1. Who We Are
Koutura (“we”, “us”, “our”) is the data controller for personal data processed through www.koutura.app. We are based in the Netherlands and subject to the General Data Protection Regulation (GDPR).
Contact: privacy@koutura.app
2. What Data We Collect
Account data
Email address and hashed password, created at registration.
Child profile data
Display name (which can be a nickname) and optional age range. This is provided by you (the parent or legal guardian) and is used solely to personalise the experience.
Images
- Reference photos — a photo of your child used as the basis for try-on previews. Stored in encrypted cloud storage for as long as you keep the child profile.
- Clothing images — photos of outfits you want to try on. These are temporary: automatically deleted within minutes after the AI preview is generated.
- Generated previews — AI-generated results. Only stored if you explicitly choose to save them to your gallery.
Payment data
Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank details, or other payment credentials. We receive only a Stripe customer ID and subscription/payment status.
Technical data
Standard server logs (IP address, browser type, timestamps) retained for up to 30 days for security and debugging purposes.
3. Why We Process Your Data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the virtual try-on service | Performance of contract (Art. 6(1)(b)) |
| Process your child’s image for AI previews | Explicit parental consent (Art. 6(1)(a), Art. 8) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (verification, receipts) | Performance of contract (Art. 6(1)(b)) |
| Maintain security and prevent abuse | Legitimate interest (Art. 6(1)(f)) |
4. Children’s Data — Special Protections
We take extra care with children’s data:
- Only a parent or legal guardian may upload a child’s image. You confirm this during account creation.
- Child images are never used to train AI models. They are processed in real-time and only stored as described above.
- Child profiles are completely private — they are never shared with other users, shown publicly, or used for advertising.
- We do not collect data directly from children. The service is designed to be operated by parents.
- You can delete any individual photo, an entire child profile, or your whole account at any time — deletion is immediate and permanent.
5. How We Store & Protect Data
- All data in transit is encrypted using HTTPS/TLS.
- Images are stored in S3-compatible encrypted cloud storage (Cloudflare R2).
- The database is hosted on Railway with encrypted connections and automated backups.
- Passwords are hashed with bcrypt — we never store or see your plaintext password.
- Access to production systems is restricted to the founding team.
- Images are served via signed URLs that expire after 1 hour — they cannot be shared or accessed without a valid, time-limited token.
6. Third-Party Processors
We use a limited number of trusted processors:
| Provider | Purpose | Data |
|---|---|---|
| Google (Gemini API) | AI image generation | Images sent for processing only, not retained by Google |
| Cloudflare (R2) | Image storage | Encrypted image files |
| Stripe | Payment processing | Payment credentials (not shared with us) |
| Railway | Database & API hosting | All application data |
| Vercel | Frontend hosting | No personal data stored |
All processors are GDPR-compliant and process data within the EU/EEA or under adequate safeguards (Standard Contractual Clauses).
7. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of all data we hold about you.
- Rectification — correct any inaccurate personal data.
- Erasure — delete your data at any time. You can do this directly in the app (delete individual photos, child profiles, or your entire account) or by emailing us.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent — you can withdraw consent for processing your child’s images at any time by deleting the child profile or your account.
- Restriction — request we limit processing of your data.
- Object — object to processing based on legitimate interest.
- Complaint — lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
To exercise any of these rights, email privacy@koutura.app. We will respond within 30 days.
8. Data Retention
- Account data — retained until you delete your account.
- Child profiles & reference photos — retained until you delete the profile or account. Deletion is immediate and permanent.
- Clothing images — automatically deleted within minutes after AI preview generation.
- Saved previews — retained until you delete them or your account.
- Server logs — automatically deleted after 30 days.
- Payment records — retained for 7 years as required by Dutch tax law.
9. Cookies & Tracking
We use only essential cookies required for authentication (HttpOnly session cookies). We do not use analytics trackers, advertising cookies, or third-party tracking scripts. We do not share data with advertisers.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before they take effect. The “last updated” date at the top will always reflect the most recent version.