Data Processing Agreement (DPA)
Last updated: 20 April 2026.
This Agreement forms part of the Terms of Service and governs how Wearlo processes personal data on behalf of the Customer, in accordance with Article 28 GDPR.
1. Parties
Controller — the Customer (online store, brand, e-commerce platform) using the Wearlo Service. The Customer determines the purposes and means of processing shopper data, including collecting consent for AI try-on.
Processor — Ailo sp. z o.o. (operating under the Wearlo brand), with its registered office at Parkowe Wzgórze 100, 32-031 Mogilany, Poland, Tax ID (NIP) 6762430848. Acts only on documented instructions from the Controller.
2. Subject matter and duration
The subject matter is the processing of Customer shoppers' personal data (in particular photos of their face and body) for the purpose of generating photorealistic virtual try-ons of garments sold by the Customer.
This Agreement applies for the duration of the Terms of Service between Wearlo and the Customer.
3. Nature and purpose of processing
- Nature: automated image processing using AI models (generative AI).
- Purpose: generating a visualisation of the product on the shopper, returning the result to the shopper's browser, storing the result in the Customer's admin panel.
4. Categories of data and data subjects
| Category of data subjects | Category of personal data |
|---|---|
| Shoppers visiting the Customer's store | Selfie photo, generation result, hashed IP address, session ID, try-on timestamp |
| Customer staff using the admin panel | Name, email, login logs (IP hashed) |
5. Controller obligations
- Establish a lawful basis for processing — in particular obtain shopper consent to use their likeness in AI and inform them of the processing.
- Document processing instructions.
- Not upload data whose processing would be unlawful.
6. Wearlo obligations as Processor
- Process personal data only in accordance with documented Controller instructions (these Terms and the admin panel configuration).
- Ensure that persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational measures to ensure data security (see section 8).
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability).
- Notify the Controller of a personal data breach within 24 hours of detection.
- Delete or return all personal data after the Service ends (Controller's choice), subject to legal retention requirements.
- Make available to the Controller information needed to demonstrate compliance with Article 28 GDPR and allow audits (section 10).
7. Sub-processors
The Controller grants general authorisation for Wearlo to use the sub-processors listed below. Wearlo will notify the Controller of any change (addition or replacement) at least 14 days in advance. The Controller may object — in which case the parties agree on next steps, including possible termination of this Agreement.
| Sub-processor | Role | Location |
|---|---|---|
| Kie.ai | AI model provider (nano-banana-2) | Global — transfers under SCCs |
| Amazon Web Services (AWS) | File hosting (S3) | Germany (eu-central-1) |
| Railway Corp. | Application and database hosting | EU |
| Functional Software, Inc. (Sentry) | Error monitoring | EU — Sentry.io EU data region |
8. Security measures
- Encryption at rest (AWS S3 SSE-S3) and in transit (TLS 1.2+).
- IP hashing with a per-store salt — raw IPs are never logged.
- Role-based access control (RBAC) with MFA for the Wearlo team.
- Pseudonymisation in diagnostic logs.
- Automatic deletion of files and records after 90 days (configurable down to 24 hours by the Controller).
- At least annual application security testing.
- Security incident response procedure with a 24h SLA.
9. Transfers outside the EEA
Shopper data is transferred to the AI model hosted by sub-processor Kie.ai, which may process it outside the European Economic Area. Transfers then rely on the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
Other data (hosting, logs) is stored in EU regions.
10. Audits
The Controller may conduct audits no more than once per year, with 30 days' prior notice. Audits take place during business hours, in a way that does not disrupt the Service, by an independent auditor bound by confidentiality. Audit costs are borne by the Controller, except where the audit reveals material breach by Wearlo.
Where sufficient, Wearlo will provide certification reports (e.g. ISO 27001, SOC 2) or a detailed security questionnaire in lieu of an on-site audit.
11. Return or deletion of data
After the Service ends — at the Controller's option — Wearlo returns all personal data within 30 days or deletes it, along with all existing copies, unless longer retention is legally required (e.g. invoices — 5 years).
12. Liability
Wearlo's liability under this Agreement is limited as set out in the Terms of Service, except where limitation is not permitted under mandatory law.
13. Changes and contact
Material changes to this DPA are communicated 30 days in advance. Contact: [email protected].