Legal
Effective Date: 1 April 2026 · 5SEC Ltd
Important: 5SEC collects and processes sensitive personal data including facial photographs, body measurements, and AI-generated biometric analysis. Please read this policy carefully before using our services. By submitting any photograph or body measurement data, you explicitly consent to the processing described in this policy.
Contents
5SEC Ltd ("5SEC", "we", "us", or "our") operates the 5SEC platform and services, accessible at 5sec.app and related subdomains. We provide personal styling, wardrobe management, colour analysis, fit profiling, and related advisory services.
For the purposes of applicable data protection law, 5SEC Ltd is the data controller responsible for the personal data you provide to us. Our principal place of business is New York, NY, United States.
For all privacy-related enquiries, data subject requests, or complaints, contact our Data Protection contact at: [email protected].
We collect the following categories of personal data, depending on the services you use:
Name, email address, username, password (hashed), account creation date, and authentication tokens.
Email correspondence, support messages, booking enquiries, and any information you voluntarily provide when contacting us.
Payment method type, billing address, transaction identifiers, and order history. We do not store full card numbers or CVV codes. Payment processing is handled by PayPal (see Section 7). We retain transaction records for legal and accounting purposes.
Lifestyle questionnaire responses including work style, social context, travel frequency, dress level preferences, age, and personal style preferences provided during onboarding or assessment.
Physical measurements you provide or that are derived from analysis, including but not limited to: height, weight, shoulder width, chest circumference, waist circumference, hip circumference, inseam length, neck circumference, thigh circumference, and posture classification. This data is used exclusively to generate your fit profile.
Facial photographs and full-body photographs submitted for colour analysis, fit analysis, and wardrobe profiling. This data is classified as sensitive personal data and is subject to additional protections described in Section 3.
Derived data produced by our automated analysis systems, including: skin undertone classification, skin tone depth (Fitzpatrick scale), colour saturation classification, fit profile archetype, silhouette type, proportion analysis, wardrobe archetype, and associated recommendations. This derived data is linked to your account and profile.
IP address, browser type and version, device type, operating system, pages visited, time on page, referral source, and interaction events. Collected via server logs and analytics tools.
This section is particularly important. Please read it carefully.
5SEC processes data that may constitute biometric data and special category personal data under applicable law, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Illinois Biometric Information Privacy Act (BIPA) where applicable.
The following data we collect is classified as sensitive or biometric:
We collect and process biometric and photographic data only with your explicit, informed consent. You provide this consent at the point of data submission (during the assessment or onboarding flow) by actively confirming your agreement to this policy. You may withdraw consent at any time — see Section 10 for your rights.
Withdrawal of consent for biometric data processing will result in the deletion of your photographs and AI-derived analysis from our systems. It may affect the quality or availability of personalised recommendations.
Biometric and photographic data is used exclusively for the following purposes:
We do not use biometric data for identity verification, surveillance, marketing profiling, or any purpose beyond the personalised styling services described above.
Photographs and biometric-derived data are stored in encrypted cloud storage (Amazon S3 with server-side AES-256 encryption). Access is restricted to authorised personnel on a strict need-to-know basis. We do not store raw facial geometry, facial recognition templates, or fingerprint data.
We do not sell, lease, trade, or otherwise profit from your biometric data or photographs. We do not share biometric data with third parties except as strictly necessary to provide the service (e.g., cloud storage providers acting as data processors under written contract).
If you are an Illinois resident, you have rights under the Illinois Biometric Information Privacy Act (BIPA). Our biometric data retention schedule provides for deletion of biometric identifiers within 3 years of collection or within 1 year of your last interaction with us, whichever is earlier. You may request earlier deletion at any time by contacting [email protected].
We use your personal data for the following purposes:
| Purpose | Data Used |
|---|---|
| Providing and managing your account | Account & identity data |
| Processing payments and managing subscriptions | Payment & transaction data |
| Generating your colour, fit, and wardrobe profile | Photos, measurements, questionnaire, AI analysis |
| Delivering personalised recommendations | Profile data, AI analysis, lifestyle data |
| Enabling stylist review and consultation | Photos, measurements, profile data |
| Sending service communications (receipts, updates, onboarding) | Email, account data |
| Responding to support enquiries | Contact & communication data |
| Improving our analysis engines (anonymised only) | Aggregated, anonymised usage data only |
| Complying with legal obligations | As required by applicable law |
| Fraud prevention and platform security | Usage & technical data, account data |
We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human review. All profile outputs are reviewed by Professor Nedo Bellucci or an authorised stylist before delivery.
Processing your account data, payment data, and service delivery data is necessary to perform the contract between you and 5SEC (your membership or assessment purchase).
Processing biometric data, photographs, and AI-derived sensitive data is based on your explicit, freely given, specific, informed, and unambiguous consent. You may withdraw this consent at any time without affecting the lawfulness of processing prior to withdrawal.
Processing usage data for fraud prevention, platform security, and service improvement is based on our legitimate interests, balanced against your privacy rights. We do not rely on legitimate interests for sensitive data processing.
Retaining transaction records and certain account data to comply with tax, accounting, and anti-money-laundering obligations.
When you submit a selfie or photograph, our AI system analyses visual characteristics including skin undertone (warm/cool/neutral), skin tone depth (Fitzpatrick scale 1–6), and colour saturation (bright/muted). These outputs are combined with your questionnaire responses to generate your colour profile.
All AI-generated profiles are reviewed by Professor Nedo Bellucci or an authorised stylist before being released to you. The AI output is a starting point for expert review, not a final automated decision. You are informed of this review process at the point of assessment submission.
If you believe your AI-generated profile is inaccurate, you have the right to request human review, correction, or deletion of the analysis. Contact us at [email protected] with your request.
Our AI analysis is powered by large language model services. Photographs submitted for analysis are transmitted to these services under data processing agreements that prohibit retention for training purposes. See Section 7.
We do not sell your personal data. We share data only with the following categories of recipients:
Professor Nedo Bellucci and designated 5SEC stylists have access to your profile data, photographs, and measurements for the purpose of reviewing and refining your profile. All personnel are bound by confidentiality obligations.
We may disclose personal data to law enforcement, regulators, or courts where required by applicable law, court order, or to protect the rights, property, or safety of 5SEC, our users, or the public.
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you before your data is transferred. Biometric data will not be transferred without your renewed explicit consent.
5SEC operates from the United States. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, your data may be transferred to and processed in the United States.
We ensure such transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable. You may request a copy of the transfer safeguards applicable to your data by contacting [email protected].
| Data Category | Retention Period |
|---|---|
| Account & identity data | Duration of account + 2 years after closure |
| Payment & transaction records | 7 years (legal/accounting obligation) |
| Photographs (facial & body) | Active membership + 1 year, or 3 years from collection, whichever is earlier. Deleted immediately on request. |
| AI-derived biometric analysis | Same as photographs. Deleted with photographs on request. |
| Body measurements | Active membership + 1 year after cancellation |
| Questionnaire & lifestyle data | Active membership + 1 year after cancellation |
| Usage & technical data | 13 months from collection |
| Support communications | 3 years from last interaction |
| Book waitlist email | Until publication or until you unsubscribe |
When retention periods expire, data is securely deleted or anonymised. You may request earlier deletion at any time (subject to legal retention obligations).
Depending on your jurisdiction, you have the following rights. We respond to all verified requests within 30 days.
Right of Access
Request a copy of all personal data we hold about you, including photographs, measurements, and AI analysis.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure ('Right to be Forgotten')
Request deletion of your personal data, including all photographs and biometric analysis. Certain data may be retained where required by law.
Right to Withdraw Consent
Withdraw consent for biometric data processing at any time. This does not affect the lawfulness of prior processing.
Right to Data Portability
Receive your personal data in a structured, machine-readable format where technically feasible.
Right to Restrict Processing
Request that we limit how we use your data while a dispute is resolved.
Right to Object
Object to processing based on legitimate interests.
Right Not to Be Subject to Automated Decisions
Request human review of any AI-generated profile or recommendation.
CCPA Rights (California Residents)
Right to know, right to delete, right to opt out of sale (we do not sell data), right to non-discrimination.
BIPA Rights (Illinois Residents)
Right to deletion of biometric identifiers within the retention schedule.
To exercise any of these rights, contact us at [email protected] with the subject line "Data Subject Request — [Right Type]". We may ask you to verify your identity before processing the request.
If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. We do not collect biometric data from minors under any circumstances. If you believe a minor has provided us with personal data, contact us at [email protected] and we will delete the data promptly.
We implement the following technical and organisational security measures:
No method of transmission over the internet is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant authorities as required by law.
We may update this Privacy Policy from time to time. When we make material changes — particularly to how we process biometric or sensitive data — we will notify you by email and display a prominent notice on the platform at least 30 days before the changes take effect.
Your continued use of our services after the effective date constitutes acceptance of the updated policy. Previous versions are available on request.
For all privacy-related enquiries, data subject requests, consent withdrawals, or complaints:
We aim to respond to all data subject requests within 30 days. For urgent biometric data deletion requests, mark your email: "URGENT — Biometric Data Deletion Request".
This Privacy Policy was last reviewed and updated on 1 April 2026. 5SEC Ltd · New York, NY, United States · [email protected]