Legal

Privacy Policy

Effective date: July 3, 2026

1. Who we are

OnFitt (“we”, “us”, or “our”) operates the website getonfitt.com and provides a virtual try-on API service for fashion brands and e-commerce merchants. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or use our services.

Questions about this policy? Contact us at hello@getonfitt.com.

2. Information we collect

Information you provide directly (B2B customers):

  • Account information: name, brand name, email address, phone number, website URL
  • Payment information: processed and stored securely by Stripe. We do not store card numbers, CVVs, or bank details
  • Communications: emails or messages you send us

Information collected automatically:

  • Usage data: pages visited, time on site, clicks, and navigation patterns
  • Device information: browser type, operating system, screen resolution
  • IP address and approximate location (country/region level)
  • UTM parameters and referral sources
  • API usage metrics: request counts, timestamps, response outcomes (no image content)

Shopper image data (via the try-on API):

When shoppers use the virtual try-on widget on a merchant's storefront, photos submitted for try-on processing are handled as follows:

  • Standard try-on (desktop upload): Person photos uploaded directly in the browser are transmitted in-memory over encrypted HTTPS connections to Google Gemini for processing. They are not written to any OnFitt database, disk, or persistent storage at any point.
  • QR phone upload:When a shopper scans the QR code and uploads a photo from their phone, the photo is temporarily stored in encrypted cloud storage (Vercel Blob) for a maximum of 5 minutes while the desktop session retrieves it. The photo is deleted automatically as soon as it is transferred to the shopper's desktop session. It is never retained beyond that transfer.
  • Output (result) images are not stored by OnFitt.The AI-generated try-on result is returned directly to the shopper's device and is never written to OnFitt servers or cloud storage. If the shopper chooses to share their result, the image is shared directly from their device.
  • We do not use shopper images for training AI models, profiling, advertising, or any purpose other than returning the try-on result to the shopper.

3. Third-party AI processing (Google Gemini)

The virtual try-on feature is powered by Google Gemini, a third-party AI image generation service operated by Google LLC. When a try-on request is made, input images are transmitted to Google Gemini's API for processing.

Google Gemini processes these images under its own Privacy Policy and Terms of Service. OnFitt does not control how Google Gemini stores, processes, or retains data on its infrastructure. We are not responsible for Google's data handling practices. You can review Google's privacy practices at policies.google.com/privacy.

By deploying the OnFitt widget on your storefront, you (the merchant) agree that shopper image data will be transmitted to Google Gemini for AI processing. It is your responsibility to disclose this to your shoppers and obtain any required consents under applicable law.

4. How we use your information

  • To create and manage your account and API access
  • To process try-on requests and return results via the API
  • To send transactional emails (account confirmation, API key delivery, usage alerts, billing notices)
  • To monitor and improve service performance and reliability
  • To detect and prevent fraud, abuse, or violations of our Terms of Service
  • To analyse aggregate usage trends and improve our product
  • To comply with legal obligations

We do not sell your personal information to third parties. We do not use your data for advertising targeting on other platforms.

5. Legal bases for processing (GDPR)

If you are located in the European Economic Area (EEA), we process your data under the following legal bases:

  • Contract performance: processing necessary to provide the API service you signed up for
  • Legitimate interests: analytics, fraud prevention, security, and product improvement
  • Consent: where you have explicitly opted in (e.g. marketing emails)
  • Legal obligation: where required by applicable law

With respect to shopper data processed via the API, OnFitt acts as a data processoron behalf of the merchant (who is the data controller). Merchants are responsible for establishing a lawful basis for processing their shoppers' personal data.

6. Cookies and analytics

We use analytics tools to understand how visitors interact with our website. These may use cookies to collect anonymised usage data including page views, session duration, traffic sources, and device information.

You can opt out of analytics tracking by disabling cookies in your browser settings or using a browser-level opt-out mechanism.

We use Firebase (Google) for authentication and database services. Firebase may collect device and usage telemetry as described in Google's privacy policy.

7. Data sharing and third parties

We share data only with the following categories of service providers, under data processing agreements where applicable:

  • Google Gemini: AI image processing to generate try-on results. Input images are transmitted to Gemini and are not retained by OnFitt. Google's Privacy Policy governs Gemini's processing.
  • Google Firebase: authentication, database, and server-side analytics infrastructure
  • Vercel: website and API hosting
  • Stripe: payment processing and subscription management
  • Resend: transactional email delivery

We may disclose information if required by law, court order, or to protect the rights, property, or safety of OnFitt, our customers, or others.

8. Data retention

We retain account data for as long as your account is active and for up to 2 years after account closure, unless a longer period is required by law.

API usage logs (request counts, timestamps, outcomes) are retained for up to 12 months for billing verification and support purposes. No image content is included in these logs.

Shopper photos uploaded via the standard desktop flow are never written to OnFitt persistent storage and are discarded immediately after the try-on result is returned.

Shopper photos uploaded via the QR phone upload flow are stored in temporary encrypted cloud storage for a maximum of 5 minutes and are deleted automatically once transferred to the desktop session, or when the session expires, whichever comes first.

Try-on result images are never stored by OnFitt. The generated result is returned directly to the shopper's device and discarded immediately after delivery.

9. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion of your account and associated data
  • Portability: receive your data in a machine-readable format
  • Objection: object to processing based on legitimate interests
  • Restriction: request we limit processing of your data

To exercise any of these rights, email us at hello@getonfitt.com. We will respond within 30 days.

California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information (we do not sell personal information).

Note: because shopper input images are never stored by OnFitt, we cannot fulfil access or deletion requests for image data that was never retained. For concerns about Google Gemini's data practices, please contact Google directly.

10. Data security

We implement industry-standard security measures including TLS encryption in transit, encrypted storage at rest, Firebase Authentication for access control, and API key authentication for all API endpoints.

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at hello@getonfitt.com.

11. International transfers

Our infrastructure is primarily hosted in the United States (Vercel, Google Firebase, Google Gemini). If you are accessing our services from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) for transfers from the EEA to the US where applicable.

12. Children's privacy

Our services are not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at hello@getonfitt.com and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users by email of material changes. Continued use of the service after changes constitutes acceptance of the updated policy. The effective date at the top of this page reflects when the policy was last updated.

Questions about this policy? hello@getonfitt.com