Privacy Policy

1. Overview

This policy explains how Trion AI ("we", "us") handles personal data when merchants install our Shopify app and when shoppers use the try-on feature on a merchant's storefront. The short version: we collect the minimum needed to run the service, shopper photos are deleted within 24 hours, and we never sell data or use photos to train AI models.

2. Data we process for merchants

When you install the app we receive your store's myshopify.com domain and a Shopify API access token, which we store to operate the app. We also store your plan, monthly usage counts, widget branding colors, and records of generations (product image URL, product title, status and timestamps).

Billing is handled entirely by Shopify — we never see or store your payment details.

3. Data we process for shoppers

When a shopper uses the try-on feature, they upload a photo of themselves. The photo is transmitted over HTTPS, stored briefly in private cloud storage, sent to our AI processing providers to generate the try-on image, and the resulting image is stored so the shopper can view and save it.

Both the uploaded photo and the generated result are automatically deleted within 24 hours of creation. Access to them in the interim is via short-lived signed URLs only — they are never publicly listed.

We do not require shoppers to create accounts, we do not link photos to shopper identities, we do not use photos to train AI models, and we do not sell or share photos with anyone other than the processors listed below.

4. Our processors

We use a small number of infrastructure providers to operate the service: Supabase (database and temporary image storage), Replicate and its upstream model provider OpenAI (AI image generation), Shopify (authentication, billing and store integration), and our hosting provider (application serving).

Each processor receives only what it needs to perform its function. Images sent for AI generation are processed under the providers' API terms, which prohibit using customer API data to train models.

5. Cookies and tracking

The storefront widget does not set tracking cookies and does not fingerprint shoppers. It uses sessionStorage only to cache the merchant's widget colors for the duration of a browsing session. The merchant dashboard relies on Shopify's own session tokens for authentication.

6. Retention

Shopper photos and generated images: deleted within 24 hours, automatically.

Merchant account data and generation records: retained while the app is installed. When you uninstall, your access token is invalidated immediately and your merchant data is deleted in line with Shopify's data-removal timelines.

7. GDPR and data rights

We honor Shopify's mandatory privacy webhooks: when a shopper or merchant requests their data or its deletion through Shopify, we respond accordingly — including redacting stored records and deleting any remaining images.

Depending on where you live, you may have rights to access, correct, delete or port your personal data, and to object to or restrict certain processing. To exercise any of these rights, contact us at the address below and we will respond within the timeframes required by applicable law.

8. Security

All data is transmitted over HTTPS. Images live in private storage buckets accessible only via short-lived signed URLs. Database access is restricted to the application backend. No system is perfectly secure, but minimal collection and short retention materially limit what could ever be exposed.

9. Children

The service is not directed at children, and merchants must not permit the upload of photos of minors. If we learn that a child's photo has been uploaded, we will delete it immediately (and in any case it is deleted automatically within 24 hours).

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced via the dashboard or email. The effective date above always reflects the current version.

11. Contact

For privacy questions or data requests, contact us at nasirbaradari10@gmail.com.