Privacy Policy
Last updated: March 4, 2026
1. Data Controller
The Lookout ("we", "us") is the data controller for your personal data. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law on Data Protection (LOPDGDD).
2. Data We Collect
We collect the following categories of personal data:
- Account data: email address and hashed password (via Supabase Auth)
- Subscription data: Stripe customer ID and subscription status (we do not store payment card details)
- Usage data: product URLs you track, purchase history you log, closet items, outfit configurations, and budget settings
- Technical data: IP address, browser type, and device information (collected automatically via server logs)
3. How We Use Your Data
- To provide and maintain the Service (price tracking, notifications, budget management)
- To process your subscription payments via Stripe
- To send price drop alerts via in-app notifications and push notifications (ntfy.sh)
- To improve the Service through aggregated, anonymised analytics
4. Legal Basis for Processing
- Contract: processing your data is necessary to provide the Service you signed up for
- Consent: for optional analytics cookies (you can accept or decline via our cookie banner)
- Legitimate interest: to improve the Service and prevent abuse
5. Data Sharing
We share data with the following third-party processors:
- Supabase (EU region) — authentication and database hosting
- Stripe — payment processing (PCI-DSS compliant)
- Vercel — web application hosting
- Railway — backend scraper service hosting
- ntfy.sh — push notification delivery (Pro users only, via unique topic ID)
We do not sell your personal data. We do not share your data with advertisers or data brokers.
6. Cookies
We use the following types of cookies:
- Essential cookies: required for authentication and session management. These cannot be disabled.
- Analytics cookies: help us understand how you use the Service. These are only set with your explicit consent via the cookie banner.
You can change your cookie preferences at any time by clearing your browser's local storage.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, all personal data will be permanently removed within 30 days. Price history data may be retained in anonymised, aggregated form for analytical purposes.
8. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access: request a copy of the data we hold about you
- Rectification: correct inaccurate personal data
- Erasure: request deletion of your personal data ("right to be forgotten")
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Withdraw consent: for analytics cookies at any time
To exercise any of these rights, contact us at privacy@thelookout.app. We will respond within 30 days.
9. Data Security
We implement industry-standard security measures including AES-256 encryption for sensitive data, Row Level Security (RLS) at the database level, HTTPS for all communications, and secure authentication via Supabase Auth with hashed passwords.
10. International Transfers
Your data is primarily stored in the EU (Supabase EU region). Where data is transferred outside the EU (e.g., Stripe, Vercel), these providers operate under Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the European Commission.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es or with your local supervisory authority.
12. Contact
For privacy-related inquiries, contact us at privacy@thelookout.app.