Privacy Policy
Effective date: March 14, 2026
Who we are
NGUYENER (“we,” “our,” “us”) is operated by NGUYENER LLC, a limited liability company organized under the laws of the State of California. We operate the personal styling service available at nguyener.app and are committed to protecting your privacy and being transparent about how we handle your data.
Business address: NGUYENER LLC, 1021 5th Street, Suite 100, Sacramento, CA 95814, United States
Contact email: [email protected]
Privacy inquiries: [email protected]
Age requirement
Our service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you become aware that a minor has provided us with personal information, please contact us and we will delete it promptly.
Information we collect
Account information
When you create an account, we collect your email address and, optionally, your name. Authentication is handled by Clerk, Inc. — your password is never stored by NGUYENER directly.
Style profile
To personalize your experience, you may voluntarily provide: skin tone, undertone, hair color, build, eye color, age range, height, color season (Spring/Summer/Autumn/Winter), style preferences, budget range, and items you own. This information is stored in your browser (localStorage) and synced to our servers (Supabase) for cross-device access. It is used solely to improve your styling recommendations. You may delete your profile at any time from the Profile page.
Photos you upload
You may choose to upload photos of yourself or clothing items to receive visual styling advice. Photos are analyzed entirely on your device using machine learning models that run in your web browser (WebGPU/WebAssembly). Your photos are never uploaded to our servers. We do not have access to, store, or process your photos on any server infrastructure. The analysis results (detected garments, colors, body attributes) may be sent to our servers to generate recommendations, but the original images remain on your device at all times.
Illinois residents — Biometric Information: If you are a resident of Illinois, photo analysis for body type or facial feature recognition may involve biometric data as defined under the Illinois Biometric Information Privacy Act (BIPA). By uploading photos for analysis, Illinois residents explicitly consent to this collection and processing. You may withdraw this consent at any time by contacting us at [email protected]. Biometric data will be retained only for as long as necessary to provide styling recommendations and will be permanently destroyed within 3 years, or within 1 year of your last interaction, whichever is sooner.
Consultation history
We store the messages exchanged during your styling consultations to provide continuity across sessions and to improve our service. You may request deletion of your consultation history at any time.
Usage data
We automatically collect limited technical data including IP address, browser type, pages visited, and consultation timestamps. This data is used for security monitoring, rate limiting, and service improvement.
How we use your information
- To provide personalized fashion recommendations through our ML-powered styling service
- To manage your account and authenticate you
- To enforce usage limits on our free tier
- To improve the quality of our recommendations over time
- To communicate service updates, security notices, and promotional offers (with your consent)
- To comply with legal obligations
We do not sell your personal information to third parties.
AI and machine learning
NGUYENER uses machine learning to power styling recommendations. No large language models (LLMs) or third-party AI services process your personal data. Here is how our ML pipeline works:
- Client-side clothing analysis: When you upload a photo, it is analyzed entirely in your web browser using open-source ML models (Transformers.js with WebGPU/WebAssembly). Your photos never leave your device — no image data is sent to any server or AI service.
- Product embeddings: We use the HuggingFace Inference API to generate text embeddings from product descriptions (titles, colors, categories). Only product catalog text is sent to HuggingFace — no user data, photos, or personal information.
- Recommendation engine: Personalized recommendations are generated using vector similarity search within our own database (Supabase with pgvector). Your style preferences and swipe history are compared against product embeddings to surface relevant items. This processing happens on our servers — no data is sent to external AI services.
We disclose that our styling recommendations are powered by machine learning; we never claim otherwise.
Automated decision-making (GDPR Article 22)
NGUYENER uses machine learning to generate personalized style recommendations based on your style profile, interaction history, and product catalog data. This constitutes automated profiling as described under GDPR Article 22.
How automated profiling works
When you use NGUYENER, our recommendation engine analyzes your style preferences, swipe history, and profile attributes (such as color season, body type, and budget) to surface products that match your taste. This analysis is performed using vector similarity search and Thompson Sampling — no large language models or external AI services process your personal data for recommendation purposes.
No decisions with legal or significant effects
You are not subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Our automated profiling is used exclusively to suggest fashion products — it does not determine pricing, creditworthiness, employment eligibility, or any other outcome with legal or similarly significant consequences. You are always free to disregard any recommendation.
Your rights regarding automated decisions
You have the right to:
- Request human review of any recommendation or profile assessment
- Express your point of view and contest any automated decision
- Receive a meaningful explanation of the logic involved in the profiling
- Opt out of personalized recommendations and receive non-profiled product listings
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.
Affiliate relationships and product recommendations
Some product links in our styling recommendations may be affiliate links. If you make a purchase through an affiliate link, we may earn a commission at no additional cost to you. Affiliate commissions do not influence the styling advice we provide — recommendations are made based solely on what we believe best serves your style needs.
Affiliate partners may include Amazon Associates, Shopify merchants, and other retail programs. These relationships are disclosed wherever affiliate links appear.
Third-party services
We use the following third-party services, each governed by its own privacy policy:
- Clerk — Authentication, user management, and session handling. Processes: email address, authentication tokens.
- Supabase — Database storage (hosted on AWS US-East-2). Processes: style profile, consultation history, product interactions.
- Vercel — Web hosting and analytics. Processes: IP address, page views, performance metrics.
- Stripe — Payment processing for Pro subscriptions. Processes: payment method, billing address, transaction history. Stripe is PCI-DSS Level 1 certified.
- HuggingFace — ML model hosting and Inference API for product text embeddings. Processes: product descriptions only (no user data, photos, or personal information).
Sub-processors
We engage the following sub-processors to deliver our service. Each sub-processor processes data only as necessary to perform its designated function and is bound by contractual obligations to protect your personal information.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel, Inc. | Web hosting, CDN, edge computing, and analytics | San Francisco, CA |
| Supabase, Inc. | Database hosting, authentication infrastructure, and vector search | San Francisco, CA |
| Clerk, Inc. | User authentication, session management, and identity verification | San Francisco, CA |
| Stripe, Inc. | Payment processing and subscription billing | San Francisco, CA |
| Hugging Face, Inc. | ML inference API for product text embeddings (no user data processed) | New York, NY |
| Cloudflare, Inc. | DNS resolution, DDoS protection, and network security | San Francisco, CA |
We will update this list when we engage new sub-processors or change existing ones. Material changes to our sub-processor list will be communicated in accordance with the “Changes to this policy” section below.
Data processing agreements
We maintain Data Processing Agreements (DPAs) with our sub-processors as required under the General Data Protection Regulation (GDPR) and other applicable data protection laws. These agreements ensure that sub-processors implement appropriate technical and organizational measures to protect your personal data.
If you require a copy of our DPA for your records, or if your organization needs to execute a DPA with NGUYENER, please contact us at [email protected]. We will respond to DPA requests within 10 business days.
International data transfers
NGUYENER is based in the United States, and your personal data is primarily processed and stored in the United States. Our sub-processors — including Vercel, Supabase, Clerk, and Stripe — are headquartered in and operate infrastructure within the United States.
If you access our service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
EU/EEA users
For users in the European Union or European Economic Area, transfers of personal data to the United States rely on Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable. Our sub-processors maintain SCCs as part of their data processing agreements to provide appropriate safeguards for your personal data.
UK users
For users in the United Kingdom, international data transfers are governed by the UK Addendum to the EU Standard Contractual Clauses, as approved by the UK Information Commissioner's Office (ICO), where applicable.
If you would like more information about the safeguards we have in place for international data transfers, or to request copies of the relevant transfer mechanisms, please contact us at [email protected].
Data retention
We retain different categories of personal data for different periods, depending on their purpose and applicable legal requirements. Below is our data retention schedule:
Account data
Your account information (email address, name, authentication records) is retained for as long as your account remains active. Upon account closure, account data is permanently deleted within 30 days, subject to any legal obligations to retain certain records.
Swipe and interaction data
Your swipe history, product interactions, and style preferences are retained to improve recommendation quality. This data is anonymized after 12 months — meaning it is stripped of all personally identifiable information and can no longer be linked back to your account. Anonymized interaction data may be retained indefinitely for aggregate analysis and model improvement.
Analytics data
Usage analytics (page views, feature engagement, performance metrics) are aggregated and anonymized at the point of collection. This aggregated data contains no personally identifiable information and is retained indefinitely for service improvement and business analysis.
Payment data
Payment information (card details, billing address, transaction history) is managed entirely by Stripe and is retained in accordance with Stripe's own data retention policy and PCI-DSS requirements. NGUYENER does not store payment card details on its own servers. We retain subscription status and billing event records for as long as your account is active, plus any period required by tax and accounting regulations.
ML embeddings and style profile
Machine learning embeddings generated from your style profile and interaction history are retained for as long as your account is active. Upon account deletion, all associated embeddings are permanently deleted along with your account data within 30 days.
You may request deletion of your account and all associated data at any time by contacting us at [email protected] or by using the account deletion option on the Profile page.
Your rights
All users
- Access a copy of your personal data
- Correct inaccurate data
- Delete your account and data
- Opt out of marketing communications
European residents (GDPR)
In addition to the above, you have the right to data portability, the right to restrict processing, and the right to lodge a complaint with your supervisory authority. Our legal basis for processing is performance of contract (account services), legitimate interests (security, abuse prevention), and consent (marketing, biometric data where applicable).
California residents (CCPA / CPRA)
California residents have the right to know what personal information we collect and how it is used, to delete personal information, to opt out of the sale or sharing of personal information (we do not sell or share personal information), and to non-discrimination for exercising these rights. To exercise your rights, contact us at [email protected].
Cookies
We use essential cookies required for authentication and session management. We do not use third-party advertising cookies. You may disable cookies in your browser settings, though this may affect functionality.
Security
We use industry-standard security practices including TLS encryption in transit, encrypted storage at rest, and row-level security on our database. No system is 100% secure — if you believe your account has been compromised, contact us immediately.
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we are committed to notifying affected users within 72 hours of becoming aware of the breach, consistent with the requirements of GDPR Article 34 and applicable U.S. state breach notification laws, including the California Consumer Privacy Act (CCPA).
How we will notify you
We will use one or more of the following methods to inform you of a qualifying breach:
- Email: Direct notification to the email address associated with your account
- In-app notice: A prominent banner or alert displayed when you next access the service
- Website notice: A conspicuous posting on our website at nguyener.app if the breach affects a large number of users or if individual contact is not feasible
What we will disclose
Our breach notification will include, at minimum:
- The nature and scope of the breach, including the categories of data affected
- The approximate number of individuals affected, where known
- The likely consequences of the breach
- The remedial measures we have taken or propose to take to address the breach and mitigate its effects
- Contact information for our privacy team where you can obtain further information
Your rights following a breach
If you are affected by a data breach, you retain all rights described in the “Your rights” section of this policy. In addition, European residents have the right to lodge a complaint with their local data protection supervisory authority. California residents may contact the California Attorney General's office. We will cooperate fully with any regulatory investigation arising from a breach.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on our website at least 30 days before taking effect. Continued use of our service after changes take effect constitutes acceptance of the updated policy.
Contact
NGUYENER LLC
1021 5th Street, Suite 100, Sacramento, CA 95814, United States
General inquiries: [email protected]
Privacy inquiries: [email protected]
nguyener.app