Short version: we keep your data only as long as we need it. Source photos auto-delete after 30 days; you can delete anything sooner; and we permanently destroy biometric data on a fixed schedule.

Retention schedule

Uploaded source photos — automatically deleted 30 days after the design is generated, or sooner if you delete them. Enforced nightly by an automated job, not by hand.
Generated designs — kept in your gallery until you delete them or close your account.
Biometric / face data — destroyed when the purpose it was collected for is satisfied, or within three years of your last interaction with us, whichever comes first.
Account + profile data — kept while your account is active; deleted when you close it.
Billing records — retained as long as required by tax/accounting law (handled by Stripe).
Consent records — the log of your upload-consent acceptances is kept as an audit trail for as long as legally useful, then deleted with your account.

How we destroy data

When data is deleted it is permanently erased from our database (D1) and object storage (R2) so it cannot be recovered or reconstructed. A nightly automated sweep also removes any orphaned files whose records no longer exist. We do not sell, rent, or trade your data, and our AI provider is contractually barred from retaining or training on the images we send it.

Delete it yourself, anytime

Delete individual photos/designs in /app/media-library and /app/designs.
Delete your whole account in Settings → Danger zone — instant, irreversible.
Export a full copy first via Settings → Privacy & data → Export my data.

Contact

Questions about retention or a data request: privacy@changeoutfit.app.