Legal

Privacy Policy

Last updated: May 1, 2026

This policy explains what information roopafy collects when you use our service to turn smartphone photos into AI-generated fashion listings, how we use that information, and the choices you have. Plain language, no surprises.

1. Introduction

roopafy (“we”, “us”, “our”) helps small fashion sellers generate professional product listings from a single smartphone photo. This Privacy Policy covers our website, web app, and the publishing connections we make to platforms like Shopify on your behalf.

By creating a roopafy account or using our service, you agree to the practices described here. If you do not agree, please do not use the service.

2. Information we collect

We collect only what we need to run the service and deliver your listings.

Account information

  • Your name and email address
  • A hashed password (we never store your password in plain text), or a Google account identifier if you sign in with Google
  • Your subscription tier and credit balance

Content you upload

  • Garment photos you upload for processing
  • Optional reference images and notes you provide for AI models, brand voice, or photo set templates

Content we generate for you

  • AI-generated model photos and studio shots produced from your uploads
  • AI-generated titles, descriptions, and tags
  • The prompts and metadata used to produce them, so we can support, debug, and let you regenerate variants

Connected store data

  • Your Shopify store domain and an OAuth access token, encrypted at the application layer, used only when you publish or update listings
  • Status of products we have published on your behalf

Usage data

  • Generation history, credit usage, and error events — used to improve the product and to investigate issues you report
  • Standard server logs (IP address, user agent, timestamps) retained for security and debugging

Billing information

  • Payments are processed by Lemon Squeezy, our Merchant of Record. We do not see or store your payment card numbers.
  • We receive your billing email, country, the plan you purchased, and an opaque transaction reference from Lemon Squeezy.

3. How we use your information

  • Generate listings on your behalf. Your uploaded photos and prompts are sent to AI providers (see Section 4) to produce model photos, descriptions, and tags.
  • Publish to your connected stores. When you ask us to, we use your stored OAuth token to create or update products on your Shopify store.
  • Send transactional emails. Account verification, billing receipts, generation completion notifications, and important account alerts — sent via Resend.
  • Improve product quality. We review aggregated, anonymized usage to find rough edges and decide what to build next. We do not sell your data.
  • Keep the service safe. Detect abuse, prevent fraud, and meet our legal obligations.

4. AI processing of your photos

This section is important enough to call out separately.

When you generate a listing, your uploaded photos and the prompts we construct from your inputs are sent to our AI providers for processing:

  • Anthropic — Claude models, used for text generation and image analysis
  • Google AI — Gemini and Imagen models, used for text and image generation
  • Replicate — image generation models

We do not use your photos to train AI models. Our agreements with these providers reflect the same: your content is processed to produce your output, not to train their models.

Generated images are stored on Cloudinary, our content delivery network. You can delete uploaded photos and generated outputs at any time from your account.

5. Third-party service providers

We rely on a small number of trusted subprocessors to operate roopafy. Each one only receives the data it needs for the role it plays.

ProviderPurpose
MongoDB AtlasPrimary database (account, product, generation records)
CloudinaryImage storage and content delivery network
AnthropicAI text generation and image analysis (Claude)
Google AIAI text and image generation (Gemini, Imagen)
ReplicateAI image generation
Lemon SqueezyPayments and Merchant of Record
ResendTransactional email delivery
ShopifyPublishing target — only when you connect your store
Google Cloud PlatformApplication hosting (Cloud Run, Memorystore)

6. Data retention

  • Account, product, and generation records are kept while your account is active.
  • If you delete your account, we delete or anonymize your personal data within 30 days, except where we are required to keep records for legal, tax, or fraud-prevention reasons.
  • OAuth tokens for connected stores can be revoked at any time from your Shopify admin or by disconnecting the integration in roopafy. Revoked tokens are deleted promptly.
  • Standard server logs are retained for up to 90 days.

7. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information
  • Request deletion of your data
  • Receive a copy of your data in a portable format
  • Withdraw consent for processing (note: this may end your ability to use parts of the service)
  • Object to processing or restrict it in certain cases

To exercise any of these rights, email hello@roopafy.com. We will respond within 30 days.

8. Security

  • All traffic between your browser and roopafy is encrypted in transit using TLS.
  • Data at rest in MongoDB Atlas is encrypted using industry-standard AES-256.
  • OAuth access tokens for connected stores are encrypted at the application layer before they are stored.
  • Access to production systems is limited to the engineering team and audited.

No system is perfectly secure. If you discover a vulnerability, please report it to hello@roopafy.com — we appreciate responsible disclosure.

9. Cookies

roopafy uses a minimal set of first-party cookies, used only to keep you signed in and to remember your preferences within the app. We do not use third-party advertising cookies, tracking pixels, or cross-site analytics that follow you around the web.

Most browsers let you block or delete cookies. Doing so will sign you out of roopafy.

10. Children

roopafy is not intended for users under 13 years of age, and we do not knowingly collect information from children. If you believe a child has provided us information, please contact us and we will delete it.

11. International transfers

roopafy is operated from servers in the United States (Google Cloud Platform, us-central1 region). Our subprocessors may process data in other regions where they operate. By using the service, you consent to your data being transferred to and processed in these regions, which may have different data protection laws than your own.

12. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. For material changes, we will notify registered users by email at least 14 days before the change takes effect.

13. Contact us

Questions about this policy or your data? Email hello@roopafy.com and we will get back to you.

↑ Back to top