Data Processing Agreement
Last updated: May 22, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Shopify merchant using FitRum AI Virtual Try-On ("Controller" or "Merchant") and FitRum ("Processor", "we", "us", or "our").
1. Purpose
This DPA applies when FitRum processes personal data on behalf of a merchant to provide AI virtual try-on functionality, merchant analytics, support, billing status, abuse prevention, and privacy compliance workflows.
2. Roles
The merchant determines why FitRum is used on the storefront and which products, shoppers, and store interactions are involved. The merchant is generally the Controller for shopper data.
FitRum processes that data as a Processor or service provider according to the merchant's documented instructions, Shopify requirements, this DPA, and applicable law.
3. Processing Details
Subject Matter
Operation of a Shopify app that allows shoppers to upload a photo and generate an AI virtual try-on preview for selected products.
Duration
For the duration of the merchant's use of FitRum, plus the retention periods described in the Privacy Policy and any legally required retention.
Nature and Purpose
- Storefront try-on widget operation.
- Shopper photo upload and temporary processing.
- AI try-on generation and safety checks.
- Product-level analytics and attribution.
- Shopper email capture where consent is provided.
- Subscription, usage, abuse prevention, support, and compliance workflows.
Types of Personal Data
- Shopper photos.
- Generated try-on images.
- Shopper email addresses where provided.
- Consent records.
- Session identifiers and interaction data.
- Product and variant interaction data.
- Order and checkout attribution data where required for app functionality.
- Merchant contact and store account data.
Categories of Data Subjects
- Shoppers who interact with the FitRum widget.
- Merchants, store owners, and authorized store staff.
4. Processor Obligations
FitRum will:
- Process personal data only for the documented purposes of providing and protecting the App.
- Keep personal data confidential.
- Use appropriate technical and organizational safeguards.
- Limit staff and system access to what is needed.
- Assist merchants with reasonable privacy requests where required.
- Process Shopify privacy webhooks and deletion/redaction workflows.
- Delete or anonymize personal data when required by the Privacy Policy, Shopify, law, or termination of service.
- Notify merchants of a confirmed personal data breach where required by law.
5. Merchant Obligations
The merchant will:
- Use FitRum lawfully and according to Shopify requirements.
- Provide required privacy notices to shoppers.
- Collect consent where required for photo upload, AI processing, email capture, and marketing follow-up.
- Avoid uploading or encouraging shoppers to upload unlawful, explicit, harmful, or unauthorized content.
- Respond to shopper requests as the Controller.
- Tell FitRum promptly if a privacy request or incident requires FitRum assistance.
6. Subprocessors
FitRum may use subprocessors in the following categories:
- Shopify platform services for app installation, APIs, billing, and webhooks.
- Secure hosting, database, storage, and infrastructure providers.
- AI processing providers used only for requested try-on generation and related safety checks.
- Email delivery, support, logging, monitoring, and security providers.
FitRum requires subprocessors to process data only for the services they provide to FitRum and to follow confidentiality, security, and data protection obligations.
To reduce operational security risk, this public DPA lists subprocessor categories rather than infrastructure-specific details. Where legally required, contractually required, or requested by Shopify review, FitRum can provide additional subprocessor information to the merchant.
7. Security Measures
FitRum maintains safeguards designed to protect personal data, including:
- Encryption in transit.
- Access controls and least-privilege permissions.
- Protected Shopify session handling.
- Private handling of uploaded and generated images.
- Time-limited media access where possible.
- Retention and deletion workflows.
- Logging of compliance requests and security-relevant events.
- Abuse prevention and generation limits.
- Production configuration controls.
8. Data Subject Requests
FitRum will reasonably assist merchants with data subject requests relating to FitRum data, including access, deletion, correction, restriction, and portability where applicable.
Shopify privacy webhook requests are handled through FitRum's compliance workflow for the following webhook topics:
- customers/data_request
- customers/redact
- shop/redact
9. Deletion and Return
Upon uninstall, termination, or a valid deletion request, FitRum will delete or anonymize personal data according to the Privacy Policy, Shopify requirements, and applicable law. Some records may be retained where required for billing, tax, fraud prevention, dispute resolution, security, or legal compliance.
10. International Transfers
Personal data may be processed in countries where FitRum or its subprocessors operate. Where required, FitRum uses appropriate contractual or organizational safeguards for international transfers.
11. Audits and Information
Upon reasonable written request, FitRum will provide information necessary to demonstrate compliance with this DPA. Audits must be reasonable, limited to FitRum's processing for the merchant, and must not compromise the security or confidentiality of other merchants, shoppers, systems, or subprocessors.
12. Liability
Liability under this DPA is subject to the limitations and exclusions in the Terms of Service unless applicable law requires otherwise.
13. Contact
For privacy or DPA requests:
Email: [email protected]
Important: FitRum support writes only from [email protected]. Any other email or person claiming to represent FitRum support should be treated as fraudulent.