Legal

Privacy Policy

Last updated: March 10, 2026

Drapit ("we", "our", or "us") operates the virtual try-on platform available at drapit.io and as a Shopify app. This Privacy Policy explains what data we collect, how we use it, and your rights under applicable privacy laws including the GDPR (EU) and AVG (Netherlands).

By using Drapit, you agree to the collection and use of information as described in this policy.

1. Who We Are

Drapit is operated as a sole proprietorship by Michael Maessen, based in the Netherlands. Contact: info@drapit.io.

For the purposes of GDPR, Drapit acts as a data processor on behalf of merchants (data controllers) who use our platform to provide virtual try-on functionality to their shoppers.

2. Data We Collect

2.1 Merchant data (Shopify store owners)

When you install Drapit via Shopify or sign up on drapit.io, we collect:

  • Shop domain and store name
  • Contact email address
  • Shopify access token (stored encrypted, used to communicate with your store)
  • Billing information (processed by Shopify Billing or Stripe — we do not store card details)
  • Usage data: number of try-ons per month, API key activity

2.2 Shopper data (end customers using the try-on widget)

When a shopper uses the virtual try-on widget in a merchant's store:

  • The photo uploaded by the shopper is sent to our AI processing service (Replicate)
  • The garment/product image from the store
  • The generated try-on result image

We do not store shopper photos or results beyond what is needed for processing. Images are retained only as long as necessary to deliver the result to the shopper, and are not linked to any personal identity, account, or persistent identifier.

2.3 Technical data

  • Server logs (IP addresses, request timestamps) retained for up to 30 days for security purposes
  • Cookies strictly necessary for authentication (no tracking or advertising cookies)

3. How We Use Your Data

  • To provide and operate the virtual try-on service
  • To manage your account, billing, and subscription
  • To send transactional emails (welcome, billing receipts, service updates)
  • To improve our AI model quality and service reliability
  • To comply with legal obligations (including GDPR)

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Third-Party Services

We use the following sub-processors to deliver our service:

Service  | Purpose                             | Location
Supabase | Database & file storage             | EU (Frankfurt)
Replicate | AI image processing (VTON)         | USA
Stripe   | Payment processing (direct signups) | USA / EU
Shopify  | Billing for App Store installs      | Canada / Global
Resend   | Transactional email delivery        | USA

When data is transferred to processors outside the EU (e.g. Replicate, Stripe), we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR.

5. Data Retention

  • Merchant account data: retained as long as your account is active, then deleted within 30 days of account closure
  • Shopper images: deleted immediately after the try-on result is returned (not persisted)
  • Try-on metadata (anonymized counts): retained for analytics purposes for up to 12 months
  • Billing records: retained for 7 years as required by Dutch tax law
  • Server logs: deleted after 30 days

6. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — correct inaccurate data
  • Right to erasure ("right to be forgotten") — request deletion of your data
  • Right to restriction — limit how we process your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests

To exercise any of these rights, contact us at info@drapit.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

7. Shopify Merchants — GDPR Compliance

As a Shopify app, Drapit complies with Shopify's GDPR webhook requirements. When Shopify notifies us of a customer data request or erasure request from one of your shoppers, we process those requests automatically and delete associated data within 48 hours.

When you uninstall Drapit from your Shopify store, your access token is immediately invalidated and your shop data is queued for full deletion within 48 hours, in accordance with Shopify's data deletion requirements.

8. Cookies

Drapit uses only strictly necessary cookies for authentication (session management). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

The Shopify embedded app uses Shopify's App Bridge, which may set cookies required for the embedded iframe authentication flow. These are functional cookies and cannot be disabled without breaking the app.

9. Security

We implement industry-standard security measures including HTTPS-only communication, encrypted storage of access tokens, HMAC verification on all Shopify webhooks, and row-level security on our database.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or via a notice in the Drapit dashboard. The "Last updated" date at the top of this page always reflects the most recent version.

11. Contact

Questions about this Privacy Policy? Contact us:

  • Email: info@drapit.io
  • Website: drapit.io/contact
  • Response time: within 2 business days