Privacy Policy
Last updated: April 6, 2026
At TryOnApp, we take your privacy seriously. This policy explains what data we collect, how we use it, and your rights regarding your personal information. We are committed to transparency and data minimization.
1. Information We Collect
1.1 Account Information
When you create a TryOnApp account, we collect:
- Email address
- Store/business name
- Website URL (for widget integration)
- Billing information (processed securely by Stripe or Iyzico)
1.2 Images
Important: Images uploaded for virtual try-on (selfies and product photos) are processed in real-time and are not permanently stored on our servers. Images are sent to our AI processing pipeline, results are generated and delivered, and all image data is discarded within 24 hours of processing. For Instagram DM interactions, images are held temporarily in server memory for up to 10 minutes to facilitate delivery, then permanently deleted.
1.3 Usage Data
- Number of try-on requests (for billing and rate limiting)
- API call timestamps and response times
- Widget interaction events (page views, button clicks)
- Browser type, device type, and approximate location (country-level)
1.4 Instagram Integration Data
If you connect your Instagram business account, we access:
- Public comments on your posts (to detect trigger words)
- Direct message permissions (to send try-on results)
- Post media URLs (to extract product images)
We do not access private messages, follower lists, or any data unrelated to the try-on bot functionality.
1.5 Instagram DM User Consent
Explicit consent required: Before processing any selfie received via Instagram DM, our bot sends a consent request with tappable "Yes" / "No" buttons. The user must explicitly approve before any image processing begins. Users can decline at any time, and no data is retained from declined interactions. A link to this privacy policy is included in every consent request.
2. How We Use Your Information
| Data | Purpose | Legal Basis |
|---|---|---|
| Account management, billing notifications | Contract | |
| Images | AI virtual try-on processing | Consent |
| Usage data | Billing, rate limiting, service improvement | Legitimate interest |
| Instagram data | Automated DM bot functionality | Consent |
| Billing info | Subscription payment processing | Contract |
3. AI Image Processing
Our virtual try-on service uses Google Gemini AI to generate photorealistic images. Here is how the process works:
- Customer uploads a selfie through the widget, mobile interface, or Instagram DM
- For Instagram DM: user must tap "Yes" on a consent prompt before processing begins
- The selfie and product image are sent to Google Gemini API via encrypted HTTPS connection
- Gemini generates try-on result images using multiple AI models for best quality
- The results are delivered to the customer (browser or Instagram DM)
- All images (selfie, product, result) are discarded within 24 hours — temporary in-memory cache is cleared within 10 minutes
Data retention: We do not permanently retain any customer selfies or generated images. Temporary image data is held in server memory for up to 10 minutes to facilitate delivery, then automatically deleted. Only aggregate usage counts are logged for billing purposes. Google Gemini's own data handling is governed by Google's Privacy Policy.
4. Third-Party Services
We use the following third-party services to operate TryOnApp:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Gemini AI | Image generation | User selfies, product images (not stored) |
| Supabase | Database hosting | Account data, usage logs |
| Railway | Application hosting | Application data in transit |
| Stripe | Payment processing (international) | Billing information |
| Iyzico | Payment processing (Turkey) | Billing information |
| Meta/Instagram | Instagram bot integration | Public comments, DM permissions |
| Vercel | Landing page hosting | Website analytics (anonymous) |
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data is transmitted over HTTPS/TLS
- API key security: API keys are hashed and encrypted at rest
- JWT authentication: Secure token-based session management
- Input validation: All inputs are sanitized and validated (10MB image size limit, XSS prevention)
- Rate limiting: Per-customer daily and monthly request limits
- No permanent image storage: Selfies and results are never written to disk
6. Cookies & Tracking
Our landing page uses minimal cookies:
- Essential cookies: Session management and authentication (required)
- Analytics: Anonymous page view statistics (can be declined)
We do not use advertising cookies or sell data to third parties. Our widget embedded on customer sites does not set any cookies on end-user browsers.
7. End-User (Customer's Customer) Privacy
When an end-user uses the virtual try-on widget on your store or interacts with the Instagram DM bot:
- Their selfie is processed in real-time and discarded within 24 hours (temporary cache cleared within 10 minutes)
- No personal data is permanently stored about the end-user
- No accounts are created for end-users
- The widget does not track end-users across sites
- Only aggregate try-on counts are logged (no individual user data)
- Instagram DM users must provide explicit consent via tappable buttons before any image processing occurs
- Instagram DM users can decline processing at any time — no data is retained from declined interactions
8. Your Rights
You have the right to:
- Access: Request a copy of all data we hold about you
- Correction: Update inaccurate personal information
- Deletion: Request deletion of your account and all associated data
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Revoke Instagram access or data processing consent at any time
To exercise any of these rights, contact us at hello@tryonapp.io. We respond to all requests within 30 days.
9. Data Retention
- Account data: Retained as long as your account is active
- Usage logs: Retained for 90 days for billing reconciliation
- Images (selfies & results): Temporary in-memory cache cleared within 10 minutes, fully purged within 24 hours — never written to permanent storage
- Product images: Retained as long as the merchant's account is active
- Instagram DM session data: Session metadata (status, timestamps) retained for 30 days, then auto-deleted. No selfie or result image data is stored in the database.
- Payment records: Retained as required by tax law (typically 7 years)
When you delete your account, all personal data is permanently removed within 30 days, except where retention is required by law.
10. Children's Privacy
TryOnApp is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that a child has provided us with personal information, we will promptly delete it.
11. International Data Transfers
Our servers are located in the United States and European Union. If you are accessing TryOnApp from outside these regions, your data may be transferred internationally. We ensure appropriate safeguards are in place for all cross-border data transfers.
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or a notice on our website. Continued use of TryOnApp after changes constitutes acceptance of the updated policy.
13. Contact Us
For privacy inquiries, data requests, or concerns:
- Email: hello@tryonapp.io
- Subject line: "Privacy Request" for faster routing