Privacy Policy

Last Updated: October 20, 2025

Art Studio LLC ("Comma", "we", "us", "our") operates the Comma platform at heycomma.com. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, company name, job title
  • Payment Information: Processed by Stripe (we do not store full credit card details)
  • Content Data: Brand assets, written content, personas, and other materials you create or upload
  • Communications: Messages you send us, support requests, feedback

1.2 Automatically Collected Information

  • Usage Data: Features accessed, queries run, content generated, session duration
  • Technical Data: IP address, browser type, device information, operating system
  • Analytics Data: Collected via PostHog and similar providers to understand product usage

1.3 Cookies and Tracking

We use essential cookies for authentication and optional analytics cookies. You can control cookie preferences through your browser settings.

2. How We Use Your Information

2.1 Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract Performance: To provide the Comma platform and fulfill our Terms of Service
  • Legitimate Interests: To improve our Service, prevent fraud, and ensure security
  • Consent: For optional analytics and marketing communications (you may withdraw consent at any time)
  • Legal Obligation: To comply with applicable laws and regulations

2.2 Purposes

We use collected information to:

  • Provide and improve the Comma platform
  • Generate AI-optimized content based on your specifications
  • Monitor your brand visibility across AI answer engines
  • Process payments and maintain your account
  • Send service updates, security alerts, and support messages
  • Analyze platform performance and user behavior
  • Comply with legal obligations

3. AI Model Usage

3.1 Content Generation

We use third-party AI services (Anthropic, OpenAI, Google Gemini) to generate content. When you request content generation:

  • We send prompts derived from your instructions (not your raw user data)
  • Generated content is stored in your account with strict user separation
  • Your content is never used to train AI models
  • We rely on our AI providers' data retention policies for prompt handling

3.2 Visibility Testing

We may submit content to AI answer engines (ChatGPT, Perplexity, Google AI Overview, Gemini) solely to test and measure your brand visibility. This is core to the platform's functionality.

4. Information Sharing and Disclosure

4.1 Service Providers

We share information with:

  • Stripe: Payment processing (EU-US Data Privacy Framework certified)
  • Anthropic, OpenAI, Google: AI content generation
  • PostHog and analytics providers: Usage analytics
  • Render.com: Infrastructure and hosting
  • CMS integrations: When you authorize connections to your content management systems

All third-party service providers are contractually required to protect your data and process it only for specified purposes.

4.2 International Transfers

Your information may be transferred to and processed in the United States or other countries where our service providers operate. For EEA users, we ensure adequate protection through:

  • EU-US Data Privacy Framework participation (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other appropriate safeguards under GDPR Article 46

4.3 Business Transfers

If Comma is acquired or merged, your information may be transferred to the new entity. You will be notified of any such change.

4.4 Legal Requirements

We may disclose information when required by law, to protect our rights, or to prevent harm.

4.5 Aggregated Data

We may share anonymized, aggregated data for marketing, research, or industry analysis. This data cannot identify individual users or companies.

5. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Access controls and authentication
  • Regular security assessments
  • Pseudonymization and data minimization where appropriate

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Active Accounts: We retain your data while your account is active
  • Canceled Accounts: Data is deleted within 30 days of cancellation, with backup purges completed within 90 days
  • Legal Holds: We may retain data longer when required by law or to resolve disputes

We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law.

7. Your Rights

7.1 General Rights

Depending on your location, you may have rights to:

  • Access your personal information
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data (data portability)
  • Opt out of marketing communications
  • Object to certain processing activities

7.2 GDPR Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR:

  • Right of Access: Request confirmation of what personal data we process and obtain a copy
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances
  • Right to Restriction: Request we limit processing of your personal data in certain situations
  • Right to Data Portability: Receive your data in a structured, commonly used format and transmit it to another controller
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

Response Time: We will respond to rights requests within 30 days (may be extended by 60 days for complex requests).

7.3 Exercising Your Rights

To exercise these rights, contact us at notices@heycomma.com. We may request verification of your identity before processing requests.

8. EU Representative

For GDPR matters, EU-based users may contact our EU representative at: [TO BE APPOINTED IF REQUIRED]

Note: Under GDPR Article 27, companies not established in the EU must appoint an EU representative if they offer goods/services to or monitor EU data subjects. If your business scales significantly in the EU, you may need to appoint a representative.

9. Data Protection Officer

For data protection inquiries, you may contact our Data Protection Officer at: notices@heycomma.com

10. Children's Privacy

Comma is not intended for users under 16 (or under 13 in the US). We do not knowingly collect information from children.

11. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for their privacy practices.

12. California Privacy Rights (CCPA/CPRA)

California residents have additional rights including:

  • Right to Know: What personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit: Limit use of sensitive personal information
  • Non-Discrimination: We will not discriminate against you for exercising your rights

We do not sell or share personal information for cross-context behavioral advertising.

To exercise California rights, contact notices@heycomma.com or call [PHONE NUMBER IF REQUIRED].

13. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or platform notification at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance.

15. Contact Us

Questions about this Privacy Policy or data protection?

Art Studio LLC
Email: notices@heycomma.com
Address: 400 NW Gilman Blvd #1165, Issaquah, WA 98027

For GDPR-specific inquiries:
Email: notices@heycomma.com
Subject Line: "GDPR Data Request"