TryPoint — AI Virtual Try-On
Last Updated: April 15, 2026
This Privacy Policy ("Policy") describes how TouchPoints Inc ("TryPoint," "we," "our," or "us") collects, uses, stores, and shares personal data when you: (i) Visit our website at https://trypoint.ai ("Website"); (ii) Are a Shopify merchant using our platform ("Merchant"); (iii) Are an end user (shopper) interacting with TryPoint's virtual try-on features on a Merchant's Shopify store ("Shopper"); (iv) Contact us for support or marketing purposes; (v) Interact with us on social media. "Personal Data" means any information that can be used, alone or combined with other data, to identify a living individual.
TryPoint is a product of TouchPoints Inc, a Delaware (US) corporation with operations in Vilnius, Lithuania. We provide an AI-powered virtual try-on application for Shopify fashion merchants. Data Controller: For Website visitors and Merchant account data, TouchPoints Inc acts as the Data Controller. Data Processor: For Shopper data processed through Merchant stores, the Merchant is the Data Controller and TouchPoints Inc acts as the Data Processor on the Merchant's behalf, in accordance with our Data Processing Agreement (available at trypoint.ai/dpa).
Contact for Privacy Inquiries: Email: data@trypoint.ai. Address: TouchPoints Inc, 701 Tillery Street Unit 12, 2539, Austin, TX 78702, US.
2.1 Website Visitors. We collect: IP address, browser type, device info, pages visited (for analytics, legitimate interest Art. 6(1)(f)); cookies and tracking technologies (for analytics and functionality, consent Art. 6(1)(a)); name and email if you fill a form (to respond to inquiries). 2.2 Merchants. We collect: name, email, phone number (for account management, contract performance Art. 6(1)(b)); Shopify store URL and store data (for service delivery); payment/billing information (for subscription management); platform usage data (for service improvement, legitimate interest); product images and catalog data (for virtual try-on functionality).
2.3 Shoppers. When a Shopper uses virtual try-on, we process: uploaded photo (for AI try-on generation, consent Art. 6(1)(a)); generated try-on image (to display result); email address if provided (for newsletter opt-in, separate consent); IP address, browser type, device info (for service functionality and security, legitimate interest); try-on interaction data (for analytics); and session identifier (to link session data). Photo Data Classification: TryPoint's AI processes photos solely to overlay garments — not to identify, authenticate, or categorize individuals. Under GDPR Recital 51, photos are classified as biometric data only when processed through technical means allowing unique identification. Since TryPoint does not perform identification, photos are regular personal data under Article 6, not special category data under Article 9. The EU AI Act further confirms this by exempting virtual try-on from biometric categorization. Data Minimization: EXIF metadata (GPS, device model, camera settings) is stripped from photos before processing. Only the photo and product image are sent to Google's AI — no names, emails, or identifiers. Google does not use uploaded photos to train their AI models.
When a Shopper uses virtual try-on: (1) The Shopper uploads a photo of themselves. (2) The photo and product image are sent via TLS to Google's AI virtual try-on models. (3) Google's AI generates a composite image showing the Shopper wearing the product. (4) The generated try-on image is returned and displayed to the Shopper. (5) The original uploaded photo is deleted from our systems within 24 hours.
The uploaded photo is not used to identify the Shopper, is not used for facial recognition, is not used for profiling, and is not used to train AI models. Try-on results are AI-generated images and are labeled as such.
Before uploading, Shoppers are shown a clear notice explaining what will happen to their photo, how it will be processed, how long it will be retained, and that photos are not used for identification or AI training. The notice includes a link to this Privacy Policy.
4.1 How We Obtain Consent. Before a Shopper uploads a photo, we display a clear notice explaining what will happen to the photo, how it will be processed, how long it will be retained, and that photos are not used for identification or AI training. By uploading their photo after reading this notice, the Shopper provides informed consent. No checkbox is required — the voluntary upload action constitutes a clear affirmative action under GDPR Art. 6(1)(a).
4.2 Separate Consents. We collect independent consent for each purpose: Virtual try-on processing is provided through the informed upload action. Email capture is optional and separate — not required to use the try-on feature. Image usage rights (UGC) is a separate, independent request to allow the Merchant to feature the Shopper's try-on image on their websites and social media. This consent is never bundled with try-on consent or email capture. Sharing and downloading are initiated by the Shopper's own action.
4.3 Withdrawing Consent. A Shopper may withdraw consent at any time by contacting the Merchant on whose store they used the try-on feature. If you are unable to reach the Merchant, you may contact us at data@trypoint.ai as a fallback. Upon withdrawal, we delete the Shopper's photo and generated try-on images within 30 days. If UGC consent is withdrawn, the image is removed from all public-facing use and deleted within 30 days. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Withdrawal of consent is as simple as giving it.
Consent records are logged for each photo upload, including session ID, timestamp, notice version, and hashed IP address. Consent records are retained for the duration of processing plus 5 years for compliance documentation.
Image Usage Rights (UGC): When a Merchant enables UGC collection, Shoppers may be asked — after seeing their try-on result — to grant the Merchant permission to feature the try-on image on their websites and social media. This is a separate, optional consent with its own checkbox. The image is retained until consent is withdrawn, at which point it is deleted within 30 days.
5.1 Sub-Processors. We use third-party service providers who process data on our behalf: Google Cloud (Google LLC) for AI virtual try-on image generation (US); DigitalOcean LLC for database storage (Frankfurt, Germany, EU) and image storage (New York City, US); Shopify Inc for e-commerce platform integration (Canada/US). A current list of sub-processors is maintained and available upon request at data@trypoint.ai. Merchants are notified at least 14 days in advance of any changes to sub-processors. 5.2 Merchants. When a Shopper uses try-on on a Merchant's store, that Merchant may receive: generated try-on images (in admin gallery), email address (if provided), UGC-consented images (if granted), and aggregated analytics.
5.3 Legal Requirements. We may disclose Personal Data if required by law, regulation, or legal process. 5.4 Business Transfers. In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred. We will notify affected parties. We do not sell Personal Data. We do not share Personal Data with advertisers or data brokers.
TouchPoints Inc is based in the United States with operations in Vilnius, Lithuania. Personal Data may be transferred between the US, EU, and sub-processor locations.
For transfers from the EEA/UK/Switzerland to countries without an adequacy decision, we rely on: Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914); the EU-US Data Privacy Framework, where applicable; and sub-processor agreements with appropriate safeguards. All data is encrypted in transit (TLS 1.2+) and at rest. You may request a copy of applicable SCCs at data@trypoint.ai.
UK GDPR: The UK International Data Transfer Addendum is incorporated into our transfer mechanisms. Switzerland: We apply equivalent safeguards under the Swiss Federal Act on Data Protection.
Supplementary measures include: encryption in transit and at rest, access controls limiting who can access transferred data, policies preventing disclosure to government authorities except as required by law, and prompt notification of government access requests.
A Transfer Impact Assessment (TIA) has been conducted documenting that SCCs combined with supplementary measures provide essentially equivalent protection for EU data subjects.
Uploaded photos: deleted within 24 hours of try-on generation. Generated try-on images (standard): up to 90 days, or until Merchant deletes. Generated try-on images (UGC-consented): until consent is withdrawn, then deleted within 30 days. Consent records: duration of processing plus 5 years. Email addresses captured during try-on: managed by the Merchant per their privacy policy. Merchant account data: duration of subscription plus 90 days after closure. Website analytics data: 12 months. Aggregated/anonymized analytics: 12 months (anonymized data may be retained indefinitely).
You may request earlier deletion at any time (see Section 9).
Automated deletion processes run on schedule: original photos are purged after 24 hours, standard-tier generated images after 90 days. All deletions are logged for audit purposes.
We implement appropriate technical and organizational measures: encryption in transit (TLS 1.2+) and at rest; role-based access controls with least-privilege principle; logical data isolation per Merchant; file type validation and size limits on uploads; API security including authentication tokens and rate limiting; automatic purging per retention schedule; and an incident response plan.
Breach notification: In the event of a data breach, we notify the affected Merchant within 48 hours. The Merchant, as Data Controller, notifies the relevant supervisory authority within 72 hours where required by GDPR Art. 33. Affected individuals are notified without undue delay where the breach is likely to result in high risk. No system is 100% secure. While we take reasonable precautions, absolute security cannot be guaranteed.
9.1 All Users. Depending on your jurisdiction, you may have the following rights: Access (Art. 15) — request a copy of your Personal Data; Rectification (Art. 16) — request correction of inaccurate data; Erasure (Art. 17) — request deletion; Restriction (Art. 18) — request restricted processing; Data Portability (Art. 20) — receive data in structured format; Object (Art. 21) — object to legitimate-interest processing; Withdraw Consent (Art. 7(3)) — withdraw at any time. Automated Processing (Art. 22): The virtual try-on uses AI to generate images — this produces a visual output only and does not create legal effects or significantly affect you. Anonymous Shoppers: If you used try-on without providing an email, we may ask for the approximate date/time, merchant store, or a copy of the uploaded photo to locate your data. If data has been auto-deleted per our retention policy, we will inform you. Per GDPR Art. 11, we are not required to collect additional information solely to identify you.
Exercising Your Rights: To exercise any of these rights, contact the Merchant on whose store you used the try-on feature. The Merchant is the Data Controller for your data and is your primary point of contact for all data requests. If you are unable to reach the Merchant after a reasonable attempt, you may contact us as a fallback at data@trypoint.ai — Subject line: "Data Rights Request — [Your Right]." We respond within 30 days (extendable by 60 days for complex requests per Art. 12(3)). Identity verification may be required. Complaints: Lodge a complaint with the Lithuanian State Data Protection Inspectorate (VDAI) at https://vdai.lrv.lt or your local supervisory authority.
10.1 EEA/UK Residents (GDPR). In addition to the rights above, you have the right to: restrict processing under certain circumstances; lodge a complaint with your local Data Protection Authority; and not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
10.2 California Residents (CCPA/CPRA). You have the right to: know what Personal Information we collect, use, and disclose; delete your Personal Information; correct inaccurate information; opt out of sale/sharing — we do not sell or share for cross-context behavioral advertising; and non-discrimination. Categories of Personal Information collected (past 12 months): identifiers, internet activity, geolocation data, photos/images, and inferences drawn from the above.
10.3 Brazil Residents (LGPD). Under the Lei Geral de Proteção de Dados, you have rights including access, correction, anonymization, portability, deletion, information about sharing, and the ability to revoke consent.
10.4 Canada Residents (PIPEDA). Under the Personal Information Protection and Electronic Documents Act, you have the right to access, correct, and withdraw consent for the collection, use, and disclosure of your personal information.
10.5 Children's Privacy. TryPoint is not intended for use by anyone under the age of 16. We do not knowingly collect Personal Data from children under 16. If you believe a child under 16 has used the Service or provided Personal Data to us, contact us immediately at data@trypoint.ai and we will promptly delete such data.
We verify age through reasonable measures where required by applicable law. If we learn that we have collected data from a child without parental consent where required, we will delete it as quickly as possible.
TryPoint uses Google's AI models to generate virtual try-on images. Try-on results are AI-generated images and are labeled as such. Your photo is processed solely for garment visualization — not for identification, profiling, or model training. The AI does not extract biometric templates, facial embeddings, or perform facial recognition. Individual uploaded photos are not used to train AI models. Aggregated, de-identified data may be used to improve the Service.
On trypoint.ai: Non-essential cookies require consent via our cookie banner. See our Cookie Policy for details.
On Merchant stores: The TryPoint embed uses essential session cookies for try-on functionality. Analytics and tracking pixels are subject to the Merchant's Shopify cookie consent settings and only fire after Shopper consent.
We do not use cookies to track Shoppers across different Merchant stores. Each Merchant store session is independent.
The Service may contain links to third-party websites or integrate with third-party services (e.g., Shopify, Google). This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you interact with.
We may update this Policy from time to time. The revised Policy will be posted at trypoint.ai/privacy-policy with an updated "Last Updated" date. Merchants are notified of material changes via email or in-app notification. Your continued use of the Service after changes take effect constitutes acceptance.
For questions, concerns, or data rights requests:
TouchPoints Inc, 701 Tillery Street Unit 12, 2539, Austin, TX 78702, US.
Email: data@trypoint.ai. Website: https://trypoint.ai