Security, Privacy & Data Use

What we collect

We collect the minimum data needed to provide the Service: your account information (via Clerk authentication), style preferences from your liked outfits, and images you upload for virtual try-on.

Image handling

• Uploaded images (selfies, clothing photos) are processed in memory and not stored permanently
• Any cached images are automatically deleted after 3 days
• Your images are never used to train AI models
• Try-on results are returned directly in the API response and not stored server-side

Transport security

• All API endpoints are served over HTTPS (TLS 1.2+)
• Plaintext HTTP requests are rejected
• API traffic is routed through AWS CloudFront with modern TLS configuration

API key security

• API keys are stored securely in DynamoDB
• You can generate new keys and revoke old ones at any time from the Developer Portal
• Every API call is logged with timestamp and endpoint for audit purposes
• All keys start with ss_ for easy identification in code reviews and secret scanning

Infrastructure

• AWS Lambda — serverless compute (no persistent servers to compromise)
• DynamoDB — encrypted at rest with AWS-managed keys
• CloudFront — edge-level DDoS protection and TLS termination

Data retention

• All data is processed in the US East (N. Virginia) AWS region
• No personal data is shared with third parties beyond our subprocessors
• API usage logs are retained for 90 days
• You can request deletion of your data at any time

Cookies

We use essential cookies for authentication (Clerk session tokens) and theme preference. We do not use third-party tracking cookies or analytics.

Reporting security issues

If you discover a security vulnerability, please email danielxiepriority@gmail.com. We take all reports seriously and will respond within 48 hours.

Contact

Questions about privacy or data handling? Reach out at danielxiepriority@gmail.com.