Privacy Policy

Data Controller

TryYou is operated by Swicelso OÜ, an Estonian private limited company. We act as data controller for the data described below. For any question, write to contact@swicelso.com.

Data Collected

We collect the strict minimum needed to run the service:

• Shopify shop data: shop domain, subscription status, billing cap, display settings (colors, button text), Shopify authentication sessions.
• Try-on logs: product ID, variant ID, cart token, success or failure, duration, timestamp. Used for pay-per-use billing and analytics.
• Anti-abuse technical identifiers: shopper IP addresses are never stored in clear text. We only keep a SHA-256 hash for rate limiting.
• Shopper photos: selfies are sent to Google (Gemini) or OpenAI (depending on the chosen quality level) to generate the render, then never stored in our database. We keep no copy.
• Attributed orders: fills in as soon as a shopper tries a product and then places an order. No customer data is stored.

Purposes

• Run the virtual try-on feature on product pages.
• Bill merchants on a pay-per-use basis via Shopify.
• Provide merchant analytics (volume, success rate, most-tried products).
• Prevent abuse through IP-hash-based rate limiting.
• Respond to support requests.

Legal Basis

Processing is based on the performance of the contract between the shopper, the merchant, and TryYou (Article 6.1.b GDPR) for anything related to the try-on service. Anti-abuse logs are based on our legitimate interest in securing the app (Article 6.1.f). Shopify billing data is based on compliance with our legal and contractual obligations.

Retention

• Shopify sessions are purged when the app is uninstalled.
• Try-on logs and billing records are kept while the shop uses the app, then deleted within 48 hours of receiving the shop/redact webhook.
• Shopper photos are never stored by TryYou. They only transit through Google (Gemini) or OpenAI (depending on the chosen quality level) while the render is being generated.
• IP hashes are kept for a maximum of 90 days for rate limiting purposes.

Sub-processors

We rely on two providers to deliver the service:

• Fly.io: application hosting and PostgreSQL database. Region eu-cdg (Paris, France).
• Google LLC: Gemini 3.1 Flash Image API for try-on render generation.
• OpenAI, L.L.C.: gpt-image-2 API for try-on render generation on higher quality levels.

International Transfers

Application data (database included) is hosted in the European Union, region cdg (Paris). The Gemini (Google) and gpt-image-2 (OpenAI) APIs are operated in the United States. This transfer is covered by the EU-US Data Privacy Framework and, where applicable, by the European Commission's Standard Contractual Clauses.

Your Rights

Under the GDPR, you have the following rights:

• Right of access to the data concerning you.
• Right to rectification of inaccurate data.
• Right to erasure (right to be forgotten).
• Right to data portability.
• Right to object to processing.
• Right to restrict processing.
• Right to lodge a complaint with a supervisory authority (CNIL in France, AKI in Estonia).

How to Exercise Your Rights

Send an email to contact@swicelso.com specifying the shop concerned. We reply within 30 days at most. Merchants can also uninstall the app at any time, which triggers automatic deletion of associated data.

Shopify automatically forwards GDPR requests to us via the customers/data_request, customers/redact, and shop/redact webhooks. They are handled immediately on receipt.

Updates to this Policy

This policy may be updated to reflect technical or legal changes. The date at the top of the page always shows the latest revision. Material changes are announced in the Shopify admin.

Contact

Question, request, doubt? Write to contact@swicelso.com. Guaranteed reply within 30 days, usually much faster.