← Back to Ditto

Privacy Policy

Last updated: May 19, 2026

Ditto (operated by Veloura) is an AI-powered fashion discovery service. This policy explains what we collect, why we collect it, who we share it with, and how to delete it. We've written it in plain English. If anything is unclear, email support@velouraapp.com.

1. What we collect

  • Photos you upload — outfit images you submit for analysis.
  • Wardrobe items you save — closet photos and tags you create.
  • Account information — email address and authentication state via Supabase Auth.
  • Interaction signals — which products you click, save, share, or mark "wore it" — used to personalize your results.
  • Device + session data — anonymous identifiers, IP address, browser/device type, and approximate location (derived from IP, used for currency and weather-aware outfit suggestions only).
  • Creator data — if you apply to become a Ditto creator, we collect your stated motivation, social handles, and audience size; if approved, we collect Stripe Connect onboarding details to pay you.

2. How we use it

  • Run AI vision models on your uploads to detect clothing items.
  • Match detected items against affiliate-network product catalogs and rank the results for you.
  • Personalize recommendations from your click and save signals.
  • Attribute affiliate clicks so we (and where applicable, creators) get paid the commission that funds the free tier.
  • Send transactional email — password resets, creator-application status, price-drop alerts you opted into.
  • Improve the product through aggregated, anonymized analytics.

We do not sell your personal information. We do not show third-party advertising. We do not use your photos to train AI models.

3. Who we share it with

We share the minimum data needed with these processors:

  • Supabase — authentication, database, image storage
  • Vercel — frontend hosting and edge cache
  • Hostinger — backend server hosting
  • Anthropic (Claude) — primary vision model that analyzes uploaded photos
  • OpenAI — fallback vision model and text embeddings
  • Redis Cloud / Upstash — short-lived cache + job queue
  • n8n (self-hosted) — workflow orchestration
  • Affiliate networks — Rakuten, Amazon Associates, CJ Affiliate, Impact, ShareASale, AWIN, SkimLinks (click attribution only — they do not receive your photos)
  • Resend — transactional email delivery
  • PostHog — product analytics (anonymized device/session level)
  • Stripe — creator payouts (and, when paid subscriptions launch, your subscription billing)

We may also share information when required by law (subpoena, court order) or to protect users from fraud or abuse.

4. Retention

  • Uploaded photos: retained up to 90 days, then automatically deleted unless you save them to a closet or album.
  • Closet / album items: retained as long as your account is active.
  • Click + save signals: retained up to 18 months for personalization, then aggregated.
  • Account record: retained until you request deletion.
  • Affiliate transactions: retained 7 years for tax / financial-records compliance.

5. Your rights

You can, at any time:

  • Access — request a copy of the data we hold about you.
  • Correct — update email, display name, or other profile fields from your account settings.
  • Delete — close your account and have your personal data removed (see § 6).
  • Opt out of marketing email — unsubscribe link in every non-transactional email.
  • Disable analytics — reject non-essential cookies in our consent banner; we also honor Global Privacy Control (GPC) signals.

California residents: you may also request information about categories of personal information collected and shared. We do not sell or share personal information as defined under the CPRA. To submit a request, email privacy@velouraapp.com.

6. How to delete your account

Email privacy@velouraapp.com from your registered email address with the subject line "Delete my account". We will confirm receipt within 3 business days and hard-delete your account, photos, wardrobe items, and personalization signals within 30 days. We retain affiliate-transaction records as required by tax law (see § 4).

7. Children

Ditto is intended for users 13 years and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, email privacy@velouraapp.com and we will delete it promptly.

8. Cookies + tracking

We use essential cookies for sign-in and a small set of optional cookies for analytics and personalization. You can accept or reject the optional ones from the consent banner shown on your first visit. We do not use cross-site advertising trackers. We honor Global Privacy Control (GPC) — if your browser sends a GPC signal, we treat it as an opt-out of personalization-based tracking.

9. Where your data is stored

Ditto's databases and image storage are hosted in the United States. Some processors (e.g., AI vision providers) may process data in other regions. If you are accessing Ditto from outside the U.S., you consent to your data being transferred to and processed in the U.S. We do not currently offer the service to users in the European Economic Area / UK; if you are in those regions, please do not use the service until we publish a GDPR-compliant policy.

10. Security

We use industry-standard measures including TLS in transit, encrypted storage at rest via Supabase, Row-Level Security in our database, and least-privilege service-role tokens for backend writes. No system is fully secure — if you believe your account has been compromised, email security@velouraapp.com.

11. Changes to this policy

We may update this policy as the product evolves. When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or in-app banner.

12. Contact

Privacy questions: privacy@velouraapp.com
General support: support@velouraapp.com
Security issues: security@velouraapp.com