We built Drape to feel magical, not creepy. This Privacy Policy explains what we collect, why, and the choices you have. We follow GDPR, CCPA, and basic decency.
Overview at a glance
- We don't train our models on your photos.
- Your uploads live in private encrypted buckets in Supabase, accessed only via short-lived signed URLs.
- We never sell your data.
- You can delete your account and all data from your profile at any time.
1. Information we collect
You give us
- Account info: email, password (hashed), display name.
- Content: photos you upload (of yourself or of garments), prompts you send to the AI stylist, generated results.
- Billing info: handled by Stripe — we receive only a customer ID and the last 4 digits of your card; we never see full card numbers.
Automatic
- Usage data: IP address, browser, device, pages visited, actions taken, error logs. Used to keep the Service running and detect abuse.
- Cookies: a Supabase session cookie to keep you logged in, and a small analytics cookie (see §8).
2. How we use your information
- To provide the Service — sign you in, generate try-ons, store your archive, take payment.
- To improve the Service — analyze aggregate usage patterns. We do not use your photos for this.
- To communicate — service notifications, billing receipts, security alerts. Marketing emails only if you opt in, and always with an unsubscribe link.
- To detect abuse — automated systems flag content that may violate our Acceptable Use rules.
- Legal compliance — to respond to lawful subpoenas or court orders.
3. AI processing
When you generate a try-on, your photos are sent securely to our AI provider (FAL, running the FASHN v1.5 model) over HTTPS. The provider holds the images only for the duration of the inference and, under our Data Processing Agreement, does not retain them after processing.
For the AI Stylist, messages are sent to OpenAI's gpt-4o-mini API. OpenAI does not use API content to train its models (per their API data usage policy).
Generated images are saved to your private Drape Storage bucket immediately and are accessible only to you (and admins under audit-logged conditions).
4. Storage & security
Data is stored on Supabase (Postgres + Storage) in encrypted-at-rest databases located in the US/EU regions. We use Row Level Security so that users can never access each other's rows or files.
Image access is gated by signed URLs with short TTLs (typically 1 hour). Raw bucket paths are private — they cannot be guessed or enumerated.
We use industry-standard practices: HTTPS everywhere, bcrypt password hashing (managed by Supabase Auth), audit logging, and least-privilege service keys (never exposed to browsers).
5. Who we share data with
We share data only with carefully vetted sub-processors:
- Supabase — database, auth, and storage (US/EU)
- FAL.ai — AI image generation
- OpenAI — AI stylist text generation
- Stripe — payment processing (when subscriptions are active)
- Emergent — hosting platform
We do not sell, rent, or otherwise share your personal data with advertisers or data brokers.
6. Retention
- Account data: retained while your account is active.
- Uploaded photos & generated images: retained while your account is active; you can delete individual items from your Archive at any time.
- Deleted accounts: data fully purged within 30 days, except where retained for legal or fraud-prevention reasons.
- Billing records: retained for 7 years as required by US tax law.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (right to erasure / "right to be forgotten").
- Export your data in a portable format.
- Object to processing or withdraw consent at any time.
- Lodge a complaint with your local data protection authority.
Email [email protected] and we'll respond within 30 days.
8. Cookies & similar technologies
We use a small number of cookies, only for things that genuinely need them:
- Essential — Supabase auth cookies to keep you logged in. Cannot be disabled.
- Functional — theme preference (dark/light mode) stored in localStorage.
- Analytics — privacy-friendly aggregate counts (no third-party trackers).
We do not use advertising cookies. We do not embed Facebook Pixel, Google Ads, or similar trackers.
9. Children's privacy
Drape is not for children under 13 (or 16 in the EEA). We don't knowingly collect data from anyone in that age range. If we learn we have, we delete it immediately. Parents — please email [email protected] if you have concerns.
10. International transfers
Our infrastructure is in the United States. If you're in the EEA or UK, your data may be transferred to the US. We rely on Standard Contractual Clauses and our sub-processors' equivalent safeguards to protect those transfers.
11. Changes to this Policy
If we make material changes, we'll notify you by email or in-app at least 14 days in advance. The "Last updated" date at the top of this page always reflects the current version.
12. Contact us
Privacy questions, requests, or complaints:
Drape Labs Inc., Data Protection Officer
[email protected]
© 2026 Drape Try-On. All rights reserved.