Privacy Policy (Datenschutzerklärung)

1. Who is responsible and how can you contact us?

The controller responsible for data processing on this website and through the Chatcast platform (as defined in Art. 4 No. 7 GDPR) is:

Comet Rocks GmbH
Cuvrystrasse 1
10997 Berlin, Germany
Email: info@chatcast.io

For data protection inquiries, please contact us at: info@chatcast.io

We are not required to appoint a Data Protection Officer under Art. 37 GDPR as we do not carry out large-scale systematic monitoring or processing of special categories of data. We nonetheless take data protection seriously and respond to all inquiries promptly.

2. Overview of our services

Chatcast is a SaaS platform for Shopify merchants. It provides dynamic FAQ widgets, an AI shopping assistant, and agentic commerce capabilities via public MCP (Model Context Protocol) endpoints. Our platform is accessed through:

  • www.chatcast.io — our marketing website
  • console.chatcast.io — the brand management console for merchants
  • faq-widget.chatcast.io / ai-assistant.chatcast.io — embeddable widgets on merchant storefronts
  • mcp.chatcast.io — public API endpoints for AI agents

This privacy policy applies to all services operated by Comet Rocks GmbH. Where we process data as a data processor on behalf of merchants (see Section 9), the merchant is the data controller for their end-customer data.

3. What personal data do we process and why?

3.1. Visiting our website (www.chatcast.io)

When you visit our website, your browser automatically transmits technical data to our servers, including your IP address, browser type and version, operating system, referrer URL, pages accessed, and time of access. This data is processed in server log files.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a functional and secure website).

3.2. Merchant account registration and use of the brand console

When you register for a Chatcast account, we collect your email address, name, and optionally a profile picture (when using Google Sign-In). We process this data to provide access to the brand console, manage your account, and communicate with you about the service.

Data collected: email, first name, last name, profile picture URL, authentication tokens, selected organization/brand context.

Legal basis: Art. 6(1)(b) GDPR (performance of the contract for service provision).

3.3. Shopify store integration

When you connect your Shopify store, we access store data via the Shopify API using OAuth authorization. The data we access includes product catalog data, collections, store policies, and order data (for commission tracking). We also receive webhook notifications for app lifecycle events and GDPR compliance requests.

Shopify API scopes: read_products, read_orders, read_customers, write_script_tags, unauthenticated_read_product_listings.

Legal basis: Art. 6(1)(b) GDPR (contract performance — you authorize data access during Shopify OAuth flow).

3.4. FAQ and AI shopping assistant widgets (merchant storefronts)

When end-customers interact with Chatcast widgets embedded on merchant storefronts, we process limited technical data to provide the widget functionality:

  • Anonymous identifier: a randomly generated token stored in the browser's localStorage to enable chat history across page visits (no name, email, or other personal identifiers are collected)
  • Browser locale: your browser language setting for localization
  • Page context: the URL and product context of the page where the widget is displayed
  • Conversation data: questions asked and answers provided within the widget
  • Feedback: optional thumbs-up/down feedback on FAQ answers

For widget interactions, the merchant is the data controller and Comet Rocks GmbH acts as data processor (see Section 9). No personal identifiers such as email addresses, names, or payment information are collected by the widget.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the merchant in providing customer support and product information).

3.5. Agentic commerce and public MCP endpoints

Chatcast provides public API endpoints (via MCP — Model Context Protocol) that allow AI agents to discover and interact with merchant product catalogs. When AI agents use these endpoints, we process:

  • Agent identifiers and registration data
  • Search queries and product interaction data
  • Discount codes generated for agent-attributed sales
  • Commission and attribution data

MCP discovery signals (meta tags and structured data) may be injected into merchant storefronts when the merchant enables this feature. These signals contain only public endpoint URLs and do not include personal data.

Legal basis: Art. 6(1)(b) GDPR (contract performance for merchants who enable agentic commerce) and Art. 6(1)(f) GDPR (legitimate interest in enabling AI-driven product discovery).

3.6. AI-powered features (policy extraction)

When merchants use our AI-powered policy extraction feature, the text or URL they provide is processed using Google Gemini to extract structured policy information. This processing is initiated by the merchant and the content is not retained beyond the extraction process.

Legal basis: Art. 6(1)(b) GDPR (contract performance — feature requested by the user).

3.7. Payment and billing

Billing for Chatcast is handled entirely through the Shopify Billing API. We do not directly collect or store payment card details, bank information, or other financial instruments. Shopify processes payments and sends us subscription status updates via webhooks.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.8. Contacting us

When you contact us via email or through our website, we process the data you provide (name, email address, message content) to respond to your inquiry.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).

4. Cookies, local storage, and tracking technologies

We use cookies, localStorage, and similar technologies for the purposes described below. Where consent is required, we will ask for it before setting non-essential cookies.

4.1. Strictly necessary storage

These do not require consent:

Name | Type | Purpose | Duration
--- | --- | --- | ---
accessToken | localStorage | Authentication for the brand console | Until logout
selectedBrand | localStorage | Active organization context | Until logout
cookie-consent | localStorage | Remembers your cookie consent choice | Indefinite
cfaq_anonymous_token | localStorage | Anonymous widget session for chat history (no PII) | Indefinite

4.2. Analytics (consent required)

The following tracking technologies are only activated after you give explicit consent via our cookie banner:

Service | Provider | Purpose | Location
--- | --- | --- | ---
Google Analytics 4 | Google Ireland Ltd. | Website usage analysis, traffic patterns, user interactions | USA (EU-US DPF)

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time by clearing your browser's local storage or using our cookie banner.

4.3. Product analytics (brand console)

For authenticated users of the brand console, we use PostHog for product analytics to understand feature usage and improve the platform. PostHog is configured in “identified only” mode, meaning it only creates analytics profiles for authenticated merchant users, not anonymous visitors. Data is hosted in the EU (eu.i.posthog.com).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our product for paying customers).

4.4. Performance monitoring

We use Vercel Analytics to collect anonymized web performance metrics (page load times, Core Web Vitals). This data does not identify individual users.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining website performance).

5. Third-party service providers (sub-processors)

We use the following third-party service providers to operate the Chatcast platform. Where these providers process personal data on our behalf, we have entered into data processing agreements in accordance with Art. 28 GDPR.

Provider | Purpose | Location | Transfer mechanism
--- | --- | --- | ---
Vercel Inc. | Website and app hosting, CDN, analytics | USA | EU-US Data Privacy Framework / SCCs
Railway Corp. | Backend API hosting, database | USA | SCCs
Shopify Inc. | Ecommerce platform integration, billing, webhooks | Canada / USA | EU adequacy decision (Canada) / SCCs
Google LLC | Authentication (OAuth), AI processing (Gemini), Analytics (GA4), Fonts | USA | EU-US Data Privacy Framework
PostHog Inc. | Product analytics (brand console only) | EU (eu.i.posthog.com) | EU hosting

6. International data transfers

Some of our service providers are located outside the EU/EEA, primarily in the United States. We ensure adequate protection for such transfers through:

  • EU-US Data Privacy Framework: for providers certified under the DPF (Google, Vercel)
  • Standard Contractual Clauses (SCCs): as adopted by the EU Commission pursuant to Art. 46(2)(c) GDPR, for providers not covered by an adequacy decision
  • EU adequacy decisions: for transfers to countries the EU Commission has determined provide adequate data protection (e.g., Canada)

7. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:

  • Account data: retained for the duration of your account. Deleted upon account termination, subject to statutory retention obligations.
  • Shopify store data: retained while the store integration is active. Deleted upon app uninstallation or store data redaction request via Shopify GDPR webhooks.
  • Widget interaction data: retained for the purpose of providing chat history and service improvement. Anonymous tokens can be cleared by the end-customer via browser settings (localStorage).
  • Commission and transaction data: retained for the statutory retention period under German commercial and tax law (up to 10 years per HGB § 257 and AO § 147).
  • Server logs: deleted after 90 days.
  • Analytics data: retained according to the respective provider's retention policy (PostHog, Google Analytics).

8. Your rights as a data subject

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — you may request information about whether and which personal data we process about you.
  • Right to rectification (Art. 16 GDPR) — you may request correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR) — you may request deletion of your personal data, subject to statutory retention obligations.
  • Right to restriction (Art. 18 GDPR) — you may request that we restrict the processing of your data in certain circumstances.
  • Right to data portability (Art. 20 GDPR) — you may request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR) — you may object to processing based on legitimate interest at any time. We will then cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you may withdraw it at any time with effect for the future.

To exercise any of these rights, please contact us at info@chatcast.io. We will respond within one month as required by Art. 12(3) GDPR.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. The supervisory authority responsible for Comet Rocks GmbH is:

Berliner Beauftragte fuer Datenschutz und Informationsfreiheit
Friedrichstrasse 219
10969 Berlin
Germany
Website: www.datenschutz-berlin.de

9. Our role as data processor for merchant storefronts

When our widgets (FAQ widget, AI shopping assistant) are embedded on a merchant's storefront, the merchant is the data controller for their end-customers' data and Comet Rocks GmbH acts as a data processor pursuant to Art. 28 GDPR. In this capacity:

  • We process end-customer data only on the merchant's instructions and for the purpose of providing the widget functionality.
  • We do not use end-customer personal data for our own purposes, marketing, or profiling.
  • Merchants are responsible for providing appropriate privacy notices to their end-customers regarding the use of Chatcast widgets.
  • We enter into a Data Processing Agreement (Auftragsverarbeitungsvertrag) with each merchant that governs the processing of end-customer data.

10. Aggregated and anonymized data

We may use anonymized and aggregated data — data from which individual persons cannot be identified — for the purposes of service improvement, development of AI capabilities, analytics, and research. This includes aggregated usage patterns, product catalog metadata, FAQ interaction patterns, and search query trends. Anonymized data is not personal data under the GDPR and may be used without restriction.

11. Data security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or destruction in accordance with Art. 32 GDPR. These measures include encryption of data in transit (TLS/HTTPS), access controls, regular security assessments, and secure authentication mechanisms.

To report a security vulnerability, please contact security@chatcast.io.

12. Children's data

Chatcast is a B2B service for Shopify merchants. We do not knowingly collect personal data from children under the age of 16. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

13. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our data processing practices or legal requirements. We will indicate the date of the most recent update at the bottom of this page. For material changes, we will notify registered merchants via email or through the brand console.

Last updated: February 2025