Security and privacy
Privacy-first by design
Personalization without compromise. We built GetMyLook with privacy at its core—no sensitive data collection, GDPR-ready architecture, and transparent data practices.
Data practices
What we process
We process only what is needed to deliver personalized styling—nothing more.
Appearance cues
Converted to style embeddings for personalization—never stored as raw images or biometrics.
Interaction events
Anonymized session data like item selections, swaps, and time spent—no personal identifiers.
Non-sensitive preferences
Style choices, color preferences, and size selections shared during the session.
Never collected
What we do not collect
We made deliberate architectural decisions to avoid collecting sensitive data entirely.
- Facial recognition data or biometric identifiers
- Personal contact information from screens
- Location data beyond store/zone context
- Purchase history or payment information
- Device identifiers that enable cross-session tracking
- Any data that could identify individuals outside the session
Data retention
Minimal retention by default
We keep data only as long as necessary. Session data disappears when the interaction ends. Analytics are aggregated to prevent re-identification.
Session data
Session only
Cleared immediately after the interaction ends. Nothing persists to disk.
Aggregate analytics
Configurable
Anonymized, aggregated metrics about styling trends and engagement patterns.
System logs
30 days typical
Operational logs for troubleshooting, rotated and purged on schedule.
Architecture
Flexible processing architecture
Choose the processing model that fits your privacy and performance requirements. We support on-device, cloud, and hybrid approaches.
On-device processing
Where hardware supports it, appearance analysis happens locally on the signage device. Data never leaves the store.
Cloud processing
When on-device is not feasible, secure cloud processing with privacy-preserving defaults. Data is encrypted in transit and at rest.
Hybrid deployment
Configurable per deployment to balance performance, capability, and privacy requirements.
Compliance
GDPR-ready for EU retail
GetMyLook is built to support GDPR compliance. We provide the documentation, agreements, and technical controls you need.
Controller/processor clarity
Roles are clearly defined for each deployment. You retain control of your data.
Data Processing Agreements
DPAs available on request to formalize data handling responsibilities.
DPIA documentation
Data Protection Impact Assessment materials available for your compliance reviews.
Data subject rights
Built-in support for access, erasure, and portability requests where applicable.
Cross-border transfers
Standard contractual clauses and appropriate safeguards for international deployments.
Audit support
Documentation and access to support your regulatory audits and assessments.
Ready for EU deployments
We have worked with EU retail partners and understand the regulatory landscape. Our architecture was designed with GDPR principles from day one—not retrofitted after the fact.
Security
Security built in, not bolted on
Encryption everywhere
TLS 1.3 for data in transit. AES-256 for data at rest. No exceptions, no shortcuts.
Access controls
Role-based access, audit logging, and principle of least privilege throughout our systems.
Secure development
Code reviews, dependency scanning, and security testing integrated into our development pipeline.
Incident response
Documented response procedures, breach notification protocols, and regular tabletop exercises.
Documentation
Need more details for your security review?
Request our comprehensive security brief with detailed architecture documentation, compliance certifications, and answers to common vendor security questionnaires.