Privacy Policy

Last updated: 9 May 2026

1. Introduction

Clothink Ltd (“we”, “us”, “our”, or “Company”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use clothink, our AI product development workspace for apparel (the “Service”).

This Privacy Policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where you are based in the European Union or European Economic Area, it also reflects our obligations under the EU General Data Protection Regulation (EU GDPR). By using our Service, you acknowledge the data practices described in this policy.

2. Company Information

Clothink Ltd is a company registered in England and Wales. We are the data controller responsible for your personal data.

Data Controller: Clothink Ltd
Registered Office: 128 City Road, London, United Kingdom, EC1V 2NX
Contact: Through our contact page, via the Contact link in the site footer, or through our support channels.

3. Information We Collect

3.1 Information You Provide

We collect information that you provide directly to us, including:

  • Account Information: Name, email address, profile picture (if provided via OAuth)
  • User Content: CAD designs, images, logos, fabric swatches, and other content you upload
  • Generated Content: Mockups, design concepts, tech packs, and other content generated through the Service
  • Payment Information: Billing address, payment method details (processed securely through our payment processor)
  • Communication: Messages, feedback, and support requests you send to us
  • Preferences: Settings, tags, collections, and other preferences you configure
  • Workspace information: Workspace membership, role (e.g. owner, member), and workspace name where you use team features.

3.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Usage Data: How you interact with the Service, features used, generation history, and usage patterns
  • Device Information: Browser type, operating system, device type, IP address
  • Log Data: Access times, pages viewed, referring URLs, and error logs
  • Cookies and Tracking: See our Cookie Policy section below

3.3 Information from Third Parties

We may receive information from:

  • Authentication Providers: When you sign in using a third-party OAuth provider (such as Google), we receive your email, name, and profile picture
  • Payment Processors: Our payment processor provides us with payment status and subscription information
  • AI Service Providers: Third-party AI services process your content to generate results

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Service Provision

  • To provide, maintain, and improve the Service
  • To process your requests and generate content
  • To manage your account and subscriptions
  • To store and organise your content and preferences
  • To manage your workspaces and team access (where applicable)

4.2 Communication

  • To respond to your enquiries and provide customer support
  • To send service-related notifications (e.g., account updates, subscription changes)
  • If we offer promotional or marketing emails separate from service notices, we will only send them where we have your consent (which you can withdraw at any time). The Service does not rely on marketing emails for core functionality.

4.3 Legal and Security

  • To comply with legal obligations
  • To protect our rights and prevent fraud
  • To enforce our Terms of Service
  • To ensure the security and integrity of the Service

4.4 Analytics and Improvement

  • To analyse usage patterns and improve the Service
  • To develop new features and functionality
  • To conduct research and analytics (using anonymised data where possible)

5. Legal Basis for Processing

Under UK GDPR and, where applicable, EU GDPR, we process your personal data based on the following legal bases:

  • Contract: To perform our contract with you (providing the Service)
  • Consent: Where you have given clear consent (e.g., marketing communications)
  • Legal Obligation: To comply with legal requirements
  • Legitimate Interests: To improve the Service, prevent fraud, and ensure security (where your interests do not override ours)

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service. These providers fall into the following categories:

  • Cloud Infrastructure & Hosting: Providers that host our application, databases, and user content
  • Authentication Services: Providers that manage user sign-in, including OAuth (e.g. sign in with Google)
  • Payment Processing: Providers that handle billing, subscriptions, and payment method details on our behalf
  • AI & Content Generation: Providers that process your prompts and images to generate designs, mockups, and tech packs
  • Email Delivery: Providers that send transactional emails such as workspace invitations and support notifications
  • Error & Performance Monitoring: Providers that log application errors and performance metrics. We do not intentionally send personally identifiable information to these providers.
  • Security & Rate Limiting: Providers that help prevent abuse by processing hashed request identifiers; no personally identifiable information is stored by these providers.

These providers are contractually obligated to protect your data and use it only for specified purposes. For a complete list of current subprocessors, including their names, locations, and data processing purposes, please see our Subprocessor List.

6.2 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests, such as:

  • Court orders or subpoenas
  • Government investigations
  • To protect our rights, property, or safety
  • To prevent fraud or security threats

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

7. International Data Transfers

Some of our service providers are located outside the UK and European Economic Area (EEA). When we transfer your personal data internationally, we ensure appropriate safeguards are in place. The safeguards we rely on include:

  • UK-approved Standard Contractual Clauses (UK SCCs / International Data Transfer Agreements) approved by the Information Commissioner's Office (ICO)
  • EU Standard Contractual Clauses (EU SCCs) adopted by the European Commission, where applicable for transfers affecting EU/EEA residents
  • Adequacy decisions by the UK government or European Commission
  • Other appropriate safeguards as required by UK GDPR or EU GDPR

AI and other services: Our AI content generation and other service providers may process your content or data in the United States. We rely on the safeguards above for these transfers. See our Subprocessor List for details of which providers are involved, together with links to their own data protection documentation.

8. Data Retention

We retain your personal information for as long as necessary to:

  • Provide the Service to you
  • Comply with legal obligations
  • Resolve disputes and enforce agreements
  • Maintain security and prevent fraud

Account Data: Retained while your account is active. After you request account deletion, we process erasure in line with our internal procedures and subprocessors (which may include a short winding-down period and residual backups). Some records may be retained longer where we have a legal obligation (for example tax or fraud-prevention requirements).

User Content: Retained until you delete it or your account is deleted. We may retain backups for a limited period for disaster recovery purposes.

Payment Records: Retained for 7 years as required by UK tax and accounting laws.

Support and correspondence: Information you provide through our contact form or support channels may be stored in our systems (for example a support database) and in our email or ticketing tools for as long as needed to resolve your request and for a reasonable period afterwards for quality, training, and dispute resolution, unless a longer period is required by law.

Error and analytics data: Data processed by our error monitoring and analytics providers is retained according to their respective retention policies and our project settings. Summary retention periods and vendor references are listed on our Subprocessor List.

9. Your Rights Under UK GDPR and EU GDPR

As a data subject, you have the following rights. UK residents can exercise these under UK GDPR; EU/EEA residents can exercise equivalent rights under EU GDPR. Residents of other countries may have similar rights under their applicable local law.

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

9.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (“Right to be Forgotten”)

You can request deletion of your personal data in certain circumstances (e.g., when it's no longer necessary or you withdraw consent). To request closure of your account and deletion of associated personal data, contact us through our contact page or support channels so we can verify your identity and process your request.

9.4 Right to Restrict Processing

You can request that we limit how we use your personal data in certain situations.

9.5 Right to Data Portability

You can request a copy of your data in a structured, machine-readable format (including, where applicable, your profile, preferences, generations, collections, and tech packs) by contacting us through our contact page or support channels. We fulfil portability requests manually after verifying your identity; the Service does not currently provide a one-click self-serve download for all categories of data. Some derived or third-party-held records (for example certain billing history held by our payment processor) may need to be obtained through that provider's own tools or a separate request.

9.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Rights Related to Automated Decision-Making

You have rights regarding automated processing that significantly affects you.

9.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time.

To exercise these rights: Contact us through our contact page or support channels. We will respond within one calendar month of verifying your identity (UK GDPR allows up to two further months for complex requests, in which case we will explain the delay). We may require proof of identity before processing your request.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your session and authentication state
  • Remember your preferences and settings
  • Analyse usage patterns and improve the Service
  • Capture errors so we can diagnose and fix problems

Types of Cookies:

  • Essential: Required for the Service to function (cannot be disabled)
  • Functional: Enhance functionality and personalisation
  • Analytics: Help us understand how the Service is used (only with your consent — see below)

10.1 Product analytics (consent-based)

We use Vercel Web Analytics and PostHog for aggregated, privacy-conscious usage insights (see Vercel's Web Analytics privacy documentation). They are loaded only after you accept them via our cookie banner. PostHog session recording is disabled in our default analytics setup.

You can change your decision at any time using the Cookies link in the site footer. This re-opens the consent banner so you can accept or reject analytics afresh. Browser settings (e.g. clearing site data) remain a supplementary control, but the cookie banner and footer link are the primary way to manage your preference.

10.2 Error and performance monitoring

We use Sentry to capture application errors so we can debug and secure the Service. Raw error capture runs across the Service on the basis of legitimate interests (debugging and security).

On the signed-in app workspace (e.g. app.clothink.ai), Sentry additionally collects browser performance traces and, on errors, a short session replay of your interaction with the affected page. These richer signals are not collected on the public marketing site.

10.3 Per-site preferences

Cookie preferences are stored in your browser per site. The marketing site (clothink.ai) and the app workspace (app.clothink.ai) keep separate preferences, so you may be asked to choose on each. Essential cookies and storage used for authentication and sessions may still be set by our hosting and authentication providers regardless of your analytics choice.

11. Security

We implement appropriate technical and organisational measures to protect your personal data:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of sensitive data at rest
  • Access controls and authentication
  • Regular security assessments and updates
  • Secure payment processing through our PCI-compliant payment processor
  • Employee training on data protection

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Children's Privacy

You must be at least 18 years old to use the Service, or have the involvement and consent of a parent or guardian. We do not knowingly collect personal data from children (under 13 in the UK, or under 16 in the EEA where applicable). If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us and we will take steps to delete such information.

13. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the “Last updated” date
  • Sending an email notification to registered users (for material changes)

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

15. Complaints

If you have concerns about how we handle your personal data, please contact us first. You also have the right to lodge a complaint with a supervisory authority.

UK residents may complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

EU/EEA residents have the right to complain to the supervisory authority in their EU member state. A directory of EU data protection authorities is available at edpb.europa.eu.

Other jurisdictions: Where applicable local law gives you the right to complain to a local authority or regulator, you may exercise that right in addition to contacting us directly.

16. Contact Us

If you have questions, concerns, or wish to exercise your rights regarding this Privacy Policy or your personal data, please contact us through our contact page, via the Contact link in the site footer, or through our support channels.

We aim to respond within one calendar month of verifying your identity, consistent with UK GDPR (complex requests may take longer — we will tell you if that applies).

This Privacy Policy is effective as of the date last updated above. By using our Service, you acknowledge that you have read and understood this Privacy Policy.