Weft Privacy Policy

Last updated: May 21, 2026

1. Overview

Weft ("Weft," "we," "us," or "our") provides a mobile app and Safari extension that help users discover fashion items, save products, generate outfit recommendations, customize looks, publish creator content, and manage wardrobes and galleries.

This Privacy Policy explains what information we collect, how we use it, when we share it, and what choices you have.

2. Information We Collect

We collect the following categories of information when you use Weft:

A. Account and profile information

When you create or use a Weft account, we may collect:

Your phone number
Your Firebase authentication identifier
Your username
Your display name
Your first and last name, if you provide them
Your profile photo, if you upload one
Whether and when you accepted our Terms of Use
Whether your account is a creator account

If you use Weft as a guest (without creating a phone-authenticated account), we may collect:

A device-level identifier (IDFV) used to associate your guest session with your device
Apple App Attest cryptographic keys used to verify that requests originate from a genuine copy of the app on your device
A count of outfit generation jobs you have used, which may persist on your device (in the system Keychain) even if you delete and reinstall the app

Guest accounts do not require a phone number, and we do not collect profile information from guest users unless they later upgrade to a full account.

B. Content you create, save, or submit

When you use Weft features, we may collect and store:

Items you save to your gallery or wardrobe
Products you mark as purchased
Outfit generation requests, including the seed item you selected and any context phrase or prompt you submit
Generated outfit results and generated images
Customized looks you create by swapping items
Creator looks you publish, including notes you choose to add
Reports, block lists, and related safety submissions
Brand request submissions you choose to send to us

C. Device and notification information

If you enable push notifications, we collect and store:

Your push notification token
Basic device information associated with that token, such as device name, operating system, and system version

D. Safari extension page data

When the Weft Safari extension is active on a supported retail site, it sends limited page metadata to our backend so we can match the page to a product we know about. If "Automatically save links" is on (the default, controlled in the iOS app under Account → Extension Settings), we also save this metadata to your account so the page appears in your "Recently Viewed" history. The fields we may store per visit are:

The page URL, canonical URL, and source hostname
Product SKU when the URL resolves to a known catalog item
Open Graph metadata extracted from the page: title, image URL, site/brand name, price, currency, and a truncated description
The timestamp of the visit

This data is shown only to you, inside your own account. We do not use it for advertising or sell it to third parties.

If you use the "request this page" or similar brand-request feature on an unsupported domain, we may store the URL and hostname you submit so we can review that request.

E. Safety and moderation information

To help keep Weft safe, we may collect:

User reports and optional report details
User block relationships
Moderation status and moderation records for certain content
Profanity screening results for profile fields
Image moderation results for certain uploaded or generated images

F. Advertising and attribution information

We run ad campaigns on Meta (Facebook and Instagram) and other platforms to bring new users to Weft. To measure whether those campaigns work, and to send Meta the conversion signal it needs to optimize delivery, we collect and use the attribution information like Identifier for Vendor (IDFV) and Identifier for Advertisers (IDFA). IDFA is only used if you grant permission through Apple's App Tracking Transparency prompt.

Meta SDK identifiers

Meta browser, click, and anonymous-install identifiers (commonly called fbc, fbp, and anon_id) provided by Meta's Facebook SDK for iOS. The Facebook SDK is configured to log standard app events (such as app installs and sessions) and to collect the advertiser identifier when permitted by App Tracking Transparency.

Campaign metadata

Source, campaign name, ad id, and ad name provided by the AppsFlyer install-attribution SDK.
The date and time we captured this attribution information.

Conversion events sent to Meta

When you take a measurement event we care about, we send a server-to-server event to Meta's Conversions API in addition to (and deduplicated with) the corresponding event the Meta SDK sends from the app. The events we currently send include account registration, first item saved, first outfit generated, Safari-extension paired, and a once-per-day session-login signal

If you authorize tracking through Apple's App Tracking Transparency prompt, the event additionally includes:

Your IDFA, sent to Meta as madid.
Meta's browser and click identifiers (fbc, fbp) when present.

We do not use any of this information to show third-party ads inside Weft, and we do not sell it.

3. How We Use Information

We use information we collect to:

Create and maintain your account
Authenticate you and keep you signed in
Let you set up and manage your profile
Upload, store, and display your profile photo
Deliver outfit recommendations and related AI-powered features
Save your products, looks, gallery items, and wardrobe items
Let you customize, save, and publish looks
Send push notifications about completed jobs and other app events
Operate the Safari extension and match supported product pages
Review and process brand requests you submit
Moderate content and profile fields, investigate abuse, and enforce our Terms
Verify device authenticity and prevent abuse using Apple's App Attest framework
Measure the effectiveness of our advertising and attribute app installs and registrations to ad campaigns we run on Meta
Prevent fraud, abuse, and misuse of the service
Comply with legal obligations and protect our rights and users

4. When We Share Information

We share information with service providers that help us operate Weft. Based on the current implementation, those providers may include:

Firebase for phone-number authentication and push messaging
Amazon Web Services (AWS) for file storage and, if enabled, image moderation services
Apple (App Attest / DeviceCheck) for device attestation and fraud prevention for guest accounts
Meta Platforms (Facebook Conversions API and the Facebook SDK for iOS) for measuring the performance of ad campaigns we run on Meta. The Facebook SDK transmits standard app events (such as installs and sessions) from your device directly to Meta. Separately, our backend sends server-to-server conversion events through Meta's Conversions API. We send Meta the identifiers described in Section 2.F, with IDFA and Meta's browser/click identifiers sent only when permitted by your App Tracking Transparency choice.
AppsFlyer for mobile install attribution. AppsFlyer's iOS SDK helps us determine which ad campaign, if any, led to a given app install.

We may also share information:

If you publish creator content or otherwise make content visible to other users through public features
If required by law, legal process, or valid government request
To enforce our agreements, prevent fraud or abuse, or protect the safety, rights, or property of Weft, our users, or others
In connection with a merger, financing, acquisition, reorganization, sale of assets, or similar transaction

We use Meta's Conversions API and AppsFlyer's install-attribution SDK to measure the performance of ad campaigns we run to promote Weft, as described in Section 2.F. We do not show third-party ads inside Weft, we do not sell your personal information, and we do not use your gallery, saved items, generated looks, or other in-app activity for cross-app advertising.

5. Safari Extension Details

The Safari extension is configured to run only on select retail websites that Weft supports, not on every website you visit. When active on a supported site, it may automatically analyze the current page and send limited page metadata to our backend to determine whether the page matches an item we know of.

When "Automatically save links" is on, we retain the per-page metadata described in Section 2.D so you can revisit recently viewed products from the Discover tab. You can:

Turn off "Automatically save links" in Account → Extension Settings to stop saving new pages. Existing saved links are preserved until you clear them.
Delete an individual saved link by swiping it left in the Recently Viewed grid, or from its detail screen.
Clear your full saved-links history at any time from Account → Extension Settings.

Saved links are visible only to you. We do not share them with other users or advertisers, and we do not use them for cross-site tracking.

If you explicitly submit a request asking us to support a new brand or product, we may retain the URL and hostname you submit for review.

6. User Content and Public Sharing

Some Weft features allow you to create and publish content. If you publish creator looks or other content through public or shared features, that content may be visible to other users.

If your account is deleted, Weft may unpublish creator looks associated with your account. Some records may remain in de-identified or disassociated form as described below.

7. Retention

We retain information for as long as reasonably necessary to provide the service, operate features you use, maintain safety and moderation systems, comply with legal obligations, resolve disputes, and enforce our agreements.

Examples based on the current product implementation include:

Account records while your account is active
Saved items, jobs, generated looks, and related records until deleted, anonymized, or no longer needed
Recently-viewed page records (when "Automatically save links" is on) until you clear them, individually delete them, or delete your account
Push notification tokens until they are deactivated, replaced, or removed
Safety, moderation, and abuse-prevention records as needed for trust and safety purposes
Guest usage quotas stored in the device Keychain, which may persist on your device even after you delete the app or delete your guest account

8. Account Deletion

You can request deletion of your account from within the app.

Based on the current implementation, when you delete your account we:

Remove or clear direct account identifiers such as your Firebase identifier, username, display name, first name, last name, and profile image reference
Replace your stored phone number with a deleted-account placeholder
Mark the account as deleted
Delete your "Recently Viewed" / saved-links history
Clear the advertising and attribution information described in Section 2.F (your IDFV, your IDFA when present, Meta's click, browser, and anonymous identifiers, and ad-campaign metadata) from your account record
Unpublish creator looks associated with your account
Deactivate stored push tokens for that account
Attempt to delete the corresponding Firebase authentication user

For guest accounts, we additionally clear your App Attest cryptographic keys from our servers. Your guest usage quota may remain stored in your device's Keychain.

Some related records may remain in de-identified, orphaned, or disassociated form for analytics, safety, integrity, legal, and operational purposes.

9. Your Choices

You can:

Choose whether to provide optional profile details
Choose whether to upload a profile photo
Choose whether to enable push notifications
Save or delete items and looks in your gallery
Mark saved items as purchased or unpurchased
Block users and report content
Turn off automatic saving of the product pages you visit on supported retail sites
Delete individual saved links, or your full saved-links history, at any time
Continue to use the Safari extension's product-matching feature without saving any pages by turning off the "Automatically save links" setting
Use the Service as a guest without providing a phone number, with limited features and a usage quota
Upgrade from a guest account to a full account at any time, which preserves your existing data
Manage cross-app tracking permissions for Weft through iOS Settings → Privacy & Security → Tracking. Weft requests App Tracking Transparency permission shortly after you first open the app. If you deny permission, or revoke it later, Weft will not read your IDFA.
Stop further ad-attribution events from being generated by uninstalling the Weft app, which prevents future Conversions API events tied to that install
Delete your account, which clears the attribution information described in Section 2.F as part of the deletion steps in Section 8

You may also be able to manage certain permissions, such as photo-library access and notifications, through your device settings.

10. Security

We use administrative, technical, and organizational measures intended to protect personal information. No method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security.

11. Children's Privacy

Weft is not intended for children under 16, and we do not knowingly collect personal information from children in violation of applicable law. If you believe a child has provided personal information to us, contact us and we will investigate.

12. International Transfers

Weft and our service providers may process information in the United States and other countries where they operate. Those countries may have data protection rules that differ from those in your jurisdiction.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the "Last updated" date above. If required by law, we will provide additional notice.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Email: support@weft-app.com