Privacy Policy
Last updated: 30 May 2026 · MyStyleReport, an independently operated online service
This Privacy Policy explains how MyStyleReport ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our AI-powered personal style report service at mystylereport.com ("Service"). We are committed to full compliance with the General Data Protection Regulation (GDPR) and applicable EU/EEA data protection law.
1. Who We Are (Data Controller)
MyStyleReport is the data controller responsible for your personal data.
Contact: [email protected]
The Service is operated independently online. Payment transactions are processed by Paddle.com Market Ltd, acting as the merchant of record. Paddle is a separate data controller for your payment data and operates under its own Privacy Policy at paddle.com/legal/privacy.
2. What Data We Collect
We collect only the data strictly necessary to provide the Service:
- Email address — to deliver your report and send transactional communications.
- Portrait photograph — uploaded voluntarily by you for AI-based style analysis. This constitutes biometric data under GDPR Article 9 and is processed only with your explicit consent.
- Quiz answers — lifestyle, style preferences, body type, skin concerns, hair concerns, age range, climate, and occasions. Used solely to personalise your report.
- Payment information — handled exclusively by Paddle.com Market Ltd as merchant of record. We do not store or access your card details. Paddle is the data controller for your payment data.
- Technical, usage and advertising data — when you visit the Service, we and our advertising and analytics partners (Meta, TikTok, and Google) may collect your IP address, device and browser information, cookies or similar identifiers, the campaign or referral details from the link you arrived through, and information about how you use the Service. This is used to measure and improve our advertising.
We collect only the data described in this Policy, and we use it only for the purposes stated here.
3. Biometric Data Processing (GDPR Article 9)
Your portrait photograph is classified as biometric data under GDPR Article 9. Processing of such data is prohibited unless you provide explicit, informed, and freely given consent. By actively checking the consent checkbox at the photo upload step, you provide this explicit consent. You may withdraw your consent at any time by contacting us at [email protected].
Purpose: AI-based analysis of visual features (colour season, face shape, skin tone) to generate your personalised style report.
No biometric template is stored. No facial recognition is performed. No identification system is used.
Storage: Your photograph is stored on a secured server (Hostinger VPS, Lithuania, EU). It is automatically and permanently deleted within 30 days of upload.
Third parties: Your photograph is processed via two AI providers under their published data retention policies:
- Anthropic (Claude Haiku) — vision baseline analysis. No retention beyond the API call.
- OpenAI image-gpt-2 via fal.ai — image generation. No retention beyond the API call.
Your photograph is never shared with any other third party, sold, or used for model training, advertising, or analytics.
4. Legal Basis for Processing (GDPR Article 6 & 9)
- Email address: Performance of a contract (Article 6(1)(b)).
- Portrait photograph: Explicit consent (Article 9(2)(a)).
- Quiz answers: Performance of a contract (Article 6(1)(b)).
- Payment data: Processed by Paddle.com Market Ltd as merchant of record, under Paddle's own legal basis. See paddle.com/legal/privacy.
- Technical, usage and advertising data: essential technical data — our legitimate interests in operating and securing the Service (Article 6(1)(f)); advertising and analytics cookies and pixels — your consent (Article 6(1)(a)). These trackers are not enabled for visitors in the EU, EEA or UK, or when a Global Privacy Control signal is present.
5. How We Use Your Data
- Generating your personalised AI style report (PDF).
- Delivering your report to your email address.
- Responding to support enquiries and processing refund requests.
- Maintaining transactional records as required by applicable law.
6. Data Retention
- Portrait photograph: Automatically deleted within 30 days of upload.
- Quiz answers: Deleted within 90 days of report generation.
- Email address: Retained for up to 12 months, then deleted.
- Transaction records: Retained by Paddle for the period required by their merchant-of-record obligations.
- Advertising and cookie data: Retained for the lifetime of the relevant cookie and in accordance with each partner's retention policy. You may clear cookies at any time.
7. Data Security
- HTTPS/TLS encryption for all data in transit.
- Encrypted storage on secured EU-based servers (Hostinger VPS, Lithuania).
- Access restricted to authorised personnel only.
- Automatic deletion protocols for biometric data.
8. Third Parties and Data Transfers
- Paddle.com Market Ltd — payment processing and merchant of record. paddle.com/legal/privacy
- Brevo SAS — transactional email delivery (EU data plane). brevo.com/legal/privacypolicy
- Hostinger International Ltd — server hosting within the EU (Lithuania).
- Anthropic PBC — vision baseline (Claude Haiku). No data retained beyond the API call.
- OpenAI OpCo LLC (via fal.ai) — image generation. No data retained beyond the API call.
- Meta Platforms, TikTok, and Google — advertising measurement, optimisation and analytics via their pixels/SDKs and server-side APIs (not enabled for EU/EEA/UK visitors). Data shared may include a hashed email address, cookie identifiers, IP address and event data.
9. Cookies, Advertising and Analytics
We use cookies and similar technologies in two categories:
- Essential cookies — required to operate and secure the Service (for example, cookies set by our security provider, Cloudflare). These are always active.
- Advertising and analytics cookies and pixels — used, where permitted, to measure the performance of our advertising and to attribute purchases to the campaigns that referred them.
We use the Meta Pixel and Conversions API, the TikTok Pixel and Events API, and Google Analytics. These set cookies in your browser and/or receive events about your activity — including, via server-side APIs, a hashed (irreversible) version of your email address, your IP address, and event details such as a completed purchase — so these partners can report on and optimise our advertising.
Your uploaded photograph and quiz answers are never shared with Meta, TikTok, Google, or any other advertising partner.
Your controls (no action needed from you):
- Advertising and analytics trackers are not enabled for visitors located in the EU, EEA or United Kingdom.
- We honour the Global Privacy Control (GPC) browser signal — if your browser sends it, advertising trackers stay off.
- You can manage cookies in your browser settings and your ad preferences in your Meta, TikTok or Google account.
10. Your Rights Under GDPR
- Right of access (Article 15) — request a copy of your data.
- Right to rectification (Article 16) — request correction of inaccurate data.
- Right to erasure (Article 17) — request deletion of your data.
- Right to restriction (Article 18) — request restricted processing.
- Right to data portability (Article 20) — receive your data in a machine-readable format.
- Right to object (Article 21) — object to processing based on legitimate interests.
- Right to withdraw consent — withdraw biometric data consent at any time.
To exercise any of these rights, contact [email protected]. We respond within 30 days.
11. Right to Lodge a Complaint
You may lodge a complaint with the data protection authority in your country of residence.
- EU/EEA residents — contact details for national supervisory authorities can be found at edpb.europa.eu.
- United States residents — California residents may contact the California Privacy Protection Agency (cppa.ca.gov). Residents of other US states may contact their state Attorney General's office. You may also report concerns to the Federal Trade Commission (reportfraud.ftc.gov).
- Other jurisdictions — please contact the data protection authority applicable to your country of residence.
12. Children's Privacy
Our Service is intended for users aged 18 and over. We do not knowingly collect data from individuals under 18.
13. California Residents (CCPA/CPRA Notice)
We do not sell your personal information for money. However, our use of advertising cookies and pixels (Meta, TikTok, Google) may be considered "sharing" of personal information for cross-context behavioral advertising under the California Privacy Rights Act (CPRA). California residents have the right to opt out of this sharing: we honour the Global Privacy Control (GPC) signal as a valid opt-out request, and you may also opt out by emailing [email protected].
14. Changes to This Policy
We may update this policy from time to time. Continued use of the Service after changes constitutes acceptance.
15. Contact Us
[email protected]
16. Governing Law
This Policy applies to a Service provided online to a global audience. Payment-related data processing is governed by Paddle.com Market Ltd's privacy terms. For all other matters, please contact us at [email protected] so that we can resolve the matter amicably. Your statutory data protection rights under your local jurisdiction (including GDPR where applicable) are not affected.