.g., for authentication) and analytics cookies (e.g., PostHog) to help us understand how you interact with our Services.

  3. Payment Information

    We partner with Polar (our Merchant of Record) for subscription and payment management. When you purchase or subscribe to our Services, your payment information is provided directly to Polar and is subject to their privacy practices.

How We Collect Your Information

  1. Information You Provide Directly

    • Account Creation: When you create or update your account, we collect the information you provide.
    • Communications: If you contact us by email or through any support channels, we collect the information you provide.

  2. Automated Data Collection

    • Analytics: We use PostHog for analyzing user behavior and improving our Services.

  3. Third-Party Sources

    • Payment Processor: Transaction-related data may be shared with us by our payment partner, Polar, for purposes of subscription management and record-keeping.

Cookies & Tracking Technologies

We use two categories of cookies and similar technologies on TCA:

Cookie / Storage ItemProviderPurposeExpiryCategory
sb-<project-ref>-auth-token.0
sb-<project-ref>-auth-token.1		SupabaseKeeps you signed in and routes requests to the correct user account.12 months*Strictly necessary
ph_phc_<projectKey>_posthogPostHogPersistent analytics cookie that helps us understand feature usage. IP addresses are truncated and not stored in full.13 monthsAnalytics (optional)
ph_<randomHash>_posthogPostHogSession cookie that groups page views into a single visit.30 minutes after inactivityAnalytics (optional)

* Supabase may refresh the token on each login, resetting the expiry.

Your Choices

Strictly necessary cookies (Supabase auth) are always set because the Service cannot function without them.
Analytics cookies (PostHog) are set only if you click “Accept all.” You can withdraw consent at any time under My Account → Privacy.

You can also clear cookies through your browser settings, but doing so may log you out of TCA.

How We Use Your Information

We use the information we collect for various purposes, including to:

  • Provide and Maintain the Services: Ensure proper account functionality, process payments, and facilitate image uploads.
  • Improve User Experience: Analyze usage patterns and tailor your interaction with the platform.
  • Communicate With You: Send you updates, respond to inquiries, and provide customer support.
  • Perform Analytics: Understand how users interact with our Services, refine our features, and troubleshoot performance issues.
  • Enforce Our Terms and Policies: Comply with legal requirements and protect our rights and interests.

Marketing Communications

From time to time we may send you emails about TCA or other products and services we offer.

Legal Basis

  • EU / UK: We rely on the“soft opt-in” legitimate interest exception for existing customers (Art 21(2) e-Privacy Directive). You can object at any time by clicking Unsubscribe.
  • Canada: Under CASL we send messages only where we have express consent or anexisting business relationship. Implied consent lasts for 24 months after your last purchase or account activity.
  • United States: We comply with theCAN-SPAM Act (15 U.S.C. §7701 et seq.).

Your Choices

Every marketing email includes a one-click Unsubscribe link. You may also email hello@theclothingapp.com with the subject line “Unsubscribe” and we will honour your request within 10 business days. Opting out does not affect transactional or service emails (e.g. password resets, billing notices).

Sender Information

All commercial messages are sent by:
Hello Computer / MY STATIC SELF Ltd.
172 Manitou Way, Ancaster, Ontario, Canada L9G 1X8

Legal Basis for Processing (EU/UK Residents)

Purpose & Data CategoryLawful Basis (GDPR/UK GDPR Art 6)Notes / Your Rights
Account creation & authentication (email, password, OAuth token)Contract – Art 6 (1)(b)Necessary to deliver the Service you request.
Subscription fulfilment (transaction ID, plan tier)Contract – Art 6 (1)(b)
Accounting & tax records (transaction logs)Legal obligation – Art 6 (1)(c)Required for tax compliance and audits.
Product analytics (PostHog event data; IP addresses are pseudonymised and truncated)1Legitimate interest – Art 6 (1)(f)Used to improve the Service. You can opt-out at any time in My Account → Privacy.
Marketing & product-update emailsLegitimate interest (“soft opt-in”) – Art 6 (1)(f)Emails relate to our own, similar services. Every message includes an unsubscribe link.
User-uploaded images (clothing photos)Contract – Art 6 (1)(b)Processed solely to power closet and outfit features you request.
Security & fraud prevention logs (IP, failed login metadata)Legitimate interest – Art 6 (1)(f)Essential to keep accounts secure and detect abuse.
Legal or dispute-resolution archivingLegitimate interest / Legal obligation – Art 6 (1)(f) or (c)Data may be retained as needed to establish, exercise, or defend legal claims.
1 If PostHog is later configured to store full IP addresses or other identifiers, we will switch to a consent-based model for EU/UK visitors and update this Policy accordingly.

Disclosure of Your Information

We may share your information in the following situations:

  1. Service Providers

    We engage third parties (e.g., Supabase for cloud hosting, Polar for payment processing) to assist with certain tasks. These third parties are contractually bound to protect your data and only use it to perform specific services for us.

    All third-party vendors that process personal information on our behalf have executed a Data-Processing Agreement (DPA) or equivalent Article 28 GDPR terms, except where a vendor acts as an independent controller (see table). We review DPA compliance annually and will update the sub-processor list at least 30 days in advance of adding or replacing a vendor.

    ProviderPurposePersonal DataLocation / Transfer MechanismDPA Status
    SupabaseDatabase, authentication, image storageEmail, hashed password, clothing imagesus-east-1 (USA) — SCCsSigned
    VercelHosting & edge delivery for the front-endIP addresses in server logsus-east-1 (USA) — SCCsSigned
    Polar (Merchant of Record)Payment processing & tax remittanceBilling name, email, transaction detailsWorldwide — independent controllerActs as controller; DPA not required*
    PostHogProduct analyticsPseudonymised event data, truncated IPUS Cloud — SCCsSigned
    ResendTransactional & marketing email deliveryEmail address, message metadataus-east-1 (USA) — SCCsSigned
    SentryError monitoringStack traces, possible user IDsUS — SCCsSigned

    * As Merchant of Record, Polar determines its own purposes for processing payment data and therefore acts as an independent controller under GDPR/CCPA.

    Need a copy of our DPA? If you are an EU/UK business customer acting as a data controller, email hello@theclothingapp.comand we will provide our standard controller–processor agreement for signature.

  2. Legal Obligations

    We may disclose information if we believe doing so is necessary to comply with applicable laws, respond to legal processes, or protect the rights, property, or safety of Hello Computer, our users, or others.

  3. Business Transactions

    In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred. We will notify you if such a transfer occurs and becomes subject to a different privacy policy.

  4. With Your Consent

    We may share your personal information in other ways if you have provided explicit consent.

Data Storage & Retention

We keep personal information only as long as necessary for the purposes described in this Policy—or as required by law. The table below outlines our standard retention periods and the criteria we use to determine when data is deleted or anonymised.

Data CategoryExamplesRetention Rule / Period
Account credentials & identifiersEmail, username, OAuth UIDUntil the user deletes their account + 30 days
Authentication tokenssb-…auth-token cookiesRotates on each login;
max 12 months of inactivity1
User-uploaded imagesCloset & outfit photosUntil the user deletes their account + 30 days
Subscription & payment recordsTransaction ID, invoicesFor as long as required by applicable tax law (typically 7–10 years)
Product analytics eventsPage views, button clicks, truncated IPPostHog default retention: 25 months2
Support communicationsEmails or in-app messagesUntil the user deletes their account + 30 days
Server / access logsVercel edge logs, Supabase query logs7 days
Backup archivesAutomated DB snapshots7 days (point-in-time recovery window)
Email marketing lists & opt-out listActive subscriber list, suppression listFor as long as we send marketing emails
Legal / dispute-resolution filesChargeback records, legal correspondence6 years

1 Supabase auth tokens expire 12 months after issuance but are refreshed on each successful login.
2 PostHog's default retention is 25 months; we periodically aggregate older data or delete it outright.

Security Measures

We implement commercially reasonable security measures to protect your information, including encryption, secure servers, and restricted access. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Your Rights and Choices

Depending on your location, you may have legal rights to:

  • Access and Review: Request details of the personal information we hold about you.
  • Correction: Update or correct any inaccuracies.
  • Deletion: Delete your account and associated data.
  • Objection/Restriction: Object to or restrict certain data processing activities.
  • Withdrawal of Consent: Withdraw any previously given consent.

To exercise these rights, please contact us at hello@theclothingapp.com.

Note on Jurisdiction:

  • If you are an EU resident, the GDPR may govern how we process your data. We endeavor to comply with GDPR principles for EU residents.
  • If you are a California resident, the CCPA may provide certain additional rights regarding your personal information.
  • If you are a Canadian resident, PIPEDA may apply.

Because we may have customers globally, we aim to follow relevant data protection regulations to the extent they apply to us.

Supplemental Notice for California Residents

This section applies only to residents of California and supplements the information elsewhere in this Privacy Policy. Capitalized terms have the same meaning as in the California Consumer Privacy Act (as amended by the CPRA).

Personal Information Collected in the Last 12 Months

Category (Cal. Civ. Code §1798.140)ExamplesCollectedSold / SharedDisclosed to Service ProvidersBusiness / Commercial PurposeRetention Period
IdentifiersName, email, usernameYesNoSupabase (auth), Resend (email)Account creation, login, supportUntil account deletion
Customer RecordsTransaction ID, plan tierYesNoPolar (Merchant of Record)Subscription fulfilment, tax complianceIndefinite (tax & audit)
Internet / Electronic ActivityIn-app events, truncated IPYesNoPostHog (analytics)Product improvementIndefinite
Audio, Electronic, Visual InfoUser-uploaded clothing imagesYesNoSupabase (storage)Provide closet / outfit featuresUntil account deletion
Sensitive Personal InformationNoneNoN/AN/AN/AN/A

“Sell” means exchanging personal information for money or other valuable consideration. “Share” means disclosing it for cross-context behavioural advertising. We do not currently sell or share personal information. If that ever changes (e.g., we add third-party ad pixels), we will update this notice and provide a“Do Not Sell or Share My Personal Information” link before such activity begins.

Your CCPA / CPRA Rights

California residents may request to (1) know, (2) correct, (3) delete, or (4) obtain a copy of their personal information. You also have the right to limit the use of any sensitive personal information (none is collected) and to be free from retaliation for exercising these rights. To submit a request, email hello@theclothingapp.com. We will verify your identity as required by law and respond within 45 days.

Children's Privacy

Our Services are not directed to, and we do not knowingly collect personal information from, any person under 13 years of age in the United States or Canada, or 16 years of age in the European Economic Area (“EEA”) and United Kingdom—except where the applicable member-state or local law sets a lower age of digital consent (never below 13).

If we learn that we have collected personal information from a child below the relevant age threshold without verifiable parental consent, we will delete that information as quickly as possible. Parents or legal guardians who believe their child has provided us with personal information may email hello@theclothingapp.com to request deletion.

International Data Transfers

Hello Computer is based in Canada, but several of our service providers operate from — or store data in — the United States. Whenever personal information leaves your jurisdiction, we rely on one of the following legal safeguards:

  • EU Standard Contractual Clauses (SCCs).
  • EU-US & UK-US Data-Privacy Framework (DPF) for vendors that are self-certified in the U.S.
ProviderHost Country / RegionTransfer MechanismKey Safeguards
SupabaseUSA (us-east-1)SCCs (2021/914)End-to-end TLS, encryption at rest [oai_citation:0‡Supabase](https://supabase.com/downloads/docs/Supabase%2BTIA%2B250314.pdf) [oai_citation:1‡Supabase](https://supabase.com/privacy)
VercelUSA (edge network)EU-US DPF
UK Extension DPF		Self-certified June 4 2024 [oai_citation:2‡Vercel](https://vercel.com/changelog/vercel-is-now-certified-under-the-eu-us-data-privacy-framework-dpf)
PostHog CloudUSAEU-US DPF
UK Extension DPF		Active certification since May 8 2024 [oai_citation:3‡Data Privacy Framework](https://www.dataprivacyframework.gov/participant/2915)
ResendUSAEU-US DPF
UK Extension DPF		DPA §11 confirms DPF adherence [oai_citation:4‡Resend](https://resend.com/legal/dpa)
SentryUSAEU-US DPF
UK Extension DPF		Self-certified; public listing available [oai_citation:5‡Sentry](https://sentry.io/trust/privacy/)
Polar (Merchant of Record)Payment processing & tax remittanceBilling name, email, transaction detailsUSA — Privacy Shield† / SCCs
*Acts as independent controller

For copies of the SCCs or details on a vendor's DPF certification, please contact us at hello@theclothingapp.com.

Third-Party Links

Our Services may contain links to third-party websites. We do not control, and are not responsible for, the privacy practices or content of these third-party sites. We encourage you to review their privacy policies before providing them with any personal data.

Updates to This Policy

We may update this Privacy Policy from time to time. When we do, we will change the "Effective date" at the top of this page. Your continued use of our Services after these changes indicates your acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise any data rights, please contact:

Hello Computer / MY STATIC SELF Ltd.
172 Manitou Way
Ancaster, Ontario
Canada L9G 1X8

Email:hello@theclothingapp.com

Complaints

We hope to resolve any privacy concern quickly and satisfactorily. If you believe we have not addressed your issue, you have the right to lodge a complaint with your local supervisory authority:

  • European Economic Area (EEA) — You may contact the data-protection authority in the member state of your habitual residence or workplace. A full list is available at edpb.europa.eu.
  • United Kingdom — Information Commissioner's Office (ICO), ico.org.uk.
  • Canada — Office of the Privacy Commissioner of Canada (OPC):
    30 Victoria Street, Gatineau QC K1A 1H3 — Tel 1-800-282-1376 — priv.gc.ca

We have not appointed an EU representative under GDPR Art 27 because we do not undertake large-scale processing in the EEA. Should this change, we will update this section accordingly.

Change Log

DateVersionSummary of Changes
2025-07-16v1.0.0Initial publication of comprehensive Privacy Policy.

The
Clothing
App

Product

Sign inGet startedFAQPricing

Contact

Get supportSubmit feedbackReport an issueSay hello