Legal
Privacy Policy
Last updated: April 28, 2026
Vircab ("Vircab", "we", "us", "our") is operated by arkhe with registered address at Tekstilkent Koza Plaza A Blok Kat:1 No:1, 34235 Esenler, Istanbul, Türkiye. We provide an AI virtual try-on service for Shopify merchants.
This Privacy Policy explains how we collect, use, store, and protect personal data when you (a merchant) install our Shopify app, when an end customer of yours uses the try-on widget on your storefront, or when you visit vircab.com. It covers your rights under the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Anti-Spam Legislation (CASL), and Türkiye's Kişisel Verilerin Korunması Kanunu (KVKK).
1. Data Controller
For merchants and website visitors, Vircab acts as the data controller. For end-customer photo data uploaded through the try-on widget, Vircab acts as a data processor on behalf of the merchant who installed the app; the merchant is the data controller of their own customers.
Contact our team for any privacy matter at info@vircab.com.
2. Information We Collect
Merchants (Shopify app users)
- Shopify shop domain, email, and store metadata
- Product catalog data (title, images, variants)
- Subscription and billing status (via Shopify Billing)
- Usage analytics: try-ons rendered, errors, latency
End customers (try-on widget users)
- Photos uploaded by the customer to render a virtual try-on
- IP address and user agent (for abuse detection and rate-limiting)
- Try-on result image generated by our AI engine
Website visitors (vircab.com)
- IP address, browser type, referrer, and pages viewed
- Cookies for essential site functionality and consented analytics
- Form submissions (e.g., demo request, support email — only if you contact us)
3. How We Use Your Information
- Provide, operate, and improve the Vircab service
- Render virtual try-on images for end customers
- Process payments and manage subscriptions via Shopify
- Detect, investigate, and prevent abuse, fraud, or security incidents
- Comply with legal obligations and respond to lawful requests
- Communicate service updates, security alerts, and support responses
We do not use customer photos to train AI models, sell personal data, or share with advertisers.
4. Lawful Basis (GDPR / UK GDPR)
We process personal data on the following legal bases:
- Contract — to deliver the service to merchants and to render try-ons requested by their customers
- Legitimate interests — abuse prevention, fraud detection, infrastructure security, and product analytics
- Legal obligation — tax, accounting, and compliance with regulators
- Consent — for non-essential cookies and any marketing communications you opt into
5. Photo Data — Special Handling
Customer photos uploaded through the try-on widget are the most sensitive data we handle. We treat them with extra care:
- Photos are processed in-memory or on encrypted ephemeral storage and are never used to train AI models
- Photos are only retained as long as needed to deliver the try-on result and are scheduled for deletion afterward
- If a merchant uninstalls our Shopify app, all customer photo data tied to that shop is removed via Shopify's shop/redact webhook within 48 hours, per Shopify policy
- If a customer requests deletion, the merchant can trigger Shopify's customers/redact webhook and we will delete that customer's photo data
- Photos are not shared with third parties beyond the AI rendering infrastructure that produces the try-on result
6. Cookies and Tracking
We use essential cookies for session, security, and language. With your consent, we may use analytics cookies to understand how merchants use vircab.com and improve the product. You can review and change your choices at any time via the cookie banner or by clearing site data.
See our Cookie information section below for details.
7. Data Sharing and Sub-processors
We do not sell personal data. We share data only with vetted sub-processors who help us operate the service. Current sub-processors include:
- Hetzner (Germany) — primary infrastructure hosting
- Shopify (Canada) — billing, app distribution, merchant authentication
- Cloudflare (USA) — DNS and content delivery
- Google Workspace (USA) — email and document collaboration
- AI rendering infrastructure provider — confidential third party that processes photo data only for the duration of the render
All sub-processors are bound by data processing agreements with GDPR-equivalent safeguards.
8. International Transfers
Data may be transferred outside the EEA, UK, Canada, or Türkiye for processing. Where this happens, we rely on Standard Contractual Clauses (EU SCCs / UK IDTA) or other approved transfer mechanisms to ensure equivalent protection.
9. Data Retention
- Customer photos: retained only as long as necessary to render and deliver the try-on result, then deleted
- Try-on results: stored short-term so customers can revisit; subject to merchant subscription state and Shopify redact webhooks
- Merchant account data: retained while the app is installed and for up to 12 months after uninstall for legal and accounting purposes
- Website analytics: aggregated and retained for up to 14 months
- Support emails: retained for up to 24 months
10. Your Rights
GDPR / UK GDPR (EU and UK residents)
- Access, rectify, or erase your personal data
- Restrict or object to processing based on legitimate interests
- Data portability (receive your data in a structured format)
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority (e.g., CNIL, ICO, BfDI)
CCPA / CPRA (California residents)
- Right to know what personal information we collect and how we use it
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information — we do not sell or share for cross-context behavioral advertising
- Right to non-discrimination for exercising your rights
PIPEDA / CASL (Canada residents)
- Access to your personal information held by us and the right to correct it
- Withdraw consent for any non-essential processing or marketing communications
- All commercial electronic messages we send include a clear identification of the sender, our address, and a one-click unsubscribe per CASL
- File a complaint with the Office of the Privacy Commissioner of Canada
KVKK (Türkiye residents)
Personal data subjects resident in Türkiye have, under Article 11 of the KVKK, the rights to access, rectify, and erase their data, to restrict processing, to object to automated decisions, and to data portability. Requests can be submitted in writing to info@vircab.com.
To exercise any of these rights, email info@vircab.com. We respond within 30 days (or sooner where required by law). We may need to verify your identity before fulfilling requests.
11. Security
We implement industry-standard safeguards: encryption in transit (TLS), encrypted storage at rest, audit logging, isolated network boundaries, and least-privilege access controls. Our infrastructure runs on production-grade Kubernetes with regular security reviews. No system is perfectly secure, but we work hard to protect your data.
12. Children's Privacy
Vircab is built for B2B (merchants) and adult e-commerce shoppers. We do not knowingly collect data from children under 16 (EU/UK) or under 13 (US/Canada). If you believe a child's data has been provided to us, contact us immediately and we will delete it.
13. Cold Outreach and Marketing Emails
When we send commercial emails to potential merchant customers, we comply with CAN-SPAM (US), CASL (Canada), and GDPR (EU). Every email includes:
- Clear identification of the sender (Vircab / arkhe)
- Our physical postal address
- A working one-click unsubscribe link
- A truthful subject line that matches the email content
Our lawful basis for B2B prospect outreach is legitimate interest (GDPR Art. 6(1)(f)). You can opt out at any time and we will stop within 10 business days (often immediately).
14. Changes to this Policy
We may update this Privacy Policy. Material changes will be announced via the app dashboard or email at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the current version.
15. Contact
For privacy questions, complaints, or rights requests:
- Email: info@vircab.com
- Postal address: Tekstilkent Koza Plaza A Blok Kat:1 No:1, 34235 Esenler, Istanbul, Türkiye
- Operator: arkhe