Privacy & GDPR Policy
This Privacy & GDPR Policy (the "Policy") describes how Window Shopper, LLC ("Window Shopper", "we", "us") processes personal data in connection with our retail window try-on platform (the "Service"). This Policy is designed to comply with the European Union's General Data Protection Regulation ("GDPR") and similar laws in other jurisdictions.
1. Who We Are & Our Roles Under GDPR
Window Shopper, LLC is a software company that provides AI try-on technology to retailers. Under GDPR:
- For the Service operated in a retailer's store, the retailer is the data controller. Window Shopper acts as a data processor on the retailer's behalf and processes personal data only according to the retailer's documented instructions (as set out in the Service agreement).
- For our own website, sales, and administrative activities (for example, when a retailer representative submits their email via our "Request a pilot" form), Window Shopper is the data controller.
2. What Personal Data We Process
2.1 Website visitors
- Business contact details you submit (email, and any other information you provide);
- Technical data your browser sends (IP address, user-agent, approximate location derived from IP);
- Aggregated interaction data (pages viewed, link clicks), limited to what is necessary to operate the website and captured via our own first-party log pipeline (see our Cookie notice).
2.2 Retailer staff using the Service
- Account details: name, business email, role, assigned stores;
- Authentication data: hashed magic-link tokens, login timestamps, device pairing records;
- Activity logs: store sessions opened and closed, products added or removed, display pairings performed.
2.3 Passersby in front of an in-store display
See the next section.
3. In-Store Camera Processing
When a Window Shopper display is installed in a retail window, its camera observes the public area in front of the display to detect whether a passerby is looking at the screen and wishes to engage with it. We have designed this process to minimize privacy impact:
- On-device detection. The attention-detection model runs entirely on the local device. No continuous video stream is sent to our servers or to any third party.
- Single-frame capture, on consent. A frame is captured only when a passerby has visibly engaged with the display (for example, by stepping onto a marked area). The frame is transmitted over an encrypted channel to our generative AI processing providers solely to produce the try-on composite.
- No facial-recognition database. We do not use facial biometrics to identify or re-identify individuals. We do not build or query any database of faces.
- Ephemeral processing. The captured frame is deleted within a short processing window (typically under 60 seconds) after the composite is rendered. The generated composite is displayed briefly on the retail screen and is then deleted or stored only in anonymized, aggregated form for analytics.
- Physical signage. The retailer is contractually obliged to display prominent, legally compliant signage at every installation informing passersby that an AI camera is in use, how their image is processed, and how to exercise their rights.
- Opt-out. Every display provides an on-screen "No thanks" control that ends the interaction and prevents further capture of the opting-out individual for at least five minutes.
Notwithstanding the above, a captured image of a person may constitute personal data under GDPR. The retailer, as controller, is responsible for establishing and communicating the lawful basis under which this processing occurs in their premises.
4. Purposes and Legal Bases
- To provide the Service (rendering composites, authenticating staff, operating the displays). Legal basis: performance of a contract (Art. 6(1)(b) GDPR) with the retailer; for passersby, legitimate interests of the retailer in offering an interactive experience (Art. 6(1)(f) GDPR), subject to a balancing test and clear signage.
- To communicate with retailer representatives who request a pilot or otherwise contact us. Legal basis: our legitimate interests in responding to inquiries (Art. 6(1)(f) GDPR) or, where applicable, the pre-contractual steps taken at your request (Art. 6(1)(b) GDPR).
- To improve the Service using anonymized, aggregated analytics. Legal basis: our legitimate interests in improving our product (Art. 6(1)(f) GDPR), balanced against privacy impact through aggregation and anonymization.
- To comply with legal obligations. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
- To defend our legal rights. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR).
5. Retention
- Raw captured frames from in-store cameras: deleted within the processing window required to render the composite (typically under 60 seconds).
- Generated composites on screen: displayed for no more than a few minutes, then deleted.
- Interaction analytics: stored in anonymized, aggregated form for up to 24 months.
- Retailer staff account data and audit logs: retained for the duration of the retailer's subscription and for up to 24 months thereafter, unless a longer period is required by law.
- Sales inquiry emails: retained for up to 24 months from last contact, unless you ask us to delete them earlier.
6. Sharing With Third Parties
We share personal data only with:
- AI sub-processors who render the try-on composites and animations (including Google and xAI) under contractual data-protection obligations. Captured frames are transmitted to these providers only for the purpose of rendering and are not used to train their general-purpose models;
- Hosting and infrastructure providers (including Railway and its underlying cloud providers) that operate the servers running the Service under contractual data-protection obligations;
- Professional advisers (lawyers, accountants, auditors) when required to provide advice;
- Regulators and law enforcement when legally required;
- Acquirers or successors in the event of a merger, acquisition, or reorganization, with continuity of this Policy.
We maintain an up-to-date list of sub-processors, available on request to the retailer's administrative contact.
7. International Transfers
Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards under GDPR Chapter V, including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary technical and organizational measures. A copy of the relevant transfer mechanism is available on request.
8. Your Rights Under GDPR
If EU/EEA data-protection law applies to the processing of your personal data, you have the right to:
- Access your personal data and request a copy;
- Rectify inaccurate or incomplete personal data;
- Erase your personal data ("right to be forgotten");
- Restrict processing in certain circumstances;
- Object to processing based on legitimate interests;
- Data portability for data you provided under contract or consent;
- Withdraw consent at any time, where processing is based on consent;
- Lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence, workplace, or the place of the alleged infringement.
For passersby whose image is captured at a retailer's premises, requests to exercise these rights should generally be made to the retailer (the controller). We will assist the retailer in fulfilling such requests. If you are unable to reach the retailer, please contact us at the email address below.
We will respond to legitimate requests within one month, with a possible extension of two additional months for complex requests, and without undue delay.
9. Security
We implement appropriate technical and organizational measures to protect personal data, including: TLS encryption in transit, encryption at rest for databases, bearer-token authentication on administrative endpoints, role-based access controls, audit logging, employee confidentiality obligations, least-privilege access, and periodic review of our security practices. No transmission or storage system is guaranteed 100% secure; in the event of a breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify affected controllers and, where legally required, supervisory authorities and data subjects, without undue delay and in accordance with GDPR Articles 33 and 34.
10. Children
The Service is not directed to children under the age of 16. The attention scanner does not target children, and the retailer is contractually obliged to avoid installations where predominantly minors would be the subject of image capture. If we become aware that personal data of a child under 16 has been collected without appropriate consent, we will delete it promptly.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by updating the "Effective" date at the top of this page and, for retailer administrators, by email. Continued use of the Service after the Effective date constitutes acceptance of the revised Policy.