FashionMe

Privacy Policy

Effective date: 15 May 2026   ·   Version 2.1

Questions? support@fashionme.io

Overview

FashionMe provides personalised style guidance based on your body shape and colour profile. To do that well, we need to collect some information about you. This policy explains what we collect, how we use it, who we share it with, and what control you have over it.

We operate across New Zealand, Australia, the United States, the United Kingdom, Canada, Singapore, and the European Union. The privacy rights available to you depend on where you live — we have set these out clearly in Section 8.

FashionMe Limited is the controller of your personal information. We are incorporated in New Zealand (NZBN: 9429052151743). As a New Zealand company collecting body measurement data, we are also subject to the Biometric Processing Privacy Code 2025 (BPPC), which imposes specific obligations on us regarding biometric data collection, overseas transfers, and the use of data for categorisation purposes. The relevant BPPC disclosures appear in Section 1 and Section 4 of this policy.

Privacy contact:  support@fashionme.io

Postal:  57 Magma Crescent, Stonefields, Auckland 1072, New Zealand

EU representative (GDPR Article 27):  Euverify Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland

UK representative (UK GDPR):  Euverify Ltd, 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom

EU/UK email:  gdpr@euverify.com

GDPR requests portal:  https://gdpr.euverify.com/verify/dac93137-41f5-4607-a421-abc118cf9ba1

1. What we collect

Account information

When you sign up, we collect your name, email address, phone number, date of birth, and gender. You can add a profile photo if you like. Your password is stored as a cryptographic hash — we cannot read it. If you sign in with Apple or Google, we store only the identifier they provide.

Body measurements

Our body scan feature uses your smartphone camera to capture two photos — one facing forward, one from the side. These travel directly from your device to SAIA, a specialist measurement service operated by 3DLOOK Inc. in San Mateo, California. FashionMe's servers never receive your scan photos. SAIA deletes them as soon as processing is complete.

What we store from your scan: 26 body circumference measurements covering your torso, arms, legs, and neck; derived length measurements including outseam, inseam, and shoulder width; and a body shape profile with your primary and secondary shape type, confidence level, proportion ratios, and garment fit guidance. We also store the height, weight, and gender we sent to SAIA at the time of scanning.

SAIA does not know who you are. We send your photos linked only to a randomly generated identifier — not your name or email address.

Before your first scan, we ask for your explicit consent. You can withdraw consent and delete your measurement data at any time.

NZ Biometric Processing Privacy Code 2025 — overseas transfer disclosure (Rule 3): your scan photos travel to SAIA in the United States. The United States does not have national privacy legislation directly comparable to the New Zealand Privacy Act 2020, and SAIA may not be subject to equivalent privacy protections. FashionMe has a signed Data Processing Agreement with SAIA that includes Standard Contractual Clauses. The body scan is the only means by which the precision required for body-shape classification can be achieved — self-reported measurements are not an adequate alternative. This necessity is documented in FashionMe's BPPC proportionality assessment.

Colour profile

The colour analysis feature works in two steps. First, you complete a short questionnaire about your skin tone, eye colour, and hair colour. Second, you can optionally take a photo to refine your result — the photo is transmitted to our server, analysed for colour information only, and then immediately and permanently deleted. No photo from either step is ever stored.

We store the results of your analysis: your colour season type and confidence scores, personalised colour recommendations, your skin tone and hair colour characteristics, your eye colour, and a note of whether you used the optional photo step.

This information can reflect characteristics related to your racial or ethnic background. We treat it as sensitive personal data, use it solely to generate your colour recommendations, and ask for your explicit consent before collecting it. Under the NZ Biometric Processing Privacy Code 2025 Rule 10, we rely on your express consent as the permitted basis for using this information to categorise you by colour season.

Styling assistant interactions

When you use a FashionMe styling assistant, your messages and the app context needed to respond are sent to OpenAI's API. Your body measurements, colour analysis, payment details, and account identity are never included. We retain pseudonymised session logs for up to 12 months for quality and safety purposes.

Payments and orders

Subscriptions are purchased through Apple App Store or Google Play. We receive a transaction confirmation and your subscription status — not your payment card details. For purchases made through our checkout, we store your order history, items, pricing, and delivery information.

Security and usage information

We maintain session tokens to keep you logged in securely. We log IP addresses and device information to detect suspicious activity. We record your in-app preferences and settings so the app behaves the way you have configured it. None of this is used for marketing or profiling.

Referrals

If you refer a friend, we use their email address to send a single invitation. The invitation email notifies them, as required by NZ Privacy Act IPP 3A and GDPR Article 14, of: the fact that FashionMe holds their email address; that it was provided by a referrer; the purpose for which it is held (to send a one-time invitation); and their right to access and correct their information or to ask us to delete it. If they do not register within 90 days, we delete their email address. By using the referral feature, you confirm you have their permission.

2. How we use your information

We use your information to operate the service: managing your account, processing your subscription, running the body scan and colour analysis features, powering the styling assistants, generating recommendations, and remembering your preferences.

We send you service emails — order confirmations, renewal reminders (7 days before annual, 3 days before monthly), and support responses. We send marketing emails only if you have opted in.

We use aggregated, anonymised information to improve the app and our recommendation models. We do not use your personal information to train AI systems.

We retain transaction records for the periods required by tax and accounting law.

3. Legal bases for processing (EU and UK)

If you are in the EU or UK, the following legal bases apply:

Processing Activity | Legal Basis | GDPR Provision
Account creation and subscription management | Contract | Article 6(1)(b)
Body scan — SAIA processing and storage of measurements | Explicit consent | Art. 6(1)(a) + Art. 9(2)(a)
Colour questionnaire — collection and storage of colour profile | Explicit consent | Art. 6(1)(a) + Art. 9(2)(a)
Colour photo enhancement — transient server processing (photo deleted immediately) | Contract + Explicit consent | Art. 6(1)(b) + Art. 9(2)(a)
FashionMe styling assistant session processing | Contract | Article 6(1)(b)
Fraud detection and account security | Legitimate interests | Article 6(1)(f)
Referral feature — processing of third-party email addresses | Legitimate interests | Article 6(1)(f)
Marketing communications | Consent | Article 6(1)(a)
Transaction records | Legal obligation | Article 6(1)(c)

Automated processing: we use automated algorithms to generate your body shape classification and colour season profile. These results power your styling recommendations. They are for personal guidance only and do not produce legally significant effects or decisions that similarly significantly affect you. You may contact us at support@fashionme.io to request a human review of any automated output you believe is inaccurate.

4. Who we share your information with

We do not sell your personal information. We share it with third parties only where it is necessary to run the service.

Partner | What We Share | Why
3DLOOK Inc. (SAIA), San Mateo, California, USA | Front and side scan photos; your height, weight and gender | Body measurement processing. Photos deleted immediately on completion. 3DLOOK acts as our data processor under a signed DPA with EU Standard Contractual Clauses.
Microsoft Azure, New Zealand | All FashionMe-stored data; transient colour photo processing | Cloud infrastructure. Data encrypted at rest and in transit.
OpenAI, LLC, USA | Your prompts and app context only | Styling assistant responses. Body data, colour data, and payment information are never included.
Apple / Google | Subscription transaction confirmations | Subscription verification. No payment card details received by FashionMe.
Shopify | Order and delivery information | Order fulfilment and customer service.
AWS (via 3DLOOK), US-WEST-2, Oregon, USA | Cloud hosting for 3DLOOK scan data during processing window | Confirmed region: AWS US-WEST-2 (Oregon). Scan photos held during processing window only — deleted immediately on completion under FashionMe's immediate deletion election.
Sentry (via 3DLOOK), Functional Software Inc., USA | Error logging for 3DLOOK's processing systems | Sentry may receive API request metadata (not scan photos) when errors occur during body scan processing. Sentry is GDPR-compliant, certified, and bound by 3DLOOK's data protection obligations. Hosted on Google Cloud Platform.

3DLOOK may retain anonymised aggregate scan data to improve their technology. This data is not linked to you.

Your scan photos travel to the United States. The US does not have national privacy legislation equivalent to New Zealand's or the EU's. Your data is contractually protected by our Data Processing Agreement with 3DLOOK, which incorporates Standard Contractual Clauses recognised under EU and UK law.

5. How long we keep your information

Information | How Long | Why
Account and profile information | Duration of account, plus 6 months | Service operation
Body measurements and shape profile | Up to 3 years from scan, or 6 months after account closure — whichever is sooner | Legal compliance; data minimisation
Scan photos (held by SAIA) | Deleted immediately on processing completion | Immediate deletion election in place
Colour profile | Duration of account, plus 6 months | Service operation
Colour photos (optional enhancement step) | Never stored — deleted in server memory on completion | Privacy by design
Payment and transaction records | 7 years | Tax and legal obligations
IP addresses and device identifiers | 90 days | Fraud detection
Styling assistant session logs | 12 months | Quality assurance
Referral email addresses (not yet registered) | 90 days | Data minimisation
Consent records | Kept indefinitely as required by law | Legal compliance audit trail

6. Security

All data in transit between the app, our servers, SAIA, and OpenAI is encrypted using TLS 1.2 or higher. All data stored on Azure is encrypted at rest. Access to personal data requires multi-factor authentication and is restricted to staff who need it.

Scan photos leave your device directly for SAIA and are never received by our infrastructure. The optional colour photo is processed in server memory and deleted before it can be written to any storage system.

If a security incident affects your personal information, we will notify you and the relevant regulator. Our notification obligations by jurisdiction are:

Jurisdiction | Notify Regulator | Notify You
🇳🇿 New Zealand | As soon as practicable | As soon as practicable where your interests are affected
🇪🇺 EU / 🇬🇧 UK | Within 72 hours of becoming aware | Without undue delay where the breach poses a high risk to your rights
🇦🇺 Australia | As soon as practicable (generally 30 days) | Alongside the regulator notification
🇸🇬 Singapore | Within 3 business days | Within 3 business days
🇨🇦 Canada | As soon as feasible | Where a real risk of significant harm exists

3DLOOK will notify us within 48 hours of any incident affecting your scan data, and we will notify you and the relevant regulator accordingly.

7. International transfers

FashionMe is based in New Zealand. Some services we rely on are based in the United States, including 3DLOOK, OpenAI, Apple, Google, and Shopify. Our Azure infrastructure operates from New Zealand. During body scan processing, your scan photos are temporarily hosted on AWS US-WEST-2 (Oregon, USA) — 3DLOOK's cloud infrastructure — and deleted immediately upon processing completion.

For EU and UK subscribers, all US transfers are covered by Standard Contractual Clauses. The Irish Data Protection Commission is our lead supervisory authority. Transfers to FashionMe in New Zealand are covered by European Commission Decision 2013/65/EU, which recognises New Zealand's privacy framework as providing adequate protection. This decision remains in force as at the effective date of this policy. We actively monitor the continued validity of this adequacy decision and will implement alternative transfer safeguards without delay if it is withdrawn or materially modified.

To request a copy of the transfer safeguards we have in place, contact us at support@fashionme.io.

8. Your rights

The rights available to you depend on where you live. In all cases, the easiest way to exercise your rights is through the My Data section in the app, or by contacting us at support@fashionme.io.

New Zealand

You have the right to access a copy of your personal information and to ask us to correct anything inaccurate. We respond within 20 working days. If you are unsatisfied, you can contact the Office of the Privacy Commissioner at privacy.org.nz.

EU and EEA

You have the right to access, correct, delete, and export your personal information. You can ask us to restrict how we use it, object to processing based on legitimate interests, and withdraw consent at any time. For body scan data, we will arrange deletion with 3DLOOK on your behalf.

You have an absolute right to object to your personal information being used for direct marketing at any time, including profiling carried out for direct marketing purposes. If you exercise this right, we will stop immediately without requiring any justification from you.

To submit a data subject request, use our secure portal at https://gdpr.euverify.com/verify/dac93137-41f5-4607-a421-abc118cf9ba1 or email gdpr@euverify.com. We respond within one month. If you are unsatisfied, you can complain to the Irish Data Protection Commission at dataprotection.ie or your local supervisory authority.

EU Representative: Euverify Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland.

United Kingdom

The same rights apply as for EU residents above. UK Representative: Euverify Ltd, 3rd Floor, 86-90 Paul Street, London, EC2A 4NE. You can also contact the Information Commissioner's Office at ico.org.uk.

Portal for UK data requests: https://gdpr.euverify.com/verify/dac93137-41f5-4607-a421-abc118cf9ba1  |  Email: gdpr@euverify.com

Australia

You have the right to access and correct your personal information. If you believe we have mishandled it, you can contact the Office of the Australian Information Commissioner at oaic.gov.au. We comply with the Privacy Act 1988 as amended in 2024.

United States

California residents have the right to know what personal information we hold, to request its deletion or correction, and to opt out of its sale. We do not sell personal information. Similar rights apply in other states. Contact us at support@fashionme.io with your state in the subject line. We respond within 45 days.

Canada

You have the right to access, correct, delete, and port your personal information under PIPEDA and applicable provincial legislation including Quebec Law 25. We respond within 30 days.

Singapore

You have the right to access, correct, and withdraw consent to the use of your personal information under the Personal Data Protection Act 2012.

Response timeframes

Jurisdiction | Response Time | Legal Basis
🇳🇿 New Zealand | 20 working days | Privacy Act 2020, s.44
🇪🇺 EU / 🇬🇧 UK | 1 month (extendable to 3 months for complex requests) | GDPR Article 12(3)
🇦🇺 Australia | 30 days | Privacy Act 1988, APP 12
🇨🇦 Canada | 30 days | PIPEDA; Quebec Law 25
🇸🇬 Singapore | 30 days | PDPA 2012, s.21
🇺🇸 United States (California) | 45 days | CCPA / CPRA

9. Children

FashionMe is not intended for anyone under 18. We do not knowingly collect personal information from minors. If you believe a child has created an account, please contact us and we will delete it promptly.

10. Cookies and tracking

FashionMe is a native mobile app and does not use web browser cookies. We use session tokens on your device to keep you logged in, and we collect IP addresses and device identifiers to detect suspicious activity. Analytics tools are used only where you have consented. Advertising identifiers are used only with your explicit consent through the iOS or Android permission prompt.

11. Changes to this policy

We will give you at least 30 days' notice of any material change to this policy, by in-app notification and email. If we want to use your information for a new purpose, we will seek fresh consent where the law requires it. The effective date at the top of the policy is always current.

12. Contact us

For general privacy questions:

Email:  support@fashionme.io

Post:  FashionMe Limited, 57 Magma Crescent, Stonefields, Auckland 1072, New Zealand

For EU and UK data subject requests:

Portal:  https://gdpr.euverify.com/verify/dac93137-41f5-4607-a421-abc118cf9ba1

Email:  gdpr@euverify.com

EU Representative:  Euverify Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland

UK Representative:  Euverify Ltd, 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom

Regulatory authorities:

Jurisdiction | Regulator | Website
🇳🇿 New Zealand | Office of the Privacy Commissioner | privacy.org.nz
🇦🇺 Australia | Office of the Australian Information Commissioner | oaic.gov.au
🇺🇸 USA (California) | California Privacy Protection Agency | cppa.ca.gov
🇬🇧 United Kingdom | Information Commissioner's Office | ico.org.uk
🇨🇦 Canada | Office of the Privacy Commissioner of Canada | priv.gc.ca
🇸🇬 Singapore | Personal Data Protection Commission | pdpc.gov.sg
🇮🇪 EU (lead authority) | Irish Data Protection Commission | dataprotection.ie

FashionMe Limited  ·  NZBN: 9429052151743  ·  57 Magma Crescent, Stonefields, Auckland 1072, New Zealand

Version 2.3  ·  Effective 14 May 2026  ·  Supersedes v2.2