Is virtual try-on legal under GDPR in Europe?

Yes. Virtual try-on is fully legal under GDPR provided three things are respected: collecting the shopper's consent before she uploads her photo, processing that photo transiently with no long-term retention, and not reusing it to train AI models. The photo is personal data, but as long as there's no facial recognition, it isn't biometric data subject to the stricter Article 9 regime.

Is a shopper's face photo biometric data?

Not automatically. Under GDPR Article 4-14, data is only biometric if specific technical processing allows the unique identification of a person — like facial recognition. A photo used solely to overlay a garment, without creating an identification template, remains ordinary personal data. The distinction matters because the applicable legal regime is far simpler.

Who is responsible if something goes wrong, the merchant or the try-on app?

The merchant is the data controller, because they decide to collect the photos through their store. The app vendor is typically the data processor. That's why signing a Data Processing Agreement (DPA) compliant with GDPR Article 28 with your vendor is essential: it frames each party's responsibilities and protects you.

How does 1Match protect customer photos?

The uploaded photo is used only to generate the try-on render, then isn't retained long-term. It isn't used to train models, and 1Match performs no facial recognition — no biometric template is created. The merchant gets a built-in consent message and two ready-to-use sentences to add to their privacy policy.

What should I write in my privacy policy for virtual try-on?

Two sentences are enough: state what data is collected (a photo), for what purpose (generating a virtual try-on render), which sub-processor handles it (your vendor's name), and how long it's kept (transient processing, no long-term retention). Transparency reassures shoppers and increases the feature's usage rate.

Virtual Try-On & GDPR: What Shopify Merchants Must Know

1Match·June 11, 2026

Yes, you can offer virtual try-on on your Shopify store in compliance with GDPR. The photo your shopper uploads is personal data, but it can be processed lawfully under three conditions: clear consent before upload, transient processing (the photo isn't retained long-term), and no reuse to train AI models. The risk isn't virtual try-on itself — it's enabling it without checking how your vendor handles those photos.

What this article does differently: nearly all virtual try-on content sells conversion gains and return reduction. None answers the silent objection that actually stops cautious merchants: "what happens to my customers' photos?" This article gives the concrete legal answer, the biometric-data nuance everyone gets wrong, and the exact checklist to send your vendor before you install anything.

Why this question (rightly) stops serious merchants

A fashion merchant who thinks before acting always asks the same thing before installing a try-on app: if a shopper uploads a photo of herself and something goes wrong — a leak, misuse, a privacy complaint — it's the merchant, as the data controller, who answers for it. Not the app vendor.

That concern is legally grounded. Under GDPR, as the retailer who decides to collect these photos, you are the data controller. The try-on technology vendor is typically your data processor. The split of responsibilities must be governed by a contract — and that's exactly what most merchants never verify.

The good news: once you have the right reflexes, compliance is simple and doesn't stop you from capturing the conversion and return-reduction gains of virtual try-on.

Is a shopper's photo "biometric" data?

This is the most common confusion, and it has direct consequences. Many assume a face photo is automatically biometric data subject to the stricter Article 9 regime. That's incorrect.

GDPR (Article 4-14) defines biometric data as data resulting from specific technical processing that allows the unique identification of a person — like facial recognition that turns a face into a mathematical template to identify the individual.

A photo used to overlay a garment identifies no one. It produces a visual render, then it serves no further purpose. As long as the technology creates no identification template and doesn't try to recognize the person, the photo remains "ordinary" personal data — not biometric data under Article 9.

This distinction changes everything: ordinary personal data is handled with consent and the basic principles. Biometric data would require far heavier safeguards. Hence the importance of confirming your vendor does not perform facial recognition.

The 5 GDPR principles applied to virtual try-on

1. Legal basis: consent

The appropriate legal basis here is explicit consent. In practice: the shopper must understand, before uploading her photo, what will happen to it. A short, clear line above the upload button is enough — not a checkbox buried in 40 pages of terms.

2. Minimization

You collect only what is strictly necessary: a photo, for the time it takes to generate the render. No name, no date of birth, no geolocation tied to that photo.

3. Storage limitation

This is the single most important point. The photo should be processed transiently — the render is generated, displayed, then the source photo isn't retained long-term on servers. "On-the-fly" processing removes 90% of the risk, because there's simply no store of photos left to protect or leak.

4. No repurposing

Your shoppers' photos must not be used to train AI models, resold, or fed into any purpose other than the requested try-on. This is the most strategic clause to verify in your vendor's contract.

5. Transparency

Your privacy policy must mention virtual try-on: what data, for what purpose, processed by which sub-processor, retained for how long. Two sentences added to your privacy page are enough.

The 6 questions to ask your vendor before installing

Copy-paste this list and send it to any virtual try-on app vendor you're considering:

Is the uploaded photo retained after the render is generated? If so, for how long and where (which server region)?
Are my shoppers' photos used to train your AI models?
Do you perform facial recognition or create any biometric template?
Do you provide a Data Processing Agreement (DPA) compliant with Article 28 of GDPR?
Is data transferred outside the EU? If so, under what safeguard (Standard Contractual Clauses)?
Can I obtain deletion of a photo on a shopper's request, and within what timeframe?

A serious vendor answers all six without hesitation. A vendor who dodges question 1 or 2 is a red flag.

How 1Match handles this

1Match was built with these constraints in mind from the start. In practice: the photo your shopper uploads is used only to generate the try-on render, then isn't retained long-term. It feeds no model training, and the app performs no facial recognition — so no biometric template is ever created.

For the merchant, that means three simple things: a widget that displays a clear consent message before upload, two sentences to add to your privacy policy (which we provide), and the peace of mind of knowing there's no stored database of customer photos sitting somewhere.

If you're evaluating several solutions, our comparison of Shopify virtual try-on apps for 2026 covers the criteria beyond compliance alone.

The counter-intuitive move: transparency increases usage

Many merchants hide the privacy notice for fear of scaring the shopper. That's the exact opposite of what works.

A shopper who sees a clear message — "Your photo is used only for try-on and isn't stored" — uploads more readily than one told nothing. Absence of information breeds suspicion; information reassures. Transparency isn't a compliance burden to endure — it's a conversion lever on the try-on feature itself.

It's the same mechanic as return policies: as we detail in our complete guide to virtual try-on, the reassured shopper engages more than the one left in doubt.

Your 4-step action plan

Send the 6 questions above to your current (or future) virtual try-on vendor.
Require and sign a DPA (data processing agreement) — a compliant vendor has one ready.
Add 2 sentences to your privacy policy describing virtual try-on.
Enable a clear consent message above the upload button.

These four steps take an afternoon. Once done, you capture the conversion and return-reduction gains of virtual try-on with no legal blind spot.

This article provides general information and is not legal advice. For formal compliance, consult your DPO or specialized counsel.

Ajoute l'essayage virtuel à ta boutique Shopify

1Match s'installe en 10 minutes. Tes clients voient comment le vêtement leur va avant d'acheter — tu réduis les retours et tu augmentes les conversions.

Commencer gratuitement →