Privacy Notice
Data Controller
Anproba GmbH · Bremen, Germany · privacy@anproba.de
1. Introduction
Anproba GmbH ("Anproba", "we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Notice explains how we collect, use, store, and protect personal data when you use our Virtual Try-On (VTO) platform and related services.
This Notice applies to: (a) consumers who use Anproba-powered Virtual Try-On experiences on merchant platforms; (b) merchant businesses that access the Anproba platform via our API, SDK, or dashboard; and (c) visitors to our website (anproba.de).
2. Data We Collect
2.1 Identity and Contact Data
Name, business email address, company name, phone number. Collected when you create an account or submit a partner application.
2.2 Biometric Data — Digital Twin Payload (DTPv3)
Special Category Data — GDPR Article 9
Body measurements derived from user photographs constitute biometric data. This is Special Category data under GDPR Article 9. We process this data only with your explicit consent, which you may revoke at any time.
When a consumer creates a Digital Twin, Module B processes a body photograph to generate a Digital Twin Payload (DTPv3). This includes: body keypoints (24-point ABLS system), body measurements, SMPL 3D body mesh parameters, and Pose Pack data. The output is encrypted with AES-256-GCM using a unique per-user KMS CMK. The original master photograph is deleted from our systems within 30 days of processing.
2.3 Technical Data
IP address, device type, browser, operating system, session tokens, and access logs. Collected automatically when you interact with our platform.
2.4 Usage Data
VTO session counts, garment interaction events, sizing recommendation events, timestamp data. Used for service delivery and analytics.
2.5 Payment Data
Payment processing is handled exclusively by Stripe, Inc. Anproba never stores, processes, or has access to raw card numbers, CVV codes, or bank account details. We store only Stripe-generated customer identifiers and invoice records.
3. Legal Bases for Processing
We process your personal data under the following legal bases as permitted by GDPR:
- Contract performance (Art. 6(1)(b)): Account management, service delivery, API access, billing.
- Legitimate interests (Art. 6(1)(f)): Fraud prevention, platform security, abuse detection. We conduct a balancing test for each legitimate interest.
- Legal obligation (Art. 6(1)(c)): Tax records, invoicing, compliance with German commercial law (HGB), anti-money laundering obligations.
- Explicit consent (Art. 9(2)(a)): Biometric Digital Twin data. Consent is requested separately, must be freely given, and may be withdrawn at any time without affecting the lawfulness of prior processing.
4. The Three Processing Modules
4.1 Module A — Garment Asset Generation Pipeline
Processes brand-uploaded garment images (no personal data). Output: APv4 binary (FlatBuffers + GZIP, ≤500 KB per SKU). Stored in Amazon S3 (eu-central-1), served via CloudFront CDN. Retained for the duration of the merchant contract.
4.2 Module B — Digital Twin Pipeline (Biometric)
Processes consumer body images in a dedicated biometric enclave (isolated VPC subnet, no outbound internet except allowlist). Uses: SAM (Segment Anything Model), SCHP (clothing parser), MoveNet Thunder + OpenPose body_25 (pose estimation), Stable Diffusion Inpainting + ControlNet (virtual undressing — output NEVER shown to user or any client), PnP SMPL solver (3D body fit). Output: DTPv3, encrypted AES-256-GCM with per-user AWS KMS CMK. Stored in S3 with server-side encryption. Master photo deleted after 30 days (S3 lifecycle policy — no manual override).
The bare_body field in DTPv3 is NEVER served to any client, logged, or exported. A CodeQL rule (AC-012) enforces this on every pull request.
4.3 Module C — On-Device Rendering
All rendering occurs on the consumer's device (iOS/Metal, Android/Vulkan, WebAssembly/WebGPU). Zero ML inference at runtime. No biometric data is transmitted during the rendering phase. The device receives: DTPv3 (from device Keychain/Keystore) + APv4 (from CloudFront CDN). The composite render is computed locally.
5. Data Transfers
Primary data centre: AWS EU (Frankfurt, eu-central-1). Disaster recovery: AWS EU (Ireland, eu-west-1). All data remains within the European Economic Area (EEA). We do not transfer personal data outside the EEA without Standard Contractual Clauses (SCCs) or equivalent safeguards.
6. Data Retention
- Digital Twin (DTPv3): Retained until account deletion or accepted erasure request.
- Master photograph: Deleted 30 days after Module B processing (S3 lifecycle policy).
- Garment assets (APv4): Retained for the duration of the merchant contract.
- Audit logs: 7 years (WORM, Object Lock-backed).
- Payment records: 10 years (German tax law, §147 AO).
- Session and technical logs: 90 days.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data. See Section 8.
- Restriction (Art. 18): Request that we restrict processing while a dispute is resolved.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interests.
- Withdraw Consent (Art. 7(3)): Withdraw consent for biometric processing at any time. This does not affect the lawfulness of processing before withdrawal.
- Lodge a Complaint: You have the right to lodge a complaint with the supervisory authority: Der Landesbeauftragte für Datenschutz und Informationsfreiheit Bremen, Arndtstraße 1, 27570 Bremerhaven.
8. Right to Erasure — GDPR Article 17
Anproba processes erasure requests within 24 hours via an 8-step cryptographic destruction workflow:
- AWS KMS CMK scheduled for deletion (7-day AWS minimum waiting period)
- S3 DTPv3 objects deleted (all encrypted Digital Twin files)
- PostgreSQL PII fields pseudonymised (name, email → hashed identifiers)
- OpenSearch index entries purged
- Redis cache flushed for user
- Stripe customer data anonymised via Stripe API
- Analytics events pseudonymised
- Erasure confirmation email sent to data subject
To submit an erasure request: privacy@anproba.de
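The first erasure step above works by crypto-shredding: once the per-user key is gone, every DTPv3 object encrypted under it is unreadable regardless of whether the S3 copies still exist. The following Go program is an added illustration, not Anproba's own code; it stands in for the AWS KMS CMK with a locally generated AES-256 key and uses a constructed sample payload.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewUserKey stands in for a per-user KMS CMK (generated locally for this example).
func NewUserKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}
// gcm builds AES-256-GCM; a destroyed key is nil, which aes.NewCipher rejects.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts a DTPv3 blob under the user's key; the random nonce is prepended.
func Seal(key, dtp []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, dtp, nil), nil
}
// Open decrypts a sealed blob; it fails once the key is destroyed or mismatched.
func Open(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("cannot open: destroyed key or truncated blob")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// Destroy zeroes the key and returns nil (local analogue of scheduling CMK deletion).
func Destroy(key []byte) []byte {
	for i := range key {
		key[i] = 0
	}
	return nil
}
```

With a real KMS CMK the key material never leaves the HSM, so the zeroing loop is replaced by the scheduled key deletion itself; the effect on the ciphertext is the same.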
9. No Advertising. No Sale. No AI Training.
- Anproba does not serve advertising and does not use personal data for any advertising or profiling for third parties.
- Anproba does not sell personal data to any third party.
- Consumer Digital Twin data (DTPv3) is NEVER used to train, fine-tune, distil, or improve any AI/ML model — internal or external. This is an absolute contractual commitment reflected in our AI Policy and DPA.
10. Cookies
Please see our Cookie Policy for details on how we use cookies and how to manage your preferences.
11. Sub-Processors
We use the following sub-processors to deliver our services:
- Amazon Web Services (AWS): Infrastructure, storage, KMS encryption — EU regions only (Frankfurt, Ireland)
- Stripe, Inc.: Payment processing — Standard Contractual Clauses in place
- Clerk, Inc.: Authentication and identity management — SCCs in place
12. Contact
For any privacy-related enquiries: privacy@anproba.de
Anproba GmbH · Bremen, Germany