Data Protection

Personal Data Processing Policy

Live & Video Shopping Caast.TV

Last updated: December 8, 2025

This document governs the processing of personal data carried out in connection with the use of the Caast.TV Live & Video Shopping solution, developed by Caast SAS (hereinafter referred to as the "Data Processor"), and operated on behalf of its client (hereinafter referred to as the "Data Controller") in the context of operations on its site.

1. Definitions

  • Client: refers to any legal entity having a commercial relationship with Caast.
  • Service Provider or Caast: refers to Caast SAS, registered with the Lille Trade and Companies Register under number 528 509 060, with its registered office at 165 avenue de Bretagne, 59000 Lille.
  • Sub-Processor: refers to any third party designated by Caast to process Personal Data in connection with the provision of the Solution.
  • End User: refers to the natural persons with whom the Client interacts via the Caast Solution.
  • Data Subjects: means identified or identifiable persons to whom Personal Data relates.
  • Data Protection Legislation: refers to all applicable laws and regulations, including the provisions of Regulation 2016/679 (GDPR).
  • Personal Data: means any information relating to an identified or identifiable natural person.
  • Processing: means any operation carried out on Personal Data.
  • Security Incident: means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Description of Processing

Caast provides a live and video commerce solution incorporating several features: public instant messaging, SMS registration and reminder system, contest mechanics, and audience analytics tools.

The processing of this Personal Data is based on the legal ground of the explicit consent of the End User, in accordance with Article 6.1(a) of the GDPR.

2.1 Live & Video Player

PurposeEnsure proper functioning of the player, measure audience, analyse usage without advertising retargeting
DataCart clicks, access log data, IP addresses, user agent, low-resolution geolocation
RetentionCart: 24 months — Live Overview: 100 days
Data SubjectsEnd Users consuming Lives or videos via Caast

2.2 Instant Messaging (Chat)

PurposeAllow End Users to interact in real time during a live event via a public chat
DataUsername, chat messages
Retention24 months
Data SubjectsEnd Users participating in instant messaging

2.3 SMS Registration and Reminder

PurposeSend an SMS reminder link before each new live event, at the explicit request of the End User
DataPhone number
Retention36 months
Data SubjectsEnd Users registering for SMS reminders

2.4 Contest

PurposeManage participation, prize allocation, and winner contact
DataUsername, first name, last name, email, phone number
Retention60 days
Data SubjectsEnd Users participating in a contest

3. Sub-Processors and Transfers Outside the EU

The Data Controller authorises the Data Processor to engage Sub-Processors to assist in delivering the Solution.

Where the Data Processor engages Sub-Processors located outside the European Economic Area, Standard Contractual Clauses (European Commission Decision 2021/914) are put in place.

Amazon Web Services EuropeFile and data hosting — Luxembourg / United Kingdom — SCC V2 + DPF
Google Cloud (BigQuery)Data hosting — France / EU multi-region — SCC V2
Mux VideoVideo delivery — United States / Germany — SCC V2 + DPF
Mux DataVideo performance reporting (Live Overview) — United States / Germany — SCC V2 + DPF
MongoDB (Atlas)Data hosting — Ireland — GDPR compliant
SMSFactorSMS delivery — France / EU multi-region — SCC V2

4. Obligations of the Data Processor

4.1 General Obligations

  • Not to retain, use, or disclose Personal Data outside the scope of the specified services.
  • To keep Personal Data secure, accessible only to authorised persons bound by confidentiality obligations.
  • To process Personal Data in accordance with the documented instructions of the Data Controller.
  • To return and/or delete Personal Data within a maximum of 15 days upon termination of the commercial relationship.
  • To notify the Data Controller without undue delay of any Personal Data breach.
  • To implement and maintain appropriate physical, technical, and organisational security measures.
  • To delete Personal Data within 3 months of the termination or expiry of the commercial relationship.

4.2 Purpose and Limitations

The Data Processor undertakes to use End Users' Personal Data solely for purposes strictly necessary to the provision of the Caast Solution:

  • Sending notifications related to live events (SMS reminders at the End User's explicit request).
  • Managing participation in interactive features (chat, contests).
  • Transmitting to the Data Controller the information required to contact winners.

No Personal Data will be used for commercial or advertising purposes, nor disclosed to unauthorised third parties.

5. Audit

The Data Processor authorises and facilitates audits conducted by the Data Controller or any mandated auditor (non-competing, bound by confidentiality).

  • The Data Controller shall inform the Service Provider at least 2 weeks in advance (except in emergencies).
  • The Data Processor shall make available the information necessary to demonstrate compliance with this DPA.
  • The Data Controller shall not have access to the data of other clients of the Data Processor.

All audits are carried out at the Data Controller's expense, who shall provide a copy of the audit report.

6. Rights of Data Subjects

The Data Processor provides assistance to the Data Controller in responding to requests from individuals exercising their rights:

  • Right of access: via the Caast interface or upon request to technical support.
  • Right to rectification: correction of information (first name, last name, username, email, phone number) upon simple request via the contact form.
  • Right to erasure / right to object: upon deletion of a message or account, all data is deleted except anonymised logs retained for general statistics.
  • Right to data portability: the context of use of the Solution makes this type of request not applicable.

The Data Processor systematically redirects Data Subjects to the Data Controller, who is the sole party authorised to respond to requests for the exercise of rights.

7. Applicable Law

This document is governed by French law.

8. Duration

This document applies for as long as Caast acts as Data Processor on behalf of the Data Controller in connection with the use of the Caast.TV Solution.