Privacy Policy
Effective Date: 03 July 2025
Last Updated: 03 July 2025
1. Who We Are
This Privacy Policy explains how OnTry ("we", "us", "our") collects, uses, discloses, and protects your personal data when you use the OnTry mobile application and related services (the "App"). We act as the data controller under the EU General Data Protection Regulation ("GDPR") unless stated otherwise.
If you have questions, email [email protected] or write to the address above. If required, you may also contact our Data Protection Officer at [email protected].
2. Personal Data We Collect
Category | Purpose | Examples | Source |
---|---|---|---|
Account Data | Create & manage your account | Name, email, password (hash), gender, birthday, country | You / Sign-In provider |
Authentication Tokens | Single-sign-on (Apple/Google) | OAuth or Sign-In-With-Apple tokens, user IDs | Apple Inc., Google LLC |
Subscription & Billing | Manage Free / Premium plans | Plan type, purchase receipts, transaction IDs, renewal status | RevenueCat, Apple App Store, Google Play |
Images & AI Outputs | Provide virtual try-on | Photos you upload, generated try-on images, cropping metadata | You |
Usage & Device Data | Operate, secure & improve the App | IP address, device model, OS, app version, language, event logs, crash reports | Device; PostHog analytics SDK |
Support Records | Customer service | Chat transcripts, emails | You |
Optional Marketing Data | Send news & offers (opt-in) | Preferences, push-notification token | You |
We do not require or knowingly collect "special categories" of personal data (e.g., health data) beyond what you voluntarily provide in photos.
3. How We Use Your Data
Legal Basis (GDPR) | Key Uses |
---|---|
Contract (Art. 6 (1)(b)) | • Account creation & authentication • Deliver try-on credits • Process subscriptions & payments |
Legitimate Interest (Art. 6 (1)(f)) | • Prevent fraud & abuse • Debug and improve the App • Aggregate statistics |
Consent (Art. 6 (1)(a)) | • Optional marketing emails/push notifications • Use of cookies/analytics where required • Retaining your uploaded images beyond active use |
Legal Obligation (Art. 6 (1)(c)) | • Tax and accounting records • Responding to lawful requests |
You may withdraw consent at any time in the App settings or by contacting us (see Section 11).
4. Sharing & Disclosure
Recipient / Service | Purpose | Safeguards |
---|---|---|
RevenueCat, Inc. | Subscription validation & entitlements | SCCs / DPF for EU–US transfers |
Apple App Store / Google Play | Payments, refunds, fraud prevention | Their privacy policies |
Hetzner Online GmbH (Germany) | Hosting of servers & storage | Data centers ISO 27001 / located in EU |
PostHog, Inc. | In-app analytics & event logging | EU data-hosting option / SCCs |
Customer-support tools (if used) | Ticketing, live chat | SCCs / EU servers |
Professional advisers | Accounting, legal, auditing | Confidentiality obligations |
Authorities & courts | Compliance with legal process | Only if required by law |
Corporate successors | Merger, acquisition, or asset sale | Data subject notification if practicable |
We never sell your personal data or share it with third parties for their own direct-marketing purposes.
5. International Data Transfers
Some partners (e.g., RevenueCat, PostHog) are based outside the European Economic Area. When we transfer personal data internationally, we rely on at least one of:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Additional technical and organisational safeguards (encryption in transit and at rest, restricted access)
You may request a copy of the SCCs via [email protected].
6. Data Retention
Data Type | Retention Rule |
---|---|
Account data | While your account is active and for up to 24 months after deletion (legal defence + fraud prevention) |
Subscription & billing records | 10 years (statutory bookkeeping) |
Uploaded images & try-on outputs | Deleted automatically 30 days after upload or immediately when you remove them in the App |
Analytics & log data | 14 months (unless aggregated/anonymised sooner) |
Support communications | 3 years after ticket closure |
We may anonymise data for statistical purposes; anonymised data is not subject to retention limits.
7. Security Measures
We implement industry-standard safeguards, including:
- End-to-end TLS encryption
- Encryption at rest (AES-256) on Hetzner volumes
- Role-based access controls and audit logging
- Automatic security updates and penetration testing
Photo processing is performed on isolated GPU instances; images are not used to train our models without explicit consent.
No system can be 100% secure. We continuously monitor and improve our defences.
8. Your Rights (GDPR Articles 15–22)
You can exercise these rights free of charge:
Right | What it Means |
---|---|
Access | Obtain a copy of your personal data we hold |
Rectification | Correct inaccurate or incomplete data |
Erasure | Request deletion ("right to be forgotten") |
Restriction | Ask us to limit processing in certain cases |
Portability | Receive data in a machine-readable format |
Objection | Object to processing based on legitimate interests |
Withdraw Consent | Stop any processing based on your consent |
Complaint | Lodge a complaint with your local supervisory authority (e.g., Der Berliner Beauftragte für Datenschutz und Informationsfreiheit) |
Submit requests via the in-app privacy menu or email [email protected]. We may verify your identity before responding.
9. Children's Privacy
The App is not directed to children under 16. We do not knowingly process their data without verifiable parental consent. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Links & Third-Party Content
The App displays third-party products for virtual try-on. When you follow a link to purchase, you interact directly with that retailer under their own privacy policy. We do not control third-party sites and disclaim responsibility for their practices.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect. Continued use of the App after the effective date constitutes acceptance.
12. Contact
OnTry – Privacy Team
Email: [email protected]
If you feel we have not resolved your concern satisfactorily, you have the right to lodge a complaint with your supervisory authority or seek a judicial remedy.
We recommend that you save or print a copy of this Privacy Policy for your records.