Privacy Policy – Grimmor

Last updated: 22 January 2026

Grimmor OÜ (“Grimmor”, “we”, “us”, “our”), registry code 17343626 and registered address at Jõe
street 3-315, 10151 Tallinn, Estonia, processes the data of persons who use the virtual shopping and
selling platform in a mobile application Grimmor or online www.grimmor.com or use our services
(hereinafter the Platform).
General provisions
This Privacy Policy sets out the data that we collect, the reasons for which we collect the data, and
how we use and share the data. Specifically, this Privacy Policy describes our practices regarding:

How and what data do we collect
How do we use your personal data
About cookies and other identifiers
Who we share data with
International transfers
Keeping your personal data safe
How long do we retain your personal data for
Are children allowed to use Grimmor Platform
Your data protection rights
How to complain
Updating this Privacy Policy
Our contact details
You acknowledge that by using the Platform, you have reviewed the Privacy Policy. The Privacy Policy
is incorporated by reference into our Terms and Conditions. By using our Platform, you are consenting
to the practices described in this Privacy Policy.
Our Platform may contain links to and from other websites. This Privacy Policy does not apply to those
websites as they have their own privacy policies. Thus, we do not assume any responsibility or liability
for those websites. So please check their policies before you submit any personal data to those
websites.
Grimmor considers the privacy of individuals and the protection of personal data a priority and takes all
possible measures to guarantee the security and safety of the Platform.
Definitions
User (also referred as “you) means a person who creates an account on the Platform or uses the
services offered on the Platform.
Vendor means any professional brand, retailer, or individual user who lists and offers products for sale
on the Platform and acting as an independent data controller responsible when fulfilling your order,
shipping the goods, and handling returns.
Processing of personal data means viewing, collecting, recording, storing, modifying, transmitting or
receiving personal data and other operations related to personal data.
Personal data is any data from or about an identified or identifiable person but does not include
aggregated or anonymized data.
Platform means virtual buying and selling environment offered in the Grimmor mobile application and
www.grimmor.com including services provided by Grimmor through the Platform for account creation,

management, mediation of purchase and sale transactions and other services described in the Terms
and Conditions.
How and what data do we collect?
To use the Platform and our Virtual-try on functionality, you need a Grimmor account. For this, you
need to register as a User on Grimmor mobile application. This means that you enter into a legally
binding agreement with us.
When you use our Platform, we collect and process the following personal data about you.
(1) Personal data you provide us. When you create an account, use the Platform, or
communicate with us, we collect the information you provide directly.
The information you provide us with includes, without limitation, the following information:
● Account registration data includes your name, email address, phone number, and
password when you sign up.
● Virtual Try-On Data. To use this feature, you provide photos of your face and body,
and input body measurements (height, weight, shoe size) and outfit preferences. We
use this data solely to visualize clothing fit and do not use it to uniquely identify or
authenticate you (i.e., we do not process biometric data for identification purposes).
● Purchase & Delivery Data. When you buy a product, you provide your name, email
address, phone number, shipping and billing address (for delivery coordination).
● Communications and feedback. Information you provide to subscribe to our
newsletters, updates and other special offers, including your email address and the
subject for which you wish to receive information about (marketing preferences), or
any other information you decide to provide us with. You may always unsubscribe
from these emails by following the instructions included. Also, information you provide
when you contact support or respond to surveys.
● User Content. Any photos, comments, or messages you voluntarily post on the
Platform. Please be aware that if you disclose personal data in public areas of the
Platform, you do so at your own risk.

(2) Data we receive from other sources and generated data. We may receive data about you
from third parties or generate data during your use of the Platform:
● Your order’s invoice from Vendor to enable you to keep record of your purchases and
easily manage information for any claims you might decide to proceed with.
● Payment service providers. We only receive and store limited payment data including
amount, currency, payment status, payment method, transaction reference number
and risk score generated by our payment service providers to ensure security. We do
not receive full card details.
● Delivery information. From Vendors and shipping providers, we receive tracking IDs
and delivery status updates.
● Usage, device, and attribution data from analytics providers to help us understand
how our Platform is used and how users find Grimmor.
● Campaign and referral information from marketing and social media platforms.
● Social login data. If you log in via Apple or Google, we receive your name and email
address as permitted by your settings.
● Fraud and security signals from service providers to protect our Platform.
We do not receive or store passwords, or private messages from these third parties.
(3) Automatically collected personal data. Most of the data we collect is technical in nature and
processed automatically via SDKs and APIs. The data we collect by automated means may
include, without limitation:

● Device information, including IP address, device type, manufacturer, and model,
operating system and app version, language, time zone, and region, unique device or
app identifiers.
● Usage and interaction data, including features used and actions taken in the app,
searches performed, looks viewed, liked, commented on, or shared, items added to or
removed from shopping carts or wishlists; subscription, credit, and wallet activity.
● Media and AI usage data, including metadata associated with uploaded photos and
AI-generated images; information about AI generation requests (such as time, type of
generation, and technical parameters), performance and quality data related to AI
processing.
● Network and approximate location information, including approximate geographic
location (such as country, city, or region) derived from IP address, network connection
types and basic connectivity information. We do not collect precise GPS location or
scan nearby Wi-Fi or Bluetooth devices.
● Analytics data, including unique device identifiers, IP addresses, and usage data
regarding your interactions with the app to analyze performance and user behavior.

How do we use your personal data?
We process personal data to enable User to use the Platform, including for mediation of purchase and
sale transactions, administer your Grimmor account, also when it is necessary for the administration of
the Platform and to optimise your experience, improve and develop the Platform.
For each purpose we process personal data for, we must have legal grounds (known as a ‘legal basis’)
under data protection law. Next short explanation gives you an overview about each ‘legal basis’ that’s
helps you to understand the explanation below:
● Performance of a contract: when it is necessary for Grimmor (or a third party) to process your
Personal Data to provide you with the services we promised you under Grimmor Terms and
Conditions. Where the legal basis for processing personal data is performance of a contract,
and you choose not to provide the information, you may be unable to use the Platform.
● Consent: when we ask you to actively indicate your agreement to our use of your personal
data for a certain purpose which you have been informed of. Where we rely on consent to
process your personal data, you can withdraw your consent from such activities at any time.
Withdrawal of the consent does not affect the lawfulness of any processing which took place
prior to you giving us your consent.
● Legitimate interests: when we process your personal data relying on legitimate interest. This
includes our commercial and non-commercial interest in providing an innovative, personalised
and safe service to you, and other third parties. If you would like more information about this,
please contact us using the methods set out in this Privacy Policy.
● Compliance with legal obligations: when we must process personal data to comply with a law
or regulation in the markets we operate in, such as to comply with our obligations under tax
and accounting laws or when we are obliged to give personal data to law enforcement
agencies.
Grimmor uses personal data for the following purposes depending on how you interact with us, which
Grimmor services you use, and based on your activity across the devices where you log in to or
interact with Grimmor:

Order fulfillment and delivery. We collect and process your data including your name,
addresses, phone number, and order details, like the products you are buying, the size and
price. This is necessary to transfer the relevant information to the Vendor, who is responsible
for arranging the delivery and fulfilling your order. Legal basis is the performance of a contract
with you. After the order is placed, we retain your order history in your User account to provide
you with an overview of your purchases or sales (performance of contract) and to comply with
our accounting and legal obligations regarding the transaction if this legal obligation lies on us.
To provide Platform and services. To provide you with the services and operate the
Platform. This includes creating and maintaining your account, displaying your purchase

history and order status in one central location, and facilitating secure payment options when
you shop. We need to process this data to fulfill our obligations to you under the Terms and
Conditions and to facilitate your purchases.

To process your payment and prevent fraud. When you make a payment, your payment
data (including credit or debit card number, cardholder’s name and CVV) is transmitted
directly to our authorised payment service providers via secure encrypted connection. We do
not store your raw payment card information. However, to manage the transaction and ensure
security, we receive and store payment confirmation details, including the amount, currency,
payment method, transaction reference number, and fraud risk indicators (risk score) provided
by the payment processor. To process your payment and facilitate the order our legal basis is
the performance of a contract. To detect and prevent fraud and misuse of the Platform using
the transaction data and risk scores is our legitimate business interest in protecting our
Platform, our Vendors, and our Users. We also retain transaction records based on our legal
obligation (tax and accounting laws).
To provide personalized experience. To verify your preferences and recommend features or
products that match your style (such as “Outfit of the Day”) directly within the Platform. We
analyze your browsing behavior and outfit selections to tailor the content you see. We may
process for this your browsing history, device data, shopping preferences, outfit styles
selected, internal identifiers. The legal basis is the performance of a contract as our Platform’s
core service is styling.
Direct marketing and newsletters. To send you newsletters, special offers, and promotional
materials via email or push notifications. For this, we process your name, email, purchase
history, browsing history and behavior, device data, shopping and outfit styles preferences,
internal identifiers and country. The legal basis is your consent.
You may withdraw your consent and unsubscribe from marketing communications at any time
by modifying your preferences in your account profile or by clicking the “unsubscribe” link in
any promotional email. Withdrawal of consent does not affect the lawfulness of processing
based on consent before its withdrawal. After you withdraw your consent, we will stop sending
you marketing communications, but we may continue to process your personal data for other
purposes where we have a different legal basis (such as order fulfilment or compliance with
legal obligations).
To provide you with the Virtual-Try-On Feature, recommend you the sizes and customized
outfits.
To provide you with this service we use a third-party AI model, an artificial intelligence and
image processing algorithms to analyze your photo and body measurements and render the
clothing on your photo. This processing is necessary to provide you with the service (i.e., to
deliver the Virtual-Try-On service you have requested). We process your photos and body
measurement data based on your consent. You provide this consent when you voluntarily
upload a photo to use the Virtual Try-On feature.
Your photos and body measurements are solely used to generate a visual simulation of how
selected clothing items would fit your body shape. We strictly do not use this data to identify
you in other contexts, nor do we cross-reference it with other databases or share it with third
parties for surveillance or identification purposes. We do not create or store unique biometric
face templates for the purpose of identification. Our technology is strictly limited to visual
fitting. We do not analyze your photos to detect emotions, personality traits, or health
conditions. Therefore, this processing does not qualify as ‘facial recognition’ or processing of
‘biometric data’ under Article 9 of the GDPR or the Council of Europe Guidelines.
The Virtual Try-On feature uses automated processing (AI algorithms) to generate visual
simulations. The AI try-on feature generates an illustrative visualisation using a personalised
avatar. To enhance visual appeal and professionalism, the try-on image might undergo pose
refinement and background replacement. It means that your images may be automatically
adjusted by the AI (e.g. lighting, posture) solely to enable this visualisation.
This processing does not involve automated decision-making that produces legal effects or
similarly significantly affects you. The results are purely visual recommendations to assist your

shopping experience, and all purchase decisions remain entirely within your control. You are
free to ignore the recommendations and make your own choices.
You can withdraw your consent at any time by deleting your photo on the Platform.

To provide you with customer services and to communicate with you about our services
and your transactions, including when you contact us to help you to solve any issue you have
with our Services or about your account or with any other User, and to let you know about the
changes in our policies and terms, we might use your name, email, order history, partial
payment information, addresses and your contact history with us. The legal basis is the
performance of a contract with you and our legitimate interests in retaining you as a customer.
To track and implement your settings and privacy preferences with Grimmor so that each
time you return to your account or log-in you may enjoy previously selected settings. The legal
basis is our legitimate interest to ensure the functionality, usability, and convenience of the
Platform and legal obligation to comply with data protection laws by remembering your choice
to accept or reject cookies/tracking.
To obtain feedback from you regarding the Platform, we process your name, email, phone
number, and your response to our inquiries about the quality of the Service and your contact
history with us. Legal basis is our legitimate interest in improving the quality of our services,
developing the Platform features, and understanding User experience.
To administer, optimise and develop our Platform and services, we use your device data,
including IP address, device type, manufacturer, model, operating system, app version,
language, time zone, region, unique device, advertising, or app identifiers. The legal basis is
our legitimate interest in running our business.
For research and analysis. To produce aggregated statistical reports, we may use your
order history, followers, following, likes, closet items and favorites, provided that the result of
such reports do not identify you. The legal basis is our legitimate interest in running our
business and improving our website.
For legal proceedings and compliance with the law. We may process your data to comply
with applicable law (including retaining records of your consents to demonstrate compliance)
or respond to valid legal requests, including court orders, requests from law enforcement or
other compulsory disclosures, and to enforce our Terms and Conditions or other policies also
to further our legitimate interest in protecting our rights, property, or safety and the rights,
property and safety of the Platform, our users or the public. The legal basis is either legal
obligation or our legitimate interest (e.g., for the establishment, exercise, or defense of legal
claims).
About cookies and other identifiers
To enable our systems to recognize your browser or device and to provide and improve Grimmor
Platform, we use cookies and other identifiers.
For more information about cookies and how we use them, please read our Cookies and Similar
Technologies Policy.
Who we share your data with
In certain circumstances, we may share your personal data with third parties without further notice to
you, unless legally required, including without limitation in the situations below:
Sharing with Vendors. Since Grimmor acts as a marketplace connecting you with fashion
brands who act as Vendors, we must share certain data regarding your purchase. Purpose of
this is to enable the Vendor to fulfill your order and arrange the delivery of your goods. For this
purpose, we share your name, contact data (phone number, email address), shipping
address, order details and delivery instructions if you have provided these. Please note that

the Vendor acts as an independent data controller regarding your order fulfillment and
shipping.

Sharing with other third parties. We rely on carefully selected third-party service providers
to help us operate the Platform and provide our services. These parties process data on our
behalf and strictly under our instructions:
o To ensure your order reaches you, we may transfer your shipping address and
contact details to the Vendor and their designated delivery service providers. As the
Vendor is responsible for the fulfillment and shipping of your goods, this data transfer
is strictly necessary to perform the delivery contract.
o Payment service providers that we use to process your payments securely. Note that
payment providers typically act as independent controllers for the financial transaction
data. When you make a payment, we encourage you to read the service provider’s
privacy policy as this applies to the processing of your personal data.
o Analytics and search engine providers, like Google, help us understand how the
Platform is used.
o Customer service management providers that allow us to provide our customer
services and improve and manage your customer experience.
o Marketing/advertising tools providers that help us improve our marketing.
o Cloud infrastructure and storage providers to host the Grimmor Platform and to store
and deliver user content, including uploaded photos and AI-generated images.
o To provide Virtual try-on and AI-generated imagery, we use specialized third-party
technology providers that help us process your photos and body measurements to
generate the virtual try-on visualization.
To comply with legal requests and to prevent harm. We share your personal data when it
is necessary to (a) comply with applicable law or respond to, investigate, or participate in valid
legal process and proceedings, including from law enforcement or government agencies or
other public and government authorities, which may include authorities outside your country of
residence; (b) to secure and protect the services, rights, privacy, safety, and property of
Grimmor, you, and others, including against malicious or fraudulent activity; (c) to enforce or
investigate potential violations of our terms or policies and (d) to resolve disputes and enforce
agreements. Where we consider it appropriate, and provided we are not prohibited from doing
so by law or court order, we will attempt to notify you of these legal demands.
Aggregated data with third parties. We may aggregate your data with the data of other
customers, creating a dataset of data about the usage of our website, purchase of products,
and other general, grouped data about our customers. The legal basis is our legitimate
interest in understanding the usage of our Platform and demand for our services.
This dataset is aggregated and anonymised in such a way that you as an individual cannot be
identified or re-identified. Once properly anonymised, this data is no longer considered
personal data under GDPR. As it provides valuable insight into the use of our Platform, we
may share it with select third parties. These parties may include Vendors (to allow them to
better stock products), and our investors.
Other users. When you share, post or like content publicly or to the other Users on the
Platform.
In case we are considering a corporate transaction. If we enter or intend to enter a
transaction that modifies the structure of our business, such as reorganization, merger, sale,
change of control, or other disposition of all or part of our business, assets, or stock, we may
share your data with third parties in connection with such transactions. If we buy or sell any
business or assets, your personal data may be one of the assets that are transferred.
International transfers
By using our Platform, you understand and acknowledge that your personal information will be
transferred from your location to facilities and servers in the EU/EEA.
Users’ personal data is primarily processed within the European Union. In certain situations, such as
when we share your information with Vendor or third-party service provider, your personal data may

be transferred outside EU/EEA. In such cases, we ensure appropriate safeguards are in place,
including:
● Standard Contractual Clauses approved by the European Commission. This means that the
recipient guarantees that the level of protection for your personal data afforded by the relevant
data protection laws still applies, and that your rights are still protected. In these cases, we
also assess whether there are laws in the recipient country that affect the protection of your
personal data. Where necessary, we take technical and organizational measures so that your
data remains protected during the transfer to the relevant country.
● Adequacy decisions confirming the third country provides adequate protection. If the relevant
authority (e.g. the EU Commission) has decided that the country to which your personal data
is transferred has an adequate level of protection, which corresponds to the level of protection
afforded by the relevant data protection laws. This means, for example, that personal data is
still protected from unauthorized disclosure, and that you may still exercise your
rights regarding your personal data.
● Data Privacy Framework. If the transfer is covered by a relevant data privacy framework, such
as the EU-US Data Privacy Framework (dataprivacyframework.gov), which is an opt-in
certification scheme for US companies, administered by the US Department of
Commerce. Data privacy framework includes sets of enforceable principles and requirements
that must be certified to company, ensuring that your data is still being sufficiently protected.
Keeping your personal data safe
Grimmor takes necessary measures to provide a level of security appropriate to the risk associated
with processing Personal Data. We maintain organizational, technical, and administrative measures
designed to protect the Personal Data covered by this Privacy Policy from unauthorized access,
destruction, loss, alteration, or misuse. However, no method of transmission over the Internet, and
method of electronic storage, can be totally secure. This means also Grimmor cannot guarantee the
absolute security of your Personal Data.
Therefore, Grimmor encourages you to assist us in protecting your Personal Data. If you have an
account with Grimmor, you can do so by using a strong password, safeguarding your password
against unauthorized use, and avoiding using identical login credentials for other services or accounts.
If you have any suspicions that your Grimmor account’s security has been compromised, please
contact us immediately.
We have implemented appropriate technical and organisational controls to protect your Personal Data
against unauthorised processing and against accidental loss, damage or destruction. These measures
include:
● Encryption of personal data in transit and at rest,
● Secure access controls and authentication mechanisms,
● Segmentation of production systems and restricted access to databases,
● Regular security updates, vulnerability management, and patching,
● Logging and monitoring of system activity,
● Secure backup and recovery procedures and
● Use of reputable cloud infrastructure and data storage providers.
Access to personal data is strictly need-based and related to the fulfilment of Grimmor employees’
obligations arising from the employment contract or job description. In certain cases, limited access to
personal data may also be granted to Vendors and service providers who provide us with specific
services (e.g. cloud hosting providers, payment processors, customer support tools, analytics
providers, and AI and image-processing service providers).

How long do we retain your personal data for?
We keep your personal data only as long as necessary to provide you with Grimmor Platform and
services and for the purposes described above or as long as you decide to erase it. This means that
the retention periods will vary according to the type of personal data and the reason that we have
collected it in the first place.
● We retain your personal data for as long as you have an account with Grimmor and you keep
using our services or we have your consent if the processing is consent-based. We retain your
personal data until you remove/delete it or ask us to do it for you, except for data we are
required to retain by law (such as transaction history). It’s your right to request that we delete
your certain data or an account.
● If you have not logged in or used your account for a period of 2 years, your account will be
automatically deactivated. We will send you a notification email 30 days before deactivating
your account. Following deactivation, your account will be kept in a suspended state for 3
months. During this time, you may contact us at privacy@grimmor.com to request the
reactivation of your account. If we do not receive a reactivation request within this period, your
account and personal data will be permanently deleted, except for data we are required to
retain by law (such as transaction history).
● We retain data in the event of disputes until the claim is resolved or the statutory limitation
period for such claims expires (typically 3 years under Estonian law for contractual claims,
unless a different period applies).
● We retain data about instant messages between you and the Customer Support Team directly
in the Grimmor Platform for 12 months, except in cases where messages are related to a
reported incident or in the event, they are related to a dispute, in which cases we will store
them for 3 years from the date the matter is closed.
Please note that even if you delete your account or it is deactivated due to inactivity, we are required
to retain certain personal data to comply with our legal obligations and to protect our legitimate
business interests. We will not retain your data for longer than is necessary for these purposes.
Specifically, we retain data in the following cases:
● Legal Claims and Consumer Disputes: We may retain data related to your orders and
contracts (e.g., purchase history, correspondence regarding claims) for 3 years after the
transaction to settle any potential disputes in accordance with the statutory limitation periods
under Estonian law.
● Enable fraud monitoring, detection, and prevention activities.
● Accounting and Tax Compliance. To comply with our tax, accounting, and financial reporting
obligations, including when such retention is required by our contractual agreements with our
financial service providers (and where data retention is mandated by the payment methods
you’ve used). Financial and accounting records are retained for 7 years to comply with
Estonian tax and accounting legislation.
Please note that uninstalling the Grimmor mobile application from your device does not automatically
delete your personal data from our systems. Your account and data will remain active. If you wish to
delete your account and personal data, please contact us at privacy@grimmor.com or use the account
deletion function in your account settings.
For more information on how long we store your personal data or the criteria we use to determine this
please contact us.

Are children allowed to use Grimmor Platform?
Our Platform is not intended for Users under the age of 18. We do not knowingly collect personal data
from children under 18. By using our Platform, you confirm that you are at least 18 years old.
If we become aware that anyone under the age of 18 has submitted personal data to our Platform, we
will delete that data immediately and will not use it for any purpose whatsoever. If you believe we have
inadvertently collected data from a child, please contact us immediately at privact@grimmor.com.
Your data protection rights
Under GDPR, we must have a “lawful basis” for collecting and using your personal data. Which lawful
basis we rely on may affect your data protection rights which are set out in brief below.
(a) Right to access. You have the right to ask us for copies of your personal data. You
can request other data such as details about where we get personal data from and
who we share personal data with.
(b) Right to rectification. You have the right to ask us to correct or delete personal data
you think is inaccurate or incomplete.
(c) Right to erasure. You may also request that your personal data be erased subject to
certain statutory exceptions if the personal data is no longer necessary for the
purposes for which it was collected, or if you consider that the processing is unlawful
or wish to erase your account and profile in our Platform. For example if you think that
your data has been used without your consent, like somebody has used your photos
unlawfully, you can submit us a complaint, explain the situation and request restriction
of processing and erasing of data; we will investigate your complaint and may restrict
processing at first and after the investigation erase contested data.
(d) Right to restriction of processing. In some cases, you have a right to ask us to limit
how we can use your personal data.
(e) Right to object to processing. You are entitled to object to processing of personal
data, if the processing of your personal data is based on legitimate interest.
(f) Right to data portability. You have the right to ask if we transfer the personal data
you gave us to another organisation, or to you.
(g) Right to withdraw your consent. In cases where the processing is based on your
consent, you have the right to withdraw your consent at any time. You have the right
to opt out of receiving promotional communications at any time by following the
instructions in those communications.
(h) File a complaint. If you have any concerns regarding the processing of your personal
data, you have the right to lodge a complaint with the Estonian Data Protection
Inspectorate (“AKI”) who is our lead supervisory authority or your local data protection
authority. You can find their contact details on their websites. You may also have a
right to seek a judicial remedy.
To make a data protection rights request, please contact us at privacy@grimmor.com.
If you make a request, we must respond to you without undue delay and in any event within
one month.
How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us at
privacy@grimmor.com.
When submitting a complaint, please include your contact details, a description of your concern and
any relevant supporting information.
We will answer your request within a reasonable time, but no later than one month after receiving the
request.
If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian
Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local data protection authority, as
explained in the “Your data protection rights” section.
To protect your personal data from unauthorized access or deletion, we may require you to verify your
identity before we process any request to know or delete personal data. If we cannot verify your
identity to our satisfaction, we will not provide or delete your personal data.
Updating this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our privacy practices. If we
make any significant changes and affect how your data may be processed, we will notify you (via this
page or any of the means you provided us with).
We encourage you to periodically review this page for the latest data on our privacy practices.
The updated Privacy Policy will be effective as of the time of posting, or such later date as may be
specified in the updated Privacy Policy.
Our contact details
If you have any questions about our Privacy Policy or any other privacy related issue, please contact
us at privacy@grimmor.com.
Grimmor OÜ contact information:
Jõe street 3-315
10151, Tallinn
Estonia