Privacy Policy
Active as of February 6, 2026 (Last updated: May 19, 2026)
Chartcastr takes your privacy seriously where we deal with your personal data. Personal data means information that identifies you personally, such as your name, billing information and contact details, or data that can be linked with such information in order to identify you directly or indirectly.
References to "Chartcastr", "we", "us" or "our" in this privacy notice are to Drummerduck Pty Ltd, a company registered in Australia. We are the Controller of your personal data (this simply means we are responsible for what happens to your personal data).
Please read this privacy notice carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
This privacy notice does not cover any personal data processed by us on behalf of our clients in relation to the Chartcastr data visualization platform. For information on how personal data is handled within specific charts and reports generated for our clients, please refer to our Data Processing Addendum (DPA).
Your Personal Data and How We Use It
We collect personal data about you, either directly from you, from a third-party source or by automated means (when you use our website or application). Under data protection law we can only use your personal data where we have a lawful basis (justification).
Information you give us
Access to Platform
When you create an account via Clerk, we collect your name, email address, and profile details.
Basis: Performance of a contract
Integration Setup
When you authorize data sources (e.g. Google Sheets), we collect OAuth tokens and identifier data.
Basis: Performance of a contract
Billing & Payments
Payment processing and subscription management are handled via Stripe.
Basis: Performance of a contract
Marketing & Updates
We use your email address to send updates about our service and features.
Basis: Consent / Legitimate interest
Information we collect automatically
Website & App Interaction
We use PostHog to monitor how our service is used, including device characteristics, IP address, and pages visited. This helps us discover and fix problems and improve performance.
Basis: Legitimate interest
How We Share Your Personal Data
We share your personal data with trusted third parties who perform functions on our behalf and help us provide the service. You can view our full list of sub-processors here. These include:
- Auth & Identity: Clerk (including Google OAuth)
- Payments & Billing: Stripe
- Hosting & Infrastructure: Railway, Vercel
- Storage & Security: Cloudflare R2, Doppler (Secrets management)
- Analytics: PostHog
- Communications & Delivery: Resend (Email processing)
- Data Sources: Google Drive and Google Sheets API
- AI Processing: Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini) via Vercel AI Gateway
AI & Large Language Model (LLM) Data Handling
Chartcastr uses third-party AI models via Vercel AI Gateway to generate chart analysis summaries and respond to follow-up questions. The specific models used may change over time as we optimize for quality and performance. Here is how your data is handled in relation to these AI services:
- No training on your data: Your Slack messages, chart data, and conversation context are never used to train or fine-tune AI/LLM models. All AI providers are accessed via Vercel AI Gateway using their commercial API endpoints with zero-retention data processing agreements.
- Data retention: AI-processed conversation records (questions and responses) are stored as part of your pulse thread history for as long as your account is active. You may request deletion of your conversation data at any time.
- Data residency: AI inference requests are routed through Vercel AI Gateway to third-party model providers (primarily US-based). No data is stored by these providers beyond the duration of the API request.
- Data tenancy: All AI processing is performed on a per-request basis. Your data is not shared across tenants or organizations. Each API call is isolated to your specific query and context.
- Accuracy disclaimer: AI-generated insights may occasionally be inaccurate. Users should always verify important data points with their original source.
Google API Services User Data Policy
Chartcastr's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
Specifically, Chartcastr requests the following Google OAuth scopes, used only to deliver the features you connect:
- Google Sheets (spreadsheets.readonly) & Google Drive (drive.readonly): Read the spreadsheets you explicitly select so we can generate charts and scheduled reports from your data.
- Google Search Console (webmasters.readonly): Read search performance metrics for sites you connect, used to generate charts and reports.
- Google Ads (adwords): Read campaign performance metrics for accounts you connect, used to generate charts and reports.
- Google Chat (chat.spaces.readonly, chat.messages.create): List spaces you choose to deliver to and post chart messages on your behalf.
We do not use Google user data to train generalized AI/ML models. We do not transfer Google user data to third parties except (i) to provide or improve user-facing features that are prominent in Chartcastr's UI, (ii) to comply with applicable law, or (iii) as part of a merger, acquisition, or sale of assets, with notice to affected users. Humans do not read your Google user data unless we have your affirmative consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data (including derivations) has been aggregated and anonymized so it cannot be used to identify any individual.
International Transfers
We are located in Australia. However, many of our service providers are located in the United States or other jurisdictions. We ensure appropriate safeguards (such as Standard Contractual Clauses) are in place to protect your personal data when transferred internationally.
Data Security
We are CASA Type 2 certified. We implement stringent technical and organizational measures to protect your data, including AES-256 encryption at rest and TLS for all data in transit.
Your Data Rights
By law, you have several rights regarding your personal data:
- Right of Access: Request a copy of the data we hold about you.
- Right to Rectification: Ask us to correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data where no compelling reason exists for continued use.
- Right to Restrict Processing: "Block" or suppress further use of your personal data.
- Right to Data Portability: Obtain your data in a structured, machine-readable format.
- Right to Withdraw Consent: Withdraw permission at any time where we rely on consent.
Contact Us
If you wish to exercise any rights or have questions about this notice, please contact us at: privacy@chartcastr.com
Last Updated: January 30, 2026 | Active Status: Current






