Privacy Policy

Last updated: 20 April 2026.

This Policy explains what personal data Wearlo ("we", "Wearlo") processes, why, on what legal basis, and what rights data subjects have. We try to write it in plain English — not just legalese.

1. Who is the controller

The controller for the operation of this website, demo request handling and business relationships with customers (fashion stores) is Ailo sp. z o.o. (operating under the Wearlo brand), seated at Parkowe Wzgórze 100, 32-031 Mogilany, Poland, Tax ID (NIP) 6762430848. Contact: [email protected].

For data that our customers (fashion stores) feed into Wearlo — in particular, shopper photos used to generate try-ons — we act as a data processor. The store remains the controller. Details are governed by our Data Processing Agreement.

2. What data we collect

From visitors to wearlo.ai

• Email address — if you submit a demo request.
• Technical data: IP address (stored hashed), browser/device info, entry and exit pages — for analytics and security.

From customers (fashion stores) using the Wearlo admin panel

• Contact details of the account holder (name, business email).
• Business billing data (VAT number, address, company name).
• Admin panel operational logs (who logged in, when, from which IP).

From shoppers using the try-on widget

• The selfie the shopper uploads — used solely to generate the photoreal try-on of the selected garment.
• The generation result (the "after" image) along with product ID and session number. Every result carries a visible "AI" watermark in accordance with Article 50 of the EU AI Act.
• Shopper IP address — hashed with a per-store salt. We never log raw IPs.

3. Why and on what legal basis

• Service delivery (Art. 6(1)(b) GDPR) — we can't generate a try-on without the photo, or reply to your demo request without your email.
• Legitimate interest (Art. 6(1)(f) GDPR) — service security, abuse prevention, analytics, business contact.
• Legal obligation (Art. 6(1)(c) GDPR) — billing data retained as long as required by tax and accounting law (typically 5 years from the end of the fiscal year).
• Consent (Art. 6(1)(a) GDPR) — consent to upload a selfie and generate a try-on is collected by the store before the shopper enters Wearlo. Consent is voluntary and may be withdrawn at any time.

4. Who we share data with (sub-processors)

We don't sell your data and don't share it for marketing purposes. It's processed only by service providers we rely on to run the product, bound by appropriate agreements:

• Kie.ai — AI model provider (nano-banana-2) that generates try-ons. Data shared: shopper photo and product photo.
• Amazon Web Services (AWS), eu-central-1 region — file hosting (selfies, generation results) via S3.
• Railway.com — application and database hosting.
• Sentry — error monitoring (PII-scrubbed logs).

The full, up-to-date list is in our Data Processing Agreement. Customers are notified of any change 14 days in advance.

5. Where data is stored

All personal data is stored on servers in the European Economic Area (Germany, AWS eu-central-1). AI generation (kie.ai) may involve data transfer outside the EEA — in that case we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission.

6. How long we keep data

• Shopper photos (selfie + result): up to 90 days from upload, configurable down to 24 hours at the store level. After that, the file and the database record are irreversibly deleted.
• Demo requests: up to 24 months from last contact.
• Billing data (invoices): 5 years from the end of the fiscal year (statutory obligation).
• Admin operational logs: 90 days.

7. Your rights

You have the right to:

• access your data and receive a copy,
• rectify inaccurate data,
• erase your data ("right to be forgotten"),
• restrict processing,
• port your data to another controller,
• object to processing based on legitimate interest,
• withdraw consent — without affecting the lawfulness of processing before withdrawal,
• lodge a complaint with the President of the Personal Data Protection Office in Poland (UODO, ul. Stawki 2, Warsaw).

To exercise any of these, email [email protected]. We respond within 30 days, usually sooner.

8. Cookies

wearlo.ai uses a minimal set of cookies — only those strictly required for the site to work (e.g. remembering your language). No advertising or retargeting cookies.

9. Changes to this policy

When we update this Policy, we update the date at the top and — for material changes — notify customers 14 days in advance. Older versions are available on request.

10. Contact

For anything data-protection-related, email [email protected]. We reply in plain language — no auto-responder templates.