Virtual Try-On Studio (VTS)
A service of Optimo Solutions Inc. · Effective Date: April 8, 2026 · Version 1.0
📋 Shopify App Store Compliance Notice
customers/data_request, customers/redact, shop/redact) and complies with Shopify API License and Terms of Use section 2.3.17.
1. Introduction
This Privacy Policy ("Policy") describes how Optimo Solutions Inc., operating the Virtual Try-On Studio application ("OPTIMO VTS," "we," "our," or "us"), collects, uses, stores, discloses, and protects information in connection with the OPTIMO VTS application and associated services made available through the Shopify App Store (collectively, the "Services").
OPTIMO VTS is a Shopify application that enables merchants to offer AI-powered size recommendations, fit heatmaps, virtual try-on experiences, and AI photoshoot generation to their shoppers. By installing, accessing, or using the Services, you acknowledge that you have read, understood, and agreed to this Policy.
This Policy applies to:
- Merchants — businesses that install and operate OPTIMO VTS within their Shopify stores;
- Shoppers — individual end consumers who interact with OPTIMO VTS features on Merchant storefronts; and
- Any other individuals whose personal data OPTIMO VTS processes in connection with delivering the Services.
⚠ Legal Disclaimer
2. Who We Are — Roles and Responsibilities
2.1 About Optimo Solutions Inc.
OPTIMO VTS is developed and operated by Optimo Solutions Inc. ("Optimo"), a technology company offering AI-powered retail fitting solutions to Shopify merchants globally. Contact for all privacy matters: support@vts.optimosolutions.com.
2.2 OPTIMO VTS as Data Processor (Shopper Data)
With respect to Shopper body images, body measurements, and any Shopper-provided information processed through OPTIMO VTS features on a Merchant's storefront, OPTIMO VTS acts as a data processor, processing such data exclusively to deliver the Services.
Critically: Merchants do not have access to individual Shopper body images, raw body measurements, biometric data, or any identifiable Shopper data collected through the AI Size Finder, fit heatmap, or virtual try-on features. This data is processed exclusively within OPTIMO VTS's secure, automated pipeline and is never surfaced, transmitted, or made available to Merchants in identifiable form.
The only Shopper personal data OPTIMO VTS may share with a Merchant is the Shopper's email address, and only where the Shopper has explicitly and voluntarily provided that email address and consented to its disclosure.
2.3 OPTIMO VTS as Data Controller (Merchant Data & Platform Operations)
With respect to Merchant account data, platform usage data, analytics, and data collected for OPTIMO VTS's own security, compliance, and product improvement purposes, OPTIMO VTS acts as an independent data controller.
2.4 Merchant Responsibilities
Merchants who install OPTIMO VTS act as data controllers in relation to their own customers and are solely and independently responsible for:
- Obtaining all required consents and providing all required privacy disclosures to their Shoppers under applicable laws before activating OPTIMO VTS features;
- Maintaining and publishing their own privacy policy that accurately reflects the use of OPTIMO VTS's data processing services;
- Complying with all applicable privacy, biometric, consumer protection, and data security laws in every jurisdiction where they operate;
- Promptly notifying OPTIMO VTS of any known or suspected unauthorized access to Shopper data; and
- Cooperating with OPTIMO VTS in responding to data subject rights requests involving Shopper data.
3. What Information We Collect and Why
3.1 Merchant Account and Store Data
When a Merchant installs OPTIMO VTS, we collect and process:
- Shopify store name, store URL, and store identifier;
- Merchant name and contact email address;
- Billing and payment information, processed exclusively through Shopify's Billing API (OPTIMO VTS does not directly collect or store payment card details);
- Product catalog data, product images, and size chart information, accessed via Shopify APIs;
- Store configuration settings, feature preferences, and integration settings; and
- Technical and operational logs related to OPTIMO VTS feature usage.
Legal basis: Performance of contract and legitimate interests (operating, securing, and improving the Services).
3.2 Shopper Body Images
When a Shopper uses the AI Size Finder feature, OPTIMO VTS processes up to two (2) full-body photographs submitted voluntarily through a secure, TLS 1.3-encrypted upload interface. Shopper photographs are:
- Permanently and automatically deleted within twenty-four (24) hours of upload and processing completion;
- Never retained beyond the processing window under any circumstances;
- Never sold, licensed, or transferred to any third party for independent use;
- Never shared with Merchants in any form, identifiable or otherwise;
- Never used to build advertising profiles or shared for behavioral advertising purposes; and
- Never used to train general-purpose AI models outside of the de-identified, aggregated improvement process described in Section 3.5.
3.3 Shopper Body Measurements
OPTIMO VTS's AI pipeline extracts over twenty (20) precise body measurements. All extracted measurements are:
- Stored using anonymous, non-identifying identifiers not linked to Shopper names or email addresses without explicit consent;
- Encrypted at rest using AES-256 encryption;
- Protected in transit using TLS 1.3; and
- Stored on Google Cloud infrastructure located in the United States.
3.4 Shopper Email Address (Optional, Consent-Based)
If a Shopper voluntarily provides their email address, that email address may be passed to the Merchant where the Shopper has explicitly consented, or used to contact the Shopper for optional service feedback. OPTIMO VTS does not send marketing communications to Shoppers and does not use Shopper email addresses for advertising purposes.
3.5 Aggregated and De-Identified Data for Model Improvement
By using the Services, Merchants and Shoppers acknowledge that OPTIMO VTS may use aggregated and de-identified data — including de-identified measurement data — to improve algorithms and enhance AI accuracy. Such data cannot reasonably be used to identify any individual.
3.6 Merchant Marketing Communications Data
OPTIMO VTS collects and uses Merchant contact information to send service-related communications and marketing materials. Merchants may unsubscribe at any time via the unsubscribe link in any email or by contacting support@vts.optimosolutions.com.
3.7 Website and Dashboard Analytics
OPTIMO VTS uses Google Analytics, Meta Pixel (Facebook Pixel), and Microsoft Advertising (Bing) on its own website for traffic analysis and advertising measurement. These tools are not deployed on Merchant storefronts. Each operates under its own privacy policy and terms.
4. Artificial Intelligence — Limitations, Accuracy, and Disclaimers
⚠ Important: AI Systems Can and Do Make Errors
4.1 AI Recommendations Are Estimates Only
All AI-generated outputs — including size recommendations, body measurements, fit scores, and virtual try-on renderings — are probabilistic estimates. These outputs:
- Are not guaranteed to be accurate, complete, or error-free;
- Are not suitable substitutes for professional tailoring, medical assessment, or expert fitting consultation;
- Should be treated as guidance and decision-support tools only; and
- May vary in accuracy depending on image quality, lighting, clothing worn, camera specifications, and other environmental factors.
OPTIMO VTS expressly disclaims all liability for any loss, dissatisfaction, or damages arising from reliance on AI-generated size or fit information.
4.2 Measurement Extraction Limitations
Accuracy depends on image resolution, ambient lighting, clothing worn, camera hardware, Shopper posture, and background contrast. OPTIMO VTS makes no warranty that extracted measurements will precisely match a Shopper's actual physical dimensions. Extracted measurements must not be used for any medical, clinical, therapeutic, or health assessment purpose.
4.3 Virtual Try-On and AI Photoshoot Limitations
Virtual try-on images and AI photoshoot outputs are computer-generated visual simulations. Factors such as fabric drape, texture, stretch, colour accuracy, and garment construction may differ between simulated and actual appearances. These outputs are provided for illustrative purposes only.
4.4 No Use for Critical or High-Stakes Decisions
AI-generated content must not be used as the sole or primary basis for decisions involving medical assessments, legal proceedings, insurance determinations, or any other high-stakes context.
4.5 Our AI Model
OPTIMO VTS's AI capabilities are powered by Optimo 4.0, a proprietary model developed by Optimo Solutions Inc. All processing occurs within OPTIMO VTS's controlled infrastructure. Third-party AI processing providers are contractually bound to use data only for OPTIMO VTS service delivery; no Shopper data is used by these providers for their own independent training or commercial purposes.
5. How We Share Information
OPTIMO VTS does not sell personal data. OPTIMO VTS does not share personal data for cross-context behavioral advertising. Disclosure occurs only in the following limited circumstances:
5.1 With Authorized Subprocessors
Third-party technology and infrastructure providers engaged to operate the Services are contractually bound to process data only for OPTIMO VTS service delivery purposes, required to maintain SOC 2-consistent security standards, and prohibited from independently selling or sharing any data. Primary infrastructure: Google Cloud (United States). A list of material subprocessors is available on request.
5.2 With Merchants (Shopper Email Only)
OPTIMO VTS may share a Shopper's email address with the relevant Merchant only where the Shopper has explicitly consented. No other identifiable Shopper data is ever shared with Merchants.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of substantially all assets, personal data may be transferred to the acquiring entity subject to equivalent data protection commitments. Affected Merchants will be notified.
5.4 Legal Requirements
OPTIMO VTS may disclose personal data where required by applicable law, court order, or lawful governmental request, and only to the extent strictly required. Where permitted, OPTIMO VTS will attempt to notify affected Merchants prior to disclosure.
5.5 No Biometric Data Sales
OPTIMO VTS does not sell biometric identifiers or biometric information as defined under applicable law, including BIPA (Illinois), CUBI (Texas), or equivalent statutes. Body images are deleted within 24 hours. De-identified measurement data retained beyond that window does not constitute biometric data as it cannot be used to identify an individual.
6. Shopify API Data and Mandatory Webhook Compliance
OPTIMO VTS accesses Merchant store data exclusively through Shopify's official APIs. OPTIMO VTS does not access customer order history, customer PII from Shopify customer records, or any payment card data.
OPTIMO VTS is fully subscribed to and compliant with all three Shopify mandatory privacy webhooks:
- customers/data_request — OPTIMO VTS responds to requests for data held about a merchant's customers;
- customers/redact — OPTIMO VTS permanently deletes all data relating to a specified customer upon receiving this webhook; and
- shop/redact — OPTIMO VTS permanently deletes all data relating to a Merchant's store following uninstallation and the applicable retention period.
Shopper measurement data and size recommendations are not written back to Shopify customer records or metafields. OPTIMO VTS operates as a separate data environment from the Shopify customer database.
7. Data Retention
- Shopper body images: Permanently deleted within 24 hours of processing completion, without exception.
- Shopper body measurements: Retained for up to 12 months, then automatically purged; earlier deletion is available on request, within 30 days of a verified request.
- Merchant account data: Retained for the duration of active installation; deleted automatically on uninstall, or within 72 hours of a verified deletion request.
- Aggregated / de-identified data: May be retained indefinitely for research and model improvement (no personal identifiers).
- Marketing communications data: Retained until the Merchant unsubscribes or requests deletion.
8. Security
OPTIMO VTS implements the following technical and organizational security measures:
- Encryption at rest: AES-256 for all stored personal data and body measurements;
- Encryption in transit: TLS 1.3 for all data communications;
- Infrastructure: Google Cloud (United States) with access controls and security monitoring;
- Role-based access controls: personal data access limited to authorized personnel on a need-to-know basis;
- Automated deletion workflows enforcing retention schedules without manual intervention; and
- Incident response procedures for detecting, containing, and responding to security incidents.
No method of transmission or electronic storage is completely secure. In the event of a security incident posing a material risk, OPTIMO VTS will notify affected Merchants consistent with applicable legal requirements.
9. Your Rights as a Data Subject
9.1 Universal Rights (All Regions)
- Right to Access: Request a copy of the personal data OPTIMO VTS holds about you.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
9.2 GDPR and UK GDPR (EEA and United Kingdom)
EEA/UK residents have additional rights including restriction of processing (Art. 18), data portability (Art. 20), right to object (Art. 21), and the right to lodge a complaint with a national supervisory authority (UK: ICO at www.ico.org.uk). For international transfers from the EEA/UK to the United States, OPTIMO VTS relies on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
9.3 CCPA / CPRA (California, United States)
California residents have rights to know, delete, correct, opt-out of sale or sharing, limit sensitive personal information use, and non-discrimination. OPTIMO VTS does not sell or share personal information for cross-context behavioral advertising.
9.4 PIPEDA (Canada)
Canadian residents have rights to access, correct, and withdraw consent for non-essential processing under PIPEDA and applicable provincial legislation.
9.5 Other Jurisdictions
Residents of jurisdictions including Australia (Privacy Act 1988), Singapore (PDPA), Brazil (LGPD), and others may exercise rights under applicable local law by contacting support@vts.optimosolutions.com.
9.6 Biometric Data Rights
In jurisdictions with biometric privacy legislation (including Illinois, Texas, Washington, New York, and others), Shoppers have additional rights including the right to be informed before collection, the right to refuse collection, and the right to request deletion. Merchants operating in such jurisdictions are responsible for ensuring compliance with all applicable state biometric laws.
9.7 How to Exercise Your Rights
Submit all data rights requests to: support@vts.optimosolutions.com. OPTIMO VTS will acknowledge receipt within five (5) business days and fulfill verified requests within thirty (30) calendar days. Deletion requests received via Shopify's mandatory webhooks are processed automatically.
10. Children's Privacy
OPTIMO VTS does not market its Services directly to children under the age of thirteen (13). Merchants who operate stores accessible to minors are solely responsible for complying with applicable children's privacy laws (including COPPA in the United States) and obtaining required parental consents before allowing minors to use features involving image upload or biometric data collection.
If OPTIMO VTS becomes aware that it has inadvertently collected personal data from a child under 13 without verifiable parental consent, it will take prompt steps to delete such data. Contact support@vts.optimosolutions.com immediately if you believe this has occurred.
11. Cookies and Tracking Technologies
OPTIMO VTS does not deploy cookies or tracking technologies on Merchant customer-facing storefronts. On OPTIMO VTS's own website and merchant-facing dashboard, cookies are used for session management, authentication, and the analytics and advertising measurement purposes described in Section 3.7.
Merchants are independently responsible for ensuring any cookies present on their storefronts comply with applicable cookie consent laws (including the EU ePrivacy Directive, UK PECR, and equivalent legislation).
12. Limitation of Liability and Disclaimers
⚠ AI Limitation Notice — Please Read Carefully
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, OPTIMO SOLUTIONS INC. SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF THE SERVICES OR RELIANCE ON AI-GENERATED OUTPUTS. OPTIMO VTS's TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE GREATER OF (i) FEES PAID IN THE SIX (6) MONTHS PRECEDING THE CLAIM, OR (ii) USD $100.
13. Dispute Resolution and Governing Law
Any dispute arising out of or relating to this Privacy Policy shall first be addressed through good-faith negotiation. If unresolved within thirty (30) days of written notice, the dispute shall be submitted to binding arbitration administered by a recognized arbitration body. Each party shall bear its own costs unless the arbitrator determines otherwise.
This Policy shall be governed by the laws of a jurisdiction to be determined by OPTIMO VTS in its reasonable discretion based on applicable circumstances, without regard to conflict of law principles.
Class action waiver: To the maximum extent permitted by law, you agree to resolve disputes with OPTIMO VTS on an individual basis only and waive any right to participate in any class, collective, or representative action.
14. International Data Transfers
OPTIMO VTS's infrastructure is located in the United States. By using the Services, you acknowledge that your personal data may be transferred to, stored in, and processed in the United States. For personal data transferred from the EEA, UK, or Switzerland, OPTIMO VTS endeavors to implement appropriate safeguards including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms. Contact support@vts.optimosolutions.com for current status and details.
15. Changes to This Privacy Policy
OPTIMO VTS reserves the right to update this Privacy Policy at any time. When we make material changes, we will:
- Update the "Effective Date" at the top of this Policy;
- Notify Merchants via email or in-app notification at least fourteen (14) days prior to material changes taking effect, where reasonably practicable; and
- Make the previous version of the Policy available upon request.
Continued use of the Services following the effective date of a revised Policy constitutes Merchant's acceptance of the updated terms.
16. Contact Us
Optimo Solutions Inc. — Privacy Team
Email: support@vts.optimosolutions.com
Response time: Within one (1) business day for standard inquiries; five (5) business days for complex data rights requests.
EU/UK residents may contact the relevant supervisory authority in their country of residence. California residents may contact the California Privacy Protection Agency (CPPA). Canadian residents may contact the Office of the Privacy Commissioner of Canada.
17. Image Upload Terms, User Obligations and Enforcement
By uploading any image through OPTIMO VTS features — including the AI Size Finder, virtual try-on, or AI photoshoot tools — the uploading party (whether a Shopper or a Merchant-authorized user) automatically and unconditionally accepts the obligations set out in this Section. Use of the image upload functionality constitutes express agreement to these terms without the need for any additional signature or affirmative action.
17.1 Rights and Ownership
You confirm that you own the uploaded image outright or hold a valid, unrestricted legal right to use it for the purpose of AI processing. You must not upload:
- Images in which you do not hold the intellectual property rights or a sufficient licence;
- Stock photographs or third-party licensed images that do not permit AI processing or biometric analysis; or
- Images obtained without the knowledge or consent of the subject depicted.
17.2 Third-Party Faces and Consent
You must not upload any image in which another identifiable person appears unless you have obtained that person's explicit, informed, and documented prior consent for the image to be processed by an AI system. This obligation is heightened for images that may identify children or vulnerable individuals. In February 2026, sixty-one (61) data protection authorities published a joint statement expressing concern about AI systems generating realistic images of identifiable individuals — particularly children — without their knowledge or consent. OPTIMO VTS treats this standard as a minimum floor of acceptable conduct for all users.
17.3 Prohibited Content
You must not upload, generate, or share through OPTIMO VTS any image or content that:
- Constitutes, depicts, facilitates, or promotes hate speech, harassment, abuse, or discrimination on any basis;
- Contains violence, graphic injury, or content designed to intimidate or threaten any person;
- Is sexually explicit, obscene, or pornographic in nature;
- Depicts or could be used to exploit, harm, or sexualise minors in any way;
- Impersonates any real person without their consent, or is designed to deceive, defame, or damage the reputation of any individual; or
- Violates any applicable law, regulation, or third-party right in the jurisdiction where you operate or where the depicted individual resides.
17.4 Biometric Data Acknowledgement
You acknowledge that facial images and full-body photographs constitute biometric data under applicable privacy and AI legislation. Uploading such images carries heightened legal and ethical responsibilities. You accept that facial and body images may expose individuals — including yourself — to risks associated with misuse or exploitation of personal data if mishandled. By using OPTIMO VTS's image upload features, you confirm that you understand these risks and accept them as part of your use of the Services. OPTIMO VTS's technical safeguards (deletion within 24 hours, AES-256 encryption, no sale or transfer) are designed to mitigate but cannot entirely eliminate all such risks.
17.5 Content and Model Training
As described in Section 3.5, OPTIMO VTS may use aggregated and de-identified data derived from uploaded images to improve its AI models. Original images are deleted within 24 hours and are never used in identifiable form for model training. If you do not wish your de-identified, aggregated measurement data to be used for model improvement, you may opt out by contacting support@vts.optimosolutions.com.
17.6 Automatic Acceptance and Enforcement
By submitting any image through OPTIMO VTS, you automatically accept full legal responsibility for compliance with the obligations in this Section. OPTIMO VTS reserves the right, without prior notice, to:
- Immediately suspend or terminate access to the Services for any user found to have breached these obligations;
- Permanently delete any content found to be in violation;
- Preserve and disclose relevant user identification data, usage logs, uploaded content, and associated metadata to competent law enforcement authorities, data protection regulators, or judicial bodies where required by law, pursuant to a lawful order, or where OPTIMO VTS reasonably determines that a serious breach has occurred — including breaches involving prohibited content, non-consensual biometric processing, or child safety violations; and
- Cooperate fully with any investigation by regulatory authorities, including data protection supervisory authorities, law enforcement agencies, or child protection bodies.
Where a breach involves content that is illegal, harmful to minors, or constitutes a serious violation of applicable law, OPTIMO VTS will report the breach to the relevant authorities as required by law and will share identifying information — including account data, IP addresses, device identifiers, and upload records — to the extent necessary to facilitate investigation and enforcement. OPTIMO VTS will not be liable for any consequences to the user arising from such disclosure.
17.7 Indemnification
You agree to indemnify, defend, and hold harmless Optimo Solutions Inc. and its officers, employees, agents, and subprocessors from and against any claims, liabilities, damages, penalties, fines, costs, and expenses (including reasonable legal fees) arising out of or relating to your breach of this Section, your unauthorised upload of third-party images, or any violation of applicable law in connection with your use of OPTIMO VTS image upload features.
✅ Merchant Acknowledgement
