PRIVACY NOTICE

Effective as of: May 29, 2026

Welcome to Suit AI, a mobile application that allows you to virtually “try on” outfits using AI-based image generation (collectively, “Suit AI”, “App”).

This Privacy Notice explains how the developer of Suit AI, Ali Kömürcü, an individual developer residing in Austria (“I”, “me”, or “my”), collects, uses, and protects your personal information, and how you can exercise your privacy rights.

I am committed to processing your personal information in accordance with the General Data Protection Regulation (GDPR) and, where applicable, the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and other relevant data protection laws.

1. Scope

This Privacy Notice applies to personal information processed by me in connection with Suit AI, including the App and any related online or offline features (collectively, the “Services”).

2. Changes to This Privacy Notice

I may update this Privacy Notice from time to time. If I make material changes, I will update the “Effective as of” date and may notify you within the App where legally required.

If you continue to use the Services after the updated Privacy Notice becomes effective, you are deemed to have accepted it.

3. Personal Information I Collect

I intentionally minimize the personal data I collect. For Suit AI, this is primarily authentication data, the photos you submit for try-on generation, subscription/credit status, and a limited amount of advertising and diagnostic data.

3.1 Information You Provide Directly

I may collect the following information that you provide:

a) Account & Login Data

Suit AI supports four ways to sign in:

• Email and password — I receive your email address and a Firebase Auth-managed password hash. I do not see or store your plaintext password.
• Sign in with Google — Google returns your email, display name, and profile photo URL to the App. This data is stored in your Suit AI user profile in Firebase.
• Sign in with Apple — Apple returns an Apple-issued user identifier and, on first sign-in, optionally your name and a private relay email if you choose to hide your real email.
• Continue as guest (anonymous) — Firebase issues an anonymous user identifier. No email is collected for guest accounts. Guest progress (try-on history, credits) is tied to that anonymous ID and may be lost if the App is reinstalled or device data is cleared. You can link a guest account to an email/Google/Apple account later to preserve your data.

b) Photos and Generated Content

Suit AI processes your photos to generate virtual try-on results:

• The photo of you and the clothing image you submit for each try-on are uploaded to my backend (Google Firebase Cloud Functions) and then sent to fal.ai, a third-party AI processing service operated by Features & Labels, Inc. (United States), which runs the try-on model and returns the generated image.
• fal.ai processes your images only to perform the requested generation. Based on fal.ai's terms, your images are not used to train fal.ai's models. fal.ai's privacy practices are described at https://fal.ai/privacy.
• I do not use your photos to train models or to build profiles for advertising.
• I do not sell your photos or generated content.
• Before any photo leaves your device, the App asks for your explicit consent and names fal.ai as the recipient. If you do not agree, no photo is transmitted.
• Metadata about each generation (a job identifier, your user ID, and timing information) is stored in my backend so you can view your try-on history; the raw photos themselves are not persisted on the history record.

c) Purchases and Subscriptions

Suit AI offers:

• A free tier with a limited number of try-on credits.
• Auto-renewable subscriptions ("Starter" and "Premium" weekly plans) that provide a recurring allotment of credits.

Payments are handled by the Apple App Store or Google Play. Subscription state is managed and validated through Adapty (Adapty, Inc.), which acts as my processor for subscription data. Specifically:

• I do not receive or store your full payment card information. Apple/Google handle the entire payment flow.
• Adapty receives a profile identifier (your Suit AI user ID), the store-issued transaction/receipt data, and basic device information so it can validate and track your subscription status. Adapty returns the validated entitlement to my backend.
• I receive your current subscription status and product identifier from Adapty so I can grant access to paid features and the associated credit allotment.

d) Advertising Identifiers (Free Tier Only)

Users who are not on an active paid subscription may see ads served by Google Mobile Ads (AdMob), a Google LLC service. To deliver ads, the AdMob SDK collects and processes a limited set of data, including:

• Your device's advertising identifier (IDFA on iOS, Advertising ID on Android), if you have not limited ad tracking in your device settings.
• IP address, coarse location derived from IP, device type and operating system version, language, and basic ad interaction events (impressions, clicks).

On iOS, AdMob is configured to use only non-personalized ads unless and until the user grants App Tracking Transparency permission. Users on an active Starter or Premium subscription do not see ads. AdMob does not receive your photos, try-on results, or account email. AdMob's own privacy policy is available at policies.google.com/technologies/ads.

e) Communications with Me

If you contact me (for example, for support or questions):

• I may collect your email address and the content of your message to respond to you.

3.2 Information Collected Automatically

Suit AI is designed to minimize tracking. Depending on your device and operating system, limited technical data is processed automatically by the App and its service providers:

• Device and app data — device type, operating system version, App version, language, and basic diagnostic or crash information (via Firebase Analytics / Crashlytics).
• Firebase App Check token — a short-lived attestation issued by Apple (DeviceCheck/App Attest) or Google (Play Integrity) confirming the request comes from a genuine instance of Suit AI. App Check protects my backend against abuse and does not identify you personally.
• Try-on metadata — a generation job identifier, your user ID, the requested generation mode, and timing information, stored in Firestore so you can view your try-on history.
• Advertising data — only for free-tier users; see Section 3.1(d) above for the data AdMob collects.

Outside of AdMob (which is only active on the free tier), I do not use this information for advertising or cross-app tracking.

3.3 Information from Other Sources

I may receive limited information from:

• App stores (e.g., Apple App Store, Google Play), such as subscription status or basic analytics they provide.
• Email providers when you contact me.

This information is only used to operate and improve Suit AI or to respond to your requests.

4. How I Use Your Information

I use your information only for clearly defined purposes.

4.1 To Provide and Operate Suit AI

I process your information to:

• Create and manage your Suit AI account (email, Google, Apple, or anonymous/guest).
• Process your photos to generate virtual try-on results via fal.ai.
• Track your credit balance and consume credits when you generate a try-on.
• Provide access to free and subscription-based features and verify your subscription status with the App Store, Google Play, and Adapty.
• Display your try-on history within the App.
• Provide customer support and respond to your questions.

4.2 Administrative and Legal Purposes

I may also use your information to:

• Maintain and improve the stability and security of the App, including Firebase App Check enforcement.
• Detect and prevent misuse, fraud, or abuse.
• Debug and fix technical issues (via Firebase Crashlytics and similar diagnostic data).
• Keep records needed for accounting or legal compliance.
• Comply with legal obligations and respond to lawful requests, where required.

4.3 Advertising on the Free Tier

If you are on the free tier (not on an active Starter or Premium subscription), Suit AI may display ads served by Google AdMob. These ads support the cost of providing the free tier. I:

• Do not use your photos, generated try-on images, or email address to target ads.
• Do not sell your personal information to advertisers.
• Do not show ads to users on an active paid subscription.
• Default to non-personalized AdMob ads on iOS unless you grant App Tracking Transparency permission.

If I ever decide to use your information for new purposes not described here, I will inform you in advance and, where required by law, ask for your consent.

5. How I Disclose Your Information

I do not sell your personal data. I may share your information only in limited cases and only when necessary to provide the Services or comply with the law.

5.1 Service Providers

I share specific subsets of your information with third-party service providers that help me operate Suit AI. Each provider only receives the data it needs to perform its function:

• Google Firebase (Google LLC) — Authentication (account creation, login, anonymous sessions), Firestore (user profile, try-on history metadata, credit balance, subscription record), Cloud Functions (server-side try-on requests and account deletion), Analytics, Crashlytics, and App Check. Firebase receives your user ID, email (if you signed up with email/Google), profile data, try-on metadata, and diagnostic data.
• fal.ai (Features & Labels, Inc., United States) — Third-party AI processing service that receives the photo of you and the clothing image you submit, runs the try-on model, and returns the generated image. fal.ai receives only the two images and the generation parameters; it does not receive your account email or user ID. See Section 3.1(b) for full details. fal.ai's privacy policy: https://fal.ai/privacy.
• Adapty (Adapty, Inc., United States) — Subscription management and server-side receipt validation. Adapty receives your Suit AI user ID, store-issued transaction/receipt data, and basic device information to validate and track your entitlement.
• Google Mobile Ads / AdMob (Google LLC) — Serves ads to users on the free tier only. Receives the device advertising identifier (if available), IP address, coarse location, device/OS information, and ad interaction events. Does not receive your photos, try-on results, account email, or user ID. See Section 3.1(d).
• Apple (Apple Inc.) — Sign in with Apple, App Store subscription billing, App Tracking Transparency, and DeviceCheck/App Attest attestation used by Firebase App Check.
• Google (Google LLC) — Sign in with Google, Google Play subscription billing, and Play Integrity attestation used by Firebase App Check on Android.
• Telegram (Telegram Messenger Inc.) — I use the Telegram Bot API to receive operational alerts (for example, a notification when an account is deleted or a new subscription is purchased). The alert contains the affected user ID and event metadata, never your photos.
• Email service providers — Used to deliver and receive support emails when you contact me.

These providers act on my instructions (or, where applicable, as independent controllers for limited purposes such as payment processing) and may only use your data to perform services for me or to comply with their legal obligations.

5.2 Legal and Safety

I may access or disclose information if reasonably necessary to:

• Comply with applicable laws, regulations, or legal processes.
• Respond to valid requests from authorities.
• Protect my rights, property, or safety, or those of users or others.
• Detect and prevent fraud or security issues.

5.3 Business Changes

If Suit AI or its assets are transferred (for example, in a sale or merger), your information may be part of that transfer as permitted by law. In such a case, you will be informed about any major changes to how your data is handled.

6. Your Privacy Choices and Rights

Your choices and privacy rights depend on your location and applicable law (for example, GDPR in the EU/EEA).

6.1 Your Choices

• Account deletion (in-app): You can permanently delete your Suit AI account at any time from within the App by opening Profile → Account → Delete Account. This removes your account, try-on history, credit balance, and subscription record from Firestore and deletes your Firebase Auth user via a server-side Cloud Function. Note that subscriptions are billed by Apple or Google and must be cancelled separately in your App Store or Google Play subscription settings; deleting your Suit AI account does not automatically cancel an active subscription.
• AI processing consent: Before any photo is sent to fal.ai for try-on generation, the App asks for your explicit consent and identifies fal.ai as the recipient. If you decline, no photo is transmitted. You can revoke this consent at any time by deleting your account in-app.
• App Tracking Transparency (iOS): The first time AdMob requests a personalized ad on iOS, the system shows the standard tracking permission prompt. You may allow or deny tracking at any time in Settings → Privacy & Security → Tracking. Denying tracking does not remove ads on the free tier but limits AdMob to non-personalized ads.
• Advertising identifier: You can reset or limit your device advertising identifier at any time in your device's privacy settings.
• Subscription: You can cancel an auto-renewable subscription at any time in your device's App Store or Google Play subscription settings. Cancelling stops future billing; access continues until the end of the current billing period.
• Guest to registered account: If you started as a guest, you can link your guest progress to an email, Google, or Apple account to back it up across devices.
• Photos: You choose which photos to upload. Generated try-on images are returned to your device and not stored on the try-on history record; you can also save them to your Photos library, which you can manage with your device's tools.
• Other rights: You can also contact me to exercise the rights described in Section 6.2.

I do not respond to "Do Not Track" browser signals because Suit AI is a native mobile app and does not rely on web tracking.

6.2 Your Rights Under GDPR (and Similar Laws)

If you are in the European Economic Area (EEA), Switzerland, United Kingdom, or another region with comparable laws, you may have the following rights regarding your personal data:

• Access: To know whether I process your personal data and receive a copy.
• Correction: To request that inaccurate or incomplete data be corrected.
• Erasure: To request deletion of your personal data in certain circumstances.
• Restriction: To request that I restrict processing under certain conditions.
• Objection: To object to processing based on legitimate interests, including direct marketing (I currently do not use your data for direct marketing).
• Data portability: To receive your data in a structured, commonly used, and machine-readable format, where applicable.
• Withdraw consent: Where processing is based on consent, you can withdraw it at any time (this will not affect processing that already took place).

You also have the right to lodge a complaint with a data protection authority (see Section 15). To exercise any of these rights, please contact me using the details in Section 16.

7. Security of Your Information

I take reasonable technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, or alteration.

However, no system can be 100% secure. While I do my best to protect your information, I cannot guarantee absolute security.

If I become aware of a security incident involving your personal data, I will notify you and/or the relevant authorities when required by law.

8. International Data Transfers

I am based in Austria (EU). Depending on the technical setup and service providers used, your data may be processed or stored in other countries.

Where personal data is transferred outside the European Economic Area (EEA), I will ensure that suitable safeguards are in place, such as:

• EU Commission Standard Contractual Clauses (SCCs), or
• Other adequate mechanisms permitted by data protection law.

9. Retention of Personal Information

I keep your personal data only for as long as reasonably necessary to:

• Provide Suit AI and its features,
• Maintain your account and subscriptions,
• Comply with legal obligations,
• Resolve disputes and enforce agreements.

In general:

• Your account data (Firebase Auth record, user profile, credit balance, subscription record) and try-on history metadata are retained while your account is active.
• Photos sent to fal.ai are processed for the requested generation only. Raw uploaded photos are not stored on the try-on history record on my side. Generated result images are returned to your device and may be kept on the try-on history record while your account is active.
• Adapty retains subscription state for the duration of the subscription and as required to support refunds, restores, and tax/accounting obligations.
• AdMob retains advertising and aggregated event data in accordance with Google's policies.
• Diagnostic data (Crashlytics, Analytics) is retained per Firebase defaults (typically up to 14 months).
• If you delete your account in-app, your Firebase Auth user, user profile, credits, subscription record, and try-on history are deleted from my backend immediately. I may retain limited information where I am required to do so for legal, tax, or fraud-prevention reasons.

You can delete your account at any time from within the App (Profile → Account → Delete Account). You can also contact me to request deletion of your data (see Section 16).

10. Supplemental Notice for California Residents

If and to the extent the CCPA/CPRA applies to Suit AI and to you as a California resident, the following supplemental information may be relevant:

• I do not sell your personal information as defined under the CCPA/CPRA.
• I do not share your personal information for cross-context behavioral advertising.
• You have rights of access, deletion, correction, and non-discrimination, as described generally above and in applicable law.

To exercise any California-specific rights, you can contact me as described in Section 16.

11. Supplemental Notice for Nevada Residents

I do not sell personal information as “sale” is defined under Nevada law.

If Nevada law applies to you, you may still request to opt out of any potential future “sale” by contacting me with the subject line “Nevada Do Not Sell Request” using the contact details in Section 16.

12. Supplemental Notice for Virginia Residents

If the Virginia Consumer Data Protection Act (VCDPA) applies:

• I do not sell your personal data.
• I do not use your personal data for targeted advertising.
• You have rights to access, correct, delete, obtain a copy of your data, and opt out of certain processing, as set out in that law.

You can exercise these rights by contacting me (see Section 16).

13. Children’s Information

Suit AI is not directed to children under 16 (or a different minimum age if required by local law), and I do not knowingly process personal information of children.

If you believe a child has provided me with personal data without appropriate consent, please contact me. I will promptly delete such data where required by law.

14. Third-Party Websites/Applications

Suit AI may contain links to third-party websites or services (for example, app store pages or helpful resources). These are not controlled by me.

I am not responsible for the privacy practices of third-party websites or apps. You should review the privacy policies of any third-party services you interact with.

15. Supervisory Authority

If you are in the European Economic Area, Switzerland, or the United Kingdom, you have the right to lodge a complaint with a data protection authority.

As I am based in Austria, my main supervisory authority is:

Austrian Data Protection Authority (Datenschutzbehörde)
Website: https://www.dsb.gv.at
E-mail: dsb@dsb.gv.at

You can also contact your local data protection authority in your country of residence.

16. Contact Me

If you have any questions about this Privacy Notice, Suit AI, or if you want to exercise your privacy rights, please contact:

Developer: Ali Kömürcü
E-mail: alikomurcu.dev@gmail.com

Please indicate clearly what you are asking (for example: access request, deletion request, general question).