Privacy Policy

We take your privacy seriously. Here's exactly what data we collect, how we use it, and your rights.

Last updated: March 1, 2026
CatZCommerce Inc.

We built CatZ FAQs to be a privacy-respecting tool. We collect only what we need to run the service and never sell your data. This document explains our full data practices in plain language.

1. Overview

CatZCommerce Inc. ("CatZCommerce", "we", "us", or "our") operates the CatZ FAQs Shopify application and the website located at catzcommerce.com (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, disclose, and protect information about you when you install or use our Shopify app, visit our website, or otherwise interact with us.

We are committed to handling your personal data responsibly and transparently. This document is written in plain language so that you can clearly understand what we do with your information — not just what we are legally required to say. If you have questions at any point, you are always welcome to reach out at privacy@catzcommerce.com.

By installing the CatZ FAQs app from the Shopify App Store, or by continuing to use the Service after this policy has been updated, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please uninstall the app and discontinue use of the Service.

This policy applies to:

  • Shopify merchants who install and use the CatZ FAQs app ("Merchants")
  • Visitors to the catzcommerce.com website
  • Anyone who contacts us for support or other purposes

It does not apply to the end-shoppers who visit your Shopify storefront. Those individuals are your customers, and their data is governed by your own store's privacy policy. Our FAQ widget does not collect personal data from your end-shoppers.

2. Information We Collect

We collect information in three ways: data you provide directly, data received from Shopify during app installation, and data collected automatically through your use of the Service.

2.1 — Store & Account Information (from Shopify OAuth)

When you install CatZ FAQs from the Shopify App Store, Shopify's OAuth flow grants us access to the following information from your store. We request only the minimum scopes necessary to operate the app:

  • Shopify shop domain (e.g., yourstore.myshopify.com) and store URL
  • Store owner's name and primary email address
  • Shopify access token — scoped, encrypted with AES-256, and stored separately from other data
  • Store locale, currency, timezone, and plan level (used to localize the app interface)
  • Product titles, descriptions, handles, and IDs — read-only, used solely for AI FAQ generation and product-to-FAQ linking
  • Billing and subscription status via Shopify Billing API

We do not request read access to customer orders, order history, customer email lists, financial reports, or any data beyond what is required for the app's stated features.

2.2 — Content You Create in the App

Everything you build inside CatZ FAQs is stored on our servers so it can be served to your storefront. This includes:

  • FAQ questions and their answers
  • Category names, ordering, and visibility settings
  • Page configurations — title, URL slug, layout style, color settings, and animation preferences
  • Product FAQ assignments — which FAQs are linked to which Shopify products
  • Widget settings — button label, accent color, position (bottom-left or bottom-right), search placeholder text, and max result count
  • Any content you paste or type when using the AI FAQ generation feature (e.g., product descriptions submitted for generation)

2.3 — Technical & Usage Data (Collected Automatically)

When you use the Service, we automatically collect certain technical information to operate, secure, and improve the platform:

  • IP address and approximate geographic region (country/city level)
  • Browser type and version, operating system, and device type
  • Pages, features, and UI elements interacted with inside the app admin
  • Session duration and click-path data within the app
  • API request logs (endpoint, timestamp, response code) — retained for 90 days for security and debugging
  • JavaScript error reports and crash logs from the app frontend
  • Performance metrics — page load times and slow query events

2.4 — Communications Data

If you contact our support team, submit a bug report, or respond to a survey, we collect:

  • Your name and email address
  • The content of your messages and any attachments
  • Support ticket history and resolution notes

We use this data solely to respond to your inquiry, improve our documentation, and prioritize product fixes. We do not use support conversations for marketing without your explicit consent.

3. How We Use Your Information

We process your data only for the purposes described below. For each purpose, we have identified the legal basis under applicable privacy law (including GDPR Article 6) that permits the processing.

3.1 — Delivering and Maintaining the Service (Contract Performance)

The core reason we collect data is to run the app you installed. This includes:

  • Authenticating your store and establishing a secure session
  • Storing and retrieving your FAQ content, categories, pages, and widget settings
  • Serving your FAQ blocks and widget via our CDN to your storefront visitors
  • Syncing product data so you can link FAQs to specific products
  • Processing subscription upgrades, downgrades, and cancellations via Shopify Billing API

3.2 — AI FAQ Generation (Contract Performance + Legitimate Interest)

When you use the AI generation feature, we send your product titles, descriptions, and any additional context you provide to our language model endpoint. This content is used only to generate FAQ suggestions for your store. Specifically:

  • Your store content is sent to the AI processing endpoint over an encrypted connection (TLS 1.3)
  • The model processes your content in real time and returns suggestions — it does not store your content for future model training without explicit opt-in
  • AI-generated suggestions are stored in our database only once you save them
  • We use aggregated, anonymized signals (e.g., which suggestions were accepted vs. rejected) to improve generation quality, never individual store content

3.3 — Transactional Communications (Contract Performance)

We send emails that are necessary to deliver the Service, including:

  • App installation confirmation and onboarding guides
  • Billing receipts and upcoming renewal reminders
  • Critical security or service-affecting notices (e.g., maintenance windows, breaking changes)
  • Responses to your support requests

You cannot opt out of transactional emails while your account is active, as they are necessary for the operation of the Service.

3.4 — Product Improvement & Analytics (Legitimate Interest)

We analyze how merchants use the app — which features are used most, where users drop off, which UI interactions are confusing — to prioritize development work and fix bugs. This analysis uses aggregated or anonymized data wherever possible. Individual-level behavioral data is never shared with third parties for this purpose.

3.5 — Marketing Communications (Consent)

With your explicit consent, we may send you product news, feature announcements, tips, and case studies. You can opt in during onboarding or later via account settings, and can unsubscribe at any time using the link in any marketing email or by emailing privacy@catzcommerce.com.

3.6 — Security & Fraud Prevention (Legitimate Interest)

We process IP addresses and API request logs to detect unusual activity, prevent abuse of the AI generation feature, and protect the platform from unauthorized access.

3.7 — Legal Compliance (Legal Obligation)

We may process your data when required to comply with applicable laws, regulations, legal process, or enforceable governmental requests — for example, responding to a valid court order or complying with tax record-keeping requirements.

We do not sell, rent, or trade your personal data to any third party for advertising, profiling, or any commercial purpose unrelated to the Service.

4. Information Sharing & Sub-processors

We share your data with a limited set of trusted service providers ("sub-processors") who help us operate the Service. Every sub-processor is bound by a Data Processing Agreement (DPA) that restricts them to processing data only on our behalf and only for the stated purpose.

We do not sell your data. We do not share your data with advertising networks, data brokers, or any third party for their own use.

4.1 — Current Sub-processors

  • Vercel Inc. (USA) — Cloud hosting and edge CDN for the app backend and storefront widget delivery. Data may be processed in the US and EU. SOC 2 Type II certified.
  • PlanetScale Inc. (USA) — Managed MySQL database hosting for all app data (FAQs, categories, pages, settings). Encrypted at rest and in transit. SOC 2 Type II certified.
  • Resend Inc. (USA) — Transactional email delivery (billing receipts, onboarding emails, support replies). Emails are not used for advertising targeting. GDPR-compliant.
  • Sentry Inc. (USA) — Error monitoring and crash reporting for the app frontend. Personal identifiers (store domain, email) are scrubbed before sending error events. SOC 2 certified.
  • OpenAI LLC (USA) — Powers the AI FAQ generation feature. Product content you submit for generation is sent to OpenAI's API under a zero-data-retention agreement — OpenAI does not use this data to train their models. See OpenAI's API Privacy Policy for details.
  • Shopify Inc. (Canada) — As the platform provider, Shopify facilitates the installation, billing, and OAuth authentication flow. Shopify's own privacy practices are governed by the Shopify Privacy Policy.

4.2 — Other Disclosure Scenarios

  • Legal Requirements — We may disclose your information if required to do so by applicable law, regulation, legal process, or a valid governmental request (e.g., a court order or subpoena). We will notify you of such requests whenever legally permitted to do so.
  • Protection of Rights — We may disclose information where we believe in good faith that disclosure is necessary to protect our rights, the safety of our users, or to investigate fraud or a security incident.
  • Business Transfer — In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify affected users via email and a prominent in-app notice at least 30 days before data is transferred to a new owner, and the acquiring party will be required to honor this Privacy Policy.

5. Data Storage, Security & Retention

5.1 — Storage Location

By default, your data is stored on servers located in the United States. Merchants on the Essentials plan may request EU-region data storage (Frankfurt, Germany) by contacting privacy@catzcommerce.com. International data transfers to countries outside the EEA are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission.

5.2 — Security Measures

We implement a layered set of technical and organizational security controls to protect your data:

  • Encryption in transit — All data exchanged between your browser, our servers, and sub-processors is encrypted using TLS 1.3
  • Encryption at rest — Shopify access tokens and other sensitive credentials are encrypted with AES-256 before being written to the database
  • Access controls — Strict role-based access control (RBAC) limits which employees can access production data. Access is granted on a least-privilege basis and reviewed quarterly
  • Employee training — All team members with access to customer data complete annual privacy and security training
  • Penetration testing — We conduct third-party penetration tests annually and address critical findings within 72 hours
  • Automated backups — Database snapshots are taken daily and retained for 30 days, stored in a separate encrypted storage bucket
  • Incident response — We maintain a documented incident response plan. In the event of a breach involving your data, we will notify affected merchants within 72 hours as required by GDPR Article 33

Despite these measures, no method of data transmission or storage is completely secure. We encourage you to use a strong, unique password for your Shopify account and to revoke app access immediately if you suspect unauthorized use.

5.3 — Data Retention

We retain your data for as long as your CatZ FAQs account is active. When you uninstall the app from your Shopify store:

  • Your FAQ content, categories, page configurations, and widget settings are deleted within 30 days of uninstallation
  • Your Shopify access token is immediately invalidated and deleted from our systems at the time of uninstallation
  • Anonymized aggregate analytics data (e.g., total FAQ count, plan type) may be retained indefinitely in aggregated form with no link to your store
  • Support ticket history is retained for 2 years to assist with reactivation and to comply with business record requirements
  • Billing transaction records are retained for 7 years as required by Japanese tax law and generally accepted accounting principles

You may request earlier deletion of your data at any time by contacting privacy@catzcommerce.com, subject to our legal retention obligations.

6. Cookies & Tracking Technologies

We use cookies, local storage, and similar technologies in the CatZ FAQs app admin interface and on the catzcommerce.com website. We do not use these technologies on your customers' storefront; the FAQ widget is a read-only embed that sets no cookies on end-shoppers' browsers.

6.1 — Types of Cookies We Use

  • Strictly Necessary Cookies — These are essential for the app admin to function. They handle session authentication, CSRF token protection, and maintaining your login state within the Shopify embedded app. These cannot be disabled without breaking app functionality.
  • Functional / Preference Cookies — These remember your UI preferences, such as your last-visited section, table sort order, and collapsed sidebar state. They improve your experience by restoring your workspace between sessions.
  • Analytics Cookies — We use a self-hosted, privacy-respecting analytics tool to measure aggregate usage patterns (e.g., which features are most used, average session length). No personally identifiable information is included in analytics events, and data is never shared with advertising platforms.

6.2 — Cookie Consent

Strictly necessary cookies are placed without consent as they are required for the app to operate. For functional and analytics cookies, we request your consent during onboarding. You may change your cookie preferences at any time via the Cookie Settings link in the app footer.

6.3 — The Storefront Widget & Cookies

The CatZ FAQs JavaScript widget embedded in your Shopify theme loads FAQ content from our CDN and renders it on the page. It does not:

  • Set cookies on your customers' devices
  • Collect IP addresses or browser fingerprints from shoppers
  • Transmit any shopper data back to our servers
  • Load third-party tracking scripts

The only network request the widget makes is a GET request to our CDN to fetch your FAQ JSON content — no personal data is included in that request.

6.4 — Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling strictly necessary cookies will prevent you from logging into the CatZ FAQs admin. For more information on managing cookies, refer to your browser's help documentation.

7. Your Privacy Rights

Depending on where you are located, you have specific legal rights regarding your personal data. We honor these rights for all users, regardless of jurisdiction, to the extent technically feasible.

7.1 — Rights Under GDPR (EEA & UK Residents)

  • Right of Access (Art. 15) — You may request a copy of all personal data we hold about you, the purposes of processing, and the categories of data involved. We will respond within 30 days.
  • Right to Rectification (Art. 16) — You may request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Art. 17) — You may request deletion of your personal data ("right to be forgotten"), subject to our legal retention obligations.
  • Right to Restriction of Processing (Art. 18) — You may request that we restrict processing of your data in certain circumstances, such as while you contest the accuracy of data we hold.
  • Right to Data Portability (Art. 20) — You may request your FAQ content and account data in a structured, machine-readable format (JSON or CSV). This export can be initiated from the app's Settings page or by contacting us.
  • Right to Object (Art. 21) — You may object to processing based on our legitimate interests, including profiling. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to Withdraw Consent (Art. 7) — Where processing is based on your consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right to Lodge a Complaint — You have the right to lodge a complaint with your local supervisory authority. In Japan, this is the Personal Information Protection Commission (PPC). In the EU, contact your national data protection authority.

7.2 — Rights Under CCPA / CPRA (California Residents)

If you are a California resident, you additionally have the right to:

  • Know what personal information is collected about you and how it is used and disclosed
  • Delete personal information we have collected (with certain exceptions)
  • Opt out of the sale or sharing of your personal information — we do not sell personal information
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate personal information
  • Limit the use and disclosure of sensitive personal information

To submit a CCPA request, contact us at privacy@catzcommerce.com with "CCPA Request" in the subject line. We will verify your identity before processing the request and respond within 45 days.

7.3 — How to Exercise Your Rights

To exercise any privacy right, email us at privacy@catzcommerce.com with a clear description of your request. We will acknowledge receipt within 5 business days and fulfill the request within 30 days (extendable to 60 days for complex requests, with prior notice). There is no charge for submitting a rights request.

We may ask you to verify your identity (e.g., by confirming your store domain or the email address on file) before fulfilling a request to prevent unauthorized access to your data.

8. International Data Transfers

CatZCommerce is headquartered in Tokyo, Japan. When you use the Service, your data may be transferred to and processed in countries outside your own, including Japan, the United States, and other countries where our sub-processors operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, we rely on the following legal mechanisms:

  • Standard Contractual Clauses (SCCs) — as approved by the European Commission (Decision 2021/914), incorporated into our Data Processing Agreements with all relevant sub-processors
  • Adequacy Decisions — where available (e.g., Japan has been recognized by the EU as providing adequate data protection under the Act on the Protection of Personal Information, APPI)

You may request a copy of the Standard Contractual Clauses applicable to your data transfers by contacting privacy@catzcommerce.com.

9. Children's Privacy

The CatZ FAQs Service is designed for use by Shopify merchants — businesses and individuals operating e-commerce stores. The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of 16.

If you are a parent or guardian and believe that a minor has provided personal information to us without your consent, please contact us immediately at privacy@catzcommerce.com. Upon verification, we will take prompt steps to delete that information from our systems.

If we discover that we have inadvertently collected personal data from a child under 16, we will delete it from our databases without delay. We do not use personal data from anyone under 16 for any purpose, including AI model improvement.

10. Shopify-Specific Disclosures

CatZ FAQs is distributed through the Shopify App Store and is required to comply with the Shopify Partner Program Agreement, Shopify API Terms, and Shopify App Store requirements. The following disclosures are specific to our use of Shopify's platform:

10.1 — API Scopes Requested

We request the following Shopify API permission scopes during installation:

  • read_products — To display your product list in the app and allow linking FAQs to specific products. We do not modify your products.
  • read_script_tags / write_script_tags — To inject the CatZ FAQs widget JavaScript into your storefront theme without requiring you to edit theme code manually.
  • read_themes — To detect your active Shopify theme and ensure widget compatibility.

We do not request and will never request scopes related to customer personal data (orders, customer emails, payment information, analytics) unless a future feature explicitly requires it and is fully disclosed in advance.

10.2 — Mandatory Webhooks

Shopify requires all apps to respond to the following mandatory GDPR webhooks, which we honor:

  • customers/data_request — We will provide all personal data we hold related to a specific customer upon request. Note: we do not hold individual shopper data, only merchant data, so these requests typically result in an empty response.
  • customers/redact — We will redact any customer personal data upon request. As above, we typically hold no shopper data.
  • shop/redact — Triggered 48 hours after a store uninstalls our app. Upon receiving this webhook, we initiate full deletion of all data associated with that store within 30 days.

10.3 — Data Shared Back with Shopify

We share aggregate, anonymized usage metrics with Shopify as part of the App Store review process (e.g., active installs, plan distribution). We do not share any individual merchant or shopper data with Shopify beyond what Shopify already has through their own platform.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the features of our Service. We will always post the updated policy on this page and update the "Last Updated" date at the top.

For material changes — those that meaningfully affect how we collect or use your data, or your rights under this policy — we will provide at least 14 days' advance notice via:

  • An email to the store owner's email address on file
  • A banner notification in the CatZ FAQs app admin
  • A post on our changelog at catzcommerce.com/changelog

For minor changes (e.g., clarifying language, correcting typos, updating sub-processor names), we will update the policy silently without direct notification, though the "Last Updated" date will reflect the change.

Your continued use of the Service after a material change takes effect constitutes your acceptance of the updated policy. If you disagree with the changes, you may uninstall the app and request deletion of your data before the change takes effect.

12. Contact & Data Controller Information

CatZCommerce Inc. is the data controller responsible for your personal data as described in this Privacy Policy.

Privacy Inquiries & Rights Requests

  • Email: privacy@catzcommerce.com
  • Response time: We acknowledge all privacy inquiries within 5 business days and fulfill requests within 30 days

General Support

  • Email: support@catzcommerce.com
  • In-app chat: Available within the CatZ FAQs admin dashboard during business hours (JST, Mon–Fri)

Registered Address

  • CatZCommerce Inc.
  • Shibuya-ku, Tokyo 150-0001, Japan

Shopify Data Requests

For questions about how Shopify handles data related to your store and your customers, you may also contact Shopify's privacy team directly at privacy@shopify.com or visit the Shopify Privacy Center at shopify.com/legal/privacy.

For EEA merchants, our EU representative for GDPR purposes can be reached at eu-privacy@catzcommerce.com.

Questions? Contact us at support@catzcommerce.com — we're happy to explain anything in this document.