Privacy Policy
Last updated: May 1, 2026
This Privacy Policy describes how CartFits (“CartFits,” “we,” “us”) collects, uses, and shares information when you use our websites, applications, and related services (the “Services”). It should be read alongside our Terms of Use.
1. Who we are
The data controller for the Services is CartFits. Contact: gggsanchez@ucdavis.edu. Replace this section with your legal entity name and mailing address where required by law (for example, certain U.S. state privacy laws).
2. Information we collect
Depending on how you use the Services, we may collect or process:
| Category (illustrative) | Examples |
|---|---|
| Photos / images you provide | Selfies, garment photos, and similar uploads needed for virtual try-on or demos. Photos may depict your likeness. |
| Identifiers and session data | Session identifiers, timestamps, job or request records, and similar operational data we use to run the service. |
| Account or authentication data | If sign-in is offered, identifiers supplied by an authentication provider (for example a user id or email), as implemented in the product. |
| Usage and diagnostics | Server logs, error reports, coarse technical data (for example IP address, user agent, request metadata) through our hosting provider, and similar data used for security and reliability. |
| Locally stored preferences | Your browser may store simple preferences (such as whether you accepted our terms) when needed for the app to work. |
We do not use uploaded photos to train or improve third-party foundation models unless we expressly say so in a separate notice and obtain any consent required by law. Today, photos are used to provide the try-on feature you request.
3. How we use information
We use information to:
- Provide, operate, and maintain the Services (including generating try-on outputs).
- Authenticate users and enforce limits or eligibility, if applicable.
- Maintain security, detect abuse, debug, and improve reliability.
- Comply with law and respond to lawful requests.
- Communicate with you about the Services, if you contact us or we send service messages.
4. How we share information
We share information with service providers (“subprocessors”) that process data on our behalf under contractual obligations. We may also share information if required by law, or to protect rights, safety, and security.
We do not sell your personal information as that term is commonly defined in U.S. state privacy laws, and we do not share personal information for cross-context behavioral advertising unless we update this Policy and offer any legally required choices.
5. Service providers
We use vendors to host our applications, store data, run databases, and process images through third-party cloud and machine-learning infrastructure. They act as our service providers under contracts that require appropriate security and confidentiality.
For security reasons we do not publish a public list of vendor or product names on this page. We may provide subprocessor information to customers, partners, or regulators where contract or law requires it, and may share a confidential list upon a verified request sent to gggsanchez@ucdavis.edu.
6. Retention
We keep personal information only as long as needed to provide the Services, plus a short additional period for reliability, abuse prevention, backups, and legal compliance. Try-on inputs and generated outputs are not kept indefinitely; typical horizons are on the order of days, not months, unless law or security requires otherwise.
Deletion is not always immediate across every system or backup, and we may retain certain logs or records where required or reasonably necessary. If you need help with deletion, contact gggsanchez@ucdavis.edu and we will use reasonable efforts within the scope of our systems.
7. Security
We use commercially reasonable technical and organizational measures designed to protect information. No method of transmission or storage is completely secure.
8. Children
The Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have, contact us and we will take appropriate steps.
9. U.S. state privacy rights (including California)
Depending on where you live, you may have rights to know, access, delete, correct, or limit certain processing of personal information, and to appeal our decisions. You may also have the right to opt out of certain disclosures if we ever engage in activities that qualify as “sale” or “sharing” under state law.
To exercise rights, contact gggsanchez@ucdavis.edu. We will verify requests as required by law. You may designate an authorized agent where applicable. We will not discriminate against you for exercising rights.
If you are required to offer additional methods (for example a toll-free number) under CPRA, add them here after counsel review.
10. International users
If you access the Services from outside the United States, you understand that information may be processed in the United States and other countries where our providers operate, which may have different data protection rules.
11. Integrations on merchant websites
If a retailer or partner (a “merchant”) embeds CartFits into its own site or application, both CartFits and the merchant may collect information from end users. End users should read both this Policy and the merchant’s privacy notice.
12. Shopper accounts and the embedded widget
The CartFits widget may invite shoppers on a merchant's site to create a CartFits account after their first try-on. When a shopper creates an account, we store:
- Their email address (from the authentication provider) and a CartFits-issued account identifier.
- A wardrobeof the shopper's saved try-on results, retained by default for up to 18 months. Each item can be deleted individually from cartfits.com/me at any time.
- Email preferences (e.g. opt-in to abandoned-fit reminders and new-drop announcements). The shopper can change preferences any time at cartfits.com/me/settings and unsubscribe from any marketing email via a one-click footer link.
We send shoppers transactional emails (sign-in, account changes, deletion confirmations) and — only if the shopper opts in — re-engagement emails such as “your fit is waiting” and new-drop announcements. We cap marketing email at three messages per shopper per week, total, across every merchant site.
Aggregate, de-identified try-on metrics (e.g. “item X was tried 12 times this week”) may be shared with the merchant whose site generated the try-on, but a single shopper's identity is not shared with merchants without their explicit, separate consent.
A shopper can permanently delete their CartFits account at cartfits.com/me/settings or by emailing gggsanchez@ucdavis.edu. After deletion: every active session is revoked, the wardrobe and email preferences are removed, and historical try-on rows are detached from the shopper (kept only as anonymous aggregates for the merchant's analytics).
13. Changes
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the latest version as of May 1, 2026. Material changes may require additional notice under applicable law.
14. Contact
Privacy questions or requests: gggsanchez@ucdavis.edu