This Privacy Policy explains what personal data Finds collects, why we collect it, how we use it, who we share it with, and what rights you have in relation to it. It applies to all users of the Finds mobile application (the "App"), regardless of where you are located.

The App is developed and operated by Mindeverse s.r.o. ("Finds", "we", "us", or "our"). If you do not agree with this Privacy Policy, please do not use the App.

1. Who We Are — Data Controller

The entity responsible for your personal data is: Mindeverse s.r.o.

Registered address: Pasecka 863, Albrechtice, Czech Republic

Company type: Limited liability company (s.r.o.), registered in the Czech Republic

Email: support@thefinds.app

Website: thefinds.app

For users in the European Union and European Economic Area, Mindeverse s.r.o. acts as the data controller under the General Data Protection Regulation (GDPR). We have not appointed a Data Protection Officer as we do not meet the thresholds requiring one under GDPR Article 37.

For all data protection enquiries, please contact support@thefinds.app

2. Data We Collect

2.1 Account Registration Data

When you create an account, we collect:

• Full name

• Username

• Email address

• Age (year of birth or age confirmation)

• Gender (optional)

This data is required to create and maintain your account.

2.2 Onboarding Preference Data

During onboarding, you provide information used to personalise your experience:

• Preferred clothing brands (selected from a curated list)

• Clothing and shoe sizes

• Approximate monthly clothing budget

• Style preferences (for example: streetwear, old money, casual, basic)

• Interest in second-hand or sustainable fashion

From these inputs, we automatically generate a style profile for you. This profile includes inferred brand affinities across a wider range of brands (brands you are likely to love, like, be neutral about, or dislike), inferred spending patterns, and a style archetype classification. This processing is described further in Section 5.

All onboarding preference data is optional in the sense that you can choose your answers freely.

However, providing this information is required to receive personalised discovery results. If you prefer not to, you can still use the App's core visual discovery feature without completing onboarding.

2.3 In-App Activity Data

While you use the App, we collect data about your interactions:

• Products you save or mark as liked

• Discovery sessions and results you engage with

• Features you use and screens you visit

• Session duration and frequency of use

This data is used to improve your personalised recommendations and to understand how the App is used.

2.4 Photos and Image Data

When you use the visual discovery feature:

• You upload or take a photo within the App.

• The photo is transmitted securely to our infrastructure.

• Apple Vision processes the image on-device to isolate the clothing item.

• The isolated image is sent via a Supabase edge function to our HuggingFace-hosted AI model, which generates a numerical vector embedding representing the visual characteristics of the item.

• The embedding is immediately used to retrieve visually similar products from our database.

• The original photo is not stored on our servers at any point.

• The embedding is not stored in our database — it is discarded after the results are returned.

• Temporary server logs may capture partial technical data from this process for up to 30 days for security and debugging purposes. These logs are access-restricted and are not used for any other purpose.

By submitting an image, you confirm that you have the right to use it and that doing so does not infringe any third-party rights.

2.5 Device and Technical Data

We automatically collect limited technical information when you use the App:

• Device type and model

• Operating system version

• App version

• IP address — used only to determine your approximate region for the purpose of displaying the relevant currency (EUR or USD). Your IP address is not stored in our database and is not used for any other purpose.

2.6 Payment and Subscription Data

All payments are processed exclusively by Apple App Store. We do not collect, see, or store your payment card number, billing address, or any other payment details. We receive only your subscription status and transaction confirmation from Apple.

2.7 Email Communications Data

We use Resend to send transactional and promotional emails. We collect and store your email address for this purpose. We send the following categories of email:

• Welcome and account-related emails — sent automatically upon account creation.

• Subscription confirmation and billing-related notifications.

• Promotional emails — sent only where you have given separate, explicit consent during onboarding or account settings. You may withdraw consent to promotional emails at any time by clicking the unsubscribe link in any email or by contacting support@thefinds.app.

3. Legal Basis for Processing (EU/EEA Users)

We process your data for the following specific purposes, each with its own legal basis and retention period.

Account creation and management. We process your name, username, email address, age, and gender to create and maintain your account. The legal basis is contract performance — we need this data to provide the service you signed up for. This data is retained for the duration of your account and deleted within 30 days of account deletion.

Personalised fashion discovery. We process your onboarding preferences, style profile, in-app activity, and saved items to personalise your experience and return relevant products. The legal basis is contract performance. This data is retained for the duration of your account and deleted within 30 days of account deletion.

Visual discovery — image processing. We process your uploaded photo, a temporary vector embedding derived from it, and server logs to return visually similar products. The legal basis is contract performance. Your photo and the embedding are discarded immediately after results are returned and are never stored. Server logs are retained for up to 30 days for security and debugging purposes only.

App analytics and performance monitoring. We process device information and app usage patterns to understand how the App is used and to improve it. The legal basis is legitimate interest — we have assessed that this interest does not override your rights. Aggregated analytics data is retained for up to 26 months. Raw session logs are retained for up to 90 days.

Sending transactional emails. We process your email address to send account-related communications such as your welcome email and subscription confirmations. The legal basis is contract performance. Your email address is retained for the duration of your account.

Sending promotional emails. We process your email address to send promotional communications about Finds. The legal basis is your consent, which you provide via a separate explicit opt-in during onboarding. You may withdraw this consent at any time by clicking the unsubscribe link in any email or by contacting support@thefinds.app. Your email address is used for this purpose until you unsubscribe or withdraw consent.

Anonymised B2B trend data program. Where you have given separate explicit consent during onboarding, we include your preference data in a fully anonymised, aggregated dataset that we share with clothing brands and industry partners. The legal basis is consent. You may withdraw consent at any time. Once data has been genuinely anonymised it is no longer personal data under GDPR and cannot be retrieved or linked back to you. Anonymised data has no retention limit.

Preventing free trial abuse. We retain minimal technical identifiers to prevent repeated misuse of our free trial. The legal basis is legitimate interest. This data is retained for up to 2 years after account deletion.

Subscription and payment management. We process your subscription status and transaction confirmation from Apple. The legal basis is contract performance and legal obligation. This data is retained for the duration of your subscription plus 7 years to comply with Czech accounting and tax law.

Legal compliance and fraud prevention. We process account data and usage logs where required to comply with applicable law or to prevent fraud. The legal basis is legal obligation and legitimate interest. Data is retained for as long as required by applicable law.

Where we rely on legitimate interest, we have. carried out a balancing assessment and are satisfied that our interest does not override your fundamental rights and freedoms. You have the. right to object to processing based on legitimate interest at any time (see Section 10).

Where we rely on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.Finds — Privacy Policy

4. How We Use Your Data

We use the data we collect for the following purposes:

• To provide the visual fashion discovery feature and return relevant product results.

• To personalise the App experience based on your style profile and in-app behaviour.

• To create and maintain your account and manage your subscription.

• To send you account-related and, where consented, promotional emails.

• To monitor and improve App performance and user experience.

• To prevent abuse of our free trial and subscription systems.

• To generate fully anonymised trend data for B2B purposes, where you have explicitly consented (see Section 6).

• To comply with our legal obligations.

We do not use your data to serve third-party advertisements. We do not build advertising profiles.

5. Automated Profiling

The App uses automated processing to generate your style profile from the preferences you provide during onboarding. Specifically:

• Your selected brands are used as inputs to a model that infers your likely affinity for a wider range of brands worldwide.

• Your budget, style, and size inputs are used to classify your style archetype and spending pattern.

• The resulting profile is used solely to personalise your in-app discovery experience — showing you products and brands most relevant to your taste.

This automated processing does not produce legal effects or similarly significant effects on you.

It does not affect your access to financial services, employment, or any other consequential outcome. It is a personalisation mechanism only.

You have the right to request human review of any automated processing that you believe has affected you significantly. To exercise this right, contact support@thefinds.app.

6. Anonymised B2B Trend Data Program

With your explicit, separate consent, we may include your onboarding preference data in an anonymised, aggregated dataset that we share with or sell to clothing brands and industry partners.

It is important to understand precisely what this means:

• We never share your name, username, email, or any data that identifies you personally.

• We aggregate data across all consenting users to produce trend reports. An example

output would be: "Among male users aged 18 to 22 who prefer casual style, 67% show strong affinity for minimalist streetwear brands."

• Individual user data is never extractable from these reports.

• The anonymisation is genuine — it is not possible to re-identify you from the trend data we share.

Participation in this program is entirely optional:

• You will be asked to give explicit, separate consent during onboarding via a clearly labelled opt-in. This is not bundled with acceptance of our Terms of Use or this Privacy Policy.

• If you do not opt in, your data will not be included in any B2B data sharing and you can use the full App without any limitation.

• You may withdraw your consent at any time by contacting support@thefinds.app or adjusting your settings within the App. Withdrawal of consent does not affect the lawfulness of anonymised data already shared, as once genuinely anonymised, the data is no longer personal data and cannot be retrieved or linked back to you.

Why we do this: trend data derived from real user preferences helps clothing brands understand. what styles, price points, and categories their potential customers actually want. This data is commercially valuable and supports Finds as a sustainable business.

7. Third-Party Services and Data Processors

We use the following third-party service providers to operate the App. Each acts as a data processor on our behalf and is contractually bound by appropriate data processing terms.

Supabase Inc. provides our primary database, user authentication, edge functions, and data storage. Supabase is located in the United States. Data transfers are covered by Standard Contractual Clauses approved by the European Commission.

HuggingFace Inc. hosts the AI model that generates visual embeddings from user-uploaded images. HuggingFace is located in the United States. Data transfers are covered by Standard Contractual Clauses.

Apple Inc. — Apple Vision. Apple Vision processes images on your device to isolate the clothing item you are searching for. This processing happens entirely on your device. No data is sent to Apple for this function and no international transfer occurs.

Apple Inc. — App Store and In-App Purchases. Apple processes all payments, manages subscriptions, and provides App Store analytics. Apple is located in the United States. Data transfers are covered by Standard Contractual Clauses.

Resend Inc. delivers our transactional and promotional emails. Resend is located in the United States. Data transfers are covered by Standard Contractual Clauses.

Google LLC — Google Analytics. Google Analytics is used on our website at thefinds.app only. It is not used within the App itself. Google is located in the United States. Data transfers are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework.

We do not sell, rent, or disclose your personal data to any third party for their own independent marketing purposes. The only data sharing that occurs is (a) with processors listed above who act on our instructions, and (b) fully anonymised trend data under the B2B program described in Section 6, where you have given explicit consent.

8. International Data Transfers

Mindeverse s.r.o. is based in the Czech Republic, an EU member state. Some of our third-party service providers are located outside the European Economic Area (EEA), including in the United States.

Whenever we transfer personal data outside the. EEA, we ensure appropriate safeguards are in. place as required by GDPR Chapter V. The primary safeguard we use is Standard Contractual. Clauses (SCCs) approved by the European Commission. Where applicable, we also rely on the EU-US Data Privacy Framework.

You may request a copy of the relevant transfer safeguards by contacting support@thefinds.app.

9. Children's Privacy

The App is intended for users aged 13 and over. The App Store rating of 9+ (or equivalent in certain regions) reflects content classification, not the minimum age for data collection consent.

In the Czech Republic and under GDPR, the age of digital consent is 15. For users between the ages of 13 and 15, verifiable parental or guardian consent is required before the App is used and before we process personal data.

In the United States, the Children's Online Privacy Protection Act (COPPA) applies to users under 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has created an account without verifiable parental consent, we will delete the account and all associated data without delay.

In Brazil, the App is rated 12+. Users aged 12 or 13 in Brazil require parental consent in accordance with the Lei Geral de Protecao de Dados (LGPD).

Parents or guardians who believe their child has created an account without appropriate consent should contact us immediately at support@thefinds.app.

10. Your Rights

10.1 EU and EEA Users — GDPR Rights

If you are located in the EU or EEA, you have the following rights under GDPR:

• Right of access (Art. 15): request a copy of the personal data we hold about you and information about how we process it.

• Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.

• Right to erasure (Art. 17): request deletion of your personal data where there is no longer a legitimate reason for us to hold it.

• Right to restriction of processing (Art. 18): request that we temporarily stop processing your data in certain circumstances, for example while a dispute is resolved.

• Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller.

• Right to object (Art. 21): object at any time to processing based on legitimate interest.

We will stop unless we can demonstrate compelling legitimate grounds that override your rights.

• Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

• Right not to be subject to solely automated decisions with significant effects (Art. 22): see Section 5 for details of our automated processing.

To exercise any of these rights, contact support@thefinds.app. We will acknowledge your request within 5 business days and provide a full response within 30 days. We may ask you to. verify your identity before processing your request. In complex cases we may extend our response period by up to a further 60 days — we will inform you if this is necessary.

Right to lodge a complaint: You have the right to lodge a complaint with your national data protection supervisory authority at any time. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection (UOOU), reachable at www.uoou.cz. If you are located in another EU member state, you may contact your local supervisory authority.

10.2 California Residents — CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

• Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business or commercial purpose, and the categories of third parties with whom we share it.

• Right to delete: request deletion of personal information we have collected about you, subject to certain exceptions permitted by law.

• Right to correct: request correction of inaccurate personal information we hold about you.

• Right to opt out of sale or sharing: we do not sell personal information and do not share it for cross-context behavioural advertising. The B2B program in Section 6 uses only genuinely anonymised data and does not constitute a "sale" under CCPA.

• Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond those permitted under CCPA.

• Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, contact support@thefinds.app. We will respond within 45 days. We may extend this period by a further 45 days where reasonably necessary, with prior notice.

10.3 Brazilian Users — LGPD Rights

If you are located in Brazil, the Lei Geral de Protecao de Dados (LGPD) grants you rights including access, correction, anonymisation, blocking, deletion, and portability of your personal data, as well as the right to be informed about third-party sharing and to withdraw consent. To exercise these rights, contact support@thefinds.app.

10.4 All Other Users

Regardless of your location, you may contact us at support@thefinds.app to request access to, correction of, or deletion of your personal data. We will handle all requests within a reasonable timeframe.

11. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy.

Specific retention periods are set out in the table in Section 3. As a general guide:

• Account and profile data: retained for the duration of your account and deleted within 30 days of account deletion.

• Onboarding preference and style profile data: retained for the duration of your account and deleted within 30 days of account deletion.

• Photos uploaded for visual discovery: never stored. Discarded immediately after processing.

• Vector embeddings: never stored in our database. Discarded after results are returned.

• Server logs (which may contain partial technical processing data): retained for up to 30 days.

• App analytics data: aggregated form up to 26 months; raw logs up to 90 days.

• Technical identifiers retained for abuse prevention: up to 2 years after account deletion.

• Financial and subscription records: up to 7 years to comply with Czech accounting and tax law.

• Anonymised trend data (B2B program): no retention limit, as anonymised data is no. longer personal data under GDPR.

When retention periods expire, data is securely deleted or irreversibly anonymised.

12. Account Deletion

You can delete your account directly within the App settings. After deletion:

• Your name, username, email, and all personalisation data are permanently deleted within 30 days.

• Minimal technical identifiers may be retained for up to 2 years solely for abuse prevention purposes.

• Financial and subscription records are retained for up to 7 years as required by law.

• Any anonymised data already included in the B2B trend dataset cannot be retrieved or linked back to you, as it has been genuinely anonymised and is no longer personal data.

Deleted data cannot be recovered. If you wish to use the App again after deletion, you will need to create a new account.

13. Data Security

We implement appropriate technical and. organisational measures to protect your personal data. against unauthorised access, loss, alteration, or disclosure. These measures include:

• Encrypted data transmission (TLS/HTTPS) between the App and our servers.

• Access controls restricting who can access personal data within our operations.

• Use of reputable, security-certified infrastructure providers (Supabase, HuggingFace).

• Restricted access to server logs containing technical processing data.

In the event of a personal data breach that is likely to result in a risk to your rights and. freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and will notify you without undue delay where required by applicable law.

No system is entirely secure. While we take data security seriously, we cannot guarantee the. absolute security of your data.

14. Advertising

Finds does not display third-party advertisements within the App. We do not share your. personal data with advertising networks. Any in-app messages are related solely to App. functionality, subscription offers, or feature announcements.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the App, applicable law, or our data practices.

For material changes — meaning changes that significantly affect how we process your data or your rights — we will provide at least 30 days advance notice via in-app notification or email before the change takes effect, where required by applicable law.

The "Last updated" date at the top of this policy indicates when it was most recently revised.

Continued use of the App after a change takes effect constitutes your acceptance of the nupdated policy. If you do not agree, you must stop using the App and may request deletion of your account.

16. Contact

For any questions, concerns, or requests relating to this Privacy Policy or your personal data:

Mindeverse s.r.o.

Email: support@thefinds.app

Address: Pasecka 863, Albrechtice, Czech Republic

Website: thefinds.app

We will acknowledge all requests within 5 business days and aim to provide a full response within 30 days (GDPR) or 45 days (CCPA).

© 2026 Mindeverse s.r.o. — Finds. All rights reserved.