Privacy Policy

Last updated: November 2025

Introduction

Welcome to SmartFit, a Shopify application that provides AI-powered virtual try-on services for merchants and their customers. This Privacy Policy describes what personal information we collect and how we use, store, and protect your personal information when you use our Service.

We are committed to complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, and the California Privacy Rights Act (CPRA).

The Service is not directed to individuals under the age of 18. We do not knowingly collect information or data from children under the age of 18 or knowingly allow children under the age of 18 to use the Service.

This Policy may be amended from time to time. We will post any changes to this Policy on our Service at a reasonable time in advance of the effective date of the change, and we will also make efforts to proactively notify you by email of the changes if we have your email address.

Contact Us

What We Collect and Why

We collect the following types of personal information:

Type of Information	Purpose	Legal Basis
Merchant Account Information - Shop domain - Email address - Access tokens	- To provide and operate the Service - To authenticate and authorize access - To communicate with merchants	Performance of contract
Customer Information - Customer ID	- To associate try-on sessions with customers - To track order associations - To provide customer data requests	Legitimate interest, Performance of contract
User Photos - Uploaded photos - Generated try-on images - Product associations	- To provide AI try-on functionality - To generate virtual try-on renderings - To improve service quality	Performance of contract, Consent
Order Information - Order IDs - Product information - Order dates and amounts	- To track which products customers tried on - To associate photos with orders - To provide analytics to merchants	Legitimate interest
Usage Data - Session IDs - Product handles - Interaction timestamps	- To maintain session state - To improve user experience - To analyze service usage	Legitimate interest

Methods and Sources for Collecting Your Personal Information

We collect personal information from several sources:

• Directly from Shopify: When you install and use the Service through the Shopify app store, we receive information from Shopify including your shop domain, access tokens, and customer information.
• From Merchants: When merchants configure the Service, they may provide additional information through our configuration interface.
• From Customers: When customers use the AI try-on feature, they may upload photos or take pictures, which we process to generate virtual try-on renderings.
• From Orders: When customers place orders after using the try-on feature, we receive order information from Shopify to track associations between try-on sessions and purchases.
• Automatically: Through the device you use to access our Service, including session IDs and usage analytics.

You are not legally obligated to provide us with your personal information, but if you do not, we will not be able to provide the Service functionalities, including the AI try-on feature.

How We Use Your Information

We use the personal information we collect for the following purposes:

• To Provide the Service: To enable merchants to offer AI try-on functionality to their customers, including processing uploaded photos and generating virtual try-on renderings.
• To Process Orders: To associate try-on sessions with customer orders and provide order tracking functionality to merchants.
• To Communicate: To respond to your inquiries, provide customer support, and send important service updates.
• To Improve the Service: To analyze usage patterns, troubleshoot issues, and enhance the AI try-on technology.
• To Comply with Legal Obligations: To respond to data subject requests, comply with privacy laws, and handle compliance webhooks from Shopify.

Sharing Your Personal Information

We will not share your information with third parties, except in the following circumstances:

Recipient	Purpose	Information Shared
Shopify	- To operate the Service - To process orders - To handle compliance requests	Shop domain, access tokens, order information, customer IDs
AI Service Providers	- To generate virtual try-on renderings - To process uploaded photos	User photos, product images (processed for try-on generation)
Cloud Storage Providers	- To store user photos and generated images - To ensure data availability	User photos, generated images, metadata
Legal Authorities	- To comply with legal obligations - To respond to lawful requests	As required by law

We require all third-party service providers to maintain appropriate security measures and to use personal information only for the purposes we specify.

Data Retention and Security

We will retain your information for the duration needed to support our ordinary business activities operating the Service and interacting with you. Thereafter, we will still retain your personal information as necessary to comply with our legal obligations, resolve disputes, establish and defend legal claims, and enforce our agreements. The overall period of retention is approximately 7 years, unless a shorter retention period is required by law.

We implement measures to secure your information:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and updates
• Secure data storage with reputable cloud providers

However, these measures do not provide absolute information security. Therefore, although efforts are made to secure your personal information, there is no guarantee that it will be immune from information security risks.

Compliance Webhooks

As a Shopify app, we are required to respond to mandatory compliance webhooks. We have implemented the following webhooks to comply with privacy regulations:

• customers/data_request: When a customer requests their data, we provide all associated user photos, try-on sessions, and order information.
• customers/redact: When a customer requests data deletion, we process the deletion request and remove all associated personal information, subject to legal retention requirements.
• shop/redact: When a merchant uninstalls the app, we delete all data associated with that shop after a 48-hour grace period, subject to legal retention requirements.

All compliance webhook requests are verified using HMAC signatures to ensure authenticity. Invalid requests are rejected with a 401 Unauthorized status.

Additional Information for Individuals in the EU or UK

Controller and Processor

SmartFit is the data Controller for the personal information described in this Policy that we collect directly from merchants and website visitors.

SmartFit is the data Processor for personal information we process on behalf of merchants, such as customer photos and order information collected through the Service.

Legal Basis for Processing Your Personal Data

Processing Activity	Legal Basis
Providing the AI try-on Service	Performance of contract
Processing customer photos and generating renderings	Consent, Performance of contract
Associating try-on sessions with orders	Legitimate interest
Communicating with merchants	Performance of contract, Legitimate interest
Improving and analyzing the Service	Legitimate interest
Complying with legal obligations	Legal obligation

Data Subject Rights

If you are in the EU or the UK, you have the following rights under the GDPR:

• Right to Access: Receive a copy of your personal information that we process.
• Right to Rectify: Correct inaccurate personal information we have concerning you.
• Right to Erasure: Request deletion of your personal information under certain circumstances.
• Right to Restrict Processing: Restrict us from processing your personal information in certain cases.
• Right to Data Portability: Receive your personal information in a structured, machine-readable format.
• Right to Object: Object to our processing of your personal information based on legitimate interest.
• Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at zapzlabs@gmail.com. We will respond to your request within 30 days.

International Data Transfers

If we transfer your information from within the EU to the United States or other countries that are not recognized by the European Commission as having adequate protection for personal data, we will do so under the terms of a data transfer agreement which contains standard data protection contract clauses with adequate safeguards determined by the EU Commission and UK Information Commissioner's Office.

Additional Information for California Residents

If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA):

• Right to Know: Request information about the categories and specific pieces of personal information we collect, use, disclose, and sell.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell personal information).
• Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights.

To exercise any of these rights, please contact us at zapzlabs@gmail.com. We will verify your identity before processing your request.

Cookies and Tracking Technologies

We use session IDs and similar technologies to maintain your session state when using the Service. These are essential for the Service to function properly. We do not use cookies for advertising or tracking purposes beyond what is necessary to provide the Service.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes.

Contact Information

---

© 2024 SmartFit. All rights reserved.