
Data Processing Agreement

TryPoint — AI Virtual Try-On

Effective Date: Upon installation or first use of TryPoint

Parties

Data Controller ("Merchant," "You"): The Shopify merchant who has installed and uses the TryPoint application.

Data Processor ("TryPoint," "We," "Us"): TouchPoints Inc, a Delaware corporation, 701 Tillery Street Unit 12, 2539, Austin, TX 78702, US.

This DPA is incorporated into the TryPoint Terms of Service ("Agreement").

1. Definitions

"Applicable Data Protection Law" means all applicable data protection and privacy laws, including GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA/CPRA, and other laws applicable based on the location of the Merchant or its end users.

"Customer Personal Data" means any Personal Data that TryPoint processes on behalf of the Merchant in connection with the TryPoint services, relating to Merchant's end users (Shoppers).

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"Personal Data" has the meaning given under Applicable Data Protection Law.

"Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction.

"Sub-processor" means any third party engaged by TryPoint to process Customer Personal Data.

"Data Subject" means the identified or identifiable individual to whom Customer Personal Data relates.

"Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data approved by the European Commission (Decision 2021/914).

2. Scope and Roles

2.1 Roles. The Merchant is the Data Controller. TryPoint is the Data Processor for Customer Personal Data.

2.2 Subject Matter and Duration. TryPoint processes Customer Personal Data for the duration of the Agreement to provide the virtual try-on and related services.

2.3 Nature and Purpose of Processing. TryPoint processes Customer Personal Data solely to: enable Shoppers to use the virtual try-on feature on Merchant's Shopify store; generate AI-powered virtual try-on images via Google's AI models; store and display generated try-on images in the Merchant's admin gallery; capture email addresses (when enabled by the Merchant); collect and display try-on feedback and satisfaction data; provide analytics on try-on usage and engagement; facilitate sharing and downloading of try-on results; and process UGC permission requests (when enabled by the Merchant).

2.4 Types of Personal Data Processed.

Visual data: Shopper-uploaded photos, AI-generated try-on images.

Contact data: Email address (if Merchant enables email capture).

Technical data: IP address, browser type, device type, session identifiers.

Behavioral data: Try-on interactions (clicks, shares, downloads, feedback).

No special category data (Art. 9 GDPR) is processed. TryPoint's AI processes photos solely for garment visualization, not for identification or authentication. Per GDPR Recital 51, this does not constitute biometric data processing.

2.5 Categories of Data Subjects. Shoppers (end users) who use the virtual try-on feature on Merchant's store.

3. Merchant Obligations

The Merchant shall: (3.1) Ensure it has a lawful basis for providing Customer Personal Data to TryPoint, including informing Shoppers about the processing before they upload photos. (3.2) Ensure its privacy policy discloses TryPoint's processing activities, including AI processing and sub-processors. (3.3) Promptly inform TryPoint of any Data Subject request relating to TryPoint's processing. (3.4) Comply with its obligations as Data Controller under Applicable Data Protection Law.

4. TryPoint Obligations

4.1 Processing Instructions. TryPoint shall process Customer Personal Data only on the Merchant's documented instructions (as described in this DPA and the Agreement), unless required by law. TryPoint will notify the Merchant if it believes an instruction infringes Applicable Data Protection Law.

4.2 Confidentiality. All personnel authorized to process Customer Personal Data are subject to confidentiality obligations.

4.3 Security Measures. TryPoint implements and maintains appropriate technical and organizational measures: encryption of data in transit (TLS 1.2+) and at rest; role-based access controls with principle of least privilege; logical data isolation between Merchants; secure, temporary storage for uploaded photos with automatic deletion within 24 hours; regular security monitoring and vulnerability assessment; and incident detection and response procedures.

4.4 Sub-Processors.

(a) The Merchant provides general authorization for TryPoint to engage sub-processors.

(b) Current sub-processors: Google Cloud (Google LLC) — AI virtual try-on image generation (US); DigitalOcean LLC — Database storage (Frankfurt, Germany, EU) and image storage (New York City, US); Shopify Inc — Platform integration (Canada/US).

(c) TryPoint shall notify the Merchant at least 14 days before engaging a new sub-processor or materially changing an existing one. Notification via email or admin dashboard.

(d) The Merchant may object in writing within 14 days. If TryPoint cannot reasonably accommodate the objection, either party may terminate the Agreement.

(e) TryPoint enters into written agreements with each sub-processor imposing obligations no less protective than this DPA.

4.5 Data Subject Rights. (a) TryPoint assists the Merchant in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible. (b) Direct requests received by TryPoint are redirected to the Merchant unless legally required to respond directly. (c) TryPoint provides Shopify GDPR webhook support (customers/data_request, customers/redact, shop/redact).

4.6 Data Protection Impact Assessments. TryPoint provides reasonable assistance for DPIAs and prior consultations with supervisory authorities where relevant to TryPoint's processing.

4.7 Breach Notification. (a) TryPoint notifies the Merchant without undue delay (within 48 hours) after becoming aware of a breach affecting Customer Personal Data. (b) Notification includes: nature of the breach, categories and approximate number of affected Data Subjects and records, likely consequences, and measures taken or proposed. (c) TryPoint cooperates with investigation, mitigation, and remediation.

4.8 Data Retention and Deletion.

(a) Upon termination or Merchant request, TryPoint deletes or returns all Customer Personal Data within 30 days, except where retention is required by law.

(b) Deletion confirmed in writing upon request.

(c) Standard retention during the Agreement:

Uploaded Shopper photos — deleted within 24 hours of try-on generation.

Generated try-on images — until Merchant deletes, or 30 days if not reviewed.

Email addresses — managed by Merchant; deleted upon request or closure.

Consent records — processing duration + 3 years.

Aggregated analytics — 12 months (anonymized).

4.9 Audits. (a) TryPoint makes available information necessary to demonstrate DPA compliance upon reasonable request. (b) The Merchant (or independent auditor) may audit no more than once per year with 30 days' notice. (c) TryPoint may satisfy requests by providing certifications, audit reports, or written responses.

5. International Data Transfers

5.1 Where Customer Personal Data is transferred outside the EEA/UK/Switzerland to a country without an adequacy decision, TryPoint ensures appropriate safeguards via Standard Contractual Clauses (Module 2: Controller to Processor, Decision 2021/914), incorporated by reference.

5.2 Supplementary Measures. Encryption in transit and at rest, access controls, policies preventing unauthorized government disclosure, prompt notification of government access requests (where permitted).

5.3 UK GDPR. For UK-governed transfers, this DPA incorporates the UK International Data Transfer Addendum to the EU SCCs.

6. Liability

Subject to the limitations in the Agreement. Nothing limits liability to Data Subjects under Applicable Data Protection Law.

7. Term

Effective for the duration of the Agreement. Sections on deletion, audit rights, and confidentiality survive termination.

8. Governing Law

Governed by the laws of the Agreement, except where Applicable Data Protection Law requires otherwise.

9. Contact

Email: privacy@trypoint.ai

Address: TouchPoints Inc, 701 Tillery Street Unit 12, 2539, Austin, TX 78702, US.

Appendix: Standard Contractual Clauses

The SCCs (Module 2: Controller to Processor, Decision 2021/914) are incorporated by reference.

Annex I.A — Parties: Data exporter: Merchant. Data importer: TouchPoints Inc.

Annex I.B — Description of Transfer: Data subjects: Shoppers on Merchant's Shopify store. Personal data: Photos, generated try-on images, email addresses, IP addresses, device info, interaction data. No special category data is processed. Processing: Virtual try-on generation, gallery storage, email capture, analytics, UGC consent management.

Annex I.C — Supervisory Authority: The authority of the Merchant's EEA member state, or the Lithuanian VDAI if Merchant is not in the EEA.

Annex II — Technical and Organizational Measures: As described in Section 4.3.


© 2026, TryPoint. All rights reserved.
