Back to Vestie

Privacy Policy

Effective date: June 19, 2026

Vestie helps fashion brands turn Instagram content and shop products into a digital Storefront. This Privacy Policy explains how Vestie collects, uses, stores, and deletes personal data when you use Vestie, including data received from Meta and Instagram.

Vestie Spółka z ograniczoną odpowiedzialnością is the controller of the personal data described in this Privacy Policy. Its registered address is ul. Wielicka 42/B3, 30-552 Kraków, Poland, KRS 0001243423, NIP 6793366991, REGON 544842597.

For the Storefront analytics described in this Privacy Policy, Vestie determines the purposes of the processing, including evaluating Storefront performance, improving the product, making business decisions, and preparing performance reports for brands. The brand operating the website remains separately responsible for its own website processing and its use of the reports Vestie provides.

For privacy questions or requests, contact us at wojtek@vestie.io.

1. Data We Collect

Data You Provide To Vestie

When you create a Vestie account, you must provide your email address and shop website URL. Vestie cannot create or operate your account without this information. If you contact us, we also receive the contents of your message and the contact information you use.

When you use Vestie Creations, you may upload product photos for AI image generation.

Data We Receive From Instagram And Meta

Vestie uses Instagram API with Instagram Login. Instagram Login is currently the only way to sign up or log in to Vestie.

When you connect an Instagram professional account, Vestie requests the following Meta permissions:

  • instagram_business_basic
  • instagram_business_manage_insights

Vestie uses instagram_business_basic to authenticate you, create your Vestie profile, and import Instagram posts used to generate your Storefront. From this permission, Vestie stores:

  • Instagram username;
  • Instagram display name;
  • Instagram user ID;
  • Instagram account type;
  • imported Instagram posts;
  • post captions;
  • cached media files in Cloudflare R2.

Vestie uses instagram_business_manage_insights only to understand media-level/post-level performance. Vestie does not use this permission for general account analytics. From this permission, Vestie stores:

  • likes count;
  • comments count;
  • saves count;
  • a server-side Vestie score derived from post performance.

Vestie may fetch reach and shares to calculate the Vestie score, but reach and shares are not stored as separate metrics.

Shop And Product Data

To generate a Storefront, Vestie scans and stores product data from the connected shop, including product images, names, prices, URLs, availability, and descriptions.

Authentication And Technical Data

We collect technical data needed to operate and secure Vestie, including:

  • login and session data;
  • Instagram tokens needed to refresh imported Instagram data;
  • account approval status and authorization metadata;
  • device, browser, and usage data;
  • server logs;
  • error reports.

Operational server logs are not stored as a separate long-term user database. They may exist temporarily as part of normal server/container operation for debugging, security, and reliability.

Storefront Visitor Data

When visitors interact with a Storefront, Vestie collects pseudonymous product and interaction metrics, including popup views, CTA clicks, popup visible duration, hover counts, product CTR derived from views and CTA clicks, pseudonymous session events, and referrer.

Vestie uses a randomly generated identifier to measure Storefront interactions within an analytics session. Vestie treats each page lifecycle as a separate analytics session, so reloading the page starts a new session with a new identifier. The identifier is not stored in cookies, localStorage, sessionStorage, or IndexedDB for use across page loads. Vestie separately uses functional localStorage only to record whether a visitor manually closed the Storefront popup so it does not resurface automatically for 15 minutes.

2. How We Use Data

We use the data we collect to:

  • create and manage your Vestie account;
  • review and approve account access;
  • let you sign up or log in with Instagram;
  • connect your Instagram professional account to Vestie;
  • import Instagram posts needed to generate your Storefront;
  • connect Instagram content with products from your shop;
  • generate, operate, and improve your Storefront;
  • rank or prioritize posts based on post-level performance;
  • refresh imported Instagram data once per day;
  • cache media so Storefront can load reliably;
  • analyze pseudonymous Storefront interactions;
  • evaluate Storefront performance, prepare reports for the brand operating the Storefront, and guide Vestie's product and business decisions;
  • use aggregate Storefront performance statistics to demonstrate product outcomes without identifying individual visitors;
  • crawl the connected shop and import public product data;
  • generate AI marketing images through Vestie Creations;
  • provide support and communicate with you;
  • maintain security, prevent abuse, and debug technical issues;
  • comply with legal and platform obligations.

Vestie uses Instagram and Meta data only for features tied to the connected Vestie account and Storefront. We do not sell data received from Meta or Instagram.

3. Legal Bases

Where GDPR applies, Vestie relies on the following legal bases:

  • performance of a contract to create and operate your account, import Instagram content, generate your Storefront, refresh data, and provide the service;
  • legitimate interests to secure Vestie, debug issues, maintain service reliability, understand aggregate product usage, and improve Storefront performance;
  • legitimate interests to process incidental personal data visible in public brand media when needed to generate and operate a Storefront;
  • legal obligation where processing is required by law.
Data categoryPurposeLegal basisRetentionRecipients
Account email, shop URL, and Instagram profile dataLogin, account creation, Storefront operationContractUntil Storefront/account deletionCloudflare, Hetzner
Imported Instagram posts, captions, and cached mediaStorefront generation, media display, product matchingContract for providing the service; legitimate interests for incidental personal data visible in public brand mediaUntil Storefront/account deletion, subject to backup rotationCloudflare, Hetzner, Google Gemini, Voyage AI
Media insights and Vestie scorePost ranking and Storefront scoringContract, legitimate interestsUntil Storefront/account deletion; reach and shares are processed transientlyHetzner, Cloudflare
Shop product dataProduct crawling, product matching, Storefront generation, and interaction analyticsContractUntil Storefront/account deletionCloudflare, Hetzner, Zyte, Google Gemini, Voyage AI, Mixpanel
Stored Instagram tokensDaily refresh of Instagram dataContractUntil Storefront/account deletion or loss of accessHetzner
Creations source photos and generation metadataGenerate AI marketing images and operate, secure, and monitor the Creations featureContract; legitimate interests for service reliability and cost monitoringSource and generated images are not persisted by Vestie; generation metadata is retained until Storefront/account deletion; Gemini may retain submitted content for up to 55 daysGoogle Gemini, Hetzner
Storefront visitor metricsStorefront measurement, brand performance reporting, product improvement, business planning, and aggregate demonstration of product outcomesLegitimate interestsTwo years in Mixpanel; the popup-close value is retained for 15 minutesMixpanel, Cloudflare, and the brand operating the relevant Storefront
Error and operational dataDebugging, reliability, securityLegitimate interestsTemporarily in operational logs and according to provider retentionSentry, Hetzner

4. Stored Data And Transient Processing

Vestie stores the data needed to operate your account and Storefront. This includes:

  • account email address;
  • shop URL;
  • Instagram username;
  • display name;
  • Instagram user ID;
  • Instagram account type;
  • imported posts;
  • captions;
  • cached media files;
  • likes count;
  • comments count;
  • saves count;
  • Vestie score;
  • Instagram tokens needed for data refresh;
  • account approval status and authorization metadata;
  • product images, names, prices, URLs, availability, and descriptions.
  • Creations generation metadata, including model, cost/usage information, and references to selected style posts.

Imported Instagram post data is refreshed once per day.

Some metrics are processed only temporarily. Reach and shares may be fetched to calculate the Vestie score but are not stored as separate metrics.

Creations source photos and generated image files are processed to complete the generation request but are not persisted by Vestie after the request completes.

5. How We Share Data

We do not sell personal data or share Meta/Instagram data with third parties for their own marketing or independent use.

We use service providers to host, process, analyze, secure, and operate Vestie. These currently include:

  • Cloudflare Pages for frontend hosting;
  • Cloudflare R2 for cached media storage;
  • Cloudflare vector database infrastructure;
  • Hetzner for backend hosting and server backups;
  • Mixpanel for frontend analytics and product metrics;
  • Sentry for bug and error reporting;
  • Google Gemini for AI/model processing;
  • Voyage AI for image analytics;
  • Zyte for crawling public shop and product pages.

AI/model providers may receive Instagram media, captions, product images, product names, product descriptions, product prices, product URLs, product availability, and user-uploaded product photos so Vestie can analyze images, understand product context, generate Storefront matching, and generate AI marketing images through Vestie Creations. This content may include people or other personal data visible in brand media or uploaded photos. Vestie does not intentionally send Vestie account IDs, Instagram user IDs, or internal Vestie store identifiers to AI/model providers.

Under Google's paid Gemini API terms, Google does not use Vestie-submitted prompts, files, or responses to improve Google products. Google may retain prompts, contextual information, and outputs for 55 days for abuse monitoring, service safety, security, and required legal or regulatory disclosures.

Voyage AI may receive media and product context for image analytics. Vestie's Voyage AI organization has zero-day retention enabled, and Voyage AI does not retain the submitted data for future model training.

Mixpanel receives a randomly generated identifier scoped to the current page lifecycle; device, browser, operating-system, and screen information; coarse city, region, and country; referrer and marketing attribution parameters; current page URL, domain, and path; event timestamps; Storefront interaction data; and public product context such as product URL, price, and title. The identifier is not persisted in browser storage between page loads and is not associated with a Vestie account. Mixpanel uses the request IP address to derive coarse geolocation but does not store the raw IP address as an event property under Vestie's current implementation. Sentry receives user-agent and technical diagnostic data for bug/error reporting but is not configured with a Vestie user identity.

Vestie shares Storefront performance reports with the brand operating the relevant Storefront. Vestie may also use aggregate Storefront performance statistics for business planning and to demonstrate product outcomes to prospective clients. These reports and statistics do not identify individual Storefront visitors.

Zyte receives the connected shop URL and fetches public shop and product pages so Vestie can obtain product names, prices, descriptions, images, availability, and URLs. Zyte processes this service data under its data processing agreement with Vestie.

Authorized Vestie administrators may access account and Storefront data when needed to review and approve users, operate the service, investigate technical issues, or protect Vestie.

We may also disclose data if required by law, to protect Vestie, to prevent abuse, or as part of a business transaction such as a merger, acquisition, or financing.

6. Retention

We keep account and Storefront data for as long as your Vestie account is active or as long as needed to provide Vestie.

This retention applies to accounts pending approval as well as accounts with an approved or active Storefront.

When you delete your Storefront/account, Vestie deletes active application data associated with that account immediately, including your account email address, shop URL, Meta/Instagram data, cached media, product data, stored Instagram tokens, Storefront data, insight counts, scores, and Creations generation metadata.

Limited operational logs may exist temporarily as part of normal server/container operation for debugging, security, and reliability. Hetzner server backups may contain deleted data until the relevant backup expires through the default backup rotation. Hetzner's Cloud documentation describes seven daily backup slots per server, with the oldest backup automatically deleted when a new backup is created after the limit is reached.

Cloudflare-hosted objects, cached media, and database records are retained until Vestie deletes them or they are otherwise removed under Vestie's configuration. Cloudflare operational logs and diagnostics follow Cloudflare's own retention criteria and policies.

Mixpanel automatically deletes Vestie's analytics events after two years.

Vestie uses Sentry's free Developer plan. Sentry error and diagnostic events are available for 30 days under that plan.

Google Gemini API may retain prompts, contextual information, and outputs for 55 days for abuse monitoring and service safety/security purposes. Vestie's Voyage AI organization has zero-day retention enabled.

Zyte processes shop-crawling requests and service data according to its service agreement, data processing agreement, and applicable retention criteria.

Service-provider logs, diagnostics, abuse-monitoring records, and backups may persist according to the relevant provider's retention settings. We may also retain limited records when required for legal, security, fraud-prevention, or accounting reasons.

If Instagram access is disconnected outside Vestie, Vestie may lose the ability to refresh data from Instagram. Unless you delete your Storefront/account in Vestie or send us a deletion request, Vestie may keep existing data to keep the Storefront operational.

7. Account Deletion And Data Deletion Requests

You can request deletion of your Vestie account and associated data by:

  • using the deletion option inside Vestie;
  • contacting us at wojtek@vestie.io.

To delete your Storefront/account inside Vestie:

  1. Log in to Vestie with Instagram.
  2. Click the settings icon in the top-right corner.
  3. In the Delete storefront section, click the red Delete store button.
  4. Confirm deletion by clicking Delete store again in the Delete storefront? popup.

Deleting your Storefront in Vestie also deletes the Vestie account data connected to that Storefront.

After deletion, Vestie removes active application data associated with your account, including data received from Meta and Instagram, subject to the limited log, backup, legal, and security retention described above.

Data deletion instructions are also available at vestie.io/data-deletion.

8. LocalStorage And Session-Scoped Analytics

Vestie does not use cookies, localStorage, sessionStorage, or IndexedDB to persist a Storefront analytics identifier between page loads. Mixpanel persistence is disabled. Vestie treats each page lifecycle as a separate analytics session. A randomly generated identifier exists only for that session so events within the same page lifecycle can be measured together; reloading the page starts a new session with a new identifier.

Vestie uses Mixpanel only to measure events generated inside the Storefront widget. These events include popup views, CTA clicks, popup visible duration, hover counts, session-scoped events, device/browser/operating-system and screen information, coarse city/region/country derived from the request IP address, referrer and marketing attribution parameters, current page URL/domain/path, event timestamps, Storefront interaction data, and public product context such as product URL, price, and title. Mixpanel does not store the raw IP address as an event property under Vestie's current implementation.

Vestie uses functional localStorage only to record whether a visitor manually closed the Storefront popup so it does not resurface automatically for 15 minutes. This functional value is not used to identify the visitor or measure behavior and expires after 15 minutes.

9. Security

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. These include limiting data access to service operation needs and using infrastructure providers for hosting, storage, backups, monitoring, and reliability. No online service can guarantee absolute security.

10. International Transfers

Vestie is based in Poland and uses service providers that may process data globally. Processor relationships are governed by data processing agreements. For transfers outside the European Economic Area, Vestie relies on an applicable adequacy decision or the European Commission's Standard Contractual Clauses where required. Contact wojtek@vestie.io for more information about the safeguards used for a particular provider.

Zyte may process service data in Ireland, the United States, and other countries where it operates. Zyte's data processing agreement incorporates the European Commission's Standard Contractual Clauses for restricted transfers.

11. Your Rights

If you are in the European Economic Area, you have rights to access, correct, delete, receive or transfer certain personal data under the right to data portability, or restrict the use of your personal data, subject to the conditions and exceptions in applicable law. You also have the right to object to certain processing. People in other locations may have similar rights under their local law.

To exercise your rights, contact us at wojtek@vestie.io.

If you are in the European Economic Area and believe we have not handled your request properly, you may lodge a complaint with your local data protection authority. In Poland, this is the President of the Personal Data Protection Office (UODO).

12. Children

Vestie is intended for business users and is not directed to children. We do not knowingly collect personal data from children.

13. Changes To This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and provide notice where required.

14. Contact

Vestie Spółka z ograniczoną odpowiedzialnością

ul. Wielicka 42/B3

30-552 Kraków, Poland

Email: wojtek@vestie.io