Personal Data Processing
Personal Data Processing Agreement (GDPR Compliance)
Last updated: October 14, 2025
1. Data Controller Information
Data Controller: Piazzai Studio
Service: OWN - AI-Powered Virtual Try-On Platform
Contact: info@own-app.com
Data Protection Officer: Riccardo Piazzai
2. Legal Basis for Processing
We process your personal data under the following legal bases as defined by GDPR (Regulation EU 2016/679):
- Consent (Art. 6(1)(a)): For processing photos and generating AI images
- Contract Performance (Art. 6(1)(b)): To provide the virtual try-on service
- Legal Obligation (Art. 6(1)(c)): For tax and accounting purposes
- Legitimate Interest (Art. 6(1)(f)): For service improvement and fraud prevention
3. Categories of Personal Data
Identification Data
- Name, surname
- Email address
- Account credentials (encrypted)
Biometric Data (Special Category - Art. 9 GDPR)
- Facial images uploaded for virtual try-on
- Body measurements derived from photos
- Legal basis: Explicit consent (Art. 9(2)(a))
Technical Data
- IP address
- Browser type and version
- Device information
- Usage statistics
Payment Data
- Payment method information (processed by Stripe)
- Transaction history
- Billing address
4. Purpose of Processing
- Providing AI-powered virtual try-on services
- Account management and authentication
- Payment processing and subscription management
- Customer support and communication
- Service improvement and analytics
- Legal compliance and fraud prevention
- Marketing communications (with consent)
5. Data Recipients and Processors
Your data may be shared with the following categories of recipients:
Cloud Service Providers
- Vercel (USA): Hosting and infrastructure - Standard Contractual Clauses
- Supabase (USA): Database services - Standard Contractual Clauses
- Vercel Blob (USA): Image storage - Standard Contractual Clauses
AI Processing
- Google AI (USA): Image processing via Gemini API - Standard Contractual Clauses
Payment Processing
- Stripe (USA/EU): Payment processing - PCI DSS compliant, Standard Contractual Clauses
6. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). We ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for certain countries
- Additional security measures and encryption
- Regular compliance audits
7. Data Retention Periods
- Account data: Duration of account + 1 year after closure
- Uploaded photos: 30 days from upload (or immediate deletion upon request)
- Generated AI images: 90 days (or immediate deletion upon request)
- Transaction records: 7 years (legal obligation for accounting)
- Marketing consent: Until consent is withdrawn
- Technical logs: 12 months
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Art. 15): Obtain confirmation and a copy of your data
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to Restriction (Art. 18): Limit processing of your data
- Right to Data Portability (Art. 20): Receive your data in a structured format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time
- Right to Lodge a Complaint: File a complaint with your national data protection authority
To exercise any of these rights, contact us at info@own-app.com. We will respond within 30 days.
9. Security Measures
We implement appropriate technical and organizational measures to ensure data security:
- End-to-end encryption for data transmission (TLS/SSL)
- Encryption at rest for stored data
- Access controls and authentication
- Regular security audits and penetration testing
- Employee training on data protection
- Incident response procedures
- Regular backups and disaster recovery plans
10. Automated Decision-Making
Our AI technology processes your photos to generate virtual try-on images. This is not automated decision-making that produces legal effects or similarly significantly affects you (Art. 22 GDPR). The AI processing is solely for visualization purposes and does not make decisions about you.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Art. 33 and 34 GDPR.
12. Children's Data
Our service is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete such information immediately.
13. Updates to This Agreement
We may update this data processing agreement to reflect changes in our practices or legal requirements. Material changes will be communicated via email at least 30 days before they take effect.
14. Contact and Complaints
Data Controller Contact:
Email: info@own-app.com
Data Protection Officer: Riccardo Piazzai
Supervisory Authority (Italy):
Garante per la protezione dei dati personali
Website: www.garanteprivacy.it