Step 1: Understand what GDPR requires for photo processing
When a shopper uploads a photo of themselves, you are processing personal data — specifically image data that may be classified as biometric data under GDPR Article 9 if it is used to 'uniquely identify a natural person.' Courts and regulators across the EU have given mixed guidance on whether virtual try-on photos cross the Article 9 biometric threshold. The conservative and safest interpretation is to treat shopper photos as special-category biometric data and obtain explicit consent before processing.
Photta's architecture does not extract biometric templates (face embeddings, body measurements, or fingerprints). The AI uses the photo purely for image compositing — it does not store or analyze identity. However, GDPR's definition is process-based, not result-based: if you process a photo from which biometric data could technically be derived, you are in the risk zone. Your legal counsel should confirm your classification. The guidance in this document is informational, not legal advice.
Step 2: Know Photta's data deletion windows
Photta operates two deletion timers by design. Shopper upload photos (the original selfie or body photo) are deleted from Photta's servers within 1 hour of upload, regardless of whether a try-on was completed. Generated try-on result images (the composited output) are deleted within 24 hours. Neither the upload nor the result is ever shared with third parties or used for AI model training. These short windows are a deliberate compliance feature, not just a storage cost decision.
Merchants do not have access to shopper photos through the Business Dashboard — by design. You can see aggregated analytics (try-on counts, conversion rates, error rates) but not the actual images. This means you do not need to build a separate data-deletion workflow for GDPR right-to-erasure requests related to try-on photos; Photta's automatic deletion covers them within 24 hours.
Step 3: Implement a consent UX before the try-on
Before the shopper uploads their photo, display a clear consent step. The widget's built-in consent screen (enabled by adding data-consent="true" to your script tag) shows a brief explainer: 'Your photo is used only to generate a try-on image and will be deleted within 1 hour.' The shopper must tick a checkbox labeled 'I consent to my photo being processed for virtual try-on' before they can proceed. This consent is logged with a timestamp in Photta's system.
If you prefer to build your own consent UI, disable the widget's built-in screen with data-consent="custom" and present your own modal before calling photta.open() from your JavaScript. Ensure your custom consent UI records the consent timestamp and purpose in your own database. GDPR requires that consent is freely given, specific, informed, and unambiguous — a pre-ticked checkbox does not qualify.
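A custom consent gate for the data-consent="custom" mode, as an added example that is not Photta's own code: it refuses a pre-ticked or unticked box, records purpose and timestamp before the photo is ever sent, and only then calls photta.open(). The function names, the /api/consent endpoint, and the #tryon-consent / #tryon-start element ids are assumptions for illustration.

```javascript
// Added example, not part of Photta's widget. Assumed names: the consent
// purpose/version strings, buildConsentRecord, openTryOnWithConsent, the
// /api/consent endpoint and the #tryon-consent / #tryon-start ids. Only
// photta.open() and the data-consent="custom" mode come from the docs.
const CONSENT_PURPOSE = 'virtual-try-on-image-generation';
const CONSENT_TEXT_VERSION = '2024-06-01'; // bump whenever the consent wording changes

// Build the record your own database keeps per consent (purpose + timestamp).
// Returns null when the consent is not valid: the shopper must have ticked
// the box, and a box rendered pre-ticked never counts as consent.
function buildConsentRecord({ shopperId, checked, preTicked, now }) {
  if (!checked || preTicked) return null;
  return {
    shopperId,
    purpose: CONSENT_PURPOSE,
    textVersion: CONSENT_TEXT_VERSION,
    consentedAt: (now || new Date()).toISOString(),
  };
}

// Gate the widget: persist the consent record, then call photta.open().
// `store.save(record)` and `photta.open()` are injected so the logic can be
// exercised without a browser.
function openTryOnWithConsent(formState, store, photta) {
  const record = buildConsentRecord(formState);
  if (!record) return { opened: false, reason: 'consent-not-given' };
  store.save(record); // persist before any photo leaves the shopper's device
  photta.open();
  return { opened: true, record };
}

// Browser wiring; skipped when this file runs outside a page.
if (typeof document !== 'undefined') {
  const box = document.getElementById('tryon-consent');
  const btn = document.getElementById('tryon-start');
  box.addEventListener('change', () => box.setCustomValidity(''));
  btn.addEventListener('click', () => {
    const result = openTryOnWithConsent(
      // input.defaultChecked is true only if the markup carried `checked`,
      // which is exactly the pre-ticked case GDPR rules out.
      { shopperId: document.body.dataset.shopperId, checked: box.checked, preTicked: box.defaultChecked },
      { save: (r) => fetch('/api/consent', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(r) }) },
      window.photta,
    );
    if (!result.opened) {
      box.setCustomValidity('Please tick the consent box to continue.');
      box.reportValidity();
    }
  });
}
```

Keep the consent text version in the record so you can prove which wording the shopper agreed to if the explainer changes later.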
Step 4: Sign a Data Processing Addendum with Photta
Under GDPR Article 28, when you engage a third-party processor (Photta) to process personal data on your behalf, you must have a written Data Processing Addendum (DPA) in place. Log in to the Photta Business Dashboard, navigate to Settings → Legal, and click 'Sign DPA.' The DPA is a standard document compliant with the EU Standard Contractual Clauses; it specifies the data categories processed, the processing purposes, Photta's sub-processors, and the deletion obligations.
The DPA is available in English. Signing is a one-click process using DocuSign. Once signed, a PDF copy is emailed to your registered address and stored in Settings → Legal for your records. If your DPA needs to name specific sub-processors used by Photta (AWS S3 for storage, KieAI for generation), those are listed in the DPA schedule. Update your own Records of Processing Activities (RoPA) document after signing to reflect Photta as a data processor.
Step 5: Update your privacy policy
Your store's privacy policy must disclose the virtual try-on processing activity. Add a section titled 'Virtual Try-On Feature' that includes: (1) what data is collected (photos uploaded by the user), (2) the purpose (generating a virtual try-on image), (3) the legal basis (explicit consent, Art. 6(1)(a) GDPR), (4) who processes the data (Photta, a third-party AI service), (5) retention period (photos deleted within 1 hour, results within 24 hours), and (6) data subject rights (right to withdraw consent at any time).
A suggested template clause: 'When you use our Virtual Try-On feature, the photo you upload is transmitted to Photta (photta.app) for the sole purpose of generating a virtual try-on image. Photta deletes your photo within 1 hour and the generated image within 24 hours. No biometric templates are stored. You may withdraw consent at any time by not using the feature; photos already uploaded cannot be retrieved after processing completes. For questions, contact privacy@[yourstore].com.' Adjust to your store's legal entity and jurisdiction.