Uverest Privacy Policy

Last revised: 06 November 2025
Company (Controller): MTLAB, Inc. ("Uverest", "we", "us", "our")
Registered Address: 1111B S Governors Ave, STE 20261, Dover, Delaware, USA 19904
Contact (no forms): service@mtlab.ai
Scope: This Privacy Policy ("Policy") explains how we collect, use, disclose, transfer, and protect personal data when you visit or use Uverest's websites, mobile apps, and other platforms we own or control (the "Services"), including any linked pages or blogs, features, and content (collectively, "Content").

Controller. Uverest is the Controller of your personal data for the purposes set out in this Policy, except where a Partner acts as its own controller for its processing (see Section 6, Sharing & disclosures).

1. What this Policy covers

This Policy covers how we handle personal data when you access the Services and/or interact with the Content. It explains what we collect, why we collect it, how we use and share it, where we store it, and the choices and rights available to you.

2. Data we collect

We collect the following categories of information (depending on how you use the Services):

  • Identifiers & Contact Details: name, username, email, phone, addresses (billing/shipping), age/date of birth (where permitted/required).
  • Account & Profile Data: preferences (size, fit, style, budget), saved items/wishlists, avatars/profile photos, social sign-in identifiers.
  • Order & Transaction Data: items viewed/purchased, order IDs, prices, quantities, taxes/duties, returns/exchanges, delivery information. Payment card data is handled by our payment processors and not stored in full by Uverest.
  • Device/Technical Data: IP address, device IDs, OS, app version, browser type, SDK logs, diagnostics, crash reports, security signals.
  • Usage Data: event logs (clicks, views, searches), session timestamps, referral URLs, cookie IDs/SDK identifiers (see our Cookie Policy).
  • Location Data: city/region (derived from IP); where you opt in, coarse or device-level location for localised features.
  • User-Generated Content (UGC): reviews, lists, comments, prompts, photos (including try-on images), and any content you upload or generate.
  • Communications: emails, in-app messages, support tickets, survey/interview recordings (with notice).
  • Inferences: taste/style predictions, size recommendations, scores and segments derived from other data.

Special notes on Try-On & Sizing:

  • Try-on photos and body/fit inputs are used to render previews and provide guidance. We do not use try-on images to identify you or for biometric verification.
  • Face signals vs. photos: we do not retain face geometry, facial landmarks, depth maps, or other face-mapping signals used for AR/AI rendering - these are processed in real time and then discarded. If you save a 2D try-on result photo (which may include your face), it is handled as described in Section 4A (Face Data & Virtual Try-On) and in Section 9 (Retention).

3. How we collect data

  • Directly from you: account registration, profile setup, checkout, support, surveys/interviews, UGC uploads.
  • Automatically: cookies/SDKs, analytics, logs when you browse, search, or interact with the Services.
  • From third parties: identity providers (e.g., Apple/Google), payment processors, anti-fraud providers, logistics partners and analytics/advertising partners where necessary to track referrals and attribute sales.

See our separate Cookie Policy for details on cookies, SDKs, and similar technologies.

4. Why we use your data (purposes)

We use personal data to:

  • Provide the Services: account creation, product discovery, cart/checkout, order routing, returns assistance.
  • Personalise & recommend: curate items and looks based on your style, size, and behaviour; remember settings; show relevant Content.
  • Operate Try-On & Sizing: render AR/AI previews; offer fit/size guidance (advisory only).
  • Process payments: via third-party processors/wallets; manage authorisations, captures, refunds, chargebacks.
  • Communicate: order and service messages, support, technical notices; and, with your consent where required, marketing and sale alerts.
  • Improve & secure: analytics, debugging, service quality, fraud prevention, abuse detection, security monitoring.
  • Research & development: surveys/tests to improve features and models (with safeguards; training on UGC only with opt-in).
  • Legal & compliance: recordkeeping, sanctions/export controls, tax and accounting, responding to lawful requests.

4A. Face Data & Virtual Try-On

What we keep (and don't keep).

  • We do not retain face geometry, facial landmarks, depth maps, or other face-mapping signals; these are processed transiently to render the preview and then discarded after the session.
  • If you save a 2D try-on result photo (which can include your face), we store it solely so you can revisit looks and retry faster across web and mobile, and to assist support if needed.

Why we store try-on result photos.

  • To let you revisit looks, enable faster re-try, and help customer support troubleshoot sizing/fit or order issues.
  • We do not use try-on photos or face-related signals for advertising, we do not sell face data, and we do not create biometric identifiers/"faceprints".

How long we keep them (and why).

  • Try-on result photos are retained for up to 60 days, then deleted. Sixty days covers typical return/support windows and provides convenient cross-device access.
  • You can delete any try-on photo at any time from the Try-On Gallery (or request deletion via service@mtlab.ai).

Third parties we share with (processors only) & reasons.

  • AWS (US) - secure cloud hosting/storage and delivery acting only as our processor; used to store and serve your try-on photos so you can access them across devices.
  • Our content delivery network (CDN) provider(s) - temporary caching at the network edge acting only as our processor to speed load times.

Do these third parties also store face data? How long?

  • AWS (US) stores the try-on photo only on our instructions and follows our deletion requests; when we delete at 60 days (or sooner at your request), the primary object is removed; residual encrypted backups roll off within standard backup cycles (typically ≤ 30 days).
  • CDN nodes may hold short-lived cache copies controlled by our cache settings (generally days or less) and are purged when we delete or when cache TTL expires.
  • Neither AWS nor our CDN may sell, use for targeted advertising, or repurpose try-on photos.

5. Legal bases for processing (EEA/UK)

Where GDPR/UK GDPR applies, we process data on the following bases: Contract (to provide the Services and fulfil orders); Legitimate interests (to personalise, secure, prevent fraud, improve the Services); Consent (for certain marketing, cookies/SDKs, precise location, and training on try-on images); Legal obligation (tax, accounting, compliance). You can withdraw consent at any time without affecting prior processing.

6. Sharing & disclosures

We share personal data as follows, using appropriate contractual and technical safeguards:

  • Retail/Marketplace Partners (independent controllers): to fulfil your order, manage returns/warranty, verify stock/price, and attribute referrals. Their privacy notices apply to their processing.
  • Payment & Risk Providers (processors/controllers): payment gateways, wallets, fraud-prevention and chargeback services.
  • Logistics & Customer Support: shipping, returns, label/RMA providers; contact-centre tooling.
  • Cloud/IT/Engineering: hosting, content delivery, monitoring, ticketing, email/SMS providers.
    • Try-On specific processors: Amazon Web Services, Inc. (US) (hosting/storage) and our CDN provider(s) (temporary edge caching) act solely as our processors; they retain only as needed to provide the service and purge according to our deletion instructions and cache/backup cycles.
  • Analytics & Measurement: product analytics, A/B testing, app store measurement.
  • Advertising & Marketing: ad networks and platforms for interest-based advertising where permitted; you can opt out (see Sections 8 and 11).
  • Social Sign-In & Sharing: if you connect a social account or share Content externally.
  • Corporate transactions: merger, financing, acquisition, or sale of assets (subject to continuity of protections).
  • Legal & safety: to comply with law, enforce terms, or protect rights, safety, and security.
  • With your direction or consent.

We do not sell personal data for money. Under some U.S. state laws, certain data sharing for cross-context behavioural advertising may be considered a "sale" or "sharing"; you can opt out (see Sections 8 and 11).

7. International transfers & data location

  • Primary storage: We host and store personal data in the United States (primary storage and backups).
  • Cross-border transfers: If we transfer personal data to other countries (e.g., to Partners or providers), we use lawful transfer mechanisms, such as Standard Contractual Clauses (SCCs)/UK IDTA, and where applicable, rely on recipients' participation in an EU-US/UK-US Data Privacy Framework.
  • Local laws: Your data may be subject to access by foreign authorities under their laws.

8. Advertising, cookies & signals

We and partners use cookies/SDKs to operate the Services, remember preferences, measure performance, and deliver ads. See our Cookie Policy for details and choices.

US state choices & Opt-out link requirement. Use our 'Do Not Sell or Share / Opt Out of Targeted Ads' control in the app/web footer (or send a GPC signal in supported browsers). We honour Global Privacy Control signals as required by law. You can also email us with the subject line "Do Not Sell or Share My Personal Information."

9. Retention

We keep personal data only as long as needed for the purposes above, and to comply with legal, tax, and accounting requirements. Typical periods include:

  • Account data: retained while your account is active and for up to 24 months after inactivity, then deleted or anonymised unless longer is required.
  • Orders & payments: kept for 7 years (or longer as required by tax/accounting laws).
  • Logs & analytics: typically 12–24 months.
  • Marketing consents & opt-outs: stored to evidence preferences.
  • Try-on result photos: kept for up to 60 days to support revisit/redo and support flows, then deleted. Upon deletion (by you or at 60 days), primary copies are removed; residual encrypted backups at our cloud provider roll off within standard backup cycles (typically ≤ 30 days). You can delete any time from the Try-On Gallery.

10. Security

We implement administrative, technical, and physical safeguards, including encryption in transit, access controls, network segmentation, and monitoring. No system is 100% secure; transmission over the internet carries risk. If you believe your account has been compromised, contact service@mtlab.ai.

Delaware breach notice. In the event of a data breach affecting Delaware residents, we will provide notice without unreasonable delay and no later than 60 days after determination of the breach, subject to lawful delay.

11. Your choices & rights

Controls. You can update profile data, manage communications, and adjust cookie/SDK preferences (where available). You can opt out of marketing emails via unsubscribe links; you may still receive transactional messages.

Try-On deletion controls. You can delete individual try-on photos directly in the Try-On Gallery, or request deletion via service@mtlab.ai.

Rights. Depending on your location, you may have rights of access, correction, deletion, restriction, objection (including to profiling for direct marketing), and portability, and the right to withdraw consent. To exercise rights, email service@mtlab.ai (no embedded forms). We may verify your request, and may deny or limit requests as permitted by law. If we decline, you may appeal by replying to our decision within 30 days.

Do Not Track. We currently do not respond to DNT signals. We honour GPC where required.

12. US state privacy notice (California, Delaware & others)

If you are a resident of California (CPRA) or other states with similar laws (e.g., CO, CT, VA, UT), you may have additional rights:

  • US State Privacy Notice - Delaware (DPDPA): Delaware residents may exercise rights to access, correct, delete, obtain a portable copy of personal data, and opt out of targeted advertising and the sale of personal data. We respond to verified requests within 45 days (we may extend once by 45 days and will explain why). If we deny your request, you may appeal by replying to our decision; we will respond to your appeal within 60 days. If your appeal is denied, you may contact the Delaware Department of Justice to submit a complaint.
  • Categories collected: identifiers; commercial info; internet/network activity; geolocation (coarse); UGC; inferences; and, where you provide them, precise location or images used for try-on. We do not intentionally collect government IDs or precise geolocation unless you enable it; we do not collect or use biometric identifiers for identification.
  • Purposes: as in Sections 4 and 8.
  • Sources: as in Section 3.
  • Disclosures: to categories in Section 6.
  • Sell/Share: we do not sell for money; some disclosures for cross-context behavioural advertising may be a "sale"/"share" - you can opt out via GPC, in-app/web settings (when available), or by emailing service@mtlab.ai with the subject line above.
  • Sensitive personal information: if collected (e.g., precise location), we limit use to permitted purposes and honour requests to limit its use/disclosure.
  • Teens (13–17): We do not sell personal data or process it for targeted advertising for consumers aged 13–17 without the consumer's consent where we have actual knowledge or willfully disregard the consumer's age.
  • Non-discrimination: we will not discriminate against you for exercising your rights.
  • Authorized agents: you may designate an agent; we will need proof of authority and verification.

13. Children

The Services are not directed to children under 13, and we do not knowingly collect personal data from them. If you believe a child under 13 has provided data, contact service@mtlab.ai and we will delete it. If local law requires a higher age of consent for certain processing, we will honour that requirement.

14. Notice of Financial Incentive (e.g., referral credits)

From time to time we offer financial incentives (e.g., referral credits). Participation is voluntary and you may withdraw at any time. We collect identifiers (e.g., email, device IDs) and commercial info (e.g., referral attribution) to provide the incentive. We estimate the value of consumer data by reference to program costs, expected engagement, and incremental revenue.

15. Changes to this Policy

We may update this Policy from time to time. The latest version will be posted with the "Last revised" date. If a change is material, we will provide reasonable notice (e.g., in app or by email). Your continued use of the Services after the effective date means you accept the updated Policy.