Legal

Privacy policy

Last updated · 2026-05-29

This policy describes what data Railory (operated by Synetra Systems LLC, “we”, “us”) processes when a Shopify merchant installs our app and when their customers (“visitors”) interact with the Railory storefront widget. Railory is designed to collect the minimum data needed to do its job.

1. Who this applies to

Merchants — Shopify store owners who install Railory.
Visitors — shoppers using a merchant's storefront where the Railory widget is installed.

2. What data we process

Category	Source	Retention
Merchant store metadata (shopify_domain, plan tier, install date)	Shopify OAuth + billing webhooks	Until uninstall (then purged via shop/redact webhook, 48 hr SLA)
Merchant product catalog (titles, descriptions, prices, images, tags) and AI embeddings of that catalog	Shopify Admin API on sync	Same as above
Visitor prompt text (e.g., “casual outfit for brunch”) and the resulting outfit selection	The visitor types it	Indefinite, attached to an anonymous per-request UUID — no personal identifier
Try-on result images	Generated by AI image model from a model image and product images	90 days; then pruned by daily cron
Visitor IP address	Inbound request header	Used only for rate-limiting; rows older than 24 hours are deleted nightly

What we do NOT collect

Visitor names, emails, addresses, or order data
Visitor uploaded photos for try-on are processed entirely in memory and never written to disk or storage
Cookies for tracking or advertising
Any data from stores that haven't installed Railory

3. How we use the data

To run the outfit recommendation pipeline (retrieval-augmented generation against your catalog)
To render virtual try-on images
To enforce plan limits and protect against automated abuse
To show the merchant their own usage history in the admin dashboard
To bill the merchant via Shopify Billing

We do not sell, rent, or share merchant or visitor data with third parties for marketing purposes. Ever.

4. Subprocessors

We use a small set of infrastructure providers to operate the service. Each is bound by their own privacy and security commitments.

Provider	Purpose	Data processed
Shopify	App platform, billing	All OAuth and billing data
Vercel (USA)	App hosting	Request logs, app code
Supabase (USA/EU)	Database, file storage, edge functions	Catalog, embeddings, sessions, try-on renders
OpenAI	Embeddings + stylist LLM	Catalog text (sent at sync time), visitor prompt text (sent per request)
Google (Gemini API)	Try-on image generation	Model image + product images (per try-on request)

OpenAI and Google process inputs to return results. Per their API terms, neither uses inputs from API customers to train their models.

5. GDPR & CCPA — your rights

Visitors and merchants can:

Request access to data we hold about you
Request deletion of your data
Request correction if any record is inaccurate

Merchants can trigger deletion of all their store data simply by uninstalling Railory from their Shopify admin. We honor Shopify's mandatory shop/redact webhook, which fires 48 hours after uninstall — at that point all merchant data is purged from our systems (cascading to products, sessions, outfits, try-on events).

Visitors can email mujtabajavaid@synetrasystems.com to request data action. Because visitor data is anonymous (no email or name stored), we'll ask for the merchant store URL and the approximate timestamp of the interaction to locate the relevant records.

6. Data security

All traffic is HTTPS-encrypted in transit (TLS 1.2+)
Database and file storage are encrypted at rest by Supabase
API access from the storefront is gated by per-store shared secrets and per-IP rate limits
Multi-tenant isolation is enforced at the database query level — one merchant can never read another merchant's data
Row-level security is enabled on every database table; service-role credentials are stored as environment secrets, never committed to source

7. International transfers

Our infrastructure is hosted in the United States and (for Supabase) potentially the European Union. If you access Railory from outside these regions, your data will be transferred to and processed in those jurisdictions, subject to the safeguards required by applicable law.

8. Changes to this policy

We'll update this page when our practices change. Material changes will be announced via the merchant admin dashboard. The “Last updated” date at the top reflects the most recent revision.

9. Contact

Privacy & data inquiries

Synetra Systems LLC

mujtabajavaid@synetrasystems.com