Privacy Policy
Last updated: May 2026
1. Who we are
Trylo ("Trylo", "we", "us", "our") provides a virtual try-on widget service for clothing e-commerce merchants. This policy explains what data we collect, why, and how we protect it.
For questions, contact us at privacy@trylo.ai.
2. Data we collect
Merchant accounts. When you sign up, we collect your email address and a hashed password. We also store your usage counts, plan information, and embed configuration.
Visitor try-ons. When a visitor uses the try-on widget on your store, their photo is transmitted over HTTPS to our AI provider solely for the purpose of generating a result image. We do not store, log, or retain visitor photos. The generated result image URL is stored temporarily in the visitor's own browser session storage and cleared when they close the tab.
Usage logs. We record aggregated try-on counts per merchant per day for billing and quota enforcement. No personal data about the end visitor is captured in these logs.
Analytics and cookies. We may use privacy-respecting analytics (without fingerprinting or cross-site tracking) to understand how our dashboard and landing page are used.
3. How we use your data
We use merchant account data to provide, operate, and improve the Trylo service - including billing, authentication, quota management, and customer support. We do not sell your data to third parties.
4. Third-party processors
AI provider. Visitor photos are transmitted to our AI inference provider for processing. The provider processes the image to produce a result and does not retain the photo beyond the scope of the API request, per our data processing agreement.
Paddle. Payments are processed by Paddle, our Merchant of Record. Paddle collects and stores payment and billing information directly; we do not receive or store full card numbers. Paddle's privacy policy governs their data practices.
Infrastructure. Our application runs on Railway. Data is stored in a PostgreSQL database hosted within their infrastructure.
5. Data retention
Merchant account data is retained for the duration of your subscription plus 90 days after cancellation, after which it is permanently deleted on request.
Try-on usage logs (aggregated, no personal visitor data) are retained for up to 24 months for billing verification.
6. Security
All data is transmitted over HTTPS. Passwords are hashed using bcrypt and never stored in plain text. We apply rate limiting and access controls to our APIs. No system is perfectly secure - if you discover a vulnerability, please disclose it responsibly to security@trylo.ai.
7. Your rights (GDPR / CCPA)
If you are in the EU, EEA, UK, or California, you have the right to access, correct, or delete your personal data; to object to or restrict processing; and to data portability. To exercise any of these rights, email privacy@trylo.ai. We will respond within 30 days.
8. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to active merchants. Continued use of the service after the effective date constitutes acceptance of the updated policy.