Privacy Policy

Effective Date: April 26, 2026

Ma Styla LLC (“Ma Styla,” “we,” “us,” or “our”) operates the Ma Styla mobile application and the website at mastyla.app. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your choices.

1. Data Controller

The data controller responsible for your personal data is:

Ma Styla LLC
8 The Green, #12856
Dover, DE 19901
United States
Email: privacy@mastyla.app

We have not appointed a Data Protection Officer as we do not meet the threshold requiring one under Article 37 of the GDPR. For all data protection inquiries, please contact us at the address above.

2. Information We Collect

2.1 Account Information

When you create an account we collect:

• Email address
• Username and optional display name
• Password (stored in hashed form) or Google account identifier if you sign in with Google
• Profile image (if you choose to upload one)

2.2 Images and Content

Ma Styla is an AI-powered fashion platform. When you use our services you may upload:

• Person images (photos of yourself or others)
• Clothing images
• Pose reference images

We also store the AI-generated images produced from your uploads, along with captions you add (up to 140 characters).

Note on biometric data: Our AI services do not extract, store, or process biometric identifiers (such as facial geometry or body measurements) from your images. The AI models perform image-to-image transformation (overlaying clothing or transferring poses) without identifying or recognizing individuals. Your images are not used for biometric identification or authentication purposes.

2.3 Social and Interaction Data

• Follow and follow-request relationships
• Likes and saved images
• Block and report actions
• Share events (which platform you shared to)

2.4 Purchase and Credit Data

If you purchase credits through the Apple App Store or Google Play Store, we record:

• Transaction ID from the app store
• Product purchased, amount, and currency
• Credits granted and your credit balance

We do not collect or store your payment card details. All payment processing is handled by Apple or Google.

2.5 Device and Technical Data

• IP address (recorded during login, registration, and legal-consent events)
• User-Agent string (browser or app version information)
• Device platform (Android or iOS)
• Push-notification device token (if you enable notifications)

2.6 Notification Preferences

You can independently enable or disable notifications for: new followers, follow requests, likes, and AI generation completion.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

• Performance of contract (Art. 6(1)(b)): Account creation and management, AI image generation, credit and purchase processing, transactional emails (verification, password reset, account deletion), data export, and referral program.
• Legitimate interest (Art. 6(1)(f)): Content moderation and safety (to protect our users and comply with platform policies), fraud and abuse prevention (IP logging, failed-login counters, audit logs), and security of the Service.
• Consent (Art. 6(1)(a)): Push notifications and analytics data collection. You can withdraw consent at any time by disabling notifications or analytics in the app settings.
• Legal obligation (Art. 6(1)(c)): Where we are required to retain or disclose data to comply with applicable law, regulation, or legal process.

4. How We Use Your Information

• Provide and operate the app — Account info, images, social data, credits
• AI image generation — Uploaded images sent to Google AI services for virtual try-on and pose transfer
• Content moderation and safety — Uploaded and generated images analyzed for prohibited content
• Transactional emails — Verification, password reset, account deletion notices sent to your email
• Push notifications — Delivered using your device token and notification preferences
• Process purchases — Transaction data from app stores used to manage credits
• Prevent fraud and abuse — IP address, User-Agent, failed-login counters, audit logs
• Referral program — Referral code and referrer/referee relationship
• Legal compliance — Any data as required by law

5. AI Image Generation

When you generate an image, your uploaded photos are sent to Google Cloud AI services (Vertex AI and Gemini) for processing. These images are transmitted in encoded form to produce virtual try-on or pose-transfer results. The AI models perform image transformation only — they do not extract biometric data, perform facial recognition, or uniquely identify individuals.

Google processes this data as a data processor under their Cloud Data Processing Addendum. We do not use your images to train our own AI models.

All uploaded and generated images are also analyzed by the Google Cloud Vision API for automated content moderation (detecting adult, violent, or otherwise prohibited content).

6. Automated Decision-Making

We use automated processing in the following ways:

• Content moderation: The Google Cloud Vision API automatically analyzes uploaded and generated images for prohibited content (adult, violent, or racy material). Images that exceed our safety thresholds may be automatically rejected or flagged.
• AI safety filters: The Gemini model applies safety filters that may block generation requests containing potentially harmful content.

These automated decisions may result in content being removed or generation requests being declined. You have the right to request human review of any automated moderation decision by contacting us at privacy@mastyla.app. We will review your request and respond within 30 days.

7. Third-Party Services and Data Processors

We share data with the following service providers, all of whom are bound by Data Processing Agreements (DPAs) that ensure your data is protected in accordance with applicable data protection laws:

• Google Cloud Platform (Vertex AI, Gemini, Vision API, Cloud Storage, Cloud SQL) — AI generation, content moderation, file storage, database hosting
• Google Sign-In — Authentication via Google account
• Firebase Cloud Messaging — Push notification delivery
• Firebase Crashlytics — Crash reporting
• Firebase Analytics — Anonymous usage analytics (with your consent)
• Resend — Transactional email delivery
• Apple App Store / Google Play Store — Purchase verification

We do not sell your personal information. We do not share your data with advertisers.

8. Analytics and Tracking

We use Firebase Analytics to collect anonymous usage data to understand how our features are used and to improve the app experience. Analytics data collection is disabled by default and only enabled with your explicit consent. You can opt in during account registration and opt out at any time in Settings > Privacy & Connections.

When enabled, Firebase Analytics collects:

• Screen views (which screens you visit)
• Feature usage events (e.g., try-on started, image shared, credit purchased)
• Device information (device model, operating system version)
• App version

This data is anonymous and cannot be used to identify you personally. Analytics data is retained for 14 months (the Firebase Analytics default) and then automatically deleted. Google processes this data as a data processor under their Cloud Data Processing Addendum.

We also use Firebase Crashlytics to collect crash reports to improve app stability. We do not use advertising SDKs or sell analytics data.

9. Data Storage and Security

Your account data and database are stored on Google Cloud Platform infrastructure in the europe-west1 (Belgium) region. Images are stored in Google Cloud Storage in the same region. We use industry-standard security measures including encrypted connections (TLS), hashed passwords (bcrypt), and role-based access controls.

10. International Data Transfers

Your core data (database and stored images) remains in the EU (europe-west1). However, certain processing operations involve transfer of data outside the European Economic Area:

• Virtual try-on generation: Processed within the EU (europe-west1 Vertex AI endpoint).
• Pose-transfer generation: Images are sent to Google’s global Gemini API endpoint, which may process data in the United States or other regions.
• Content moderation: Images are sent to the Google Cloud Vision API global endpoint, which may process data in the United States or other regions.
• Email delivery: Email addresses and message content are processed by Resend (Resend Inc.) in the EU region (eu-west-1, Ireland). Because data is processed within the EEA, no cross-border transfer occurs for email delivery.

These transfers are protected by the following safeguards:

• Google Cloud’s Data Processing Addendum, which incorporates EU Standard Contractual Clauses (SCCs) for transfers outside the EEA.
• The EU-U.S. Data Privacy Framework, where applicable.

11. Data Retention

• Active accounts: Data is retained for the life of your account.
• Deleted accounts: When you delete your account, it enters a 30-day grace period during which you can restore it by logging back in. After 30 days, your account and associated data are permanently deleted.
• Legal holds: In rare cases, account data may be retained beyond the deletion period if required for legal proceedings.
• Audit logs: Security-related logs (login events, account changes) are retained for 24 months, after which they are permanently deleted.
• Email verification and password reset tokens: Expire within 15 minutes of issuance.

12. Your Rights Under the GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under data protection law:

• Right of access (Art. 15): Request a copy of your personal data. You can use the data export feature in the app or contact us.
• Right to rectification (Art. 16): Update your account information through the app settings, or contact us to correct inaccuracies.
• Right to erasure (Art. 17): Delete your account from the app settings. Your data will be permanently deleted after the 30-day grace period.
• Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format via the data export feature.
• Right to object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., push notifications, analytics), you may withdraw consent at any time in the app settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to human review of automated decisions (Art. 22): Request human review of any automated content moderation decision that significantly affects you.

To exercise any of these rights, contact us at privacy@mastyla.app. We will respond within 30 days. If we need more time, we will inform you of the extension and the reasons for it.

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

13. Account Privacy

Your account is public by default. You can set your account to private in the app settings, which requires others to send a follow request to see your content.

14. Children’s Privacy

Ma Styla is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will promptly delete it.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app and request your acceptance of the updated policy. The version you accepted is recorded in your account.

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or want to lodge a complaint, contact us at:

Ma Styla LLC
8 The Green, #12856
Dover, DE 19901
United States
Email: privacy@mastyla.app