Privacy Policy
Last updated: April 22, 2026
Virtual Try-On ("the App", "we", "us") is operated by TSA Group LLC. This Privacy Policy explains what data the App processes when it is installed in a Shopify store and when a shopper interacts with the try-on widget on a merchant's storefront. We designed the App to be privacy-first: we do not store shopper photos, and we do not collect personally identifiable information (PII) from end shoppers.
1. Who We Are
Data Controller: TSA Group LLC
Contact: info@tsagroupllc.com
App domain: https://vto.tsagroupllc.com
2. What We Collect
Two different data subjects are relevant: the merchant (Shopify store owner) and the shopper (end customer browsing a storefront).
2.1 Merchant Data
- Shop domain (e.g. example.myshopify.com)
- Shop name, merchant email (from Shopify), installed scopes
- OAuth access token (encrypted at rest, used to call the Shopify Admin API)
- Product metadata synced from the merchant's catalog (title, handle, images, variants)
- Usage counters (number of try-ons generated per billing period)
- Billing status returned by Shopify Billing API
2.2 Shopper Data
- An anonymous first-party cookie named vto_sid containing a random session identifier. This identifier is not linked to any Shopify customer ID, email, or other PII.
- Aggregate event logs: which product was viewed, when a try-on was initiated, whether the shopper completed the try-on, page referrer, user-agent string.
- We do not permanently store photos uploaded by shoppers. Photos are transmitted directly to our AI processing provider, processed in memory, and the resulting image URL returned to the shopper expires automatically.
- We do not collect names, email addresses, phone numbers, or payment information from shoppers.
3. What Merchants See
Merchants access an analytics dashboard inside the Shopify admin. The dashboard shows aggregate metrics only: total try-on count, conversion rate, top products, usage against plan quota. Merchants never see individual shopper photos or identities.
4. Cookies
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| vto_sid | First-party, strictly necessary | Anonymous session identifier used to deduplicate try-on events and measure funnel conversion per session. | 30 days |
We do not set third-party cookies and we do not use advertising or cross-site tracking cookies.
5. Data Retention
- Shopper event logs: 90 days from the event date, then automatically purged.
- Merchant data: retained for the duration of the app installation. When a merchant uninstalls, we immediately clear the OAuth access token. Shopify sends a shop/redact webhook 48 days after uninstall, at which point we delete all remaining merchant and associated event data.
- Shopper photos: never persisted. Processed in memory by our AI provider; result URLs expire in a short time window.
6. Third-Party Data Processors
- Shopify Inc. — hosts the store, provides OAuth and the Admin API, issues webhooks. Governed by the Shopify Partner Program Agreement.
- KIE.AI — performs the virtual try-on image processing. Images are sent over HTTPS, processed transiently, and not stored by us. KIE.AI's data handling is governed by their own privacy policy.
- Hosting infrastructure — servers and database operated on behalf of TSA Group LLC under standard cloud security controls (TLS in transit, encryption at rest).
7. Legal Basis (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Contract — processing merchant data is necessary to provide the App under our Terms of Service.
- Legitimate interests — processing anonymous shopper events to measure and improve the try-on feature the merchant has chosen to enable.
- Consent — where a merchant's storefront requires it, the try-on widget will only activate after the shopper's consent management platform allows strictly-necessary cookies.
8. Your Rights
Under GDPR, KVKK (Turkey), CCPA, and comparable regimes, data subjects have rights including:
- Right of access — request a copy of personal data we hold about you.
- Right to deletion (right to be forgotten).
- Right to rectification of inaccurate data.
- Right to data portability.
- Right to object to or restrict processing.
- Right to lodge a complaint with a supervisory authority.
Shoppers can exercise these rights through the merchant whose store they visited. Merchants can exercise these rights, and forward shopper requests to us, by emailing info@tsagroupllc.com. We respond within 30 days.
9. Shopify GDPR Webhooks
We implement the three mandatory Shopify compliance webhooks:
- customers/data_request — we respond with the data we hold for the identified customer (typically none, since we do not store PII).
- customers/redact — we delete any records that reference the identified customer.
- shop/redact — 48 days after uninstall, we delete all data associated with the shop.
10. Security
- All traffic is encrypted in transit using TLS 1.2+.
- Access tokens and credentials are encrypted at rest.
- Access to production systems is restricted to named personnel with MFA.
- Webhook integrity is verified via HMAC-SHA256.
11. International Transfers
Processing may occur in jurisdictions outside the EU/EEA, the UK, and Turkey. Where applicable, we rely on Standard Contractual Clauses and equivalent safeguards.
12. Children
The App is not directed to children under 13 (or 16 in the EEA) and we do not knowingly process data of minors.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be announced in-app or via email to the merchant. The "Last updated" date at the top always reflects the current version.
14. Contact
Questions, requests, or complaints:
info@tsagroupllc.com
TSA Group LLC