Last Updated: April 1, 2026
This Data Processing Agreement (“DPA“) forms an integral part of the Terms of Service between AnyDress.ai (“Data Processor“, “we“, “us“) and the B2B Client / Merchant (“Data Controller“, “Client“, “you“).
This DPA applies to the extent that AnyDress.ai processes Personal Data on behalf of the Client in the course of providing the Virtual Try-On Service.
1. Definitions
- “Data Protection Laws” refers to all applicable privacy and data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR“) and the Cyprus Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data (Law 125(I)/2018).
- “Personal Data”, “Data Subject“, “Processing“, “Data Controller“, and “Data Processor” shall have the meanings given to them in the GDPR.
- “End-User” or “Shopper” refers to the Client’s website visitors whose Personal Data is processed via the Service.
2. Roles and Scope of Processing
2.1. Roles: The Client is the Data Controller of the Personal Data. AnyDress.ai is the Data Processor processing Personal Data on behalf of the Client.
2.2. Subject Matter: The provision of AI-powered Virtual Try-On and Virtual Photoshoot image generation via API.
2.3. Duration: For the duration of the Client’s active subscription or API usage, plus the temporary retention period outlined in Section 8.
2.4. Categories of Data Subjects: The Client’s End-Users/Shoppers, as well as any models or individuals whose images are uploaded by the Client for Virtual Photoshoots.
2.5. Types of Personal Data Processed:
- Photographs/Images (Face and/or Body) uploaded by the End-User.
- Pseudonymized User Hashes (e.g., MD5 hashes generated by the plugin to track daily usage limits).
3. Obligations of the Data Controller (Client)
3.1. Lawful Basis: The Client represents and warrants that it has a valid lawful basis (e.g., explicit consent) to collect and transmit the End-Users’ Personal Data to AnyDress.ai.
3.2. Minors: The Service may be used to process images of children’s clothing. The Client holds strict and sole responsibility for ensuring that if an End-User is a minor, valid legal consent has been obtained from the minor’s parent or legal guardian prior to uploading any images to the Service. AnyDress.ai disclaims all liability regarding the unauthorized processing of minors’ data initiated by the Client.
3.3. Transparency: The Client agrees to update its own website Privacy Policy to accurately reflect the use of a third-party Virtual Try-On processor.
4. Obligations of the Data Processor (AnyDress.ai)
4.1. Documented Instructions: We will process Personal Data only on your documented instructions (which include generating try-on and photoshoot images via the API) unless required to do otherwise by EU or Cyprus law.
4.2. Confidentiality: We ensure that persons authorized to process the Personal Data (e.g., our employees) have committed themselves to strict confidentiality.
4.3. Security Measures: We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting against unauthorized or unlawful processing, accidental loss, destruction, or damage.
4.4. NO AI TRAINING GUARANTEE: AnyDress.ai expressly guarantees that no Personal Data, including End-User face or body images, submitted by the Client will ever be used to train, retrain, fine-tune, or otherwise improve our AI models. All Personal Data is used strictly for the sole purpose of rendering the requested output for the End-User.
5. Sub-Processors
5.1. General Authorization: The Client grants AnyDress.ai general authorization to engage third-party sub-processors to fulfill its contractual obligations (e.g., cloud hosting providers, GPU rendering clusters).
5.2. Confidential Sub-Processor List: To protect our proprietary infrastructure and security, the full list of third-party sub-processors we use is kept strictly confidential. This list is only available to active B2B Clients upon written request, provided such request is made strictly for the purpose of fulfilling the Client’s data protection compliance obligations (e.g., GDPR).
5.3. Sub-Processor Obligations: We ensure that any sub-processor we engage is bound by data protection obligations at least as protective as those in this DPA. AnyDress.ai remains fully liable to the Client for the performance of the sub-processors’ obligations.
6. Data Subject Rights
Taking into account the nature of the processing, AnyDress.ai will assist the Client through appropriate technical and organizational measures, insofar as possible, to respond to End-User requests exercising their rights under the GDPR (e.g., right to deletion). Note: The AnyDress.ai WordPress plugin allows End-Users to manually delete their localized data directly via the WooCommerce “My Account” dashboard.
7. Personal Data Breaches
In the event of a confirmed Personal Data breach affecting the Client’s End-Users on our SaaS infrastructure, AnyDress.ai will notify the Client without undue delay after becoming aware of it, and provide reasonable assistance to help the Client meet its own breach notification obligations under the GDPR.
8. Deletion and Return of Data
8.1. Data Retention: Images transmitted to our API are processed entirely in server memory (RAM) and are immediately and permanently discarded the millisecond the generation process is completed. We do not store, save, or retain your uploaded models, garments, or generated images on our server storage or databases. Note: The local 7-day auto-deletion featured in the WordPress plugin applies to your own server’s database, independent of our SaaS retention policies.
8.2. Local Plugin Retention: Data stored locally on the Client’s own WordPress database is managed by the Client. By default, the plugin automatically deletes End-User mannequin data after 7 days, though the Client remains responsible for its local database compliance.
9. Governing Law
This DPA is governed by the laws of the Republic of Cyprus. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Cyprus.