5.1 Consent: By registering for an account and using the Service, you provide your explicit, informed, and freely given consent to process your personal data for the purposes described in Section 4.

5.2 Contractual necessity: Processing of your account data, wallet transactions, and uploaded images is necessary to perform the contract for the Service you have requested.

5.3 Legitimate interests: IP address logging and audit trail maintenance are carried out for fraud prevention and platform security as legitimate interests of Kalariq Studios.

5.4 Legal obligation: Retention of financial transaction records may be required under Indian tax and accounting laws.

Firebase / Google (Authentication & Database):Your email, name, hashed password, and Firestore documents (profile, uploads, gallery, transactions, notifications) are stored in Google Firebase infrastructure. Google's servers may be located outside India. Governed by Firebase Privacy Policy.

Google Gemini AI (Image Generation): Your uploaded clothing images and product information are transmitted to Google Gemini's API for AI processing. Google embeds a SynthID watermarkin all generated images as per Google's responsible AI policy. Governed by Google Privacy Policy.

Amazon Web Services — S3 & CloudFront (Image Storage & CDN): All uploaded and generated images are stored on AWS S3 using INTELLIGENT_TIERING storage class and served via AWS CloudFront CDN. Image paths are scoped per user ID and upload ID. Governed by AWS Privacy Policy.

Google Analytics / Firebase Analytics (Usage Analytics): Behavioural analytics data (events, page views, user properties) are collected and processed by Google. Governed by Google Privacy Policy.

Vercel (Hosting & Serverless Functions): The web application and API routes are hosted on Vercel. Request logs including IP addresses are processed by Vercel. Governed by Vercel Privacy Policy.

7.1 Firestore: User profile, uploads, gallery, transaction, and notification data are stored in Google Cloud Firestore. The Firestore project is configured for the Mumbai (asia-south1) region where possible; however, Google may replicate data to other regions for reliability.

7.2 AWS S3: Images are stored in an AWS S3 bucket. The specific AWS region is configured via environment variables. [Assumption: Region may vary; confirm with infrastructure configuration.]

7.3 Cross-border transfers: Your data may be processed on servers outside India (primarily by Google and AWS infrastructure). We rely on the standard contractual clauses and data processing agreements established by these sub-processors to safeguard cross-border transfers as permitted under DPDPA 2023.

We retain your personal data for as long as your account is active or as needed to provide the Service.

8.1 Images: Uploaded clothing images and generated model images are stored on AWS S3 for the duration of your account. You may delete individual gallery items at any time. AWS S3 is configured with a 90-day Glacier transition lifecycle policy for archived images.

8.2 Account data: Upon account deletion, we will use reasonable efforts to remove your personal data from Firestore within 30 days, except where retention is required by law (e.g., financial transaction records).

8.3 Audit logs: Audit logs containing IP addresses and action records may be retained for up to 12 months for security and legal compliance purposes.

8.4 Transaction records: INR wallet transaction history may be retained for up to 7 years as required under applicable Indian financial record-keeping laws.

10.1 Right to Access: You may access your account data, uploaded images, and transaction history at any time through your profile and gallery pages.

10.2 Right to Correction: You may update your name, phone number, business name, city, and logo via your profile settings at any time.

10.3 Right to Erasure: You may delete individual gallery items directly. To request full account deletion and erasure of personal data, please contact our Grievance Officer listed in Section 15.

10.4 Right to Data Portability: You may request a structured copy of your personal data by contacting our Grievance Officer. We will respond within 30 days.

10.5 Right to Withdraw Consent: You may withdraw your consent to processing at any time by requesting account deletion. Withdrawal of consent will not affect the lawfulness of processing prior to withdrawal.

10.6 Right to Grievance Redressal: You have the right to have your grievances addressed by our Grievance Officer within the timeframe prescribed under DPDPA 2023 and the IT Rules, 2011 (typically 30 days).

10.7 Opt-Out of Non-Essential Communications: [Assumption: No promotional email marketing service is currently integrated in the codebase.] Transactional in-app notifications (generation status, wallet alerts) are integral to the Service and cannot be disabled while your account is active.

Authentication session (Firebase Auth): Firebase Authentication uses browser IndexedDB and/or localStorage to persist your login session. These are essential for the Service to function and cannot be disabled.

Analytics cookies (Google Analytics / Firebase Analytics): Google sets cookies (e.g., _ga, _gid) to track unique visitors, session duration, and usage events. These are analytics cookies used to improve the Service.