Privacy Policy
How we collect, use, and protect your information.
1. Introduction
J'ko ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered virtual try-on platform for Instagram businesses.
What J'ko Does: J'ko provides fashion brands and retailers with an automated Instagram bot that allows their customers to virtually try on products using AI image generation technology. When end-users message your Instagram business account requesting a virtual try-on, our service processes their photos using artificial intelligence to generate try-on images.
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not use our services. By using J'ko, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
Important Note for Business Users: If you are a business using J'ko to provide virtual try-on services to your customers, you are responsible for maintaining your own privacy policy that covers your use of J'ko services and obtaining appropriate consents from your end-users.
2. Information We Collect
2.1 Business Account Information
When you register as a business user, we collect:
- Account Information: Name, email address, username, password (encrypted)
- Business Information: Company name, website, business location, phone number
- Profile Information: Avatar/logo, timezone, language preferences
- Workspace Information: Team member information, workspace settings and preferences
2.2 Instagram & Social Media Data (via Meta Platform APIs)
When you connect your Instagram Business Account to J'ko, we collect and process:
- Instagram Account Data: Instagram Page ID, page name, access tokens (encrypted)
- Conversation Data: Direct messages, comments, sender usernames, platform user IDs
- Message Content: Text messages, image attachments, timestamps, message status
- Profile Information: Instagram usernames, profile URLs of users who message your account
Meta Platform Compliance: We collect and process this data in accordance with Meta's Platform Terms, Instagram API Terms, and Data Use Policy. We do not use Instagram data for surveillance, selling to third parties, or making eligibility determinations for housing, employment, or credit.
2.3 Biometric and Sensitive Information (GDPR/CCPA Sensitive Data)
AI Image Processing: Our virtual try-on service processes images containing human faces, which constitutes biometric data under GDPR and sensitive personal information under California CPRA.
- Customer Photos: Facial images uploaded by end-users for virtual try-on generation
- Product Images: Images of clothing/fashion items for try-on processing
- Generated Images: AI-generated virtual try-on results
- Image Metadata: Processing timestamps, generation IDs, image URLs
Legal Basis for Processing: We process biometric data based on explicit consent from end-users through your Instagram bot interface, or legitimate interest in providing the requested virtual try-on service. For EU/EEA users, explicit consent is obtained before processing facial images.
AI Processing Notice: All images are processed using third-party AI services (Replicate API) for virtual try-on generation. This processing typically takes 15-40 seconds. Images are processed solely for the purpose of generating virtual try-on results and are not used for training AI models without explicit consent.
2.4 Usage and Analytics Data
We automatically collect information about your use of J'ko services:
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Metrics: Generation history, processing times, success/failure rates
- Performance Data: API response times, error logs, system diagnostics
- Business Metrics: Credit usage, conversation volumes, engagement rates
- Cookies: Session cookies, authentication tokens, preference settings
2.5 Payment and Billing Information
For paid services, we collect:
- Payment Details: Processed securely through Stripe (we do not store full credit card numbers)
- Billing Information: Billing address, company tax ID (if applicable)
- Transaction History: Credit purchases, usage costs, invoices
2.6 Communications
We collect communications you have with us:
- Customer support messages and tickets
- Email correspondence
- Feedback and survey responses
3. How We Use Your Information
3.1 Primary Service Purposes
We use your information to provide and operate our virtual try-on platform:
- Virtual Try-On Generation: Process facial images using AI to create virtual try-on results
- Instagram Bot Operations: Manage conversations, send/receive messages through Instagram API
- Account Management: Create and maintain your business account, authentication, workspace access
- Credit System: Track generation usage, credit balances, and billing
- Bot Configuration: Store and apply your custom bot messages, trigger keywords, and automation settings
3.2 Platform Operations
- Service Delivery: Process API requests, generate try-on images, deliver results to end-users
- Performance Monitoring: Track processing times, success rates, system health
- Quality Assurance: Improve AI generation quality, debug errors, optimize performance
- Security: Detect and prevent fraud, unauthorized access, abuse of services
- Technical Support: Respond to support requests, troubleshoot issues, provide assistance
3.3 Business Communications
- Service Updates: Important notifications about service changes, maintenance, outages
- Billing Communications: Invoices, payment confirmations, credit balance alerts
- Marketing (with consent): Product updates, new features, promotional offers (you can opt out)
3.4 Analytics and Improvement
- Usage Analytics: Understand how businesses use J'ko to improve features
- Performance Metrics: Monitor API performance, generation success rates
- Product Development: Identify popular features, plan new capabilities
3.5 Legal and Compliance
- Legal Obligations: Comply with applicable laws, regulations, and legal processes
- Terms Enforcement: Enforce our Terms of Service, prevent violations
- Rights Protection: Protect our rights, property, and safety, and that of our users
3.6 Legal Basis for Processing (GDPR)
For users in the EU/EEA, we process personal data based on the following legal grounds:
- Consent: Processing biometric data (facial images) for virtual try-on generation
- Contract Performance: Providing J'ko services as per our Terms of Service
- Legitimate Interests: Platform operations, security, fraud prevention, service improvement
- Legal Obligation: Compliance with laws, regulations, court orders
4. How We Share Your Information
We do not sell your personal information to third parties. We share information only as described below to provide our services and comply with legal obligations.
4.1 AI Processing Service (Replicate)
Critical Third-Party Processing: Customer photos are processed through Replicate's AI infrastructure for virtual try-on generation.
- Data Shared: Facial images, product images for AI processing
- Purpose: Generate virtual try-on results using IDM-VTON AI model
- Processing Location: United States (Replicate servers)
- Retention: Replicate processes images transiently; images are not permanently stored by Replicate
- Security: Data transmitted via encrypted HTTPS connections
4.2 Instagram/Meta Platform
We access Instagram data through Meta's official APIs to provide bot functionality:
- Data Exchange: Messages, conversation data accessed via Instagram Graph API
- OAuth Authorization: You authorize J'ko to access your Instagram Business Account
- Compliance: All data use complies with Meta Platform Terms and Instagram API Terms
- Data Scope: We only access data necessary for bot operations (messages, basic profile info)
4.3 Infrastructure and Hosting Providers
We use trusted service providers to operate our platform:
- Supabase (Backend Infrastructure):
  - Purpose: Database, authentication, storage, and backend services
  - Data Shared: All user data, messages, images, account information
  - Privacy Policy: https://supabase.com/privacy
  - Location: Hosted infrastructure
  - Protections: SOC 2 Type II certified, GDPR-compliant
  - Data Processing: Data Processing Agreement in place
4.4 Payment Processor (Stripe)
- Payment Processing: Stripe processes all payment transactions securely
- Data Shared: Billing information, transaction amounts, payment methods
- Security: PCI DSS Level 1 certified, we do not store full credit card numbers
4.5 Workspace Team Members
- Team members in your workspace can access shared conversations, generation history, and workspace settings
- You control team member permissions through workspace administration
4.6 Business Transfers
If J'ko is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
4.7 Legal Requirements and Protection
We may disclose information when required by law or to protect rights and safety:
- Legal Process: Respond to subpoenas, court orders, legal requests from authorities
- Rights Protection: Enforce our Terms of Service, protect our intellectual property
- Safety: Prevent fraud, abuse, security threats, or harm to users
- Compliance: Comply with applicable laws and regulations
4.8 With Your Consent
We may share your information for other purposes with your explicit consent or at your direction.
5. Data Security
We implement industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:
5.1 Technical Security Measures
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC), multi-factor authentication available
- Secure Authentication: Industry-standard password hashing (bcrypt), secure session management
- API Security: OAuth 2.0 for Instagram integration, secure API key management
- Database Security: Row-level security (RLS) policies, encrypted connections
- Image Storage: Encrypted storage buckets, signed URLs with expiration
5.2 Organizational Security Measures
- Access Limitation: Employee access limited to necessary functions only
- Monitoring: Continuous security monitoring and logging of access
- Incident Response: Security incident response plan in place
- Vendor Management: All third-party providers vetted for security compliance
5.3 Biometric Data Protection
Given the sensitive nature of facial images, we implement additional protections:
- Images processed only for virtual try-on purposes, not for facial recognition or identification
- Temporary processing with automatic deletion after generation completion
- No use of images for AI model training without explicit consent
- Secure transmission to AI processing service (Replicate) via encrypted channels
Security Disclaimer: While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting biometric data, we will notify affected users and relevant authorities as required by law.
6. Data Retention
6.1 Data Retention Periods
We retain your data according to the following schedule:
| Data Type | Retention Period | Reason |
|---|---|---|
| Instagram Messages | While account connected + 90 days after disconnection | Conversation history and service delivery |
| Customer Photos & Try-On Results | While account connected + 90 days after disconnection | Service provision and reconnection |
| Instagram Posts & Metrics | 2 years after posting | Content management, deleted automatically |
| Account Connection Data | While account connected + 90 days after disconnection | Service access and reconnection |
| Billing Records | 7 years | Legal requirement (tax and accounting) |
Account-Based Retention: We retain your Instagram messages, generated images, and account data while your Instagram account is connected to J'ko. After disconnection, data is retained for 90 days to allow you to reconnect without losing your history. After 90 days, data is automatically and permanently deleted.
Automated Cleanup: We run automated processes daily at 3:00 AM UTC to delete data from accounts that have been disconnected for more than 90 days.
Immediate Deletion: You may request immediate deletion at any time by contacting privacy@jko.ai, without waiting for the 90-day period.
6.2 Retention Criteria
We determine retention periods based on:
- Service Provision: Duration needed to provide services and support
- Legal Requirements: Tax laws, financial regulations, data protection laws
- Dispute Resolution: Statute of limitations for potential legal claims
- User Expectations: Reasonable user expectations for data availability
- Data Minimization: GDPR principle of retaining data only as long as necessary
6.3 Automatic Deletion
We implement automated processes to delete data at the end of retention periods. This includes scheduled deletion of expired biometric data, archived conversations, and inactive accounts.
7. Your Rights and Choices
You have various rights regarding your personal information, depending on your location. We are committed to honoring these rights.
7.1 Universal Rights (All Users)
Account Access and Correction:
- View and update your account information through your profile settings
- Correct inaccurate or incomplete data
- Manage Instagram account connections and bot configurations
Data Deletion:
- Request deletion of your account and associated data
- Delete specific generated try-on images
- Disconnect Instagram accounts to stop data collection
- Note: Some data may be retained as required by law (e.g., billing records for tax purposes)
Marketing Communications:
- Opt out of promotional emails using the unsubscribe link
- Manage notification preferences in account settings
- You will still receive essential service communications
7.2 Data Deletion
You have two options for deleting your data:
Option 1: Automatic Deletion (Recommended)
Simply disconnect your Instagram account from J'ko. Your data will be automatically deleted after 90 days. This grace period allows you to reconnect without losing your conversation history.
Option 2: Immediate Deletion
Request immediate deletion by contacting us at privacy@jko.ai with:
- Your Instagram username
- Your workspace name or ID
- Confirmation that you want immediate deletion
Timeline:
- Acknowledgment: Within 48 hours
- Completion: Within 30 business days for manual requests
- Automatic: Exactly 90 days after disconnection
What Will Be Deleted:
- All Instagram messages (sent and received)
- Generated virtual try-on images
- Conversation history
- Account connection tokens
What Will Be Retained (Legal Requirement):
- Billing records (7 years per tax law)
- Aggregated analytics (anonymized, no personal data)
Verification:
We will send you confirmation when your data has been deleted.
For detailed deletion instructions, visit: https://dash.jko.ai/legal/data-deletion/
7.3 European Privacy Rights (GDPR - EU/EEA Users)
If you are located in the European Union or European Economic Area, you have additional rights:
- Right to Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data
- Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your data
- Right to Restrict Processing (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Receive your data in machine-readable format (JSON/CSV)
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7.3): Withdraw consent for biometric data processing at any time
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority
Automated Decision-Making: Our AI generates virtual try-on images, but these are not used for automated decision-making that produces legal or similarly significant effects. The service is purely for visual product try-on purposes.
7.4 California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights:
- Right to Know: Request disclosure of personal information collected about you in the past 12 months
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for behavioral advertising
- Right to Limit Use of Sensitive Personal Information: Limit use of biometric data (facial images) to service provision only
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
California "Shine the Light" Law:
We do not disclose personal information to third parties for their direct marketing purposes without your consent.
7.5 Canada (PIPEDA) Rights
Canadian users have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Right to access personal information we hold about you
- Right to challenge accuracy and completeness of your information
- Right to withdraw consent for data collection and use
- Right to file a complaint with the Office of the Privacy Commissioner of Canada
7.6 How to Exercise Your Rights
To exercise any of these rights, you can:
- Self-Service: Use your account settings for most access, correction, and deletion requests
- Email: Contact us at privacy@jko.ai
- Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)
- Verification: We may require identity verification to process requests
- No Fee: Exercising your rights is free (excessive/repeated requests may incur reasonable fees)
Authorized Agent (California):
You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization or power of attorney.
7.7 Cookie and Tracking Preferences
- Manage cookies through your browser settings
- Most browsers allow blocking or deleting cookies
- Disabling cookies may limit functionality of J'ko services
8. International Data Transfers
J'ko operates globally and your information may be transferred to and processed in countries other than your country of residence, including the United States.
8.1 Transfer Mechanisms
We ensure appropriate safeguards for international data transfers:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms with service providers
- Data Processing Agreements: Written agreements requiring GDPR-equivalent protection
- Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission
- Encryption: All data transfers encrypted in transit using TLS 1.2+
8.2 Primary Data Locations
- United States: Primary servers (Supabase), AI processing (Replicate), payment processing (Stripe)
- Global: Cloudflare edge network for performance and DDoS protection
- Instagram/Meta: Data accessed via Meta APIs (Meta's global infrastructure)
8.3 EU/EEA User Protections
For users in the EU/EEA, we have implemented safeguards to ensure your data receives an equivalent level of protection as required by GDPR when transferred outside the European Economic Area.
9. Children's Privacy
J'ko is a business-to-business (B2B) service intended for use by businesses only. Our services are not directed to children under 16 years of age (or under 13 in the United States).
- We do not knowingly collect personal information from children under 16 (or 13 in the US)
- Our Terms of Service require users to be at least 18 years old to create a business account
- If we learn we have collected data from a child, we will delete it immediately
- Business users are responsible for ensuring their end-users (customers using virtual try-on) comply with applicable age restrictions
Parental Rights: If you believe we have inadvertently collected information from a child, please contact us at privacy@jko.ai and we will promptly delete such information.
10. Data Protection Impact Assessment (DPIA)
As required by GDPR Article 35, we have conducted a Data Protection Impact Assessment for our biometric data processing activities. Key findings:
- Risk Level: High-risk processing due to biometric data (facial images)
- Mitigation Measures: Explicit consent, encryption, limited retention, no facial recognition use
- Purpose Limitation: Images used solely for virtual try-on generation, not for identification or surveillance
- Data Minimization: Only necessary facial features processed, no storage of biometric templates
- Safeguards: Automatic deletion, secure transmission, third-party vetting (Replicate)
11. Meta Platform Compliance
As an application using Instagram APIs, we comply with all Meta Platform policies and requirements:
11.1 Platform Terms Compliance
- We have reviewed and comply with Meta's Platform Terms, Instagram API Terms, and Data Use Policy
- We maintain this privacy policy in accordance with Meta's requirements
- Privacy policy URL registered in our Meta App Dashboard
- All versions of this policy are retained and available to Meta upon request
11.2 Prohibited Data Uses
In compliance with Meta's Platform Terms Section 3, we do NOT:
- Use Instagram data for surveillance or monitoring
- Sell or rent Instagram data to third parties
- Use data for eligibility determinations (credit, housing, employment, insurance, etc.)
- Transfer Instagram data to data brokers, advertisers, or information resellers
- Use data in violation of Instagram Community Guidelines or Terms of Use
11.3 Data Access and Permissions
We only request Instagram permissions necessary for our service:
- instagram_basic: Basic account information
- instagram_manage_messages: Send and receive DMs for bot functionality
- instagram_manage_comments: Respond to comments for try-on requests
- pages_messaging: Facebook Pages messaging integration
12. Your Responsibilities as a Business User
If you are a business using J'ko to provide virtual try-on services to your Instagram customers, you have legal responsibilities:
12.1 Your Privacy Policy
- You must maintain your own privacy policy covering your use of J'ko services
- Your policy must inform end-users that their images will be processed using J'ko's AI virtual try-on service
- You must disclose that images are processed by third-party AI services
12.2 User Consent
- You are responsible for obtaining appropriate consents from end-users before collecting their facial images
- For EU/EEA users, you must obtain explicit consent for biometric data processing
- For California users, you must provide notice about sensitive personal information processing
12.3 Data Subject Requests
- You are the data controller for your customer relationships
- You must handle data subject requests (access, deletion, etc.) from your end-users
- We will assist you in fulfilling these requests as the data processor
12.4 Legal Compliance
- You must comply with all applicable privacy laws in your jurisdiction
- You must not use J'ko for unlawful purposes or in violation of Meta's terms
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.1 Notification of Changes
- Material Changes: We will notify you via email and in-app notification at least 30 days before the effective date
- Minor Changes: Posting updated policy with new "Last Updated" date
- Legal Requirements: Changes required by law may take effect immediately
13.2 Policy Versions
- All previous versions are retained and available upon request (as required by Meta)
- Effective date clearly displayed at top of policy
- You can review changes by comparing effective dates
13.3 Continued Use
Your continued use of J'ko services after policy changes become effective constitutes acceptance of the updated terms. If you do not agree, you should discontinue use and close your account.
14. Contact Us & Data Protection Officer
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
J'ko Privacy Team
Up Go Corp.
Email: privacy@jko.ai
Support: support@jko.ai
Website: https://jko.ai
Address: 1245 Rue de Bleury, Montreal, Quebec H3B 0C2, Canada
14.1 Data Protection Officer (GDPR)
For EU/EEA users, you can contact our Data Protection Officer:
Email: dpo@jko.ai
14.2 Supervisory Authorities
If you are located in the EU/EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority:
- EU Data Protection Authorities: Find your local DPA
- Ireland (Lead Supervisory Authority): Data Protection Commission (if applicable)
California Residents: You may also contact the California Attorney General's Office to report violations or submit complaints.
14.3 Response Times
- General Inquiries: 5 business days
- Privacy Rights Requests: 30 days (GDPR), 45 days (CCPA)
- Data Breaches: Notification within 72 hours (GDPR requirement)
15. Additional Information
15.1 No Sale of Personal Information
We do not sell your personal information. This statement applies to all users, including California residents under CCPA. We share data only as described in Section 4 of this policy.
15.2 Do Not Track Signals
Our services do not currently respond to "Do Not Track" (DNT) browser signals. We use essential cookies for authentication and functionality, not for tracking or advertising.
15.3 Third-Party Links
Our services may contain links to third-party websites or services (e.g., Instagram). We are not responsible for the privacy practices of these third parties. Please review their privacy policies.
15.4 Business Purpose Processing Only
All personal information processing is for business purposes as described in this policy. We do not use data for purposes incompatible with this policy without obtaining your consent.
This Privacy Policy was last updated on November 6, 2025. We may update this policy from time to time. Please check this page periodically for changes.