Introduction
Thank you for using Polypo.
For the purposes of this Privacy Policy, references to “Polypo,” “we,” “our,” and “us” refer to the following legal entity:
Polypo or the “Company” is operated by Polypo LTD, a limited liability partnership, incorporated under the laws of England and Wales, under number 14241417 & at 167-169 Great Portland Street London, W1W 5PF.
We collect, use, and disclose information primarily to market, sell, and provide our Services as defined in our Terms of Use, including but not limited to our website (https://polypo.io/), personalized digital avatars, digital stylist services, virtual try-on technologies, and any associated content, features, products and services provided by Polypo (collectively, the “Services”), to businesses and organizations, as well as individual consumers.
As such, we are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose your personal data in accordance with the Regulation (EU) 2016/679 of 27 April 2016 on the protection of personal data (GDPR) and the UK GDPR Data Protection Act 2018 (UK Regulation, “DPA 2018”),
1. Data We Collect
We collect data related to our users, as part of providing our Services.
The data we collect may include “Personal Data”, which is information that can be used to identify you as a natural person, directly or indirectly, in particular in combination with information available to us.
We may collect Personal Data that may include, but is not limited to:
- Contact details: First name and last name, Email address, Phone number, Addresses and other contact details;
- Avatar Data: Gender, height, weight, skin color and body measurements extracted from the picture of your face and body; user ID;
- Registration data may include information from newsletter requests, event/seminar registrations, subscriptions, downloads, and username/passwords;
- Prospect data collected through forms, CRM, social media ads;
Polypo does not collect and process your personal data, including your image, when you use the virtual mirror feature on your device. If you choose to click “take a photo,” the image will be saved solely on your device, and Polypo will not have access to it.
The image is used in real-time solely to enable the virtual try-on experience and is neither stored nor retained by Polypo, nor shared to third parties. It is processed locally on your device in a live session only.
2. How We Use Your Data
We only collect, use and store your Personal Data for the purposes of operating our business, delivering, improving and customizing our website, as well as the Services we provide, sending direct marketing and other communications related to our business and Services, providing you with information and services that your request from us and for other legitimate purposes permitted by applicable law.
Polypo collects and processes Personal Data for a variety of purposes, including the following:
- To provide and maintain our Services, including to monitor its usage;
- To manage client accounts: to manage user registration as a user of the Services. The Personal Data you provide can give you access to different functionalities of the Service that are available to you as a registered user;
- For the performance of a contract: the development, compliance and undertaking of the contract for the Services you have purchased or of any other contract with us through our Services;
- To generate your personalized avatar using artificial intelligence features, in order based on your body measurements, for the purpose of enabling virtual fitting functionalities and generating personalized product recommendations. This processing is intended to improve the relevance, accuracy, and user experience of the shopping journey.
- To contact you: to contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication;
- To provide you with news, special offers and general information about other services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information;
- To manage your requests: to attend and manage your requests to us;
- To inform you prior to any substantial update of this Privacy Policy;
- For research and development purposes, only if you consent to it.
- For human resources purposes, through Linkedin or other professional social networking platforms or websites, to process applications we receive when we post job offers.
Kindly refer to clause 5 “Your Privacy at a glance” for the corresponding legal basis.
3. How We Share Your Data
Where required or permitted by applicable law, we may share your Personal Data with our affiliated entities and other third-party business partners, providers, vendors or contractors who help provide the Services.
Please note that any collection and use of Personal Data by third parties through their products or services that integrate our API is governed by their own privacy policies and terms. This Privacy Policy applies solely to data collected directly through our API and received by us.
Where mandated or permitted by applicable law, regulation or legal process, we will disclose your Personal Data to law enforcement officials, government authorities or other third parties, located inside and outside of the EU/EEA where such disclosure is in accordance with due process of law and binding upon Polypo, to the extent necessary to comply with legal process or meet national security requirements, protect the rights, property or safety of Polypo, our business partners, you, or others.
4. Data Retention
We will retain your Personal Data only for as long as is necessary to fulfill the purposes for which it is collected and to the extent necessary to comply with our legal obligations, resolve disputes, and enforce agreements and policies to which Polypo is a party.
Kindly refer to clause 5 “Your Privacy at a glance” for further details on data retention periods.
5. Your Privacy at a Glance
| CATEGORIES OF PERSONAL DATA | PURPOSES | LEGAL BASIS | DATA RETENTION PERIOD |
|---|---|---|---|
| Name, Address, Phone Number, E-mail address, company role, country & other contact details | Respond to an inquiry from you (submitted via the contact form available on the website) | Legitimate interest of Polypo to follow up on your query (Art. 6(1)(f)) GDPR). | Three years following the last contact from you, augmented by any applicable statute of limitation. |
| Name, Address, Phone Number, E-mail address, company role, country & other contact details | Send direct marketing communications (newsletter, offers, etc.) | Legitimate interest of Polypo to keep you informed of our latest developments, promotions and customer surveys (Art. 6(1)(f)) GDPR). | Three years following the last contact from you, augmented by any applicable statute of limitation. |
| Name, Address, Phone Number, E-mail address, company role, country & other contact details | To allow access to the Stylist chat, send updates or replies if needed. | Necessary for the performance of the contract (Art.6(1)(b) GDPR) | Retained until user deletes account or unsubscribes; then stored for 3 years for compliance purposes |
| Name, Address, Phone Number, E-mail address, company role, country & other contact details | Inform you of any substantial update of this Privacy Policy. | Necessary for compliance with legal obligations(Art.6(1)(c) GDPR) | Three years following the last contact from you, augmented by any applicable statute of limitation. |
| Image of user’s face and body | Create your personalized digital avatar with accurate body measurements for an easier shopping journey | Explicit consent of the user | Images will be stored for a period of six (6) months. |
| Image of user’s face and/or body | For research and development purposes, specifically to refine and improve the accuracy of our Services, to enhance performance, optimize user experience, ensuring continuous improvement without requiring users to resubmit data. | Consent of the user (Article 6(1)(a) GDPR). | After the testing period, explicit user consent will be sought to retain the image for an additional two (2) years. In the absence of such consent, the image will be permanently deleted. |
| Image of user’s face and/or body & IP address | Providing you with a customized experience of virtual try-on based on virtual mirror technology (i.e. to virtually try on garments, clothes, accessories and so on). | Necessary for the performance of the contract (Art.6(1)(b) GDPR) | Please note that your image will not be stored by us, even if you choose to take a photo and download it to your device. |
| Gender, height, weight, skin color and body measurements (extracted from the pictures) | Create your personalized digital avatar with accurate body measurements for an easier shopping journey. | Necessary for the performance of the contract (Art.6(1)(b) GDPR) | For the duration of the user’s active account. Upon deletion of the user profile, the data will be retained for an additional period of three (3) years for administrative, legal, or compliance purposes. |
| User-provided text inputs (e.g., messages in the chat, style preferences, questions) | To generate personalized styling recommendations and interact with the user via the AI chat | Necessary for the performance of the contract (Art.6(1)(b) GDPR) | Stored for the duration of the session; may be anonymized for training/improvement purposes if the user consents. |
| User ID or pseudonym | To assign a unique identifier to each user, enabling the provision of our Services in a pseudonymized manner while ensuring secure and efficient functionality. | Necessary for the performance of the contract (Art.6(1)(b) GDPR) | For the duration of the contract, and for five years following its term. |
| User ID or pseudonym (Stylist chat) | To associate chat history or preferences with a specific user profile without using directly identifiable data. | Legitimate interest (Art. 6(1)(f)) GDPR) | Retained as long as the user profile is active; deleted or anonymized 3 years after profile deletion. |
| Technical metadata (e.g., IP address, browser type, timestamps) | For security, diagnostics, and to monitor chat performance and prevent abuse | Legitimate interest (Art. 6(1)(f)) GDPR) | Retained for up to 12 months, unless needed longer for legal or security reasons |
6. Choice and Opt-Out
We collect and manage consent through opt-ins and opt-outs. When you subscribe to our marketing communications or other services, you give us explicit consent to process your data for these purposes. You can withdraw your consent at any time by using the opt-out link in our communications or by contacting us at info@polypo.io.
We may send you non-commercial communications such as notices in case of a substantial update of this Privacy Policy. As such communications are necessary to comply with our legal obligations, you will not be able to opt-out from receiving them.
7. International Data Transfers
We may transfer personal data to countries outside the European Economic Area (EEA), including to contractors or cloud-based service providers located in other countries. In such cases, we ensure that appropriate safeguards are in place, such as the use of Standard Contractual Clauses or reliance on other legal mechanisms, to ensure that the said parties comply with the GDPR and the UK GDPR, and comply with all obligations incumbent upon us, regarding data protection security and confidentiality.
Personal data transferred outside of the UK will be subject to the laws of the country to which it is transferred, and we ensure that data will be processed with an adequate level of protection.
8. Security
We implement technical and organisational measures in an effort to safeguard your Personal Data in our custody and control. Such measures include, but are not limited to:
- User authentication and verification protocols to ensure that only authorized users can access their accounts and the Services.
- Multi-factor authentication (MFA), including the use of Microsoft Authenticator, for internal access to systems and tools that handle personal data.
- Role-based access controls (RBAC) to ensure that employees and contractors only have access to the data necessary for their role.
- Secure login procedures and session management, regularly reviewed and updated.
- Regular audits and monitoring of access logs to detect and respond to unauthorized activity.
- Encryption in transit and at rest, where applicable, to safeguard sensitive data.
While we endeavor to always protect our systems, website, operations and information against unauthorized access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.
9. Users’ Rights
Under applicable laws, you have the following rights concerning your personal data:
- Right to Access: You can request access to the personal data we hold about you.
- Right to Rectification: You can request corrections to any inaccurate or incomplete data.
- Right to Erasure: You can request the deletion of your personal data, subject to legal requirements.
- Right to Object to Processing: You can object to the processing of your personal data for specific purposes, including marketing.
- Right to Data Portability: You can request a copy of your personal data in a structured, commonly used format for transfer to another service.
To exercise any of these rights, please contact us at info@polypo.io. Please note that we may ask you to verify your identity before responding to such requests.
We will engage with you when you place such a request within 30 days from receipt. Please note that we may not fully comply with your request, where we have a legitimate interest for us to do so, or as applicable, it would adversely affect the rights and freedoms of others. We will inform you in any case.
10. Regular Updates
We regularly review and update this privacy policy to ensure that it remains in compliance with applicable laws and accurately reflects our data processing practices. This privacy policy will be reviewed and updated at least annually. Any changes will be posted on this page with an updated revision date.
11. Contact Us
If you have any privacy-related inquiries or requests, please contact us at info@polypo.io.
If you are not satisfied with our answer or the way we process your Personal Data pursuant to this Privacy Policy, you may also have the right to lodge a complaint with a data protection authority or a Court of competent jurisdiction.
If you reside within the UK, you may contact the Information Commissioner’s Office.
If you are in the European Economic Area (EEA), please contact your competent local data protection authority in the EEA.