This Privacy Policy describes how Plagg ("we", "us", "our") collects, uses, stores, and shares personal data about you as a user of our mobile app and related services. We are committed to protecting your privacy and processing your data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Norwegian privacy law.
1. Data controller
Plagg is currently operated as a sole proprietorship pending incorporation. The data controller is:
- Plagg (operated by Håkon Kleven and Sindre Monssen)
- Address: Bergen, Norway
- Email: [email protected]
Once Plagg is incorporated as a legal entity, the data controller will be updated accordingly and affected users will be notified.
2. What personal data we collect
2.1 Data you provide directly
- Account data: name, email address, and password (always stored in hashed form). If you sign up with Google or Apple, we additionally receive a unique identifier and email address from those providers.
- Onboarding data: gender, fashion style preference tags (e.g., "Casual", "Sporty"), and region.
- Reference photo: a full-body photo that you upload in order to enable the AI-powered virtual fitting room. The photo is stored in two versions: the original, and an AI-normalised version optimised for try-on generation.
- User-generated content: outfits, posts (images, captions), favourites, and any comments or reactions you leave.
2.2 Data we collect automatically
- Usage data: the outfits and products you view, like, save, or click through to retailers.
- Technical data: device type, operating system, language setting, IP address, session tokens, and timestamps.
3. Purposes and legal basis
We process personal data for the following purposes and on the following legal bases (GDPR Art. 6):
- Operating your account (authentication, login, account deletion) — basis: contract performance (Art. 6(1)(b)).
- Delivering core features such as the personal feed, outfit generation, and virtual try-on — basis: contract performance (Art. 6(1)(b)).
- Processing your reference photo in AI models to generate virtual try-ons — basis: your consent (Art. 6(1)(a)), which you may withdraw at any time by deleting your account or contacting us.
- Improving recommendations through analysis of interaction data — basis: legitimate interest (Art. 6(1)(f)), with pseudonymisation where practicable.
- Sending transactional emails (email verification, password reset, deletion confirmation) — basis: contract performance (Art. 6(1)(b)).
- Detecting and preventing abuse and security incidents — basis: legitimate interest (Art. 6(1)(f)).
- Complying with legal obligations — basis: legal obligation (Art. 6(1)(c)).
4. Sharing with third parties (data processors)
We never sell your personal data. To deliver the Service we use selected service providers acting as data processors on our behalf, and only to the extent necessary. Our providers fall within the following categories:
- Cloud infrastructure and storage — hosting of servers, databases, and images.
- AI and machine learning providers — processing of images and text for outfit generation, virtual try-on, and recommendations.
- Authentication and sign-in — when you choose to sign in with a third-party provider (e.g., Apple or Google).
- Email provider — sending transactional emails (verification, password reset, deletion confirmation).
- Analytics and error reporting — aggregated usage statistics and technical error logs to improve and stabilise the Service.
We have entered into data processing agreements with our providers where required, and share only the data strictly necessary for the specific purpose. You can obtain an up-to-date list of our data processors by contacting us.
5. AI processing of personal data
Plagg uses generative AI models for several core features. When you upload a reference photo or generate a virtual try-on, the image is sent to our AI providers for processing. Our commercial arrangements with these providers are on terms under which the provider does not train its models on your data. The data is used only to produce the response back to you.
AI-generated images and text are automated approximations and should not be interpreted as accurate representations of how a garment will actually look, fit, or feel in real life.
6. Transfers outside the EEA
Some of our data processors are headquartered or operate datacentres outside the EEA, primarily in the United States. For such transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework. Where possible we select European data-processing regions.
7. Retention periods
- Account data: retained while your account is active, and deleted within 30 days after you close your account.
- Reference photos: deleted immediately when you delete your account or remove the photo manually.
- User-generated content: deleted together with your account, except for backup copies which are deleted within a maximum of 90 days.
- Logs (technical and security logs): stored for up to 90 days.
- Product referral clicks: anonymised after 12 months and used only in aggregated form for product analytics.
8. Your rights
Under the GDPR you have the following rights:
- Access (Art. 15): request a copy of the personal data we process about you.
- Rectification (Art. 16): have inaccurate or incomplete data corrected.
- Erasure (Art. 17): request that your data be deleted. Account deletion is available directly in the app via a two-step email confirmation.
- Restriction (Art. 18): ask us to restrict processing in certain cases.
- Data portability (Art. 20): receive your data in a machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdrawal of consent: withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
You can exercise your rights by contacting us at [email protected]. We normally respond within 30 days.
If you believe we are processing personal data in violation of the law, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). More information is available at datatilsynet.no.
9. Children
Plagg is not directed at children under 16, and we do not knowingly collect personal data from persons under 16. If we become aware that we have received data from a child without valid consent, we will delete the data as soon as possible.
10. Security
We use recognised technical and organisational measures to protect your data, including:
- TLS encryption of all traffic between the app, the browser, and our servers.
- Passwords are always stored hashed using modern algorithms (via Better Auth).
- Reference photos and other private images are behind authenticated endpoints.
- Access control, logging, and regular review of security events.
11. Cookies
Our website uses only technically necessary cookies for authentication and user preferences (e.g., dark/light mode). We do not use third-party advertising or tracking tools on the website.
12. Changes to this Privacy Policy
We may update this policy to reflect changes to the service, the law, or our practices. Material changes will be announced via email or in the app before they take effect. The date at the top of this page indicates when the policy was last updated.
13. Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected].