Data Security and Privacy Policy
Effective as of February 2024
Introduction
Welcome to onefit.ai. This Data Security and Privacy Policy outlines our commitment to protecting the personal information and privacy of our users and merchants. By using our services, you trust us with your information, and we are dedicated to safeguarding it in compliance with applicable privacy laws including GDPR, CCPA, and Shopify's protected customer data requirements.
Data Controller
Hin Man Technology Ltd is the entity responsible for the processing of your personal data collected through onefit.ai.
Data Minimization Principle
We process only the minimum personal data required to provide our shoe sizing and fitting services to merchants and their customers. We continuously review our data collection practices to ensure we collect only what is necessary for our stated purposes.
Information We Collect
We collect the following types of information:
Customer Data (collected through merchant stores):
- Foot scan images: Digital images of feet for size analysis and fitting recommendations
- Foot measurements: Length, width, and other dimensional data derived from scans
- Size preferences: Historical shoe size information and fit preferences
- Basic profile information: When provided by customers through merchant stores
- Health conditions: Optional information about foot-related health conditions that may affect shoe fitting
- Usage analytics: How customers interact with our sizing tools on merchant websites
Merchant Data:
- Business information: Store details, contact information, and account settings
- Product data: Shoe inventory information necessary for size recommendations
- Integration settings: Configuration data for our services on merchant websites
Technical Data:
- Device information: Browser type and device specifications, used to deliver the service correctly on your device
- Performance data: Service response times and error logs for system optimization
Purpose of Data Collection and Processing
We process personal data only for the following specific, legitimate purposes:
Core Service Delivery:
- To provide accurate shoe size recommendations based on foot measurements
- To maintain and improve our AI-powered fitting technology
- To enable customers to make informed purchasing decisions
- To reduce shoe returns through better fit predictions
Customer Support:
- To respond to customer inquiries and technical issues
- To provide assistance with our sizing tools
Service Improvement:
- To enhance our machine learning algorithms for better size predictions
- To develop new features that improve the customer experience
- To analyze usage patterns to optimize service performance
Legal and Security:
- To comply with legal obligations and protect against fraudulent activities
- To maintain the security and integrity of our systems
We do not use personal data for any purposes beyond those stated above without explicit consent.
Customer Consent and Control
We respect and honor customer consent decisions as follows:
Consent Collection:
- We collect explicit consent for data processing where required by applicable laws
- Consent is collected through clear, unambiguous opt-in mechanisms on merchant websites
- We provide granular consent options for different types of data processing (analytics, marketing, preferences)
Consent Management:
- Customers can withdraw consent at any time through merchant websites or by contacting us directly
- We respect Global Privacy Control (GPC) signals where applicable
- Consent decisions are applied consistently across all our services and integrations
Opt-Out Rights:
- Customers have the right to opt out of data sharing for marketing or advertising purposes
- Customers can opt out of data sale or sharing with third parties under applicable privacy laws (such as CCPA)
- We provide clear mechanisms for customers to exercise these opt-out rights
- Opt-out decisions are processed within 30 days and applied to future data processing
Automated Decision-Making and Your Rights
Our AI-powered shoe sizing technology involves automated processing that may significantly impact purchase decisions:
Automated Processing:
- We use machine learning algorithms to analyze foot measurements and predict optimal shoe sizes
- These automated decisions directly influence product recommendations and purchase guidance
- The automated processing is designed to provide personalized fitting recommendations
Your Right to Opt-Out:
- You have the right to opt out of automated decision-making for shoe size recommendations
- When you opt out, size recommendations will be provided through alternative, non-automated methods
- You can exercise this right by contacting your merchant or us directly
- Manual processing may result in less personalized recommendations but ensures human oversight
Data Retention
We apply strict retention policies to ensure personal data is not kept longer than necessary:
Retention Periods:
- Foot scan images: Retained for 24 months after last use to improve our algorithms, then automatically deleted
- Customer preferences and measurements: Retained for 36 months to maintain personalization, then archived or anonymized
- Analytics data: Aggregated and anonymized after 12 months, with individual identifiers removed
- Technical logs: Retained for 6 months for security and performance monitoring
- Customer support records: Retained for 24 months after case closure
Automatic Deletion:
- We implement automated systems to delete personal data according to our retention schedule
- Data subjects can request earlier deletion of their personal data (see "Your Rights" section)
- We conduct regular audits to ensure compliance with our retention policies
Data Security and Encryption
Hin Man Technology Ltd implements comprehensive security measures meeting Level 2 protected customer data requirements:
Encryption:
- Data at rest: All personal data is encrypted using AES-256 encryption standards
- Data in transit: All data transmissions use TLS 1.3 or higher encryption protocols
- Data backups: All backup systems use end-to-end encryption and are stored securely
- Key management: We use industry-standard key management systems with regular key rotation
Access Controls and Staff Security:
- Limited access: Staff access to protected customer data is restricted on a need-to-know basis
- Strong authentication: We require multi-factor authentication for all staff accounts accessing customer data
- Password policies: Staff accounts must use strong passwords with minimum complexity requirements
- Access logging: We maintain comprehensive logs of all access to protected customer data
- Regular audits: Access logs are reviewed quarterly and audited annually
Environment Separation:
- Production isolation: Live customer data is strictly separated from development and testing environments
- Test data: We use synthetic or anonymized data for development and testing purposes
- Secure development: All development follows secure coding practices and regular security reviews
Data Loss Prevention:
- Technical controls: We implement DLP systems to prevent unauthorized data extraction
- Policy framework: Clear data handling policies govern staff behavior regarding customer data
- Monitoring systems: Continuous monitoring detects and alerts on unusual data access patterns
- Incident response: We maintain a comprehensive security incident response plan
Data Sharing and Disclosure
We do not sell, trade, or rent personal identification information to third parties. Our data sharing practices are limited to the following:
Permitted Sharing:
- Service providers: With vetted third-party processors who assist in delivering our services under strict data processing agreements
- Legal compliance: When required by law or to protect our rights and safety
- Merchant partners: Only the data necessary for merchants to provide customer service and fulfill orders
- Aggregated data: Non-personal, anonymized analytics may be shared with business partners for industry insights
Data Protection Agreements:
We maintain formal data protection agreements with all merchants and service providers that:
- Define the scope and purposes of data processing
- Establish clear roles and responsibilities for data protection
- Include specific security requirements and compliance obligations
- Provide for regular audits and compliance monitoring
- Include procedures for data breach notification and response
Your Rights
You have comprehensive rights regarding your personal data:
Access Rights:
- Right to know what personal data we collect and how it is used
- Right to access a copy of your personal data in a portable format
- Right to receive information about data sharing and processing activities
Control Rights:
- Right to correct or update inaccurate personal data
- Right to delete your personal data (subject to legal retention requirements)
- Right to restrict or limit how we process your personal data
- Right to withdraw consent for data processing at any time
Portability Rights:
- Right to receive your personal data in a structured, commonly used format
- Right to transmit your data to another service provider where technically feasible
Objection Rights:
- Right to object to processing based on legitimate interests
- Right to opt out of automated decision-making and profiling
- Right to opt out of direct marketing communications
- Right to opt out of data sale or sharing under applicable privacy laws
How to Exercise Your Rights:
To exercise any of these rights, please contact us using the information provided in the "Contact Us" section. We will respond to valid requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
International Data Transfers
When we transfer personal data outside the European Economic Area (EEA) or other jurisdictions with data protection laws:
- We ensure adequate protection through approved transfer mechanisms
- We use Standard Contractual Clauses (SCCs) or other approved safeguards
- We conduct regular assessments of data protection in destination countries
- We implement additional security measures where necessary
Compliance and Governance
Privacy Officer:
We have designated privacy and data protection personnel to oversee compliance with privacy laws and internal policies.
Regular Audits:
We conduct regular privacy impact assessments and compliance audits to ensure our practices meet evolving legal requirements.
Staff Training:
All staff receive regular training on data protection requirements and our privacy policies.
Security Incident Response
We maintain a comprehensive incident response plan that includes:
- Detection: Continuous monitoring systems to identify potential security incidents
- Assessment: Rapid evaluation of incident scope and impact on personal data
- Containment: Immediate steps to limit the scope of any data breach
- Notification: Timely notification to relevant authorities and affected individuals as required by law
- Recovery: Systematic restoration of services and implementation of additional safeguards
- Review: Post-incident analysis to improve our security measures and prevent future incidents
Data subjects and merchants will be notified of any security incidents affecting their personal data within 72 hours of discovery, where required by applicable law.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page with an updated effective date
- Sending email notifications to registered users for significant changes
- Providing prominent notice on merchant dashboards where applicable
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or need to report a security concern, please contact us:
Data Protection Contact:
- Email: support@onefit.ai
- Address: Hin Man Technology Ltd, 207 Old Street, London, EC1V 9NR, United Kingdom
For Merchants:
- Email: support@onefit.ai
- Merchant dashboard support portal
We are committed to addressing your privacy concerns promptly and thoroughly.
By using our Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.