Privacy Policy

Effective date: April 21, 2026 · Last updated: April 21, 2026

Clever Closet ("Clever Closet," "we," "us," or "our") operates the Clever Closet website and mobile application (collectively, the "Service"), a consumer style-archetype platform. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights you have over that information.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.

1. Information we collect

1.1 Information you provide directly

• Google account information. If you sign in with Google, we receive your verified email address, display name, and a stable Google account identifier (the sub claim). We do not receive your Google password.
• Microsoft Entra External ID account identifier. When we provision your account in our identity system, we store the unique account identifier assigned by Microsoft Entra External ID (our identity provider).
• Archetype quiz answers. The choices you make on the style-archetype quiz.
• Archetype profile. The results computed from your quiz answers, including your primary archetype, secondary archetype, and theme selection.
• Avatar image. An optional profile image you upload. Stored as a binary blob in our hosted storage.
• Locale and timezone. Your preferred language and timezone, used to localize dates, times, and messaging.

1.2 Information collected automatically

• Security and diagnostic logs. Limited request metadata (IP address, user-agent, timestamps, request paths, error codes) used to detect abuse, debug issues, and keep the Service available.
• Session cookies. Required to keep you signed in (see §7).
• Local storage. Your theme preference and, for anonymous quiz takers, an in-progress quiz draft (see §7).

1.3 Automated processing and archetype profiling

Your archetype profile is generated by an automated scoring algorithm that maps your quiz answers onto a predefined framework of style archetypes. This is a form of automated profiling. The result is presented for entertainment and self-reflection; it does not affect your access to the Service, your legal rights, or any decision of legal or similarly significant effect. You may request human review of, or request that we delete, your archetype profile at any time (see §6).

2. How we use your information

• To provide, operate, and maintain the Service.
• To authenticate you and protect your account.
• To compute and present your archetype profile.
• To send you transactional email (account confirmations, password resets, security notifications, deletion confirmations) via Azure Communication Services.
• To respond to your questions and support requests.
• To detect, investigate, and prevent fraud and abuse.
• To produce aggregated, anonymized analytics that help us improve the Service.
• To comply with legal obligations.

3. Legal bases for processing (EEA / UK users)

If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and UK GDPR:

• Performance of a contract — to create and maintain your account and to deliver the core features of the Service (sign-in, archetype profile, avatar storage).
• Consent — for optional information (such as avatar uploads and locale preferences) and for any communications beyond transactional messages. You may withdraw consent at any time.
• Legitimate interests — to operate the Service securely, prevent fraud, and maintain diagnostic logs. We weigh these interests against your privacy rights and expectations.
• Legal obligation — where processing is required to comply with applicable law.

4. How we share information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only with the service providers below, each of whom processes data on our behalf under a data-processing agreement:

• Google LLC — provides OAuth 2.0 sign-in. When you choose "Continue with Google," Google authenticates you and returns the minimum profile data listed in §1.1.
• Microsoft Corporation — provides the Entra External ID identity tenant, Azure hosting for the Service, and Azure Communication Services for transactional email. Data may be processed in United States Azure regions.

We may also disclose information when required by law, valid legal process, or to protect the rights, property, or safety of Clever Closet, our users, or the public; and in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Policy.

5. Data retention and deletion

We retain your personal information only for as long as needed to provide the Service or meet legal obligations.

• When you request account deletion, your account enters a 30-day grace period during which deletion can be cancelled.
• After the 30-day grace period, we hard-delete your account, archetype profile, quiz answers, avatar image, and linked identity records.
• Aggregated or anonymized analytics that can no longer be linked back to you may be retained beyond this period for service-improvement and reporting purposes.
• Security and audit logs are retained for a limited period (typically 90 days) as required to investigate abuse and comply with law.

6. Your rights

Depending on where you live, you may have the following rights. We will respond to verified requests within the timeframes required by applicable law (generally within 30 days under GDPR and 45 days under CCPA, with extensions where permitted).

6.1 All users

• Access — request a copy of the personal information we hold about you.
• Rectification — ask us to correct inaccurate or incomplete information.
• Erasure — request deletion of your account and associated personal information.
• Portability — receive a machine-readable copy of the information you provided to us.
• Objection and restriction — object to certain processing or ask us to restrict it.
• Human review of automated processing — request human review of your archetype profile (see §1.3).

6.2 EEA / UK / Swiss users

You have the right to lodge a complaint with your local data-protection supervisory authority if you believe our processing of your personal information violates applicable law.

6.3 California residents (CCPA / CPRA)

• Right to know the categories and specific pieces of personal information we collect about you, the purposes for which it is used, and the categories of third parties with whom it is shared.
• Right to delete the personal information we collect from you, subject to legal exceptions.
• Right to correct inaccurate personal information.
• Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes other than those permitted without an opt-out under California law.
• Right to opt out of "sale" or "sharing" of personal information. Clever Closet does not sell or share personal information as those terms are defined under California law, so there is nothing to opt out of; our practices already reflect the most protective setting.
• Right to non-discrimination for exercising these rights.

To exercise any of these rights, contact us at the address in §11. You may designate an authorized agent to make a request on your behalf, in which case we may require verification of the agent's authority and proof of your identity.

7. Cookies, local storage, and opt-out signals

• Session cookies — set by our identity provider to keep you signed in and to protect against cross-site request forgery. These cookies are strictly necessary for the Service to function.
• Local storage — theme preference — your selected theme (e.g., neutral-light, neutral-dark) is stored on your device so your choice persists between sessions.
• Local storage — anonymous quiz draft — if you take the quiz without an account, your in-progress answers are stored on your device so you can refresh the page without losing progress. This data never leaves your device unless you submit the quiz and create an account.

You can clear cookies and local storage at any time using your browser's privacy settings. Doing so will sign you out and clear your saved theme and quiz draft.

Global Privacy Control and Do Not Track. We honor recognized browser-level opt-out signals, including the Global Privacy Control (GPC). If your browser transmits a GPC signal, we will treat it as a valid opt-out of sale or sharing of personal information under applicable state law, consistent with §4 and §6.3 above.

8. Age limits

The Service is not directed to, and we do not knowingly collect personal information from, anyone under the age of 13 (or under 16 for users in the European Economic Area and United Kingdom). If you are a parent or guardian and believe we have collected information from a child, please contact us at the address in §11 and we will delete it. Consistent with the Children's Online Privacy Protection Act, we do not knowingly permit users under 13 to create an account, and we do not condition a child's participation in any activity on the disclosure of more information than is reasonably necessary.

9. International data transfers

Clever Closet is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where required by law, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum) for cross-border transfers of personal information from the EEA, UK, or Switzerland, and we ensure our service providers contractually commit to equivalent protections.

10. Security and breach notification

We use reasonable administrative, technical, and physical safeguards designed to protect personal information, including TLS encryption in transit, encryption at rest for data stored by our cloud provider, role-based access controls, secret management via Azure Key Vault, and routine security review. No online service is perfectly secure; we cannot guarantee absolute security.

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay — within 72 hours where feasible under GDPR Article 33 — and we will notify affected users without undue delay when the breach is likely to result in a high risk to their rights, in plain language and through the email address on file.

11. Contact

For privacy questions, access requests, or complaints, contact us at:

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email (for account holders) and by updating the "Last updated" date above before the changes take effect. Continued use of the Service after a change becomes effective constitutes acceptance of the revised Policy. Prior versions are available on request.