Data Policy
GDPR & Data Processing Information
Last updated: March 25, 2026
1. Overview
This Data Policy provides detailed information about how Vensa processes data, with a focus on compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
This policy supplements our Privacy Policy with specific technical and legal details about data processing across all supported platforms (Shopify, WordPress/WooCommerce, and Magento).
2. Data Controller and Processor
In the context of our Service:
- Merchant (Data Controller): The store owner who installs Vensa. You determine the purposes for processing customer data through the use of our app.
- Vensa (Data Processor): We process customer data on behalf of merchants to provide the virtual try-on service.
- Sub-processors: Google Cloud (Vertex AI), Cloudflare (R2 Storage), PayPal, Resend, and Neon act as sub-processors under our supervision.
3. Data Processing Activities
3.1 Photo Processing
This is the most sensitive data processing activity in our service:
- Input: Customer uploads a photo (JPEG, PNG, or WebP, max 10MB)
- Upload: Photo is uploaded directly from the customer's browser to Cloudflare R2 via a time-limited presigned URL
- Processing: Photo is sent to Google Vertex AI along with the product image for virtual try-on generation
- Output: AI generates a composite image showing the product on the customer
- Storage: Both input photo and output image are stored temporarily on Cloudflare R2 (encrypted at rest)
- Deletion: All images are automatically deleted within 24 hours
3.2 Analytics Processing
- Widget interaction events (opens, try-on starts, completions)
- Add-to-cart events after try-on
- Purchase attribution (matching products tried on within 7 days of purchase)
- All analytics are aggregated and presented to merchants in dashboard form
3.3 Rate Limiting Data
- Customer IDs and browser fingerprints are used solely to enforce per-customer usage limits (10 try-ons/week)
- IP addresses are used for abuse prevention only
- This data is not used for profiling or marketing
4. Biometric Data Considerations
Customer photos may be classified as biometric data under certain jurisdictions (e.g., GDPR in the EU, BIPA in Illinois, USA). We handle this with extra care:
- Minimal processing: Photos are only used for the specific purpose of generating a try-on image
- No biometric extraction: We do not extract, store, or create biometric templates or identifiers from photos
- No facial recognition: The AI model generates composite images; it does not perform facial recognition, identification, or classification
- Immediate deletion: Photos are deleted within 24 hours
- No training: Photos are never used to train or improve AI models
- Consent basis: Processing is initiated by the customer voluntarily uploading their photo — this constitutes implied consent
5. Sub-Processors
The following third-party sub-processors are used to deliver the Vensa service:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud (Vertex AI) | AI image generation | Customer photos, product images | US (Google Cloud regions) |
| Cloudflare (R2) | Temporary image storage | Customer photos, result images | Global (nearest edge) |
| Shopify | Platform & billing | Merchant data, session tokens | US / Canada |
| PayPal | Payment processing (WP/Magento) | Billing info | US / EU |
| Resend | Transactional emails | Email addresses, license info | US |
| Neon | Database hosting | Account data, analytics, license records | US |
6. International Data Transfers
Data may be transferred to and processed in countries outside the EEA, including the United States. We ensure appropriate safeguards are in place:
- Google Cloud complies with EU Standard Contractual Clauses (SCCs)
- Cloudflare is certified under the EU-US Data Privacy Framework
- All transfers are encrypted in transit using TLS 1.2+
7. Data Retention Schedule
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Customer photos | 24 hours | Automatic deletion from R2 |
| Try-on result images | 24 hours | Automatic deletion from R2 |
| Try-on job records | Duration of subscription | Deleted on uninstall/cancellation + 90 days |
| Analytics events | Duration of subscription | Deleted on uninstall/cancellation + 90 days |
| Merchant account data | Subscription + 90 days | Manual or automatic purge |
| License keys (WP/Magento) | License duration + 90 days | Automatic purge |
| Session data | Managed by respective platform | Per platform policies |
8. Security Measures
We implement industry-standard security measures to protect data at every layer:
- Encryption in transit: All API communications use TLS/HTTPS
- Encryption at rest: R2 storage uses AES-256 encryption
- Access control: Shopify endpoints require valid HMAC signatures; WordPress/Magento endpoints use license key verification
- Rate limiting: Per-customer and per-IP rate limits prevent abuse
- Presigned URLs: Image uploads use time-limited presigned URLs (expiring in minutes)
- Admin security: Admin dashboard uses hashed passwords with account lockout after failed attempts
- No persistent storage: Sensitive photo data is never stored long-term
9. GDPR Rights (EU/EEA Residents)
Under the GDPR, data subjects have the following rights. Merchants should facilitate these for their customers, and we will assist:
- Right of Access (Art. 15): Request access to personal data we process
- Right to Rectification (Art. 16): Request correction of inaccurate data
- Right to Erasure (Art. 17): Request deletion of personal data (“right to be forgotten”)
- Right to Restriction (Art. 18): Request restriction of processing
- Right to Data Portability (Art. 20): Receive data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
To exercise these rights, contact us at privacy@vensa.app. We will respond within 30 days.
10. Data Processing Agreement (DPA)
By installing Vensa, you agree to our data processing terms as outlined in this Data Policy. This constitutes a Data Processing Agreement between you (the Data Controller) and Vensa (the Data Processor) as required under GDPR Article 28.
Merchants requiring a separately signed, formal Data Processing Agreement (DPA) should contact us at privacy@vensa.app.
11. Data Breach Notification
In the event of a data breach that affects personal data:
- We will notify affected merchants within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- The notification will include: the nature of the breach, categories of data affected, approximate number of records affected, and measures taken or proposed to address the breach
- We will cooperate with merchants in fulfilling their obligations to notify supervisory authorities and affected data subjects
12. Contact Our Data Protection Team
For questions about this Data Policy or our data processing, or to exercise your data protection rights:
- Email: privacy@vensa.app
- Website: Contact Page