Privacy Policy

Introduction

Welcome to VirtualFit ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our virtual try-on platform and services.

By using VirtualFit, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our services.

Information We Collect

Personal Information

• Account information (name, email, password)
• Profile information (handle, bio, profile image)
• Photos you upload for virtual try-on purposes
• Clothing images you upload to your portfolio
• Size and fit preferences you select
• Payment information (processed securely via Stripe)

Automatically Collected Information

• Device information (browser type, operating system)
• IP address and general location
• Browser fingerprint (for free trial tracking)
• Usage data (pages visited, features used)
• Cookies and similar tracking technologies

Image Storage & Third-Party Services

Your images are stored using Cloudinary, a secure cloud-based image management service. This includes:

• Profile pictures
• Portfolio images (for Brands and Influencers)
• AI-generated virtual try-on images
• Collaboration content

How We Use Your Information

We use the information we collect for the following purposes:

• To provide and maintain our virtual try-on service
• To generate AI-powered outfit visualizations
• To manage your account and subscriptions
• To facilitate brand-influencer collaborations and campaigns
• To process payments and campaign transactions
• To save your portfolio and try-on results
• To improve and optimize our platform
• To communicate with you about updates, campaigns, or support
• To detect and prevent fraud or abuse

Data Retention & Your Right to Deletion

We retain your data only as long as necessary for the purposes described in this policy. Below is our specific data retention schedule:

Account Deletion

When your account is deleted (either by you or an administrator), we permanently delete:

• Your profile and account information
• All uploaded images from our cloud storage (Cloudinary)
• Portfolio items and collaboration content
• Messages and campaign history
• Analytics and usage data associated with your account

AI-Generated Content

Our platform uses AI technology (Google Gemini) to generate virtual try-on images. Please note:

• AI-generated images are watermarked for identification
• Generated images are stored on Cloudinary for your access
• We do not use your photos to train AI models
• Your uploaded photos are shared only with our contracted data processors (Google LLC for AI processing and Cloudinary Ltd. for image storage) under Data Processing Agreements, solely to provide the virtual try-on service. They are not shared with any other third parties.

Legal Basis for Processing (GDPR Article 6)

For users in the EU/EEA, we rely on the following legal bases to process your personal data:

• Performance of Contract (Article 6(1)(b)): Account management, subscription services, payment processing, campaign facilitation, and delivering the virtual try-on service you requested.
• Consent (Article 6(1)(a)): Biometric data processing (facial geometry, body proportions), non-essential cookies and tracking (analytics, browser fingerprinting). You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legitimate Interest (Article 6(1)(f)): Fraud prevention and abuse detection, platform security and infrastructure monitoring, and general service improvement based on aggregated, anonymized usage data.
• Legal Obligation (Article 6(1)(c)): Retention of tax records and payment information as required by law, responding to valid legal requests, and regulatory compliance.

Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• Encrypted data transmission (HTTPS/TLS)
• Secure password hashing (bcrypt)
• Two-factor authentication for admin accounts
• API rate limiting to prevent abuse
• Regular security audits and monitoring

Cookies and Tracking Technologies

We use cookies and similar technologies on our platform. When you first visit VirtualFit, you will be shown a cookie consent banner that allows you to accept or reject non-essential cookies.

Essential Cookies (Always Active)

These cookies are strictly necessary for the website to function. They cannot be switched off. They include:

• Authentication tokens (JWT) — Keeps you logged in during your session
• Cookie consent preference — Remembers your cookie choice so we don't ask again
• Session data — Maintains your active state while using the platform

Tracking / Non-Essential Cookies (Require Consent)

These cookies are only set if you click "Accept All" or enable them via "Customize" on the cookie banner:

• PostHog Analytics (_ph_* cookies) — Used to understand how visitors use the site so we can improve it. Collects anonymized page views, feature usage, and session replays. Data is aggregated and not linked to your personal identity.
• Browser fingerprint (FingerprintJS) — Used to track free trial usage and prevent abuse. If you reject this, we fall back to IP-based tracking which is less accurate.

Managing Your Preferences

You can change your cookie preferences at any time by clearing your browser's local storage for this site, which will cause the consent banner to reappear on your next visit. You can also configure your browser to block cookies, though this may impact essential functionality like logging in.

Third-Party Services

We use the following third-party services to provide our platform:

• Cloudinary: Image storage and delivery
• Stripe: Payment processing
• Google Gemini: AI image generation
• Resend: Transactional emails
• FingerprintJS: Browser identification for free trials

Each service has its own privacy policy governing the use of your information. We have executed Data Processing Agreements (DPAs) with Google LLC, Cloudinary Ltd., and Stripe Inc. in accordance with GDPR Article 28.

International Data Transfers

Our service providers (Google LLC, Cloudinary Ltd., Stripe Inc., Resend Inc., and FingerprintJS Inc.) are based in the United States. If you are located in the EU/EEA, your personal data will be transferred to and processed in the United States.

Your Rights (EU/EEA Users — GDPR)

If you are located in the EU/EEA, you have the following rights under the General Data Protection Regulation:

• Right of Access (Article 15): Request a copy of all personal data we hold about you.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
• Right to Restriction (Article 18): Request that we limit how we process your data.
• Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
• Right to Object (Article 21): Object to processing based on legitimate interests, including profiling.
• Right Regarding Automated Decision-Making (Article 22): Not be subject to a decision based solely on automated processing that significantly affects you. VirtualFit does not make automated decisions with legal or similarly significant effects.
• Right to Lodge a Complaint: File a complaint with your local supervisory authority (Data Protection Authority).

To exercise any of these rights, contact us at privacy@virtualfit.work. We will respond to verified requests within 30 days. No fee is charged for the first request in any 12-month period.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at: