Privacy Policy
Introduction
Trenchcoat (“we,” “us,” or “our”) operates the Trenchcoat web application available at trenchcoat.app (the “Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding that information.
By using the Service you agree to the collection and use of information in accordance with this policy. If you disagree, please discontinue use of the Service.
1. Who We Are
The Service is operated by Trenchcoat, an individual doing business under the Trenchcoat brand, currently based in Illinois, United States. For privacy inquiries, contact us at privacy@trenchcoat.app.
2. Information We Collect
2.1 Information You Provide Directly
- Account credentials. When you create an account via email and password, we collect your email address and a securely hashed version of your password (managed by Supabase Auth; we never see your plaintext password).
- OAuth sign-in. If you choose to sign in with Google (currently active), we receive your name, email address, and profile photo URL from Google. Apple Sign-In support is in progress and will be available on additional surfaces following launch.
- Profile information. You may optionally provide your birth month and year, and gender, to personalize recommendations. Your “vibe summary” shown on your profile is system-generated based on your activity—it is not text you type directly.
- Closet and likes. When you add brands to your closet or like brands, we store those associations (brand identifier, want/have status) linked to your account.
- Brand suggestions. If you submit a brand suggestion, we collect the brand name, URL, and your reason. We also store your IP address for abuse-prevention purposes.
- Brand reports. If you flag a brand for review, we collect the report type, notes, and your IP address for abuse-prevention purposes.
- Brand claim requests. If you submit a brand claim, we collect your name, job title, Instagram handle, and proof URL.
- Push notification tokens. If you enable push notifications, we store your device push token to deliver notifications.
2.2 Information Collected Automatically
- IP address handling. Your IP address is processed transiently for rate-limiting purposes (stored as a temporary key in Redis, automatically expiring after 24 hours). For server logs, IP addresses are hashed using SHA-256 with a salt before being written—we do not retain raw IP addresses in our application logs. Raw IP addresses are stored only in brand suggestions and brand reports as described above.
- Browser fingerprint. A client-side fingerprint value may be used as an anonymous rate-limit key (24-hour expiry in Redis) to limit search requests for non-authenticated visitors.
- Usage events. We record first-party analytics events such as brand page views, search appearances and clicks, website link clicks, closet additions, product clicks, and signups. These events are stored in our own database (not sent to a third-party analytics platform). Each event may include an event type, a brand identifier, a country code derived from your request headers, an optional user ID if you are signed in, and a timestamp.
- Country code. We derive your country code from a Cloudflare-provided request header (e.g.,
cf-ipcountry) for regional analytics. We do not store the raw header value beyond the derived two-letter code. - User agent. Your browser's user agent string may appear in server access logs managed by Vercel (our hosting provider).
- Session cookies. We use first-party session cookies issued by Supabase to maintain your authenticated session. These cookies are strictly necessary for the Service to function. See Section 6 for more detail.
- Search query text. When you perform a search, the normalized text of your query is stored in our database in the
search_logstable, along with your user ID (if you are signed in) and the number of results returned. We use this data to improve search quality, for internal analytics, and for abuse prevention. There is no automatic deletion TTL for this table; records are retained as long as necessary to operate and improve the Service. If you delete your account, your associated search log records are deleted as part of that process.
3. How We Use Your Information
We use the information we collect to:
- Create and maintain your account and authenticate you securely.
- Deliver and personalize the Service, including brand recommendations and search results.
- Operate and improve our semantic search pipeline.
- Prevent abuse, fraud, and unauthorized access.
- Communicate with you about your account or the Service (transactional emails only).
- Analyze aggregate usage patterns to improve the Service (using our first-party analytics).
- Comply with our legal obligations.
GDPR legal bases (EEA/UK users). Where the GDPR applies, we process your personal data under the following legal bases: performance of a contract (account management, delivering the Service you requested); legitimate interests (security, abuse prevention, internal analytics, service improvement); and consent (optional profile fields such as birth date and gender, which you may withdraw at any time by deleting them in Settings).
4. How We Share Your Information
We do not sell your personal data. We do not share your personal data with third parties for advertising or marketing purposes.
We share data only in the following circumstances:
- Service providers (subprocessors). We share data with the vendors listed in Section 4.1 solely to operate the Service.
- Legal requirements. We may disclose information if required by law, court order, or government authority, or to protect the rights, property, or safety of Trenchcoat, our users, or the public.
- Business transfer. If Trenchcoat is acquired, merged, or its assets transferred, your data may be transferred as part of that transaction. We will notify you in advance.
4.1 Subprocessors
We rely on the following third-party service providers, each of which processes some personal data on our behalf:
- Supabase (US) — database, authentication, and transactional email.
- OpenAI (US) — semantic search embeddings (see Section 5).
- Upstash Redis (US) — rate-limiting and search embedding cache.
- Vercel (US) — web hosting and edge infrastructure; access logs are subject to Vercel's retention policies (typically 7 days).
- Cloudflare R2 (US) — brand image CDN storage. No user personal data is stored in R2.
- Google (US) — Google OAuth sign-in.
- Apple (US) — Apple OAuth sign-in (in progress; not yet fully available on all surfaces).
5. Search Queries and Third-Party AI Services
When you submit a search query on Trenchcoat, the following happens with your query text:
- Your query is sent to OpenAI to generate a semantic embedding vector (using the
text-embedding-3-smallmodel). OpenAI processes this data in accordance with its Privacy Policy. - The embedding vector for your query is cached in Upstash Redis for up to 30 days to improve performance on repeated searches.
- The normalized text of your query is stored in our database (table:
search_logs) as described in Section 2.2. Search results are ranked entirely by our own internal logic—no third-party reranking service is used.
If you prefer not to have your query sent to OpenAI for embedding generation, please do not use the search feature.
6. Cookies and Tracking Technologies
At launch, Trenchcoat uses essential session cookies only. These are first-party cookies issued by Supabase to maintain your authenticated session. They are strictly necessary for the Service to function and cannot be disabled without logging you out.
We do not currently use any advertising cookies, tracking pixels, or third-party analytics cookies (such as Google Analytics). We may add Google Analytics or similar analytics in the future; if we do, we will provide a cookie consent mechanism for EU/UK users before activating any such service.
Because we use only essential cookies at launch, no cookie consent banner is displayed. This will be revisited if we add non-essential cookies.
7. Data Retention
- Account data. Retained until you delete your account. Deleting your account cascades to remove your profile, closet, likes, and associated records.
- Brand suggestions and reports. Retained indefinitely for moderation and abuse-prevention purposes, including the stored IP addresses.
- Analytics events (
analytics_events). Retained for 24 months from the date of the event, then deleted. - Search logs (
search_logs). Normalized query text, result count, and optional user ID are retained as long as necessary to operate and improve the Service. Records associated with your account are deleted when you delete your account. No automatic TTL is currently configured. - Search embedding cache (Redis). Query embeddings are cached for 30 days with automatic expiry.
- Rate-limit keys (Redis). Anonymous rate-limit keys (IP hash / fingerprint) expire automatically after 24 hours.
- Server access logs. Managed by Vercel; typically retained for 7 days per Vercel's default policy. Hashed IP addresses (not raw) appear in our application-level logs.
- OAuth session tokens. Managed by Supabase; expire and refresh per Supabase's JWT configuration.
8. Your Rights
8.1 GDPR Rights (EEA and UK Users)
If you are located in the European Economic Area or the United Kingdom, you have the following rights:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Request correction of inaccurate data.
- Erasure (“right to be forgotten”). Request deletion of your personal data.
- Restriction. Request that we restrict processing of your data in certain circumstances.
- Portability. Receive your data in a structured, machine-readable format.
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. Withdraw consent at any time where processing is based on consent.
To exercise these rights, email us at privacy@trenchcoat.app. We will respond within 30 days (or as required by applicable law).
You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant EU data protection authority).
8.2 CCPA / CPRA Rights (California Residents)
California residents have the right to:
- Know what personal information is collected, used, shared, or sold.
- Delete personal information we hold about you.
- Opt out of the “sale” or “sharing” of personal information.
- Non-discrimination for exercising your privacy rights.
- Correct inaccurate personal information.
- Limit use and disclosure of sensitive personal information.
We do not sell or share your personal information as those terms are defined under CCPA/CPRA. To exercise any other rights, contact us at privacy@trenchcoat.app.
8.3 Account Deletion
You can delete your account at any time in the Settings section of the Service. Account deletion removes your profile and associated data as described in Section 7.
9. Children's Privacy
The Service is intended for users who are at least 13 years old. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us personal information, please contact us at privacy@trenchcoat.app and we will delete that information promptly.
Users in the European Union must be at least 16 years old (or the minimum age required by their member state) to use the Service without parental consent, where required by applicable law.
10. International Data Transfers
Trenchcoat is based in the United States, and our subprocessors primarily process data in the United States. If you access the Service from the EEA, UK, or other regions with data protection laws, your information may be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
Where required, we rely on appropriate transfer mechanisms—such as the EU Standard Contractual Clauses (SCCs) as implemented by our subprocessors—to ensure an adequate level of protection for transfers of personal data from the EEA/UK to the United States.
11. Security
We implement reasonable technical and organizational measures to protect your personal information, including hashed passwords, hashed IP addresses in logs, encrypted data transmission (TLS), and access controls. However, no method of transmission over the internet or electronic storage is 100% secure. We encourage you to use a strong, unique password for your account.
We use abuse detection measures (including rate-limiting via hashed IP and fingerprint keys) to protect the Service from unauthorized automated access.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If we make material changes, we will notify you by email (to the address on your account) or through a prominent notice on the Service at least 30 days before the changes take effect.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Trenchcoat
privacy@trenchcoat.app
We will respond to all privacy inquiries within 30 days (or sooner where required by applicable law).