Privacy policy

Sleqk is an AI stylist for people with real calendars. You upload the clothes you own, connect your calendar, and Sleqk proposes outfits and renders photoreal try-ons for specific events. We also let you share those renders with friends for a quick vote.

Sleqk is operated by Lytis Software Private Limited, a company registered in Belgium (VAT BE 0798.128.569), with its registered office at Rue de Grand-Bigard 14, 1082 Berchem-Sainte-Agathe, Brussels, Belgium. For the purposes of the EU GDPR (and the UK GDPR for users in the United Kingdom), Lytis Software Private Limited is the data controller of the personal data described on this page.

For privacy-specific questions, write to privacy@sleqk.com. [LEGAL-REVIEW: confirm whether a formal Data Protection Officer needs to be appointed under GDPR Art. 37 given we do large-scale processing of users’ photos; appoint and name here if so.]

We try to collect only what we actually need. Concretely, that breaks down into six groups:

Account data

Your email address, your name (either the one you type or the one your identity provider returns), a salted password hash if you sign up with email and password, and the anonymous subject identifier we receive from Google or Apple if you use Sign in with Google or Sign in with Apple. If you use Sign in with Apple and choose Apple’s Hide My Emailoption, the address we receive is a private Apple relay (…@privaterelay.appleid.com); we store it and email you through it exactly as we would any other address, and we never see your real email unless you later choose to share it.

Your content

The photos you upload of your clothes (the “closet”), the profile or body photos you upload so we can render try-ons on you, the AI-generated try-on renders we create from those inputs, the tags and notes you add to looks, and the calendar-linked event entries you create in the planner (title, date, time, location, your notes).

Device data

Your Apple Push Notification (APNs) token if you install the iOS app and opt in to notifications, basic browser session data, your browser user-agent, and a salted hash of your IP address (we do not store the raw IP) for abuse prevention and rate limiting.

Subscription data

If you subscribe, we receive your Stripe customer ID, the status of your subscription, and counters showing how many AI renders you have used in the current billing period. Your card number, expiry, and CVC are handled by Stripe and never touch our servers. On iOS, subscription status will come from Apple StoreKit; we only ever see that you are entitled, not your card details. (iOS billing is not yet live.)

Sharing data

When you generate a share link for a look or a vote poll, we create a random share token tied to that look. When a friend opens that link and votes, we store a random 16-byte device identifier in their browser’s local storage so each device votes once, and we record their name if they choose to type one. Voters do not need an account.

Analytics and telemetry

Structured logs about how the product performs, mostly errors and latency. On iOS we use Apple’s OSLog, which stays on the device. On the server we emit OpenTelemetry traces; at the date above we do not forward these to any third-party analytics provider. If we later add product analytics (the current plan is a self-hosted PostHog instance), we will update this page and the analytics tracker will only load after you opt in through the in-product cookie consent banner. See the Cookies page for the up-to-date list of what we set in your browser.

We do not use the Apple IDFA. We do not integrate any third-party advertising SDKs. We do not track you across other apps or websites.

Under UK GDPR Art. 6 and EU GDPR Art. 6 we must have a specific legal basis for each use of your data. Ours are:

• Account data— to form and perform the contract with you (Art. 6(1)(b)).
• Your content— your explicit consent for AI processing, specifically for phenotype extraction, photo enhancement, and try-on rendering (Art. 6(1)(a) and, where the photo lets us infer things like body size, Art. 9(2)(a) for special category data). We ask for this consent separately the first time you use each of these features, and you can withdraw it in the profile screen of the app at any time.
• Device data— our legitimate interest in keeping the service secure and preventing abuse (Art. 6(1)(f)). IP addresses are only ever held as a salted hash.
• Subscription data— to perform the contract (Art. 6(1)(b)) and to comply with our tax and accounting obligations (Art. 6(1)(c)).
• Sharing data— to perform the contract with you, the sharer (Art. 6(1)(b)), and our legitimate interest in running the vote-dedup mechanism so one voter equals one vote (Art. 6(1)(f)). [LEGAL-REVIEW: confirm that the voter, as a third party who did not sign up, is sufficiently informed of processing; a short cookie-style notice on the vote page should be added.]
• Analytics and telemetry— our legitimate interest in keeping the product reliable and debugging failures (Art. 6(1)(f)). We do not use analytics for advertising or profiling.

We only share your data with the service providers that make Sleqk work. Each one is bound by a written agreement that limits them to processing on our behalf. The current list is:

• Google (Gemini API)— we send your closet and profile photos to Google’s Gemini API so it can remove backgrounds, classify garments, extract features, and render the photoreal try-on images. We use the paid Gemini API. Under Google’s published policy for the paid tier, inputs and outputs are not used to train Google’s models (see ai.google.dev/gemini-api/docs/api-key-api-user-data-policy). We rely on that policy and recommend you read it yourself. [LEGAL-REVIEW: confirm the exact paid-tier training carve-out wording at launch date and the retention window Google applies for abuse monitoring.]
• Apple and Google (Sign in with Apple / Sign in with Google)— if you choose to sign in with Apple or Google instead of a password, you authenticate with them directly. They return a signed token containing an anonymous subject identifier and, with your permission, your name and email (or, for Apple, a Hide My Email relay address). We do not send them your wardrobe, your renders, or your in-app activity. Their handling of the sign-in itself is governed by their own privacy policies.
• Stripe— for web subscription payments. We send Stripe your email and receive back a customer ID and subscription state. Stripe is the data controller of your payment card data; we are not.
• Apple (StoreKit)— once iOS in-app purchase is live, Apple will handle the payment on our behalf and only tell us whether your entitlement is active. This is not yet live.
• Google Cloud Platform— where the Sleqk backend, databases, and uploaded media are hosted. EU users’ data is provisioned in the europe-west4 region (the Netherlands) at launch.
• A GDPR-compliant email service provider— for transactional and (if you opt in) product emails. We have not named one publicly yet; we will update this page once we do.
• Firebase— for parts of the authentication flow in some regions. No photos are sent to Firebase.

We do not sell your data. We do not rent your data. We do not trade your data for advertising reach.

For users in the UK and EU, your account, your content, and your subscription records live in the EU — specifically Google Cloud’s europe-west4 region in the Netherlands. We chose an EU-first launch deliberately.

Some processing unavoidably crosses borders. In particular, when we call the Gemini API to generate a try-on render, the request may be served on Google infrastructure outside the UK or EU. Where that happens, Google relies on the European Commission’s Standard Contractual Clauses and, for UK users, the UK International Data Transfer Addendum as the legal transfer mechanism. [LEGAL-REVIEW: confirm current SCC module and IDTA version, and note any supplementary safeguards in place.]

When we launch in the United States we plan to run a separate US regional stack rather than a single shared transatlantic database. Until then, Sleqk is not offered in the US and this page only addresses EU and UK users.

The table below sets out our standard retention periods. You can shorten these by deleting your content or your account at any time. [LEGAL-REVIEW: confirm each row matches what the backend actually enforces; the consent-records row in particular may conflict with the current behaviour which cascades consent records when a user deletes their account.]

Account

Kept until you delete your account. Deletion is a user-initiated action in the app (GDPR Art. 17).

Closet and profile photos

Kept until you delete each item individually, or until you delete your account. You can always see and remove them from the wardrobe screen.

AI-generated try-on renders

Kept on the same terms as the source photos. If you delete the source wardrobe item or your account, the renders are deleted too.

C2PA provenance sidecars

Kept alongside the render they describe. These are the small signed metadata files that prove a given image was generated by Sleqk’s AI; removing them would break our transparency obligations under the EU AI Act.

Consent records

We keep a record of the consents you have given or withdrawn so we can prove to a regulator under GDPR Art. 7(1) that we had your consent at the moment we processed your photos. [LEGAL-REVIEW: decide whether consent rows should survive account deletion — current code cascades them, which may leave us unable to defend historic processing.]

Support tickets

Up to three years from the last message in the thread, for business records and fraud detection.

Deletion tombstones

Up to 90 days after you delete your account. We keep a minimal row listing what needs to be scrubbed from cloud storage and Firebase, so the cleanup can complete reliably even if a batch job fails once.

Subscription records

Up to seven years after the end of the tax year in which the payment was made, to meet UK and EU tax and accounting obligations.

Usage analytics

Currently ephemeral: our telemetry is not forwarded to any external analytics provider. If we add one we will cap retention at 18 months and update this page.

Under UK GDPR and EU GDPR you have the following rights over your personal data. You can exercise any of them by writing to privacy@sleqk.com. We aim to reply within 30 days (GDPR Art. 12(3)).

• Access (Art. 15)— ask for a copy of the personal data we hold about you.
• Rectification (Art. 16)— correct anything inaccurate. Most account fields can be edited directly in the app.
• Erasure (Art. 17)— delete your account and everything attached to it. You can do this yourself from the profile screen; there is no retention-by-default lock-in.
• Restriction (Art. 18)— ask us to pause processing while a dispute is resolved.
• Portability (Art. 20)— ask for a JSON export of your account, closet, events, and renders.
• Object (Art. 21)— object to any processing we do on the basis of legitimate interests.
• Withdraw consent— where we process on the basis of consent (AI photo processing), you can withdraw that consent in the profile screen and the processing will stop. Withdrawal does not affect the lawfulness of processing that happened before.
• Complain to a regulator— you can complain to the UK Information Commissioner’s Office (ico.org.uk) or to the lead supervisory authority in your EU member state.

We do not claim ISO 27001 or SOC 2 certification — we have not pursued either. What we do have:

• All traffic is HTTPS. The app refuses to talk over plain HTTP.
• Passwords are hashed with a modern key-derivation function before they hit the database. We never store the plaintext password.
• IP addresses are stored as salted hashes only, for abuse prevention and rate limiting.
• Calls to our AI provider are protected by circuit breakers so a model outage cannot stampede your data or loop indefinitely on failure.
• Deletions are real. When you delete a look, the render and its C2PA sidecar are removed from storage; when you delete your account, a durable tombstone ensures the cleanup completes across our databases, object storage, and Firebase even if a worker crashes mid-run.
• Access to production data is limited to named members of the team using short-lived credentials, and all access is audit-logged.

Sleqk is for adults. You must be 18 or older to create an account. The product is not designed for, and not marketed to, anyone under 16. If we discover that we hold data from a user under 16, we will delete their account and their content without waiting for a request.

If we change this policy in a way that affects how we handle your data, we will update the “Last updated” date at the top and — for material changes — notify you by email or an in-app prompt before the change takes effect. Historic versions are available on request.