Privacy Policy
Effective date: May 5, 2026
1. Who we are
OnFitt (“we”, “us”, or “our”) operates the website onfitt.com and provides a virtual try-on API service for fashion brands. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.
If you have questions about this policy, contact us at hello@getonfitt.com.
2. Information we collect
Information you provide directly:
- Account information: name, brand name, email address, phone number, website URL
- Payment information: processed securely by our payment provider; we do not store card details
- Communications: emails or messages you send us
Information collected automatically:
- Usage data: pages visited, time on site, clicks, and navigation patterns via Google Analytics
- Device information: browser type, operating system, screen resolution
- IP address and approximate location (country/region level)
- UTM parameters and referral sources to understand how you found us
- API usage metrics: number of try-on requests, timestamps, response times
End-user image data (via the API):
When shoppers use the virtual try-on widget on merchant storefronts, photos submitted for try-on processing are used solely to generate the try-on result. Images are processed transiently and are not stored beyond the duration needed to return the result (typically under 60 seconds). We do not use shopper images for training, profiling, or any secondary purpose.
3. How we use your information
- To create and manage your account and API access
- To process try-on requests and return results via the API
- To send transactional emails (account confirmation, API key delivery, usage alerts)
- To monitor and improve service performance and reliability
- To detect and prevent fraud, abuse, or violations of our Terms of Service
- To analyse aggregate usage trends and improve our product
- To comply with legal obligations
We do not sell your personal information to third parties. We do not use your data for advertising targeting on other platforms.
4. Legal bases for processing (GDPR)
If you are located in the European Economic Area (EEA), we process your data under the following legal bases:
- Contract performance: processing necessary to provide the API service you signed up for
- Legitimate interests: analytics, fraud prevention, security, and product improvement
- Consent: where you have explicitly opted in (e.g. marketing emails)
- Legal obligation: where required by applicable law
5. Cookies and analytics
We use Google Analytics 4 to understand how visitors interact with our website. Google Analytics uses cookies to collect anonymised usage data including page views, session duration, traffic sources, and device information.
You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on or by disabling cookies in your browser settings.
We use Firebase (Google) for authentication and database services. Firebase may collect device and usage telemetry as described in Google's privacy policy.
6. Data sharing and third parties
We share data only with the following categories of third parties, under strict data processing agreements:
- Google Firebase: authentication, database, and analytics infrastructure
- Google Analytics: website usage analytics
- Resend: transactional email delivery
- Vercel: website and API hosting infrastructure
- AI inference providers: image processing to generate try-on results (images are not retained)
We may disclose information if required by law, court order, or to protect the rights, property, or safety of OnFitt, our customers, or others.
7. Data retention
We retain account data for as long as your account is active and for up to 2 years after account closure, unless a longer period is required by law.
API usage logs are retained for up to 12 months for billing verification and support purposes.
Shopper try-on images are deleted within 60 seconds of the result being returned and are never written to persistent storage.
8. Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your account and associated data
- Portability: receive your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Restriction: request we limit processing of your data
To exercise any of these rights, email us at hello@getonfitt.com. We will respond within 30 days.
California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information (we do not sell personal information).
9. Data security
We implement industry-standard security measures including TLS encryption in transit, encrypted storage at rest, Firebase Authentication for access control, and API key authentication for all API endpoints.
No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at hello@getonfitt.com.
10. International transfers
Our infrastructure is primarily hosted in the United States (Vercel, Google Firebase). If you are accessing our services from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) for transfers from the EEA to the US where applicable.
11. Children's privacy
Our services are not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at hello@getonfitt.com and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users by email of material changes. Continued use of the service after changes constitutes acceptance of the updated policy. The effective date at the top of this page reflects when the policy was last updated.
Questions about this policy? hello@getonfitt.com