_Last updated: replace with publish date._
Publish this at a public URL (e.g. https://yourdomain.com/privacy) and paste that URL into the Shopify App Store listing → App details → Privacy policy. Replace every [bracketed] value before publishing.
Nova Vision (the "App") is a Shopify app operated by [Company / Developer name] ("we", "us") that adds an AI virtual try‑on, look creator, and product‑photoshoot studio to Shopify stores. This policy explains what data the App processes, why, where it goes, and how it is deleted.
We act as a data processor on behalf of the merchant for shopper data, and as a controller for the merchant's own account/config data.
| Data | Whose | Why | Where it lives | Retention |
|---|---|---|---|---|
| Shopper photo (uploaded for try‑on) | Shopper | Generate the try‑on / look image | In server memory only, per session — never written to disk or a database by us | Discarded when the session ends / expires; never persisted |
| Generated try‑on / look images | Shopper | Shown back to the shopper | Held in memory for the session; returned to the shopper's browser | Not persisted server‑side after the session |
| Email + phone (if the shopper submits them) | Shopper | Merchant lead capture / order contact | Stored server‑side, scoped to the merchant | Until the merchant deletes them or a GDPR delete request is received |
| Product images & catalog data | Merchant | Assemble looks, run the photoshoot studio | Fetched live from Shopify via the Admin API; not stored | Not stored |
| Usage analytics (counts of chats, generations, add‑to‑carts, orders, revenue) | Merchant/aggregate | Merchant dashboard + our billing/metering | Stored as aggregate daily counters per store — no shopper PII | Retained for reporting |
| App configuration (branding, targeting, plan, uploaded logos) | Merchant | Run the App | Stored server‑side per store | Until uninstall / shop redaction |
| Shopify session tokens | Merchant | Authenticate Admin API calls | Stored server‑side (session store) | Deleted on uninstall |
Chat transcripts stay on the shopper's own device (their browser localStorage), auto‑delete after 1 week, and are never sent to our servers. We only receive the aggregate analytics and which products were tried on / made into a look.
image API to generate the try‑on/look/photoshoot image. Governed by OpenAI's API data policies (API inputs are not used to train their models). No email, phone, or order data is sent to OpenAI.
Shopify Admin API, under the scopes the merchant approves.
shopper their generated image. Disabled by default.
We do not sell data, do not use it for advertising, and do not share it with any party other than the sub‑processors above.
We never handle card data. Orders are completed on Shopify's own hosted checkout (a draft order + checkout link). Subscription billing is handled by Shopify Billing.
The App implements Shopify's mandatory privacy webhooks:
customers/data_request — on request, we report the shopper data we hold(email/phone leads) for that customer.
customers/redact — deletes all leads matching that customer's email/phone.shop/redact — deletes all data for the store (fires ~48h afteruninstall): settings, leads, analytics, sessions.
app/uninstalled — deletes store settings and leads immediately on uninstall.Shoppers or merchants can also request deletion directly at [privacy@yourdomain.com].
API is verified with Shopify's App Proxy HMAC signature; webhooks are HMAC‑verified.
Data may be processed in [country/region of your hosting + OpenAI (USA)]. Standard contractual clauses / equivalent safeguards apply where required.
The App is not directed to children under 16 and should not be used to upload photos of minors without appropriate consent.
We may update this policy; the "last updated" date will change. Questions or requests: [privacy@yourdomain.com], [Company legal address].
Shopper uploads photo (browser)
│ downscaled in-browser to ≤1280px JPEG
▼
App Proxy (HMAC-verified) → App backend (in-memory session; NOT persisted)
│
├─ photo + product image(s) ─→ OpenAI image API ─→ generated image ─→ back to shopper
│
└─ if shopper submits email/phone ─→ stored as a "lead" (merchant-scoped)
└─ deletable via customers/redact, shop/redact, uninstall
Merchant admin (embedded, App Bridge session-token auth)
└─ reads its own settings, leads, aggregate analytics — no cross-store access
Aggregate analytics only (chats, generations, carts, orders, revenue counts)
└─ no shopper PII; used for the merchant dashboard + usage-based billing
PII inventory: shopper photo (ephemeral, in-memory), shopper email + phone (stored, deletable). Everything else is merchant config or aggregate counters.