Privacy Policy

Version 1.0 — Effective date: 5 June 2026

Publication URL: https://mytenue.com/privacy

This Privacy Policy explains how MYTENUE SASU collects, processes and protects your personal data when you use the website https://mytenue.com and the MyTenue mobile application (together, the "Service").

It complies with Regulation (EU) 2016/679 ("GDPR"), the French Data Protection Act of 6 January 1978 as amended, the recommendations of the French Data Protection Authority (CNIL) and Regulation (EU) 2024/1689 on artificial intelligence ("EU AI Act").

Article 1 — Data controller

The data controller is:

MYTENUE SASU — Business registration number (SIREN): 105 776 215
Registered office: 17 Rue Benoît Malon, 92150 Suresnes, France
Legal representative: Mr Ahmed Ghariani, President
Data Protection Officer (DPO): dpo@mytenue.com

For any question regarding this Policy or to exercise your rights, please contact dpo@mytenue.com or write to MYTENUE SASU at the registered office address.

Article 2 — Categories of personal data collected

2.1 Account and identification data

Email address
First and last name (optional)
Unique account identifier
Hashed and salted password
Authentication method (email, Apple, Google)
Account creation date

2.2 Profile and preferences

Declared gender (M, F, other, not provided)
Style preferences (favourite styles, occasions, colours)
Subscription tier (Free, Basic, Premium, Gold)
Interface language

2.3 User-generated content

Photographs of your clothes and accessories
Photographs you upload for virtual try-on — these may contain your face; they are used only to generate the try-on result and are never used for facial recognition or any biometric processing
Associated metadata (category, colour, declared brand)
Outfits created by you

2.4 Connection and technical data

IP address
Device identifiers (IDFA for iOS, GAID for Android)
Device type, operating system, app version
Connection and activity logs
Performance metrics

2.5 Behavioural usage data

Browsing history within the Service
Items viewed, outfits created, virtual try-ons performed
Interactions with AI recommendations
Clicks on affiliate links

2.6 Payment data

Subscription information (status, billing cycle, history)
MYTENUE never stores complete payment card data. Payment card data is tokenised and processed exclusively by Stripe Payments Europe Ltd and RevenueCat, depending on the channel.

2.7 Location data

Approximate country and region (derived from IP address)
Precise location only with your explicit consent

2.8 Communications

Emails and messages exchanged with support
Optional survey responses

Article 3 — Purposes and legal bases

In accordance with Article 6 of the GDPR, each processing activity relies on a specific legal basis.

Purpose	Legal basis	Data
Account creation and management	Contract performance (art. 6.1.b)	Identification, authentication
Provision of the Service (wardrobe digitisation, AI, suggestions)	Contract performance (art. 6.1.b)	Profile, uploaded content, preferences
Billing and subscription management	Contract + legal obligation (art. 6.1.b and c)	Payment data, identification
Accounting retention	Legal obligation (art. 6.1.c)	Invoices, financial data
Service improvement and anonymised statistics	Legitimate interest (art. 6.1.f)	Anonymised usage data
Security, fraud prevention	Legitimate interest (art. 6.1.f)	Logs, IP, device identifiers
Marketing communications	Consent (art. 6.1.a)	Email, preferences
Non-essential cookies and advertising trackers	Consent (art. 6.1.a)	Technical identifiers
Push notifications	Consent (art. 6.1.a)	Notification token
AI personalisation	Contract performance (art. 6.1.b)	Preferences, wardrobe

Article 4 — Retention periods

Category	Retention period
Active account data	While the account is active
Inactive account data	3 years after last login
Uploaded photographs (active account)	While the account is active
Uploaded photographs after account deletion	30 days (recovery), then permanent deletion
Accounting data and invoices	10 years
Connection logs	1 year
Consent data (cookies)	13 months
Prospect data	3 years from last contact
Customer service tickets	5 years after closure

Article 5 — Recipients and processors

Your data is accessible, within the strict limit of their respective missions, to MYTENUE's authorised personnel and to its processors bound by a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR.

Processor	Purpose	Data location	Safeguards
Amazon Web Services EMEA SARL	Hosting, S3 storage, Lambda, RDS Aurora	EU — eu-west-3 (Paris)	AWS DPA, ISO 27001/27018
Stripe Payments Europe Ltd	Payment processing	EU / US (SCC + DPF)	Stripe DPA, PCI-DSS Level 1
RevenueCat Inc.	iOS / Android subscription management	US (SCC + DPF)	RevenueCat DPA
Google LLC — Vertex AI	AI clothing analysis (Gemini), image generation and virtual try-on (Imagen)	EU / US (SCC + DPF)	Google Cloud DPA
Resend Inc.	Transactional and marketing emails	EU / US (SCC + DPF)	Resend DPA
Sentry / Crashlytics	Error and performance monitoring	EU / US (SCC + DPF)	DPA, user data anonymisation
Google Analytics 4	Website audience measurement	EU / US (SCC + DPF)	IP anonymisation, CNIL-compliant configuration
Meta Platforms Ireland Ltd	Advertising tracking (consent required)	EU / US (SCC + DPF)	Triggered only after explicit consent
Apple App Store / Google Play	App distribution	US (SCC + DPF)	Store policies
Affiliate networks: Rakuten Advertising (SUIT Negozi, Ann Demeulemeester, COUTR, Etsy), CJ Affiliate (iQueens, TOUS), Awin (drestige), Tradedoubler (Tamaris)	Commercial performance tracking	EU / US (SCC + DPF)	Bilateral DPAs

Article 6 — Transfers outside the European Union

Your data is primarily stored on EU infrastructure (AWS eu-west-3 Paris). When transfers outside the EU occur (mainly to the United States), MYTENUE relies on Chapter V GDPR safeguards:

Standard Contractual Clauses (SCC) (Decision 2021/914);
EU-US Data Privacy Framework (DPF) for certified processors;
Transfer Impact Assessments (TIA) for risk-bearing flows.

A copy of the applicable safeguards is available on request at dpo@mytenue.com.

Article 7 — Your rights

Under Articles 15 to 22 of the GDPR, you have the following rights:

Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure (Art. 17)
Right to restriction (Art. 18)
Right to data portability (Art. 20)
Right to object (Art. 21)
Right to withdraw consent at any time
Right to give post-mortem directives

How to exercise your rights

Send an email to dpo@mytenue.com;
Or write to MYTENUE SASU — DPO, 17 Rue Benoît Malon, 92150 Suresnes, France.

For security reasons, proof of identity may be requested.

MYTENUE will respond within one (1) month, extendable to three (3) months in case of complex requests.

Remedies

You have the right to lodge a complaint with the French Data Protection Authority (CNIL) — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — https://www.cnil.fr — or with the supervisory authority of your country of residence within the EU/EEA.

Account deletion (Article 17 GDPR)

You may delete your account and all your personal data at any time:

From the app: Profile → "Delete my account" (2-step confirmation).
By email: send a request to privacy@mytenue.com with proof of identity.

Deletion is immediate on the app side. Strictly personal data (profile, wardrobe, photos, AI preferences) is erased without delay. Invoices and accounting data are retained for 10 years for legal reasons (French Commercial Code art. L.123-22), in anonymised form.

Full procedure: https://mytenue.com/account-deletion-en

Article 8 — Data security

MYTENUE implements appropriate technical and organisational measures pursuant to Article 32 GDPR:

In transit: TLS 1.3 encryption;
At rest: AES-256 encryption (S3, Aurora);
Authentication: AWS Cognito + short-lived JWT tokens;
Access control: least-privilege principle, granular IAM;
Logging: auditable access logs;
Backups: encrypted daily backups, business continuity plan;
Monitoring: real-time security incident monitoring;
Testing: periodic security audits.

Breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, MYTENUE will notify the CNIL within 72 hours and, where required, affected individuals without undue delay.

Article 9 — Minors

The Service is reserved for individuals aged at least 16 years.

Minors between 13 and 16 years old may register only with the express consent of the holders of parental authority. MYTENUE does not knowingly collect data from children under 13.

Article 10 — Artificial intelligence and automated decision-making

10.1 AI systems used

MYTENUE uses AI systems for:

analysing your digitised clothes (Google Vertex AI Gemini);
generating outfit recommendations;
providing virtual try-on (Google Vertex AI Imagen);
translating and enriching product descriptions (Google Vertex AI Gemini).

10.2 No solely automated decisions

No processing carried out by MYTENUE results in a decision based solely on automated processing producing legal effects concerning you or significantly affecting you within the meaning of Article 22 GDPR.

AI suggestions are informative and non-binding.

10.3 Human intervention

You may at any time request human intervention regarding AI recommendations at support@mytenue.com.

10.4 EU AI Act compliance

In accordance with Regulation (EU) 2024/1689, AI-generated content is flagged within the Service where required.

Article 11 — Cookies and trackers

See our Cookies Policy.

Article 12 — Changes to this Policy

MYTENUE may modify this Policy. Substantial changes will be notified by email and/or in-app notification at least 30 days before entry into force.

Version history is available on request at dpo@mytenue.com.

Article 13 — Contact

Data Protection Officer: dpo@mytenue.com
Postal address: MYTENUE SASU — DPO, 17 Rue Benoît Malon, 92150 Suresnes, France

Approved by: Ahmed Ghariani, President Version: 1.0 Last updated: 5 June 2026