Privacy Policy

1. Introduction

Welcome to Trends. Trends is a virtual try-on fashion application that lets you preview clothing on a photo of yourself, build a digital wardrobe, share outfit posts, and discover new looks. The app is available on iOS, Android, and the web at trends.house.

This Privacy Policy explains how Quatron Studios ("we", "us", "our", or "Trends") collects, uses, stores, shares, and protects information when you use the Trends mobile applications, the trends.house website, and any related services (collectively, the "Service"). It also describes the rights you have over your personal information and how to exercise them.

We take privacy seriously because the Service involves photos of your body and outfits. We have written this policy to be readable in plain English, and we keep it accurate to what the app actually does. If you have questions after reading it, write to us at support@trends.house.

By using Trends, you confirm that you have read this Privacy Policy and understand how we handle your information. If you do not agree, please do not use the Service.

This policy is the global baseline. Sections labeled with a specific jurisdiction (for example, California or EEA/UK) supplement the baseline for users in those regions. Where local law gives you stronger rights, those local rights apply.

2. Data Controller & Contact

The controller responsible for your personal information under applicable data protection laws is:

Controller

Quatron Studios (Turkish sole proprietorship / işletme)

Jurisdiction

Republic of Türkiye

Service

Trends. The Virtual Try-On Fashion App, plus the website at trends.house.

Privacy contact

support@trends.house

General support

support@trends.house

For users in the European Economic Area and the United Kingdom, you can contact us through the same email above for any GDPR-related inquiries. We are not currently required to appoint a representative under Article 27 GDPR because we do not target users in the EEA at scale, but we still honor GDPR rights for any EEA user who uses our Service.

The primary data protection law that governs our processing is the Turkish Personal Data Protection Law No. 6698 ("KVKK"). Where you are located in the European Economic Area, the United Kingdom, California, Brazil, Canada, or another region with specific data protection rules, we apply those rules in addition to KVKK as described in the regional sections below.

3. Information We Collect

We collect three categories of information: information you provide to us, information we collect automatically when you use the Service, and information we receive from third parties such as sign-in providers and stores.

3.1 Information you provide

• Account information: your email address, a hashed password (we never see the plaintext), your display name, username, profile bio, self-reported location text, website, language, and timezone. You may also choose an avatar image.
• Sign-in identifiers: if you sign in with Google or Apple, we receive a stable user identifier, your name as your provider chooses to share it, and an email address. If you use "Hide my email" with Apple Sign-In, we receive an Apple private relay address and never see your real address.
• Body images Sensitive: photos that show you, captured in the app or uploaded from your photo library, used as input for a virtual try-on. Body images live in a private storage bucket and are only accessible to you and to the AI service that generates your try-on result.
• Garment images: photos of clothing items that you capture or upload, used to try them on your body image.
• Try-on results: composite images created by our AI provider from your body image and a garment image. Stored in your account.
• Posts, outfits, and collections: images, captions, tags, and any content you publish or save into a personal collection. Visibility is set by you.
• Onboarding answers: optional preferences you share when you first set up the app, such as style interests and preferred categories, used to personalize your feed.
• Social activity: follows, likes, comments, blocks, friend requests, and reports you submit against other content or users.
• Support and feedback: messages, screenshots, ratings, and the device context you choose to attach when you contact support, leave feedback, or write an in-app review.

3.2 Information we collect automatically

• Device data: device type and model, operating system and version, app version, screen size, system language, network type, and a non-resettable installation identifier we generate for the Service.
• Diagnostics: crash logs, error reports, and stack traces when something goes wrong. We use these to fix bugs.
• Engagement metrics: try-on count, wardrobe count, posting activity, streak, and last-active date.
• Network and IP data: your IP address and approximate geolocation derived from it, captured for security, fraud prevention, and to choose the right server region.
• Advertising identifiers (free tier only): on iOS we read the Identifier for Advertisers (IDFA) only after you grant App Tracking Transparency permission. On Android we may read the Google Advertising ID where you have not opted out at the OS level. Premium subscribers do not see ads, and we do not read these identifiers for them.
• Push notification tokens: tokens issued by Apple Push Notification service or Firebase Cloud Messaging so that we can deliver notifications you have enabled.

3.3 Information from third parties

• App stores: Apple App Store and Google Play Store share purchase and subscription status with us through their billing systems. We do not receive your full payment card number.
• RevenueCat: subscription orchestration data, including entitlement status, renewal status, and anonymized purchase events.
• Stripe: on the web, Stripe processes payments and returns transaction status and a customer reference. We do not store full card numbers; Stripe holds those as a PCI DSS Level 1 processor.
• Sign-in providers: Apple and Google return profile fields you authorize during sign-in.

3.4 Mobile permissions we may request

The app asks for the following operating-system permissions. You can grant or deny each one and change your choice later in your device settings.

• Camera: to take photos for body images, garment images, and posts.
• Photo library: to select existing photos for body images, garment images, and posts. On Android 13 and later we use the system Photo Picker, so we do not need broad storage access.
• Photo library write: to save your try-on results back to your camera roll when you tap save.
• Notifications: to deliver in-app notifications you opt into (likes, follows, comments, reminders).
• App Tracking Transparency (iOS): optional. If you say no, ads still appear for free users, but without the IDFA.

4. How We Use Your Information

We process personal information only for the purposes described below. Where you are protected by the GDPR or the UK GDPR, the legal basis for each purpose is shown in brackets.

4.1 To provide the Service

• Create and manage your account, authenticate you, and keep you signed in. [Contract, Article 6(1)(b)]
• Generate virtual try-on images from your body image and a chosen garment. [Contract, Article 6(1)(b)]
• Store your wardrobe, collections, posts, and history. [Contract]
• Deliver social features such as following, commenting, and friend requests. [Contract]

4.2 To improve and personalize

• Recommend content, trending outfits, and people you may want to follow, based on your engagement and stated preferences. [Legitimate interest, Article 6(1)(f); consent where required for analytics]
• Run product analytics to understand which features people use, so we can improve them. [Legitimate interest; consent where required]

4.3 To communicate with you

• Send transactional emails such as account verification, password reset, billing receipts, and important service notices. [Contract / Legal obligation]
• Send product updates and tips, only if you opt in. [Consent, Article 6(1)(a)]
• Reply to your support questions and feedback. [Legitimate interest]

4.4 To keep the Service safe

• Detect and prevent fraud, abuse, spam, scraping, and unauthorized access. [Legitimate interest; legal obligation]
• Enforce our Terms of Service, including responding to reports of harmful content. [Legitimate interest]
• Investigate incidents and notify affected users where required. [Legal obligation]

4.5 To meet legal obligations

• Keep financial records, including subscription receipts, for tax law purposes. [Legal obligation, Turkish Tax Procedure Law]
• Respond to lawful requests from competent authorities. [Legal obligation]
• Handle privacy rights requests. [Legal obligation]

4.6 To show ads to free users

• Display ads inside the app for users on the free tier through Google AdMob. By default we use contextual ads and SKAdNetwork (iOS) so no personal identifier is shared with advertisers. If you grant ATT permission on iOS or do not opt out on Android, AdMob may use your advertising identifier for measurement and frequency capping. [Consent on iOS where ATT is granted; legitimate interest with opt-out elsewhere]

5. AI & Image Processing

5.1 What is sent for AI processing

To produce a try-on result, our backend sends the following to Google Vertex AI:

• Your body image (one photo of you that you have uploaded).
• The garment image you have selected (a clothing item from your wardrobe or a discovery feed).
• A prompt that describes the requested composition, garment category, and rendering instructions.
• Optional metadata such as garment type returned by an earlier classification step.

For some helper features we also call OpenAI's API (GPT-4o-mini) to classify garments and improve the prompt. This call sends text describing the garment, not a body image. Under OpenAI's API terms, content submitted by us through the API is not used to train OpenAI's models.

5.2 What we receive and store

• The generated composite image is returned to our backend and stored in your account, in the private tryon-results storage bucket on Supabase.
• You can view, download, share, or delete each try-on result individually.
• Source body images stay in the private body-images bucket; source garments stay in the private clothing-images bucket.

5.3 What we do not do

• We do not run face recognition, identity verification, or any biometric matching on you.
• We do not extract a face embedding, fingerprint, or other biometric template.
• We do not use your body images to train our own AI models.
• We do not sell or license your body images, garments, or try-on results to anyone.
• We do not show your body images or try-on results to other users unless you choose to publish them.

5.4 AI accuracy and limits

The try-on system is a generative model and the output is a synthetic image. It may produce imperfect, stylized, or unrealistic results, and the fit shown is an approximation. You should never rely on a try-on result for medical, fitness, sizing-critical, or safety-related decisions.

6. Sharing & Third-Party Sub-processors

We do not sell personal information. We share personal information only with the service providers ("sub-processors") that help us run the Service, with parties involved in a corporate transaction, with law enforcement when required, and with other users when you publish content publicly.

6.1 Sub-processors

The current list of sub-processors is below. Each one is bound by a data processing agreement that requires equivalent protections to those described in this policy.

6.2 Other recipients of personal data

• Other users: when you publish a post, leave a comment, follow someone, or set your profile to public, that content and the associated profile fields are visible to other users of the Service.
• Authorities: we may disclose information to law enforcement, courts, regulators, or government agencies when required by law, when needed to defend our legal rights, or when there is a credible threat to a person's safety. In Türkiye we comply with valid legal orders issued under KVKK, Law No. 5651, and applicable criminal procedure law.
• Corporate transactions: if Quatron Studios is involved in a merger, acquisition, restructuring, or sale of assets, we may transfer personal information to the successor entity. We will tell you in advance through an in-app or email notice and explain your choices.
• Professional advisors: lawyers, auditors, and accountants who are bound by confidentiality.

7. International Data Transfers

Trends is operated from Türkiye and our sub-processors are located in the European Union, the United States, and other regions. This means your personal information may be transferred across borders.

For transfers from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss addenda. Where Vertex AI or other US-based services are used, we use the SCCs and supplementary measures such as encryption in transit and at rest to protect your data.

For transfers under the Turkish KVKK, we rely on the legal bases set out in Article 9, including data processing agreements that contain the safeguards required by the Kişisel Verileri Koruma Kurumu, and explicit consent where required.

You can ask us for a copy of the transfer mechanisms in use at support@trends.house.

8. Data Retention

We keep your personal information only for as long as we need it to provide the Service, to comply with legal obligations, or to defend legal claims. The default retention periods are:

When a retention period expires we delete the data or anonymize it so that you cannot be re-identified.

9. Security Measures

We use a layered set of organizational and technical controls to protect your personal information. No system is perfect, but we apply industry best practices and we review them regularly.

9.1 Technical controls

• Encryption in transit: all traffic between your device and our servers is encrypted with TLS 1.2 or higher.
• Encryption at rest: databases, storage buckets, and backups are encrypted at rest with provider-managed keys.
• Private storage buckets: body images, garment images, and try-on results live in private buckets, accessible only through signed URLs scoped to the owning user.
• Row Level Security (RLS): our Postgres database enforces row-level access policies so a user can only read or modify their own data.
• Hashed passwords: passwords are stored as one-way hashes; nobody at Quatron Studios can see your plaintext password.
• Token-based authentication: short-lived JWTs with rotating refresh tokens.
• Network isolation: backend services run in least-privilege configurations and are not directly exposed to the public internet beyond required endpoints.
• Continuous monitoring: anomaly detection, rate limiting, and abuse heuristics on authentication and write endpoints.

9.2 Organizational controls

• Access to production systems is restricted to authorized personnel and protected with multi-factor authentication.
• Background-checked staff sign confidentiality agreements before they receive access.
• We follow the principle of least privilege and review access at least quarterly.
• We maintain an incident response plan that defines how we detect, contain, investigate, and notify affected users in the event of a personal data breach.
• We require equivalent protections in our written agreements with sub-processors.

9.3 What you can do

• Use a strong, unique password. Never share it.
• Enable biometric unlock on your device.
• Sign out of devices you no longer use.
• Report any suspicious activity to support@trends.house.

10. Your Privacy Rights

Depending on where you live, you have rights over your personal information. The Service honors the rights described below. To exercise any right, use the in-app controls in Settings → Account or write to support@trends.house. We respond within 30 days, and we may extend that window by 30 days more for complex requests, in which case we will notify you.

10.1 Rights everyone has

• Access: ask for a copy of the personal information we hold about you.
• Correction: ask us to fix data that is wrong or out of date.
• Deletion: ask us to delete your account and your data, subject to legal retention requirements (for example, tax records).
• Data export: download a portable copy of your account data in a machine-readable format.
• Withdraw consent: where we process based on consent (for example, marketing email), you can withdraw at any time without affecting prior lawful processing.
• Object: object to processing based on legitimate interest, and we will reassess unless we have compelling lawful grounds.
• Lodge a complaint: complain to the data protection authority in your jurisdiction.

10.2 Rights under KVKK (Türkiye)

Under Article 11 of Law No. 6698, you have the right to learn whether we process your data, request information about the processing, learn the purpose and whether data is used as intended, know the recipients in Türkiye and abroad, request rectification or deletion of incomplete or inaccurate data, request communication of operations to third parties to whom data has been transferred, object to outcomes that are produced solely by automated systems and that affect you adversely, and request compensation if you suffer damage due to unlawful processing. You can lodge a complaint with the Kişisel Verileri Koruma Kurumu (KVKK) at kvkk.gov.tr.

10.3 Rights under the GDPR / UK GDPR (EEA & UK)

You have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object to processing, including profiling. You can withdraw any consent you have given without affecting the lawfulness of prior processing. You can lodge a complaint with your local supervisory authority or with the UK Information Commissioner's Office (ICO).

10.4 Rights under CCPA / CPRA (California)

California residents have the right to know what personal information we collect and how we use it, the right to delete personal information, the right to correct inaccurate information, the right to opt out of "sale" and "sharing" for cross-context behavioral advertising, the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising any of these rights. Trends does not sell personal information and does not share it for cross-context behavioral advertising. See the dedicated California section below for category-by-category disclosures.

10.5 Rights under LGPD (Brazil)

If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you the rights of confirmation, access, correction, anonymization, blocking or deletion of unnecessary data, portability, deletion of consent-based data, information about sharing, information about the consequences of refusing consent, and revocation of consent. You can contact the Autoridade Nacional de Proteção de Dados (ANPD) to file a complaint.

10.6 Rights under PIPEDA (Canada)

If you are in Canada, you have the right to access your personal information, request correction, withdraw consent (subject to legal or contractual restrictions), and file a complaint with the Office of the Privacy Commissioner of Canada.

10.7 How to verify your identity

To protect you, we verify identity before honoring a request. We typically do this by asking you to confirm the request from the email address tied to your account, or by signing in to the app. We may ask for more information if the request involves sensitive data such as body images.

10.8 Authorized agents

You can authorize an agent to act on your behalf. We will ask the agent to provide signed written authorization from you and to verify your identity.

11. Children's Privacy

Trends is not intended for children under 13. In the European Economic Area, the minimum age is 16, or a lower age set by local law (no younger than 13 under Article 8 GDPR). In the United Kingdom the minimum age is 13.

We do not knowingly collect personal information from a child below the applicable minimum age. If you are a parent or guardian and you believe your child has provided us with personal information, please write to support@trends.house and we will delete the account and associated data after verifying your relationship.

We do not run targeted advertising aimed at children. Ad providers we work with apply the same protections.

12. Cookies & Tracking Technologies

Trends uses a small set of cookies, local storage entries, and equivalent mobile mechanisms. We do not use third-party advertising cookies on trends.house.

12.1 Cookies and local storage on the web (trends.house)

Essential cookies are required to operate the site and do not need consent. We ask for your consent before loading analytics, and you can change your choice at any time from the cookie banner footer link.

12.2 Mobile equivalents

The mobile app does not use browser cookies. We use the device keychain or secure storage to keep your session token, and the operating system push token registry to deliver notifications. Free-tier users may also have advertising identifiers as described earlier.

12.3 Do Not Track and Global Privacy Control

Where required by law (for example, in California), we treat a Global Privacy Control signal sent by your browser as a valid request to opt out of sale and sharing.

13. Push Notifications & Marketing Communications

13.1 Push notifications

If you allow push notifications, we send messages such as new follower alerts, comments on your posts, friend requests, and reminders. You can disable any category from Settings → Notifications, and you can turn off push notifications entirely in your device settings.

13.2 Marketing email

We only send marketing email to users who opt in. Every marketing email includes a one-click unsubscribe link. Transactional email (password reset, billing receipts, security alerts) is not marketing and is sent based on the contract between us.

13.3 In-app messages

We may show in-app messages such as feature announcements, paywall promos, and product surveys. You can dismiss these and they will not appear again. We do not use these messages to advertise third-party products.

14. California-Specific Disclosures (CCPA / CPRA)

This section applies if you are a California resident. It uses the categories defined by the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

14.1 Categories of personal information collected in the past 12 months

14.2 Sources of personal information

Directly from you when you sign up, use the Service, or contact us. Automatically from your device. From third parties such as Apple, Google, RevenueCat, and Stripe when you use those services together with Trends.

14.3 Business purposes

Service operation, security and fraud prevention, debugging, analytics, marketing only with consent, legal compliance.

14.4 Sale and sharing

We do not "sell" personal information for money, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined in the CCPA.

14.5 Sensitive personal information

We use sensitive personal information only for the purposes listed in Cal. Civ. Code §1798.121, which do not require an opt-out under California regulations.

14.6 How to exercise California rights

Use Settings → Account → Privacy in the app, or write to support@trends.house. We will not discriminate against you for exercising your rights.

15. EEA / UK-Specific Disclosures

15.1 Legal bases by purpose

• Account creation and Service delivery, Article 6(1)(b) GDPR, performance of a contract.
• AI try-on processing, Article 6(1)(b), necessary to deliver the feature you requested.
• Security, fraud prevention, abuse detection, Article 6(1)(f), legitimate interest in keeping the Service safe.
• Analytics, Article 6(1)(a), consent where the local rule (for example, ePrivacy) requires consent, otherwise legitimate interest with opt-out.
• Marketing email, Article 6(1)(a), consent.
• Legal and tax records, Article 6(1)(c), legal obligation.
• Subscription handling, Article 6(1)(b), performance of a contract.

15.2 DPO and representative

We are not legally required to appoint a Data Protection Officer or an Article 27 representative at our current scale, but you can reach our privacy contact at support@trends.house for any GDPR matter and we will respond promptly.

15.3 Right to lodge a complaint

You can complain to your local supervisory authority. A list of EEA authorities is available at edpb.europa.eu. UK residents can complain to the Information Commissioner's Office at ico.org.uk.

16. Turkish KVKK Notice (Aydınlatma Metni Summary)

This section summarizes our Aydınlatma Metni (Information Notice) under Article 10 of KVKK Law No. 6698. The full Turkish-language Aydınlatma Metni is available on request from support@trends.house.

16.1 Veri sorumlusu (Data controller)

Quatron Studios, a Turkish sole proprietorship operating the Trends application and trends.house, acts as veri sorumlusu within the meaning of KVKK.

16.2 İşleme amaçları (Processing purposes)

To provide the Service, to fulfill our contractual obligations to you, to comply with our legal duties (including Tax Procedure Law No. 213 and Law No. 5651), to improve and secure the Service, and to communicate with you.

16.3 Hukuki sebepler (Legal grounds)

Performance of a contract (Article 5/2/c), explicit consent for marketing email and ATT-based identifiers (Article 5/1 and 6/1), compliance with a legal obligation (Article 5/2/ç), establishment, exercise, or protection of legal claims (Article 5/2/e), and legitimate interests of the controller balanced against your fundamental rights (Article 5/2/f).

16.4 Aktarım (Transfers)

Where we transfer personal data outside Türkiye, we rely on the legal bases set out in Article 9 of KVKK, including international data transfer agreements and explicit consent where required.

16.5 İlgili kişi hakları (Rights of the data subject)

You have all rights set out in Article 11 of KVKK, listed in Section 10.2 above. You can lodge a complaint with the Kişisel Verileri Koruma Kurumu (KVKK) at kvkk.gov.tr.

17. Automated Decision-Making

We do not make decisions about you based solely on automated processing that produce legal effects on you or significantly affect you. The recommendation feed and the AI try-on are automated, but they do not deny you access to the Service, change your account status, or impose obligations on you.

We use automated systems to flag spam, scraping, and abuse. Where an automated decision restricts an account, you can ask us to review it manually by writing to support@trends.house.

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will tell you through an in-app notice or by email at least 30 days before the change takes effect, unless the change is required immediately by law. The "Last updated" date at the top of this page always shows the current version.

Previous versions are kept for one year and are available from support@trends.house on request.

19. Contact Us

If you have any question about this Privacy Policy or about how we handle your personal information, please get in touch. We read every email and we reply within a few business days.

For Turkish-language correspondence under KVKK Law No. 6698, please write in Turkish or English to the address above. We respond in the language of your request whenever possible.