Ayyna - Scale Your Catalogue With Infinite Visual Assets

1. Overview and scope

Ayyna ("Ayyna", "we", "our" or "us") operates a cloud-based AI virtual try-on platform and associated website (collectively, the "Services"). This Privacy Policy explains how Ayyna collects, uses, stores, discloses, and protects personal data in connection with our global operations. The Policy applies to: (a) visitors to our website; (b) business customers (retailers) who register for or integrate our platform; and (c) end-user content (such as customer-provided images) that retailers supply to our Services. Because we operate internationally, this Policy describes how we meet the requirements of multiple legal frameworks, including the Indian Digital Personal Data Protection Act (DPDP Act), the European Union General Data Protection Regulation (GDPR), and U.S. state privacy laws such as the California Consumer Privacy Act and its amendments (CCPA/CPRA). Where a specific law imposes particular obligations, we explain those obligations and how you can exercise rights under that law.

2. Controller and processor roles; contractual commitments

Ayyna's legal role depends on the type of processing. With respect to visitors to our website and with certain account information we collect directly to manage our business relationships, Ayyna typically acts as the data controller and determines the purposes and means of processing. In the typical B2B service relationship, Ayyna acts as a data processor on behalf of the retailer (the retailer being the controller) with respect to images, product catalogs, and customer data that the retailer uploads for virtual try-on. For clarity, all customers who upload or transmit end-user content to Ayyna must ensure they have the necessary rights, consents, and lawful basis to transfer such data to Ayyna for processing. Our customer agreements include a Data Processing Addendum (DPA) that sets out the processing details, security measures, sub-processors, and instructions, and those DPAs are available to customers on request or presented as part of our onboarding process.

3. Categories of personal data and processing purposes

We process a range of information to provide and improve our Services. When you contact us via the website we collect contact details and message content to respond. We automatically collect technical telemetry (for example, IP address, device and browser characteristics, pages visited, and session duration) to maintain our site, analyze usage, and detect abuse. For registered retailers, we process account and billing information, product catalogues, API usage logs, and other business metadata needed to deliver the Services, implement billing, and provide support. Retailers may also upload customer images and related metadata for virtual try-on — these images are processed for the explicit purpose of generating the requested visualizations and for related operational, troubleshooting, and billing purposes. We do not use retailer customer images for unrelated marketing, nor do we disclose them to third parties except as necessary to provide the Services or as required by law, unless the retailer has explicitly instructed otherwise in writing.

4. Lawful bases and legal grounds for processing (GDPR emphasis)

For individuals in the European Economic Area and the United Kingdom, the GDPR requires that every processing activity have a lawful basis. Ayyna relies on several lawful bases depending on the processing: (a) performance of a contract when processing is necessary to deliver our Services to registered customers (account setup, billing, etc.); (b) legal obligation when we must retain or disclose data to comply with applicable law; (c) legitimate interests when we process technical telemetry, detect and prevent fraud, improve the platform, and perform network security (we balance those interests against individual rights and freedoms); and (d) consent where required for specific uses, such as optional marketing communications or certain cookies. Where consent is relied upon, that consent may be withdrawn at any time without affecting prior lawful processing. For visitors and data subjects outside the EU, we apply compatible legal bases under local laws such as the DPDP Act and CCPA/CPRA as applicable.

5. Data subject rights and how to exercise them

Subject to applicable law and identity verification requirements, individuals may exercise a number of rights. Under GDPR these include the right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing (including profiling), and the right not to be subject to a decision based solely on automated processing where applicable. Under the DPDP Act and comparable laws in other jurisdictions, individuals likewise have rights of access, correction, deletion, and to withdraw consent. Under CCPA/CPRA, California residents have the right to request categories of personal data collected, request deletion of personal data (with some exceptions), and opt out of the sale or sharing of personal data; we do not sell personal data as defined by CCPA, but we maintain a mechanism to respond to opt-out requests if business practices change. Requests to exercise rights can be submitted by contacting us at hi@ayyna.cc. We will verify the identity of the requester and respond within the timelines required by the applicable law (for example, GDPR generally requires responses to access requests within one month; CCPA/CPRA allows a statutory response window as well). Where requests are manifestly unfounded or excessive, we may refuse or charge a reasonable fee in accordance with applicable law.

6. Cookies, tracking and marketing communications

We use cookies and similar technologies to operate our website, to analyze and improve performance, and to personalize user experience. For EU residents, where cookies are not strictly necessary for the operation of the site we obtain explicit consent and provide a cookie control mechanism. Marketing messages are sent only to those who have consented (where required) or where there is a legitimate interest and an appropriate lawful basis; recipients may opt out of marketing at any time by following the unsubscribe link in communications or by contacting hi@ayyna.cc.

7. Cross-border transfers and safeguards

Because Ayyna is a cloud-based global service, personal data may be transferred to, stored in, and processed in jurisdictions outside the country where the data subject resides. For transfers from the EU/EEA/UK to third countries, Ayyna will rely on appropriate safeguards such as European Commission standard contractual clauses (SCCs), adequacy decisions, or Binding Corporate Rules where applicable. For transfers to or from India, the U.S., and other jurisdictions, Ayyna maintains contractual safeguards and operational protections designed to preserve an equivalent standard of protection. Customers requiring specific transfer mechanisms (for example, different SCCs, location-restricted processing, or on-premise options) should raise these requirements during contracting so we can include them in the DPA.

8. Security, retention, and data minimization

Ayyna employs industry-standard technical and organizational measures to protect data, including encryption in transit and at rest, access controls, logging, vulnerability management, and regular security testing. We limit retention to what is necessary to satisfy the purpose for which data was collected, to meet contractual and legal obligations, and to resolve disputes. Operational retention periods vary by category (for example, short retention for transient customer images used in on-demand visualizations versus longer retention for billing records required for accounting). Specific retention schedules are documented in our DPA or available on request.

9. Incident response and breach notification

Ayyna maintains an incident response plan and will investigate any security event promptly. For incidents involving personal data, we will comply with applicable notification obligations; under the GDPR this includes notifying the relevant supervisory authority of a notifiable breach without undue delay and, where required, within 72 hours of becoming aware of it. We will also notify affected data subjects when the breach is likely to result in a high risk to their rights and freedoms. For incidents in other jurisdictions, we will follow the relevant statutory timelines and cooperate with regulators and affected parties as required.

10. Children and sensitive categories of data

Our Services are expressly designed for business customers and are not intended for the collection of personal data from children. We do not knowingly solicit or accept images or personal data from persons under the legal age in their jurisdiction. We generally do not ask for, or process, special categories of sensitive personal data (such as health data, racial or ethnic origin, or political opinions) except where explicitly required and lawfully permitted; such requests will be subject to stricter controls and explicit consent mechanisms where required by law.

11. AI, automated outputs and accuracy disclaimers

Ayyna's platform uses artificial intelligence and computer vision to generate photorealistic visualizations. These outputs are produced algorithmically and may not be perfect; actual product appearance may vary. Ayyna provides the generated content as a tool for retailers and does not assume liability for retailer use of the images, including compliance with consumer protection, advertising, or intellectual property laws. Retailers remain responsible for ensuring they have rights and consents for any content they upload and for compliance with all applicable legal and regulatory requirements when presenting generated images to end users.

12. Customer responsibilities and contractual protections

Because Ayyna provides a B2B platform, many aspects of compliance are contractual. Our customer agreements require retailers to warrant they have obtained necessary consents for any end-user data they upload and to comply with applicable notice and consent obligations. Each customer agreement includes data processing terms that reflect the responsibilities of the controller (customer) and processor (Ayyna), details about permitted sub-processors, and technical and organizational measures. We require sub-processors to adhere to equivalent confidentiality and security obligations.

13. CCPA/CPRA specific notice and opt-out

California residents may request information about the categories of personal data we collect and disclose, request deletion of their personal data (subject to legal exceptions), and opt out of the sale or sharing of personal data. Ayyna does not sell personal data as defined by California law. To submit a request under CCPA/CPRA or to learn more about your rights under California law, please contact us at hi@ayyna.cc and follow the verification process we implement to protect privacy and security.

14. Data Protection Officer and EU representative

To facilitate regulatory communication and data subject requests, Ayyna has designated a privacy lead responsible for global data protection matters; customers and data subjects may direct privacy questions to hi@ayyna.cc. Where required by law (for example, under GDPR if applicable thresholds are met), we will appoint a Data Protection Officer or an EU/UK representative and will provide those contact details upon request and in the DPA.

15. Changes and updates to this Policy

We will revise this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. Material changes that affect data subject rights or the ways we use personal data will be communicated by posting a prominent notice on our website and/or by direct communication to registered accounts where appropriate. Continued use of our Services after changes have been posted constitutes acceptance of the revised Policy.

16. How to contact us and supervisory authorities

If you have questions about this policy, wish to exercise your rights, or seek additional information, please contact us at hi@ayyna.cc. If you are located in the EU or EEA and remain dissatisfied after contacting us, you are entitled to lodge a complaint with the relevant data protection authority in your member state. For California residents, unresolved disputes may be directed to the California Attorney General's office or through the mechanisms provided under CCPA/CPRA.

17. Legal disclaimer and counsel review recommendation

This Policy represents Ayyna's current privacy commitments and operational practices. It is intended to be a comprehensive, practical foundation for compliance with DPDP, GDPR, CCPA/CPRA and other relevant laws, but it does not replace jurisdiction-specific legal advice. Before publishing, Ayyna should have this Policy and any customer-facing DPA reviewed and customised by qualified legal counsel in the jurisdictions in which it operates, particularly if you plan to offer localized contractual terms, data residency guarantees, or bespoke transfer mechanisms.

Ayyna — Privacy Policy