Privacy Policy

Last updated: 2026-05-19

Draft — review before App Store submission. This document is a working draft of the privacy policy used during development. It must be reviewed by counsel and adjusted to match your final data handling, jurisdiction, and analytics setup before shipping to the App Store / Play Store.

1. Who we are

Indossa ("we", "our") is operated by the current developer. Contact: hello@indossa.app. This policy explains what we collect, why, and how to delete it.

2. Data we collect

  • Account data. Your email, Google account ID, and authentication tokens — handled by Firebase Authentication.
  • Photos you upload. Selfies and garment images you upload, plus the AI-generated try-on results. Stored in Firebase Cloud Storage under a path tied to your account.
  • Try-on metadata. Timestamps, model used, and storage references — stored in Cloud Firestore under your account.
  • Usage diagnostics. Crash reports and basic event logs (sign-in, generation success/failure) for product improvement. No advertising identifiers are collected.

We do not collect: location, contacts, calendar, health data, microphone audio, or browsing history outside the app.

3. Why we collect it

  • To run the core feature — generating try-on images from your inputs.
  • To show you a history of try-ons across sessions and devices.
  • To track your try-on pack balance and prevent fraud on purchased credits.
  • To debug crashes and identify quality issues.

4. Third-party processors

We share data only with the providers required to run the service:

  • Google Firebase (Authentication, Firestore, Storage) — stores your account, history, and uploaded images.
  • FAL.ai— receives your photo and garment image for inference. FAL processes them transiently; per FAL's terms, inputs are not used to train models. Result images flow back to us and into your Storage bucket.
  • RevenueCat — manages your try-on pack purchases and balance. Receives an anonymized user ID and purchase receipts only; no photos.
  • Apple App Store / Google Play — process pack purchases and provide receipts. We never see your card details.

5. How long we keep it

Try-on inputs and outputs remain in your Storage bucket until you delete them in-app. When you delete a try-on, the originals are removed within 24 hours. When you delete your account (Settings → Delete account), all stored data is removed within 30 days.

6. Your rights

You can request access, correction, export, or deletion of your data at any time by emailing hello@indossa.app. If you are in the EU / UK, you have rights under the GDPR / UK GDPR. If you are in California, you have rights under the CCPA. We honour valid requests within 30 days.

7. Children

Indossa is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has used the service, email us and we will delete the account.

8. Security

Data in transit is encrypted via TLS. Data at rest is encrypted by Firebase. Access to user data is scoped by Firestore + Storage security rules (per-uid). We do not share data with third parties beyond the processors listed above.

9. Changes

We'll update this page when we change how we handle data and move the effective date forward. Material changes will be announced in the app on first launch after the update.

10. Contact

Questions or data requests: hello@indossa.app.