Data Processing Agreement (DPA)

Last updated: May 28, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the merchant ("Merchant", "Controller") and DevCloud Software LLC ("TryOnIA", "Processor") governing TryOnIA's processing of personal data on the Merchant's behalf. It is designed to support the Merchant's obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).

1. Roles of the parties

The Merchant is the data controller. TryOnIA is the data processor, processing personal data only on documented instructions from the Merchant (including via the App's normal operation). For the AI try-on rendering step, our sub-processors act as further processors under our instruction.

2. Personal data processed

Category	Data	Purpose	Retention
Shopper photo (selfie)	Image uploaded by the shopper	Generate the virtual try-on result	Merchant-configured, 1–30 days (default 7); auto-purged
Try-on result	AI-generated image of the shopper with the product	Show the result; optional shopper download/share	Same retention window as the selfie
Shopper email (optional)	Email, only if the Merchant enabled email capture and the shopper provided it	Merchant remarketing (e.g. Klaviyo sync)	Until the Merchant deletes it or uninstalls
Order attribution	Order ID + total linked to a try-on session via cart attribute	Conversion + returns analytics for the Merchant	Until uninstall or GDPR redaction

3. Sub-processors

We use the following sub-processors. We will give the Merchant prior notice of any new sub-processor and an opportunity to object.

Sub-processor	Purpose	Location
Google (Gemini API)	AI try-on image generation	USA / global
fal.ai	Alternate AI try-on provider (when configured)	USA
DigitalOcean	Application hosting + image storage	USA
Shopify	App platform + webhooks	Global

Our AI sub-processors are contractually prohibited from training models on shopper data.

4. Security measures

All data in transit is encrypted with TLS 1.2+.
Shopper photos and results are served only through time-limited, HMAC-signed URLs — they are never publicly listable.
Shopify OAuth tokens are stored encrypted at rest.
Access to production systems is restricted and logged.
Customer photos are automatically purged at the end of the Merchant's configured retention window.

5. Data subject requests

TryOnIA honors Shopify's mandatory GDPR webhooks:

customers/data_request — we compile any data we hold for the shopper and return it to the Merchant.
customers/redact — we delete the shopper's photos, results, and email.
shop/redact — 48 hours after uninstall, we delete all data associated with the shop.

6. International transfers

Where personal data is transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) with our sub-processors.

7. Sub-processor breach & notification

We will notify the Merchant without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting the Merchant's data.

8. Deletion on termination

On uninstall, all shopper photos and results are purged within 48 hours via the shop/redact flow. The Merchant may also request deletion at any time by emailing the address below.

9. Contact

Data protection requests: privacy@devcloudsoftware.com