Data Processing Addendum

Last updated: 14 May 2026

This DPA forms part of the Terms of Service between you (the "Controller", typically a Shopify merchant) and VirtualClothingTryOn.com ("Processor"). It governs processing of personal data under UK GDPR and EU GDPR (Regulation 2016/679).

1. Subject matter and duration

We process personal data on your behalf for the duration of your subscription and for up to 30 days after termination, after which all personal data is deleted or anonymised.

2. Nature and purpose

Operating the AI virtual try-on service, including generating try-on images, estimating body measurements, recommending sizes, and serving the widget on your Shopify storefront.

3. Categories of data subjects

  • Your store's shoppers who use the try-on widget.
  • Your staff users with dashboard access.

4. Categories of personal data

  • Shopper photos uploaded for try-on (special category — biometric, when present).
  • Estimated body measurements derived from those photos.
  • IP address, user agent, and an anonymous session id.
  • Shopify shop domain, order ids referenced for analytics, staff email addresses.

5. Sub-processors

We use the following sub-processors:

  • Supabase Inc. — database, auth, object storage (EU region).
  • Cloudflare, Inc. — edge compute and CDN.
  • fal.ai — AI inference for try-on generation.
  • Google LLC — Gemini AI gateway models, Google Analytics 4.
  • OpenAI, L.L.C. — fallback AI models.
  • Klaviyo, Inc. — transactional and marketing email (only if you connect it).
  • Shopify Inc. — billing API and OAuth.

We will give you 30 days' notice of any new sub-processor. You may terminate without penalty if you object.

6. Security measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access with row-level security on all merchant-scoped tables.
  • Secrets stored in managed secret stores; no secrets in code.
  • Audit logs of admin operations retained for 90 days.
  • Background checks and least-privilege access for staff.

7. International transfers

Data is primarily processed in the EU and UK. Transfers to the US (e.g. OpenAI, Cloudflare US edges) are covered by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

8. Data subject requests

We assist you in responding to access, deletion, and portability requests within 7 days. Shopify customer-data redaction webhooks (customers/redact, shop/redact) are honoured within 48 hours, in line with Shopify's requirements.

9. Breach notification

We notify you without undue delay (and within 72 hours) of any personal data breach affecting your data, with the information you need to meet your own notification obligations.

10. Audits

We provide on request our latest SOC 2 / ISO 27001 reports (when available) and a written security questionnaire response. On-site audits are available to enterprise customers under reasonable notice.

11. Contact

DPO and privacy contact: privacy@virtualclothingtryon.com