Legal
Privacy Policy
Effective April 17, 2026
1. Overview
Drape (“we”, “us”, or “our”) is committed to protecting your personal information. This Privacy Policy describes what data we collect, how we use it, and your rights with respect to that data.
This policy applies to the Drape mobile application, our waitlist, and our website. By using any of these services, you agree to the collection and use of data as described here.
2. Data We Collect
We collect the following categories of personal data:
- Email address — collected when you join the waitlist or create an account
- Wardrobe photos and descriptions — images and metadata you upload to catalog your clothing
- Email order data — parsed purchase history (retailer, item name, approximate date) from order confirmation emails, collected only with your explicit consent when you connect your email account
- Location data — your city-level location (latitude and longitude), used to provide weather-appropriate outfit suggestions. You may deny location access at any time; the app will fall back to a default location
- Calendar context — we read your on-device calendar events to classify the type of day you have (e.g. formal, casual, athletic). Only the classified category, event count, and timing flags are sent to our servers — raw event titles are never transmitted, stored, or logged
- Push notification token — a device token issued by Firebase Cloud Messaging, along with your timezone, used solely to deliver outfit notifications you have opted into
- Usage data — anonymized analytics about feature usage, session duration, and app interactions
- Device information — operating system version, device type, and app version for debugging and compatibility
3. How We Use Your Data
We use the data we collect for the following purposes:
- Providing and personalizing the App, including AI-powered outfit suggestions that use your location, calendar context, and wardrobe data to recommend what to wear
- Sending waitlist communications and product updates (email only, with opt-out)
- Parsing your email order history to pre-populate your wardrobe catalog
- Improving the accuracy and relevance of AI recommendations using anonymized, aggregated data
- Suggesting relevant clothing items via affiliate links to help you fill gaps in your wardrobe — these recommendations are based on your wardrobe data and style preferences
- Debugging issues, preventing fraud, and maintaining the security of the App
- Complying with applicable legal obligations
We do not sell your personal data. We do not serve third-party display ads. We may earn a commission when you purchase items through affiliate links shown in the App — these links are based on your wardrobe data to suggest relevant items, not on tracking your activity across other apps or websites.
4. Gmail Integration
Drape offers an optional feature to connect your Gmail account so the app can parse order confirmation emails from clothing retailers and pre-populate your wardrobe. This section describes exactly what Gmail data we access, why, what happens to it, and your rights.
4.1 Scope requested and why
When you choose to connect Gmail, Drape requests a single Google OAuth scope: https://www.googleapis.com/auth/gmail.readonly.
This scope grants read-only access to your Gmail messages and metadata. We request it because Drape must read the HTML body of specific order confirmation emails to extract purchase details (item name, retailer, order date, product image URL). Google does not offer a narrower scope that permits reading message bodies.
We do not request: gmail.modify, gmail.send, gmail.compose, gmail.labels, or any Google Drive, Calendar, Contacts, or Photos scope in connection with this feature.
4.2 What we read and what we ignore
When Gmail is connected, Drape's backend queries your inbox using the Gmail API with a narrow server-side filter that restricts results to messages whose From: address belongs to one of the following retailers:
- order-update@myntra.com and related Myntra order domains
- auto-confirm@amazon.in and related Amazon India order domains
- ordersupport@ajio.com and related Ajio order domains
- noreply@tatacliq.com and related Tata CLiQ order domains
Drape does not read, scan, index, or transmit any email that falls outside this allowlist. We do not read drafts, sent mail, trashed mail, labels, attachments, or any other Gmail feature.
4.3 How we use the data
For each matching order confirmation email, Drape's backend extracts:
- Retailer name
- Order ID (hashed)
- Order date
- Item name(s) and category
- Item image URL (hotlinked from the retailer's CDN)
- Item price
These extracted fields are stored in your Drape wardrobe catalog and linked to your account. The raw email body is processed in-memory on our backend and is never written to disk, logged, cached, or stored. Only the extracted structured fields above are retained.
4.4 Limited Use — explicit commitments
Drape's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, Drape will never:
- Use Gmail data to serve advertising of any kind, first-party or third-party
- Sell, rent, or license Gmail data to any party
- Transfer Gmail data to any third party except as strictly necessary to provide and improve user-facing features of the Drape app (see Section 4.5), in compliance with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you
- Use Gmail data to train generalized or third-party AI/ML models
- Allow humans to read Gmail data, except (a) with your affirmative agreement for specific messages, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized
4.5 Third-party processing of Gmail-derived data
To classify imported item images into wardrobe categories (e.g. “shirt”, “jeans”, “footwear”), Drape sends the extracted image URL (not the email body, not Gmail metadata) to Azure OpenAI (GPT-4o Vision) under Microsoft's standard commercial data processing agreement. Azure OpenAI does not use Drape customer data to train Microsoft or OpenAI models, and data is processed within Microsoft's Azure cloud in the United States region.
No other third party receives Gmail-derived data.
4.6 Storage, encryption, and residency
- Your Gmail OAuth refresh token is encrypted at rest in our primary database (Supabase PostgreSQL, region aws-1-ap-northeast-1, Japan) using envelope encryption; the envelope key is held in Azure Key Vault and is never logged or transmitted
- Extracted order metadata is stored in the same primary database alongside your wardrobe items
- Order confirmation image files, when cached for display, are stored in Azure Blob Storage in the southeastasia region
- Backups are encrypted at rest and retained for 30 days
- All transport uses TLS 1.2 or higher
4.7 Retention and deletion
- You may revoke Drape's Gmail access at any time by visiting your Google Account security page → Third-party apps with account access → Drape → Remove access. Revocation takes effect immediately on Google's side; Drape's stored refresh token becomes unusable
- You may also delete your Drape account from within the app (Settings → Account → Delete Account) or at drape.co.in/delete-account. Account deletion removes the Gmail refresh token and all Gmail-derived data within 30 days
- Revoking Gmail access alone does not automatically delete order data already imported. To remove imported order data, use the in-app deletion tool or email mail@drape.co.in; we will complete the deletion within 30 days
4.8 When Drape reads Gmail
Drape reads your Gmail only when:
- You initially connect your account — a one-time historical backfill of up to 18 months of order confirmation emails
- Once per 24 hours thereafter, in an automated background job, to import any new order confirmations
- If you tap “Refresh now” inside the app
Drape does not read Gmail in response to third-party requests and does not expose any webhook or automation endpoint that could be triggered by another party to read your Gmail.
5. AI-Powered Features
Drape uses artificial intelligence to generate personalized outfit suggestions. When you request an outfit recommendation, the following data may be sent to our servers:
- Your current location (for local weather conditions)
- Classified calendar context (event type, count, and timing — not raw event titles)
- Your wardrobe catalog (items you have previously uploaded)
AI suggestions are provided for informational and personal use only. They do not constitute professional fashion or styling advice. You may disable AI-powered suggestions at any time from within the App; outfit suggestions will then be generated locally on your device.
We do not use your individual wardrobe data to train third-party AI models. Aggregated, anonymized data may be used to improve the overall quality of recommendations.
6. Third-Party Services
We rely on the following third-party services to operate the App:
- Google OAuth — for email integration and optional sign-in. Governed by Google's Privacy Policy
- Firebase — for authentication, cloud storage, and database. Governed by Firebase's Privacy and Security documentation
- Supabase (PostgreSQL) — for primary application data storage. Operates under Supabase's SOC 2 Type II certified infrastructure. See Supabase's Privacy Policy
- Azure OpenAI (GPT-4o, GPT-4o Vision) — for outfit recommendations and classifying imported item images into wardrobe categories. Drape sends only (a) your wardrobe catalog metadata, (b) current weather conditions, (c) classified calendar context, and (d) imported item image URLs. Azure OpenAI operates under Microsoft's commercial data processing agreement and does not use Drape customer data to train Microsoft or OpenAI models. See Microsoft's Azure OpenAI data, privacy, and security documentation
We select service providers that maintain appropriate security standards and data processing agreements. We do not allow our service providers to use your data for their own purposes.
7. Data Retention and Deletion
We retain your data as long as your account is active or as necessary to provide the service:
- Waitlist email addresses are retained until you unsubscribe or the waitlist closes
- Wardrobe photos and descriptions are retained until you delete them or your account
- Imported order data is retained until you delete it or your account
- Usage analytics are retained in aggregated, anonymized form for up to 24 months
- Gmail OAuth refresh tokens are retained until you revoke Drape's access (from within the app, from your Google Account security page, or by deleting your Drape account); upon revocation the token is deleted within 24 hours
- Gmail-derived order metadata is retained for as long as the corresponding wardrobe item exists in your catalog; deleting the wardrobe item deletes the associated order record within 30 days
When you request account deletion, we will delete your personal data within 30 days, except where retention is required by applicable law or legitimate business necessity (such as fraud prevention records).
8. Your Rights
You have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data (subject to legal retention requirements)
- Portability — request an export of your wardrobe data in a machine-readable format
- Opt-out — unsubscribe from marketing emails at any time
To exercise any of these rights, contact us at mail@drape.co.in. We will respond within 30 days.
9. Data Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords.
In the event of a data breach that affects your personal data, we will notify you in accordance with applicable law, including the Information Technology Act, 2000 and its rules.
10. Children's Privacy
The App is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at mail@drape.co.in and we will delete it promptly.
11. Governing Law
This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) or by posting a notice in the App. Continued use of the App after changes are posted constitutes your acceptance of the updated policy.
13. Google Limited Use Disclosure
Drape's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Drape uses the gmail.readonly scope strictly to provide the Gmail order import feature described in Section 4 and for no other purpose.
Grievance Officer
In accordance with the Information Technology Act, 2000 and the SPDI Rules, the name and contact details of the Grievance Officer are:
Name: Drape Privacy Team
Email: mail@drape.co.in
Grievances will be addressed within one month of receipt. See our Terms of Service for additional legal information.