Privacy Policy for IndStudio AI Trialroom
Last Updated: October 10, 2025
Introduction
IndStudio AI Trialroom ("we", "our", "us") is a Shopify app that provides virtual try-on functionality for clothing and accessories using artificial intelligence technology. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our app.
This Privacy Policy applies to:
- Merchants who install the IndStudio AI Trialroom app on their Shopify stores
- Customers who use the virtual try-on feature on merchant stores
We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulations.
1. Information We Collect
1.1 Information Collected Through Shopify's APIs
When a merchant installs our app, we collect the following information through Shopify's APIs:
Merchant Information:
- Shop domain and store name
- Merchant contact information (email, name)
- Session tokens for authentication
- App subscription and billing information
Product Information:
- Product IDs, titles, and descriptions
- Product images and variant images
- Product category information (specifically "Apparel & Accessories > Clothing" products)
- Product URLs
We access this information to:
- Authenticate merchants and maintain their sessions
- Retrieve product images for virtual try-on processing
- Validate that products are eligible for virtual try-on (clothing items only)
- Track usage against subscription limits
API Scopes Requested:
- write_products - Used to access product images and metadata for virtual try-on processing
1.2 Information Collected Directly from Merchants
Through the App Admin Interface:
- Subscription plan selections and preferences
- Usage tracking and analytics preferences
- Support requests and communications
Automatically Generated:
- App usage statistics (number of try-ons processed)
- Error logs and diagnostic information
- Subscription usage metrics
1.3 Information Collected Directly from Customers
When customers use the virtual try-on feature on a merchant's store, we collect:
Uploaded Images:
- Customer-uploaded photos (selfies or model photos) for virtual try-on processing
- Image metadata (file name, size, format, dimensions)
- Processed/compressed versions of uploaded images
Technical Information:
- IP address (for rate limiting and fraud prevention)
- User agent string (browser and device information)
- Customer ID (if the customer is logged into the Shopify store)
- Session identifiers
Usage Information:
- Product selections for try-on
- Try-on result images generated by our AI
- Share links and share activity (when customers share results)
- Add-to-cart actions from virtual try-on results
- Timestamps of uploads and processing
No Cookies or Browser Tracking:
We do not set cookies, use localStorage, or employ third-party tracking technologies on customer-facing pages. All customer interactions are handled through our secure API endpoints.
2. How We Use the Information
2.1 Primary Purpose - Virtual Try-On Service
We use the collected information to:
- Process virtual try-on requests using an external AI API
- Generate AI-powered virtual try-on result images
- Display results to customers
- Enable sharing of results via social media
- Track conversions (add-to-cart actions)
2.2 Service Delivery and Support
We use information to:
- Authenticate and manage merchant accounts
- Enforce subscription limits and billing
- Provide customer support to merchants
- Troubleshoot technical issues
- Send service-related notifications
2.3 Security and Fraud Prevention
We use technical information (IP addresses, user agents) to:
- Implement rate limiting to prevent abuse
- Detect and prevent fraudulent activity
- Protect our systems from malicious attacks
2.4 Service Improvement
We may use aggregated, anonymized data to:
- Improve AI processing quality
- Optimize app performance
- Develop new features
- Analyze usage patterns
Important: We do NOT use your personal data for:
- Marketing or advertising to third parties
- Training AI models with customer images
- Selling or sharing data with third parties for their marketing purposes
3. Data Retention and Storage
3.1 Where We Store Data
Database Storage:
- Hosted on a PostgreSQL database (location: Singapore | Asia Pacific 1)
- Secured with encryption at rest and in transit
Image Storage:
- Amazon S3 (AWS) - India (ap-south-1) region
- All uploaded and generated images stored with encryption
- Secure access controls and signed URLs
AI Processing:
- AI API (temporary processing only)
- Images are sent to the API for processing but are not retained by the provider after processing completes
3.2 Data Retention Periods
Customer Virtual Try-On Data:
- Uploaded Images: Retained indefinitely unless the customer or merchant requests deletion (planning to move to a 7-day retention period)
- Generated Result Images: Retained indefinitely unless deleted (planning to move to a 7-day retention period)
- Technical Logs (IP, User Agent): Retained for 90 days, then automatically deleted
- Share Links: Remain active indefinitely unless merchant disables or deletes
Merchant Data:
- Account Information: Retained for the duration of the subscription plus 30 days after cancellation
- Usage Records: Retained for current billing period plus 12 months for accounting purposes
- Session Data: Retained until session expires or merchant logs out
Shop Redaction (App Uninstall):
- When a shop uninstalls the app, we receive a webhook from Shopify within 48 hours
- All shop data, including images, is permanently deleted within 30 days of uninstall
- This includes all customer try-on data associated with that shop
3.3 Data Deletion Rights
Customers and merchants have the right to request deletion of their data at any time. See Section 6 for details.
4. Data Sharing and Third-Party Services
4.1 Third-Party Service Providers
We share data with the following third-party services to provide our app's services:
AI Provider API:
- Purpose: AI-powered virtual try-on image generation
- Data Shared: Customer-uploaded images and product images (temporarily during processing)
- Retention: Provider does not retain images after processing completes
- Location: Provider cloud data centers (may include US, EU, and other regions)
Amazon Web Services (AWS):
- Purpose: Image storage (S3) and queue management (SQS)
- Data Shared: Uploaded images, generated images, and processing metadata
- Location: India
- Security: Encrypted storage with access controls
Shopify Platform:
- Purpose: Authentication, product data access, and webhook handling
- Data Shared: We access Shopify's APIs as described in Section 1.1
- Location: Shopify's global infrastructure
4.2 Data We Do NOT Share
We do NOT:
- Sell or rent personal data to third parties
- Share customer images with marketing companies
- Use customer images for purposes other than virtual try-on
- Share data with social media platforms (except when customers explicitly choose to share results)
4.3 Legal Requirements
We may disclose personal data if required to:
- Comply with legal obligations or court orders
- Protect our rights, property, or safety
- Prevent fraud or security threats
5. International Data Transfers
5.1 Location of Data Processing
Our services are primarily hosted in India. If you are located in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, please note that your data may be transferred to and processed in India.
5.2 Data Protection Safeguards
For transfers of personal data from the EEA/UK to the United States, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Appropriate technical and organizational security measures
- Third-party service providers who comply with applicable data protection frameworks
6. Your Privacy Rights
6.1 Rights for All Users
Right to Access:
You can request a copy of the personal data we hold about you.
Right to Deletion (Right to be Forgotten):
You can request deletion of your personal data.
Right to Data Portability:
You can request a copy of your data in a machine-readable format.
6.2 GDPR Rights (EEA/UK Residents)
If you are located in the EEA or UK, you have additional rights under GDPR:
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
- Right to object to automated decision-making (Note: Our AI processing is not used for automated decisions affecting legal rights)
6.3 CCPA/CPRA Rights (California Residents)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know if personal information is sold or shared (We do not sell personal information)
- Right to opt-out of the sale of personal information (Not applicable - we don't sell data)
- Right to delete personal information
- Right to non-discrimination for exercising privacy rights
6.4 How to Exercise Your Rights
For Customers:
Contact the merchant on whose store you used the virtual try-on feature, or contact us directly at the email address below.
For Merchants:
Log into your Shopify admin panel and contact us through the app support, or email us directly.
GDPR Data Requests (Automated):
We comply with Shopify's mandatory GDPR webhooks:
- customers/data_request - Automatically exports all customer data
- customers/redact - Automatically deletes all customer data within 30 days
- shop/redact - Automatically deletes all shop data within 30 days of app uninstall
7. Security Measures
We implement industry-standard security measures to protect your data:
7.1 Technical Safeguards
- Encryption: Data encrypted in transit (TLS/SSL) and at rest
- Access Controls: Role-based access with multi-factor authentication
- Rate Limiting: API rate limits to prevent abuse and DDoS attacks
- Secure Authentication: OAuth 2.0 for Shopify integration
- Signed URLs: Time-limited access to stored images
7.2 Organizational Safeguards
- Regular security audits and vulnerability assessments
- Employee training on data protection
- Incident response procedures
- Data breach notification protocols
7.3 Data Processing Security
- Image Processing: All images processed through secure, encrypted connections
- AI Processing: Images sent to AI API via secure channels
- Queue Management: SQS queues with encryption and access controls
8. Children's Privacy
Our app is not intended for use by individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.
9. Marketing Communications
No Marketing for This App:
We do not send marketing emails or promotional communications related to this app. All communications are service-related (e.g., subscription confirmations, support responses).
Merchant Communications:
Merchants may receive transactional emails related to:
- App installation and onboarding
- Subscription changes and billing
- Critical service updates
- Support ticket responses
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For material changes, we will notify merchants via email or in-app notification
- Continued use of the app after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically.
11. Legal Basis for Processing (GDPR)
For users in the EEA/UK, we process your personal data based on the following legal grounds:
Purpose | Legal Basis |
---|---|
Providing virtual try-on service | Performance of contract (with merchant) or Legitimate interest |
Processing uploaded images | Consent (implicit when customer uploads image) |
Authentication and security | Legitimate interest (protecting our systems) |
Compliance with legal obligations | Legal obligation |
Service improvement (anonymized data) | Legitimate interest |
12. Cookies and Tracking Technologies
No Cookies on Customer-Facing Pages:
We do not use cookies, web beacons, or similar tracking technologies on the customer-facing virtual try-on interface.
Session Management:
We use Shopify's session management for merchant authentication, which may involve cookies set by Shopify's platform.
No Third-Party Analytics:
We do not use Google Analytics, Facebook Pixel, or other third-party tracking services.
Acknowledgment
By installing and using IndStudio AI Trialroom, merchants acknowledge that they have read and understood this Privacy Policy. By using the virtual try-on feature, customers acknowledge that they have read and understood this Privacy Policy.
For merchants: You are responsible for ensuring that your customers are informed about how their data is processed when they use the virtual try-on feature. We recommend adding a link to this Privacy Policy on your product pages where the virtual try-on button appears.