GDPR Compliance
Effective March 2026 · Last updated March 15, 2026
Our Commitment
also works is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We process data only as necessary to deliver our AI-powered features to Shopify merchants and their customers, and we maintain appropriate technical and organizational measures to safeguard that data at every stage.
Legal Basis for Processing
We process personal data under the following legal bases: • Contractual necessity — Processing required to deliver the services agreed upon when a merchant installs the also works Shopify app. • Legitimate interest — Analytics and product improvements that benefit merchants, carried out with appropriate safeguards and balancing tests. • Consent — Where applicable, such as when end customers voluntarily provide body measurements for AI sizing recommendations. Merchants act as Data Controllers for their customer data. also works acts as a Data Processor, processing data on behalf of the merchant in accordance with their instructions and our Data Processing Agreement.
Data We Process
The data we process depends on which features a merchant enables: • Product data — Images, descriptions, categories, and sizing information from the merchant's Shopify catalog. Used for product analysis, categorization, and sizing engine calibration. • Customer body measurements — Height, weight, and body dimensions provided voluntarily by end customers through our sizing widget. Processed on-device where possible; stored only as anonymized measurement profiles. • Browsing behavior — Page views, product interactions, and sizing widget usage. Used for recommendations, customer enrichment, and analytics. • Model and image data — Product imagery analyzed for model recognition, AI photoshoots, and visual product analysis. • Account data — Merchant contact details, store URL, and billing information required for service delivery. We do not sell personal data. We do not use customer data for purposes unrelated to the merchant's use of also works.
Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights: • Right of access — Request a copy of the personal data we hold about you. • Right to rectification — Request correction of inaccurate or incomplete data. • Right to erasure — Request deletion of your personal data ("right to be forgotten"). • Right to restrict processing — Request that we limit how we use your data. • Right to data portability — Receive your data in a structured, machine-readable format. • Right to object — Object to processing based on legitimate interest. • Right to withdraw consent — Withdraw consent at any time where processing is consent-based. End customers should contact the relevant merchant (Data Controller) to exercise their rights. Merchants can contact us directly at hello@alsoworks.io. We respond to all requests within 30 days.
Data Processing Agreement
We offer a Data Processing Agreement (DPA) to all merchants, as required under Article 28 of the GDPR. The DPA sets out the scope, nature, and purpose of processing, as well as the obligations and rights of both parties. Merchants can request a copy of our DPA by contacting hello@alsoworks.io.
Sub-processors
We use a limited number of sub-processors to deliver our services. Each sub-processor is vetted for GDPR compliance and bound by appropriate contractual safeguards: • Vercel — Application hosting and edge delivery (USA / EU). • OpenAI — AI model inference for product analysis, sizing, and recommendations. Data is sent via API and not used for model training. • Shopify — E-commerce platform and merchant data source. • Analytics providers — Anonymized usage data for product improvement. We maintain an up-to-date list of sub-processors and notify merchants of any changes. A complete list is available upon request.
Data Transfers
Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR. These include: • Standard Contractual Clauses (SCCs) approved by the European Commission. • Adequacy decisions where applicable. • Supplementary technical measures including encryption in transit and at rest. We regularly assess the legal frameworks of recipient countries and update our transfer mechanisms accordingly.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected: • Active merchant data — Retained for the duration of the merchant's subscription, plus 30 days after cancellation. • Customer measurement profiles — Retained as anonymized data for the duration of the merchant's subscription. Deleted upon merchant request or account termination. • Browsing and analytics data — Aggregated and anonymized within 90 days. • Billing records — Retained as required by applicable tax and accounting regulations. Merchants can request immediate deletion of all associated data at any time.
Data Protection Officer
For any questions or concerns regarding our data protection practices, you may contact our data protection team: Email: hello@alsoworks.io Subject line: GDPR Inquiry We take all inquiries seriously and aim to respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
Contact
If you have any questions about this GDPR compliance page or how we handle personal data, please reach out: Email: hello@alsoworks.io Website: alsoworks.io This page is effective as of March 2026 and was last updated on March 15, 2026.