Privacy Policy

Last updated: 2026-05-28

Data controller

Emergence IT
van Ravesteyn erf 434, 3315 DT Dordrecht, the Netherlands
KVK: 98992678 - BTW: NL005366013B25
Email: emergenceit1@gmail.com

Emergence IT operates the TryOn AI Shopify app (“the App”). For the purposes of the EU General Data Protection Regulation (GDPR), Emergence IT is the data controller for the data described in this policy.

What we process

• Selfie image uploaded by the shopper to the try-on widget.
• Garment image taken from the merchant's product page or uploaded by the shopper.
• Shopify merchant identifiers such as shop domain, Shopify shop ID, OAuth access token, and billing plan state.
• Usage logs such as request ID, plan, status, image size, OpenAI request ID, model cost, and timing metadata.

How we process it

Selfie and garment images are read into server memory, forwarded to OpenAI's image-generation API, and the generated try-on image is streamed back to the shopper's browser. We do not write any shopper-supplied image or generated try-on image to disk or any database.

Try-on usage is logged so merchants can monitor app usage, enforce plan limits, export usage history, and support billing through Shopify App Pricing. The App does not request order access and does not read customer names, emails, phone numbers, addresses, or order contents.

Legal basis for processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)) - processing merchant identifiers and usage logs is necessary to provide the App.
• Legitimate interests (Art. 6(1)(f)) - short-lived processing of shopper images is necessary to fulfil the shopper's explicit try-on request.
• Legal obligation (Art. 6(1)(c)) - retention of billing-related usage records may be necessary for Dutch accounting and tax-record-keeping obligations.

Sub-processors

• OpenAI, L.L.C. (United States) - image generation. See OpenAI's privacy policy.
• Shopify Inc. (Canada / United States) - app platform, OAuth, billing, and webhook delivery.
• Vercel Inc. (United States) - application hosting and serverless runtime.
• Supabase Inc. (United States; database hosted in the EU region eu-west-1) - managed Postgres database for shop-scoped settings, billing state, and usage logs.

International transfers

Some sub-processors are established in the United States. When personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

Data retention

Shopper images: zero retention. They are not persisted to disk or database and are not logged.

Merchant identifiers and settings: retained while the app is installed and deleted when Shopify sends the shop/redact webhook after uninstall.

Usage logs: retained for up to 24 months for billing audit, abuse prevention, support, and tax-record-keeping.

Your rights (GDPR / CCPA)

To exercise access, rectification, erasure, restriction, portability, or objection rights, contact emergenceit1@gmail.com. We will respond within 30 days.

We honor Shopify's mandatory customers/data_request and customers/redact webhooks. Because we do not store shopper names, emails, phone numbers, or addresses, these requests are acknowledged as already satisfied.

Supervisory authority

If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. For data subjects in the Netherlands, the supervisory authority is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

Contact

Privacy questions: emergenceit1@gmail.com