Privacy Policy — Nova Vision (Virtual Try‑On & Look Creator)

_Last updated: replace with publish date._

Publish this at a public URL (e.g. https://yourdomain.com/privacy) and paste that URL into the Shopify App Store listing → App details → Privacy policy. Replace every [bracketed] value before publishing.

Nova Vision (the "App") is a Shopify app operated by [Company / Developer name] ("we", "us") that adds an AI virtual try‑on, look creator, and product‑photoshoot studio to Shopify stores. This policy explains what data the App processes, why, where it goes, and how it is deleted.


1. Who the data belongs to

We act as a data processor on behalf of the merchant for shopper data, and as a controller for the merchant's own account/config data.

2. What we collect and why

DataWhoseWhyWhere it livesRetention
Shopper photo (uploaded for try‑on)ShopperGenerate the try‑on / look imageIn server memory only, per session — never written to disk or a database by usDiscarded when the session ends / expires; never persisted
Generated try‑on / look imagesShopperShown back to the shopperHeld in memory for the session; returned to the shopper's browserNot persisted server‑side after the session
Email + phone (if the shopper submits them)ShopperMerchant lead capture / order contactStored server‑side, scoped to the merchantUntil the merchant deletes them or a GDPR delete request is received
Product images & catalog dataMerchantAssemble looks, run the photoshoot studioFetched live from Shopify via the Admin API; not storedNot stored
Usage analytics (counts of chats, generations, add‑to‑carts, orders, revenue)Merchant/aggregateMerchant dashboard + our billing/meteringStored as aggregate daily counters per store — no shopper PIIRetained for reporting
App configuration (branding, targeting, plan, uploaded logos)MerchantRun the AppStored server‑side per storeUntil uninstall / shop redaction
Shopify session tokensMerchantAuthenticate Admin API callsStored server‑side (session store)Deleted on uninstall

Chat transcripts stay on the shopper's own device (their browser localStorage), auto‑delete after 1 week, and are never sent to our servers. We only receive the aggregate analytics and which products were tried on / made into a look.

3. Third parties we share data with (sub‑processors)

image API to generate the try‑on/look/photoshoot image. Governed by OpenAI's API data policies (API inputs are not used to train their models). No email, phone, or order data is sent to OpenAI.

Shopify Admin API, under the scopes the merchant approves.

shopper their generated image. Disabled by default.

We do not sell data, do not use it for advertising, and do not share it with any party other than the sub‑processors above.

4. Payments

We never handle card data. Orders are completed on Shopify's own hosted checkout (a draft order + checkout link). Subscription billing is handled by Shopify Billing.

5. Data subject rights & GDPR

The App implements Shopify's mandatory privacy webhooks:

(email/phone leads) for that customer.

uninstall): settings, leads, analytics, sessions.

Shoppers or merchants can also request deletion directly at [privacy@yourdomain.com].

6. Data security

API is verified with Shopify's App Proxy HMAC signature; webhooks are HMAC‑verified.

7. International transfers

Data may be processed in [country/region of your hosting + OpenAI (USA)]. Standard contractual clauses / equivalent safeguards apply where required.

8. Children

The App is not directed to children under 16 and should not be used to upload photos of minors without appropriate consent.

9. Changes & contact

We may update this policy; the "last updated" date will change. Questions or requests: [privacy@yourdomain.com], [Company legal address].


Appendix A — Data‑flow summary (for Shopify app review)

Shopper uploads photo (browser)
   │  downscaled in-browser to ≤1280px JPEG
   ▼
App Proxy (HMAC-verified)  →  App backend (in-memory session; NOT persisted)
   │
   ├─ photo + product image(s) ─→ OpenAI image API ─→ generated image ─→ back to shopper
   │
   └─ if shopper submits email/phone ─→ stored as a "lead" (merchant-scoped)
                                          └─ deletable via customers/redact, shop/redact, uninstall

Merchant admin (embedded, App Bridge session-token auth)
   └─ reads its own settings, leads, aggregate analytics — no cross-store access

Aggregate analytics only (chats, generations, carts, orders, revenue counts)
   └─ no shopper PII; used for the merchant dashboard + usage-based billing

PII inventory: shopper photo (ephemeral, in-memory), shopper email + phone (stored, deletable). Everything else is merchant config or aggregate counters.