Privacy Policy
Last updated: June 2026
CatalogShoot (“we”, “us”) is operated by KOMA Software BV, registered in Belgium. This policy explains what data the CatalogShoot Shopify app processes, why, and the choices you and your shoppers have.
Roles
- For a merchant’s own account data (store details, usage, billing status), KOMA Software BV is the data controller.
- For shopper personal data processed through the storefront “Try It On” feature (uploaded photos, generated images, saved looks), the merchant’s store is the controller and CatalogShoot acts as a data processor on the merchant’s behalf, under Shopify’s Data Processing Addendum.
What we collect
From merchants (the store admin):
- Store data: product titles, descriptions, and images — used to generate on-model and virtual try-on photos
- Usage data: number of generations, plan tier, billing status
- Contact information: your email address if you contact support
From shoppers (the storefront “Try It On” feature):
- The photo a shopper uploads (“selfie”) — used solely to render the selected garment onto that shopper
- The generated try-on image produced from it
- Saved looks — for signed-in customers who choose to save a try-on, we store their saved-try-on history, linked to their Shopify customer ID
- Try-on activity records — which product was tried, a timestamp, and an automated quality verdict, shown to the merchant in their dashboard
What we don’t collect
- No shopper contact or identity details. We do not collect shoppers’ names, email addresses, phone numbers, or postal addresses. Signed-in shoppers are referenced only by their Shopify customer ID.
- No facial recognition or biometric identification. Uploaded photos are used only to render clothing onto the shopper. We do not identify or recognise individuals, match faces, or build any biometric profile or template.
- No payment details — billing is handled entirely by Shopify.
How we use your data
- To generate AI virtual try-on and on-model photos
- To run an automated quality check on each result
- To manage your subscription and enforce plan limits
- To respond to support requests
AI processing and sub-processors
To deliver the service we share the minimum necessary data with:
- Google Cloud (Vertex AI & Gemini): product images and the shopper’s uploaded photo are sent to Google’s Vertex AI to generate the try-on, and to Gemini to check the result’s quality. Google processes this data as our sub-processor under its data processing terms and does not use it to train its models.
- Google Cloud Storage: uploaded photos and generated images are stored in a Google Cloud Storage bucket (subject to the retention rules below) and served over HTTPS.
- Supabase: usage, settings, and try-on activity records are stored in a Supabase-hosted PostgreSQL database (EU region).
Data retention
- Shopper photos and results for anonymous (not signed-in) shoppers automatically expire under the storage lifecycle rule — 30 days by default, configurable by the merchant between 1 and 365 days.
- Saved looks for signed-in customers persist while the customer keeps them, and are removed when the customer deletes a saved look, when the merchant removes it, or when the customer record is redacted.
- Try-on activity records follow the same retention window as above (default 30 days).
- Merchant account and billing records are retained while the app is installed and as required by law.
When a store uninstalls, or when Shopify sends us a customer- or shop-redaction request, we delete the associated data — including the stored images — within 30 days.
Your rights
Depending on your location, you (and your shoppers) have rights under the GDPR, CCPA, and similar laws, including the right to access, correct, delete, restrict, object to, or port your personal data.
- Merchants: contact support@catalogshoot.app to exercise any of these rights.
- Shoppers: signed-in customers can delete a saved look directly in the try-on panel; you may also contact the store you shopped with, or us, to request access or deletion.
- We honour Shopify’s mandatory privacy webhooks (
customers/data_request,customers/redact,shop/redact) automatically.
We respond to verified requests within 30 days.
Data security
Data is transmitted over HTTPS, stored with access controls, and hosted in the EU (Supabase) and Google Cloud. We restrict access to personal data to what is required to operate the service.
International transfers
Where data is processed outside your region by our sub-processors (Google Cloud, Supabase), those transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses.
Children
CatalogShoot is a tool for merchants and is not directed to children. The try-on feature is intended for adult shoppers using a merchant’s store.
Changes
We may update this policy; material changes will be reflected by the “Last updated” date above.
Contact
KOMA Software BV — Belgium support@catalogshoot.app