Privacy Policy

We use your information for the following purposes:

• Provide the Service — process your video generation requests, manage your account, subscription, and credits, and deliver your generated content
• Process payments — charge subscriptions, handle upgrades and cancellations, and maintain billing records as required by law
• Communicate with you — send transactional emails (receipts, generation notifications, password resets), service announcements, and, where you have opted in, product updates
• Improve the Service — analyze usage patterns to fix bugs, optimize performance, and develop new features; we aggregate and anonymize data for this purpose
• Enforce our policies — detect and prevent fraud, abuse, prohibited content, and violations of our Terms of Service
• Comply with legal obligations — respond to lawful requests from authorities, maintain required records, and exercise or defend our legal rights

When you submit a garment image, Drape transmits it to AI systems — including virtual try-on models and video synthesis engines — to generate the requested output. This processing occurs on secure cloud infrastructure and is performed solely to deliver your generation request.

We do not train on your content by default. Your User Content is not used to train or fine-tune any AI model unless you have explicitly opted in through your account settings. You may withdraw that consent at any time.

Intermediate representations (e.g., latent embeddings) created during generation are ephemeral and are not retained beyond the generation session. Completed generated videos are stored in your project library and retained as long as your account is active.

We apply data minimization practices when passing content to third-party AI infrastructure: only the data necessary for the specific generation task is transmitted.

We do not sell your personal information. We share data only in the limited circumstances described below:

Service providers. We work with carefully selected third parties who process data on our behalf under contractual obligations consistent with this Policy:

• Stripe — payment processing
• Google Analytics — anonymized usage analytics (IP anonymization enabled)
• Cloud infrastructure providers — hosting, storage, and compute (data centers located primarily in the United States)
• AI model providers — for video and image generation; data minimization is applied and providers are contractually prohibited from retaining your content

Legal requirements. We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers. If Drape is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy.

Retention. We retain your account data and User Content for as long as your account is active. Following account deletion, we retain data for up to 90 days to allow for recovery or dispute resolution, after which it is permanently deleted. Payment records are retained for up to 7 years as required by applicable financial regulations.

Security measures. We implement industry-standard safeguards including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Access controls restricting data access to authorized personnel only
• Regular security assessments and dependency auditing
• JWT-based authentication with short-lived access tokens and refresh token rotation

No method of transmission or storage is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law, without undue delay.

Depending on your location, you may have the following rights regarding your personal data:

All users. You may access, update, or delete your account data through your account settings at any time. You may also unsubscribe from marketing communications via the unsubscribe link in any marketing email.

EEA, UK & Switzerland (GDPR). You have the right to: access a copy of your personal data; request correction of inaccurate data; request erasure ("right to be forgotten"); request restriction of processing; receive your data in a portable format; object to processing based on legitimate interests; and withdraw consent where processing is consent-based. You also have the right to lodge a complaint with your local data protection authority.

California (CCPA / CPRA). You have the right to: know what categories of personal information we collect and how they are used; request deletion of your personal information; correct inaccurate information; opt out of the sale or sharing of personal information (we do not sell or share your data for advertising purposes); and not be discriminated against for exercising these rights.

To exercise any of these rights, contact us at privacy@drapenow.com. We will respond within 30 days (or 45 days for CCPA requests). We may ask you to verify your identity before fulfilling certain requests.

We use the following categories of cookies and similar technologies:

Essential cookies. Required for the Service to function. These include session authentication tokens and security cookies. They cannot be disabled without breaking core functionality.

Analytics cookies. We use Google Analytics (GA4, measurement ID: G-FBQD7W8E0R) to understand how users interact with the Service. IP anonymization is enabled. Google Analytics data is aggregated and does not directly identify you. You can opt out via the Google Analytics opt-out browser add-on.

No advertising cookies. We do not use third-party advertising or cross-site tracking cookies, and we do not sell or share your behavioral data with advertisers.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies will impair your ability to use the Service.

Drape is operated from the United States. If you access the Service from the European Economic Area, United Kingdom, Switzerland, or any other jurisdiction with data protection laws that differ from those of the United States, your personal data will be transferred to and processed in the US.

For transfers from the EEA and UK, we rely on the following legal mechanisms to ensure your data receives adequate protection:

• Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with sub-processors
• Adequacy decisions where the European Commission has determined that a recipient country provides adequate protection

For UK-based transfers, we use the UK equivalent of SCCs (the International Data Transfer Agreement, or IDTA) where applicable.

The Service is not directed at children under the age of 16, and we do not knowingly collect personal information from anyone under 16. If we become aware that we have collected personal data from a child under 16 without verifiable parental or guardian consent, we will take steps to delete that information promptly. If you believe we may have information from or about a child under 16, please contact us at privacy@drapenow.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will provide at least 14 days' advance notice via email or a prominent in-app notice before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision. We encourage you to review this Policy periodically.

Drape acts as the data controller for personal data collected through the Service. If you have questions about this Privacy Policy, wish to exercise your rights, or have a data-related concern, please contact us:

We will respond to privacy-related inquiries within 30 days of receipt. For GDPR or CCPA requests, response times may extend to 45 days where permitted by law, with written notice to you of the extension.