Biometric Data Policy

Last updated: May 29, 2026

Overview

VirtualFit uses artificial intelligence to generate virtual try-on images. This process involves analyzing photographs that you voluntarily upload, which may include facial features and body measurements. This Biometric Data Policy explains how we collect, use, store, and protect this data in compliance with applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act, the Washington Biometric Identifier law, and the EU General Data Protection Regulation (GDPR).

What Biometric Data We Collect

When you upload a photo for virtual try-on, our AI may process:

  • Facial geometry — to accurately position clothing on your image
  • Body proportions — to scale and fit clothing realistically
  • Skin tone data — to blend generated images naturally

We do not collect fingerprints, retina scans, voiceprints, or DNA. All biometric data is derived solely from photographs you voluntarily upload.

How We Use Biometric Data

Your biometric data is used exclusively for:

  • Generating virtual try-on images you request

We never sell, lease, trade, or otherwise profit from your biometric data. We do not use it for advertising, surveillance, or identification purposes.

Third-Party Processors of Biometric Data

In accordance with BIPA Section 15(d) and GDPR Article 28, we disclose the following third-party service providers who may receive or process biometric data on our behalf:

Google LLC (Gemini AI API) — Processes user-uploaded photographs containing facial geometry and body measurements to generate virtual try-on images. Google acts as a data processor under our Data Processing Agreement (DPA) pursuant to GDPR Article 28. Photos are transmitted to the Google Gemini API via encrypted API calls (TLS 1.3) solely to generate your virtual try-on image. Processing is governed by Google's API Terms of Service and the applicable Data Processing Addendum. We do not knowingly permit Google to use your photos for model training or any purpose beyond fulfilling the API request. Google's data processing terms are available at Google Cloud Data Processing Addendum.

Cloudinary Ltd. — Stores user-uploaded photographs (which may contain biometric data) in portfolio features. Cloudinary acts as a data processor under our DPA pursuant to GDPR Article 28. Images are encrypted at rest and in transit. Cloudinary does not access, analyze, or process the biometric content of stored images.

No other third parties receive, access, or process your biometric data. We do not disclose biometric data to advertisers, data brokers, or any entity not listed above.

Consent

In accordance with the Illinois Biometric Information Privacy Act (BIPA) and GDPR, VirtualFit obtains your explicit, informed, standalone consent before collecting or processing any biometric data.

How consent is obtained: Before your first photo upload (whether as a free trial user or registered user), you will be presented with a mandatory biometric consent checkbox. This checkbox requires you to actively click to confirm: "I am at least 18 years old and I explicitly consent for VirtualFit to process my biometric data (facial geometry and body measurements) for the purpose of generating my virtual try-on image, as described in the Privacy Policy and Biometric Data Policy. I understand that my biometric data will be processed in real-time and will not be stored beyond this session unless I create an account." You cannot proceed with your photo upload without providing this consent.

This consent requirement applies equally to free trial users and registered users. Free trial users must check the biometric consent box before generating any try-on image.

You may withdraw consent at any time by deleting your account, deleting your uploaded photos, or contacting us at hello@virtualfit.work. Withdrawal of consent will result in the immediate cessation of biometric data processing and the deletion of any stored biometric-related data within 30 days.

Storage & Security

  • Uploaded photos are processed in real-time and are not permanently stored on our servers after the try-on image is generated, unless you explicitly save them to your portfolio.
  • Biometric identifiers extracted during processing are ephemeral and discarded immediately after the try-on image is rendered.
  • All data transmission uses 256-bit TLS encryption.
  • Stored images (portfolios) are encrypted at rest using industry-standard encryption.

Data Retention & Destruction Schedule

In compliance with BIPA Section 15(a), we maintain the following retention and destruction schedule:

Biometric identifiers and biometric information shall be permanently destroyed no later than the earlier of: (a) 30 days after account deletion or the purpose for which the data was collected has been satisfied, or (b) three (3) years from the date of collection — whichever comes first.

  • Ephemeral processing data: Biometric identifiers extracted during AI try-on processing are discarded immediately and automatically after the try-on image is rendered. They are never written to persistent storage.
  • Free trial users: Uploaded photos and generated images are automatically deleted within 24 hours of the session ending.
  • Registered users: Portfolio images are retained for the duration of your active subscription. Upon account deletion or subscription cancellation, all associated biometric data and images are permanently destroyed within 30 days.
  • Maximum retention: Regardless of account status, no biometric data is retained for longer than three (3) years from the date of collection.
  • Destruction method: Data destruction is performed via secure deletion (overwrite and purge) from all primary storage and backup systems.

You may request deletion of specific images or your entire account at any time via Settings or by emailing hello@virtualfit.work. Deletion requests are processed within 30 days.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Know what biometric data we hold about you
  • Request deletion of your biometric data
  • Withdraw consent to biometric data processing
  • Obtain a copy of your biometric data in a portable format (GDPR)
  • File a complaint with your local data protection authority
  • Bring a private right of action for violations of BIPA (Illinois residents)

To exercise any of these rights, contact us at hello@virtualfit.work. We will respond to verified requests within 30 days.

Data Breach Notification

In the event of a data breach involving biometric data, VirtualFit is committed to:

  • GDPR (EU/EEA users): Notifying the relevant supervisory authority within 72 hours of becoming aware of the breach, and notifying affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.
  • US state laws: Notifying affected individuals as required by applicable state breach notification laws, including but not limited to Illinois, California, Texas, and Washington.
  • All users: Providing clear, plain-language notification via email describing the nature of the breach, the data affected, the measures taken, and recommended protective actions.

Minors & Age Restrictions

VirtualFit is not intended for use by minors. We enforce the following age restrictions:

  • United States (COPPA): VirtualFit does not knowingly collect personal information or biometric data from children under 13 years of age, in compliance with the Children's Online Privacy Protection Act (COPPA). If we learn that a child under 13 has provided us with personal or biometric data, we will promptly delete it.
  • EU/EEA (GDPR Article 8): Users in the EU/EEA must be at least 18 years of age to use VirtualFit and consent to biometric data processing.
  • General policy: Users must be at least 18 years of age to use VirtualFit, create an account, and consent to biometric data processing. No parental or guardian consent exception is permitted.

If you believe a minor has submitted biometric data through our platform, please contact us immediately at hello@virtualfit.work and we will delete it within 24 hours.

Changes to This Policy

We may update this Biometric Data Policy from time to time. In accordance with BIPA requirements, we will provide at least 30 days' advance written notice via email to registered users before any material changes to how we collect, use, store, or share biometric data take effect. Non-material updates (formatting, clarifications) will be posted on this page with an updated "Last updated" date. Your continued use of VirtualFit after the effective date of material changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Biometric Data Policy, contact us at:

VirtualFit
Email: hello@virtualfit.work
Website: virtualfit.work
