Data Processing Agreement (DPA)
Last updated: January 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Principal Agreement") between TraiOn.me and the Controller (as defined below) and governs the Processing of Personal Data by TraiOn.me on behalf of the Controller.
1. Definitions
- "Applicable Data Protection Law" means all applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and similar laws.
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Supervisory Authority" have the meaning given in Applicable Data Protection Law.
- "Services" means the virtual try-on services and related infrastructure provided by TraiOn.me, including its widget, APIs, merchant dashboard, integrations and hosting.
- "Subprocessor" means any third party engaged by TraiOn.me to Process Personal Data on behalf of the Controller in connection with the Services.
- "Customer Personal Data" means Personal Data Processed by TraiOn.me on behalf of the Controller in the course of providing the Services.
2. Subject Matter, Nature, and Duration
2.1 Subject Matter
This DPA governs TraiOn.me's Processing of Customer Personal Data in connection with the provision of the Services to the Controller.
2.2 Nature and Purpose
TraiOn.me Processes Customer Personal Data for the purpose of:
- providing AI-based virtual try-on functionality;
- generating AI output images for end users;
- providing analytics and reporting to the Controller;
- ensuring security, availability, and performance of the Services;
- providing support and resolving incidents.
2.3 Categories of Data Subjects
May include, as determined by Controller:
- End users / shoppers of Controller's store(s);
- Personnel or authorized users of Controller (for admin access, billing, etc.).
2.4 Categories of Personal Data
May include:
- Identification data (e.g., name or username if provided);
- Contact data (e.g., email for transactional notifications, if collected);
- Device and technical data (IP address, browser, device identifiers);
- Photographic images of end users uploaded for try-on;
- Usage data (logs, events, preferences);
- Limited transaction metadata related to try-on sessions.
TraiOn.me does not intentionally require special categories of data.
2.5 Duration
This DPA remains in force for as long as TraiOn.me Processes Customer Personal Data on behalf of the Controller under the Principal Agreement.
3. Roles of the Parties
3.1 The Controller determines the purposes and means of Processing Customer Personal Data.
3.2 TraiOn.me acts as Processor, Processing Customer Personal Data only on documented instructions from the Controller, except where required by Applicable Data Protection Law.
4. Controller Obligations
4.1 The Controller is responsible for ensuring that:
- the Processing of Customer Personal Data is lawful;
- appropriate privacy notices are provided to Data Subjects;
- valid consents are obtained where required (e.g., for uploading photos);
- Customer Personal Data provided to TraiOn.me is accurate and up to date.
4.2 The Controller shall not instruct TraiOn.me to Process Customer Personal Data in violation of Applicable Data Protection Law. If such instructions are given, TraiOn.me may suspend Processing until such instructions are clarified or modified.
5. Processor Obligations
TraiOn.me shall:
5.1 Processing on Instructions. Process Customer Personal Data only in accordance with the Controller's documented instructions, the Principal Agreement, and this DPA, unless required to do otherwise by Applicable Data Protection Law. In such case, TraiOn.me shall inform the Controller (unless prohibited by law).
5.2 Confidentiality. Ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations (contractual or statutory).
5.3 Security. Implement appropriate technical and organizational security measures as required under Article 32 GDPR, taking into account the state of the art, costs, nature of processing, and risks. These measures include, where appropriate:
- encryption in transit (TLS/HTTPS);
- access controls and authentication;
- logging and monitoring;
- logical separation of customer environments;
- backup and resilience measures;
- content moderation to reduce abusive uploads.
5.4 Subprocessing. Only engage Subprocessors in accordance with Section 6.
5.5 Assistance. Taking into account the nature of Processing and available information, assist the Controller in ensuring compliance with obligations under Applicable Data Protection Law, including with respect to Data Subject requests, security, breach notification, data protection impact assessments, and consultations with supervisory authorities.
5.6 Records. Maintain records of Processing activities as required by Applicable Data Protection Law.
6. Subprocessors
6.1 The Controller authorizes TraiOn.me to engage Subprocessors to provide the Services (e.g., hosting providers, AI processing APIs, email providers, payment processors).
6.2 TraiOn.me shall ensure that any Subprocessor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA.
6.3 Where required by law, TraiOn.me shall provide the Controller with a current list of material Subprocessors upon request. TraiOn.me may update that list from time to time.
6.4 Where the Controller reasonably objects to a new Subprocessor on legitimate data protection grounds, the parties will discuss in good faith a commercially reasonable solution. If none is possible, Controller may terminate the affected Services with respect to which the objection was raised.
7. International Data Transfers
7.1 TraiOn.me may Process Customer Personal Data in countries outside the EEA, UK, or the Controller's jurisdiction, including through its Subprocessors.
7.2 Where required under Applicable Data Protection Law, TraiOn.me shall ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, or
- equivalent lawful transfer mechanisms.
7.3 Upon request and where required, TraiOn.me will provide details about the applicable transfer mechanism for Customer Personal Data.
8. Data Subject Requests
8.1 If TraiOn.me receives a request from a Data Subject in relation to Customer Personal Data (e.g., access, deletion, restriction, portability, objection), TraiOn.me will, where reasonably possible and legally permissible, notify the Controller without undue delay and refer the Data Subject to the Controller.
8.2 Taking into account the nature of the Processing, TraiOn.me will assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligations to respond to Data Subject requests under Applicable Data Protection Law.
9. Personal Data Breach
9.1 In the event of a Personal Data Breach affecting Customer Personal Data, TraiOn.me shall notify the Controller without undue delay after becoming aware of the breach.
9.2 Such notification will include:
- a description of the nature of the breach;
- categories and approximate number of Data Subjects and records concerned;
- likely consequences;
- measures taken or proposed to address the breach and mitigate possible adverse effects, to the extent known at the time.
9.3 TraiOn.me will cooperate with the Controller and provide reasonable assistance to meet any legal obligations relating to the Personal Data Breach, including notifications to supervisory authorities and Data Subjects, at Controller's cost where applicable.
10. Data Protection Impact Assessments & Prior Consultation
10.1 Where a data protection impact assessment (DPIA) or prior consultation with a supervisory authority is required under Applicable Data Protection Law in relation to the Services, TraiOn.me shall, upon reasonable request, provide the Controller with available information necessary to support such obligations, taking into account the nature of Processing and information available to TraiOn.me.
11. Return and Deletion of Data
11.1 Upon termination or expiry of the Principal Agreement, TraiOn.me shall, at Controller's choice (to the extent technically feasible and legally permissible):
- return Customer Personal Data to the Controller, or
- delete or anonymize Customer Personal Data, except to the extent TraiOn.me is required by law to retain certain data (e.g., billing records).
11.2 Notwithstanding the above, End User Images and AI Outputs are by default retained only for very short technical windows (normally no more than 24 hours), as specified in the Privacy Policy and Principal Agreement.
12. Audits
12.1 Upon reasonable written request and subject to reasonable confidentiality obligations, TraiOn.me shall make available to the Controller information necessary to demonstrate compliance with this DPA.
12.2 Where required by Applicable Data Protection Law, the Controller may conduct audits or inspections (including by a mutually agreed independent auditor) limited to facilities and systems relevant to the Services, provided that:
- audits are conducted during normal business hours;
- audits do not unreasonably interfere with TraiOn.me's business operations;
- audits are subject to reasonable notice and frequency limitations;
- Controller bears its own costs and any mutually agreed costs of TraiOn.me.
12.3 TraiOn.me may satisfy audit obligations by providing industry-standard certifications or audit reports (e.g., SOC 2, ISO 27001) if available, which the Controller agrees to consider as adequate evidence where appropriate.
13. Liability
13.1 The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Principal Agreement.
13.2 Nothing in this DPA shall limit a party's liability where such limitation is prohibited by Applicable Data Protection Law.
14. Precedence
14.1 In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Customer Personal Data.
15. Governing Law and Jurisdiction
15.1 This DPA shall be governed by and construed in accordance with the laws applicable to the Principal Agreement.
15.2 Any disputes arising in connection with this DPA shall be subject to the dispute resolution provisions set out in the Principal Agreement.
16. Miscellaneous
16.1 This DPA may be updated by TraiOn.me from time to time to reflect changes in Applicable Data Protection Law or processing practices. Material changes will be communicated to Controller as appropriate.
16.2 If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Signed electronically or deemed accepted when Merchant activates or continues to use the Services after this DPA is made available.