Privacy Policy

Effective Date: April 17, 2026

Welcome to Aesty.ai. This Privacy Policy explains how Aesty Labs Pte. Ltd. (UEN 202526091G), a private limited company incorporated in Singapore (“Aesty,” “we,” “us,” or “our”), collects, uses, shares, and protects your personal information when you visit our website at aesty.ai (including the style quiz at aesty.ai/quiz), use our mobile app, or otherwise interact with our services (collectively, the “Services”). Aesty Labs Pte. Ltd. is the controller of personal data processed in connection with the Services.

Contents

1. Information We Collect
2. How We Use Your Information
3. How We Share Your Information
4. Special Categories of Information
5. Advertising, Pixels, and Conversion Measurement
6. Cookies and Similar Technologies
7. Data Retention
8. Data Security
9. Your Privacy Rights — California Residents
10. Your Privacy Rights — Other US States
11. Your Privacy Rights — EU/EEA, UK, and Switzerland
12. International Data Transfers
13. Age Requirement
14. Changes to This Privacy Policy
15. Contact Us

1. Information We Collect

We collect information in the following categories.

a. Information you provide directly

• Contact information: email address and (optionally) first name, provided during the quiz, account sign-up, or when you contact support.
• Style quiz answers: if you complete the quiz on our website, we collect the responses you submit. Depending on the questions answered, this may include age range, height, weight, body shape, clothing sizes (tops, bottoms, shoes, bra), skin tone, eye color, hair color, body areas you wish to emphasize or de-emphasize, style preferences, occasions you dress for, shopping budget, brand preferences, climate, and gender. These responses are used to generate your personalized style profile.
• Photos: if you use the virtual try-on feature in our mobile app, we process the full-body photos you upload to generate try-on images. See our Terms of Use for more on photo usage.
• Wardrobe content: photos and metadata of the clothing items you save in the mobile app.
• Subscription information: when you purchase a subscription, we record the plan, transaction status, and a customer identifier. We do not store full payment card details — these are handled by Apple, RevenueCat, or our other payment processors.

b. Information collected automatically

• Device and connection data: IP address, browser user agent, browser type, operating system, language, time zone, and approximate location derived from IP address.
• Usage data: pages visited, features used, screens viewed in the quiz, answers submitted, time spent, referral source, and similar interaction events.
• Cookies and similar identifiers: first-party cookies, browser local storage, and identifiers set by our analytics and advertising partners (including the Facebook Pixel _fbp cookie, the Facebook click identifier _fbc, and the Pinterest Tag _epik cookie). See Section 6 for details.
• Anonymous customer identifier: we generate and store in your browser a random customer identifier used by our subscription platform (RevenueCat) to associate your purchases. We may also pass this identifier in hashed form to advertising partners.

2. How We Use Your Information

• To provide and operate the Services, including generating your personalized style profile and outfit recommendations.
• To process your subscription, deliver purchase receipts, and handle refund requests.
• To communicate with you about your account, the Services, and changes to our terms or policies.
• To send marketing communications about features and offers. You may opt out at any time using the unsubscribe link in any marketing email or by emailing support@aesty.ai.
• To measure the performance of our advertising, including attributing conversions back to ads you may have seen on Meta (Facebook and Instagram), Pinterest, and other platforms.
• To detect, investigate, and prevent fraud, abuse, and security incidents.
• To comply with legal obligations and enforce our Terms of Use.

3. How We Share Your Information

We share personal information with the following categories of recipients:

• Service providers: companies that help us operate the Services, including hosting (Vercel, Google Cloud), backend infrastructure and database (Firebase, Firestore, Google Cloud Storage), product analytics (Amplitude, Vercel Analytics), subscription management (RevenueCat), and AI processing for try-on and styling features (OpenAI, Google Gemini).
• Advertising partners: we share limited identifiers with Meta Platforms, Inc. (Facebook and Instagram), Pinterest, Inc., and may share with other advertising platforms, in order to measure ad performance and to target ads. See Section 5 for what we share.
• Payment processors: Apple App Store, RevenueCat, and other processors that handle subscription billing.
• Professional advisors: auditors, accountants, and lawyers when needed to comply with legal obligations or to protect our rights.
• Authorities: law enforcement or government agencies when required by law, subpoena, or court order.
• Successors: in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Privacy Policy.

Although we do not sell your personal information in exchange for money, our use of the advertising tools described in Section 5 may qualify as a “sale” or “sharing” of personal information under the California Consumer Privacy Act and similar US state privacy laws. The categories of third parties to whom personal information has been disclosed that may be considered a “sale” or “sharing” under California law are: advertising partners (Meta, Pinterest) and product analytics providers (Amplitude, Vercel Analytics). You have the right to opt out — see Section 9.

4. Special Categories of Information

The style quiz collects information that may be considered sensitive in some jurisdictions, including measurements of your body (height, weight, body shape, clothing and bra size) and physical characteristics (skin tone, eye color, hair color). We collect this information solely to generate your personalized style profile and recommendations. We do not use it to make decisions about employment, insurance, credit, housing, or healthcare. We do not perform facial recognition and we do not create or store biometric identifiers.

The mobile app's virtual try-on feature processes the full-body photos you upload through third-party AI providers (OpenAI, Google Gemini) to generate styled images. These photos are used only to generate try-on results and are not used for facial recognition or identity matching. You may delete your avatar photos at any time within the app.

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. The personalized style profile generated from your quiz answers is intended for informational and styling purposes only.

5. Advertising, Pixels, and Conversion Measurement

We use the Meta Pixel and the Meta Conversions API on our website to measure the effectiveness of our advertising on Facebook and Instagram, to attribute conversions, and to build audiences for future ads. When you interact with our website, we may share the following with Meta:

• A SHA-256 hashed version of your email address, if you provided one.
• A SHA-256 hashed version of your first and last name, if you provided one.
• A SHA-256 hashed version of an anonymous customer identifier we store in your browser.
• Your IP address and browser user agent.
• The Meta browser cookies _fbp and _fbc (the Facebook click identifier).
• The event you triggered (for example, page view, quiz lead, checkout initiation, or purchase) and associated properties such as currency and price.

We hash personal identifiers before sending them to Meta. Hashing is a one-way transformation Meta uses to match users to its own records. It is not the same as anonymization, and Meta processes the resulting data as a joint controller for advertising purposes under its own terms.

For users we detect as residents of California, we send Meta a Limited Data Use signal that instructs Meta to apply restricted processing in line with the California Consumer Privacy Act.

We use the Pinterest Tag and the Pinterest Conversions API in the same way to measure the effectiveness of our advertising on Pinterest. When you interact with our website, we may share the following with Pinterest, Inc.:

• A SHA-256 hashed version of your email address, if you provided one.
• A SHA-256 hashed version of your first and last name, if you provided one.
• A SHA-256 hashed version of an anonymous customer identifier we store in your browser.
• Your IP address and browser user agent.
• The Pinterest _epik cookie and the Pinterest click identifier (epik URL parameter), where present.
• The event you triggered (for example, page visit, lead, or checkout) and associated properties such as currency and price.

For users we detect as residents of California, we also send Pinterest a Limited Data Processing signal that instructs Pinterest to apply restricted processing in line with the California Consumer Privacy Act.

We also use Amplitude and Vercel Analytics for product analytics. These tools collect usage events, device information, and identifiers we generate.

6. Cookies and Similar Technologies

We and our partners use cookies, browser local storage, and similar technologies on our website. We group them into the following categories:

Strictly necessary

These technologies are required for the Services to function. They enable core features such as remembering your preferences as you navigate the quiz, ensuring quick page loads, and supporting basic security. Without them, parts of the Services will not work.

Functional

These technologies remember your choices and personalize your experience — for example, storing your quiz progress so you can return where you left off, or remembering an anonymous customer identifier across visits. If disabled, some features such as resuming the quiz on reload may not work.

Performance

These technologies help us understand how visitors use the Services so we can measure traffic, identify popular features, and improve the product. Examples include counting unique visits, identifying referral sources, and measuring time spent on each step. We use Amplitude and Vercel Analytics for this purpose.

Targeting

These technologies, including the Meta Pixel and Conversions API and the Pinterest Tag and Conversions API, allow us and our advertising partners to measure ad performance, attribute conversions, and show you relevant ads on Facebook, Instagram, Pinterest, and other platforms. If disabled, you may see less relevant ads and we will be less able to measure the effectiveness of our advertising. See Section 5 for details on what is shared with Meta and Pinterest.

Most browsers let you block or delete cookies through browser settings, though some parts of the Services may not work correctly without them.

7. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Quiz responses submitted from the website are retained so we can deliver your personalized plan and process refund eligibility. You may request deletion of your data at any time by emailing support@aesty.ai.

8. Data Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage over the internet is completely secure, and we cannot guarantee absolute security.

9. Your Privacy Rights — California Residents

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), gives you the following rights:

• Right to know. You have the right to request that we disclose:
  • The categories and specific pieces of personal information we have collected about you, the categories of sources, and the business or commercial purposes for collecting it.
  • The categories of personal information we have sold or shared about you and the categories of third parties to whom we sold or shared that information.
  • The categories of personal information we have disclosed about you for a business purpose and the categories of recipients.
• Right to delete: request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to correct: request that we correct inaccurate personal information.
• Right to opt out of sale or sharing: direct us to stop sharing your personal information with advertising partners (including Meta and Pinterest) for cross-context behavioral advertising.
• Right to limit use of sensitive personal information: direct us to limit the use of the sensitive categories described in Section 4 to what is necessary to provide the Services.
• Right to non-discrimination: we will not deny you services, charge you a different price, or provide a lower quality of service because you exercised any of these rights.

Categories of personal information collected and shared in the past 12 months: identifiers (email, name, IP address, online identifiers); commercial information (purchase history); internet or other electronic network activity (interactions with our Services); inferences (style profile); and the sensitive categories described in Section 4 (physical characteristics). We have shared identifiers and internet activity information with the advertising and analytics partners listed in Sections 3 and 5.

Exercising your rights. To exercise the right to opt out of sale or sharing on this device, visit Your Privacy Choices. We also automatically honor the Global Privacy Control browser signal as a universal opt-out request — if your browser sends it (Brave, Firefox with the privacy setting enabled, DuckDuckGo browser, and others), we will not load the Facebook Pixel or the Pinterest Tag, and we will not send events to Meta or Pinterest for your visit. To exercise any of the other rights listed above, email us at support@aesty.ai with the subject line “Privacy Request” and tell us which right you want to exercise. We will respond within 45 days, with one possible 45-day extension if reasonably necessary and we notify you.

Verification. To process your request, we are required to verify that you are the person whose data is being requested. Depending on the type of request, we may ask you to confirm the email address associated with your account, the approximate date you signed up, the date of any subscription purchase, or other information that reasonably identifies you as the account holder. For more sensitive requests, we may send a confirmation link or code to your email.

Authorized agent. You may designate an authorized agent to submit a request on your behalf. We will require written proof of the agent's authority (such as a signed power of attorney) and we may also contact you directly to confirm the agent's authorization and verify your identity.

California Shine the Light

Under California's “Shine the Light” law (Cal. Civ. Code § 1798.83), California residents may request once per calendar year information about the categories of personal information (if any) that we shared with third parties for those third parties' own direct marketing purposes during the preceding calendar year, and the names and addresses of those third parties. To make a Shine the Light request, email support@aesty.ai with the subject line “Shine the Light Request” and include your full name, email address, and California address.

Industry opt-outs

In addition to the rights above, you can opt out of many forms of interest-based advertising through these industry self-regulatory programs:

• Network Advertising Initiative: optout.networkadvertising.org
• Digital Advertising Alliance: optout.aboutads.info
• Digital Advertising Alliance (Canada): youradchoices.ca/choices
• DAA AppChoices: aboutads.info/appchoices

10. Your Privacy Rights — Other US States

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of targeted advertising and the sale of personal information. You may exercise these rights by contacting us at support@aesty.ai.

11. Your Privacy Rights — EU/EEA, UK, and Switzerland

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP) apply to our processing of your personal data. The data controller is Aesty Labs Pte. Ltd., 68 Circular Road, #02-01, Singapore 049422.

Legal bases for processing

We rely on the following legal bases under Article 6 GDPR:

• Performance of a contract (Art. 6(1)(b)) — to provide the Services to you, generate your personalized style profile, deliver your subscription, and respond to support requests.
• Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve the Services, prevent fraud and abuse, and measure the performance of our marketing. You have the right to object to processing based on legitimate interests at any time.
• Consent (Art. 6(1)(a)) — for non-essential cookies and similar technologies, advertising pixels (including the Meta Pixel and Conversions API and the Pinterest Tag and Conversions API), and marketing communications. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Compliance with legal obligations (Art. 6(1)(c)) — where we are required to retain or disclose data to comply with applicable law.

Where we process special category data (such as the body measurements and physical characteristics described in Section 4), we rely on your explicit consent under Article 9(2)(a) GDPR, which you provide by submitting your quiz answers and using the personalization features. You may withdraw this consent at any time by emailing support@aesty.ai or deleting your account.

Your rights

Subject to the conditions and exceptions in the GDPR/UK GDPR, you have the right to:

• Access the personal data we hold about you and obtain a copy.
• Rectification of inaccurate or incomplete data.
• Erasure (“right to be forgotten”) where the legal grounds for retention no longer apply.
• Restriction of processing in certain circumstances.
• Data portability — receive your data in a structured, commonly used, machine-readable format.
• Object to processing based on legitimate interests, including direct marketing and profiling for marketing purposes.
• Withdraw consent at any time for processing based on consent.
• Not be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. We do not engage in such decision-making (see Section 4).

To exercise any of these rights, email us at support@aesty.ai with the subject line “GDPR Request”. We will respond within one month, with one possible two-month extension if your request is complex.

Right to lodge a complaint. You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU/EEA member state, UK, or Swiss canton where you reside, work, or where the alleged infringement took place. A list of EU supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk). The Swiss authority is the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

12. International Data Transfers

Aesty is established in Singapore and uses service providers located in the United States and other countries outside the European Economic Area, the United Kingdom, and Switzerland (including Vercel, Google Cloud / Firebase, OpenAI, RevenueCat, Amplitude, Meta, and Pinterest). When we transfer personal data of EU/EEA, UK, or Swiss data subjects to a country that has not been recognized by the European Commission (or, for UK data, the UK government) as providing an adequate level of protection, we rely on appropriate safeguards under Article 46 GDPR, including:

• The European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by the UK International Data Transfer Addendum and the Swiss FADP addendum where applicable.
• Reliance on the EU–US, UK–US, and Swiss–US Data Privacy Framework certifications of recipients in the United States, where the recipient is certified.
• Supplementary technical and organizational measures where required following a transfer impact assessment.

You may obtain a copy of the safeguards we rely on for a given transfer by emailing support@aesty.ai.

13. Age Requirement

Our Services are intended for adults. You must be at least 18 years old to use the Services. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us with personal information, please contact support@aesty.ai and we will delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The “Effective Date” at the top indicates when it was last revised. Material changes will be communicated through the Services or by email.

15. Contact Us

For any questions or to exercise your privacy rights, contact us at support@aesty.ai.