Terms of Service

General Terms and Conditions

Effective Date: December 2025

1. Scope of Application

1.1 These General Terms and Conditions ("Terms") govern the use of the software-as-a-service product "ShopAssist" ("Service"), provided by Kremic Ventures UG (haftungsbeschränkt) ("Provider", "we", "us") to the customer (“Customer”, "Merchant").
1.2 The offer is directed exclusively at merchants that operate eCommerce online shops (B2B) within the meaning of § 14 of the German Civil Code (BGB). Consumers are excluded from concluding a contract with the Provider.
1.3 Conflicting or deviating terms and conditions of the Customer shall not apply unless we have expressly agreed to them in writing.

2. Subject Matter of the Service

2.1 Service Description: ShopAssist is an AI-powered shopping assistant designed for eCommerce stores (specifically Shopify). It integrates with the Merchant's store via API to sync product data (the "Sync Engine") and uses Large Language Models (LLMs) to answer shopper inquiries via a chat widget.
2.2 AI Limitations: The Customer acknowledges that the Service utilizes Artificial Intelligence. While we strive for accuracy (e.g., via our Sync Engine to reduce hallucinations), AI outputs are probabilistic. The Provider does not guarantee that the AI’s responses will be 100% error-free, factual, or suitable for the Merchant's specific legal compliance needs.
2.3 Availability: The Provider strives for an annual average availability of 99%, excluding maintenance work and force majeure events.
2.4 Modifications: The Provider reserves the right to update and modify the Service (e.g., changes to the AI model providers like OpenAI) to maintain technical standards, provided these changes do not unreasonably restrict the core functionality.

3. Account Registration and Conclusion of Contract

3.1 To use ShopAssist, the Customer must create an account (either directly or via the Shopify App Store integration).
3.2 By clicking the "Install", "Subscribe", or "Sign Up" button, the Customer submits a binding offer to conclude a SaaS contract. The contract is concluded when the Provider grants access to the Service.
3.3 The Customer warrants that all data provided during registration (Company Name, VAT ID, Address) is accurate and relates to their commercial activity.

4. Customer Obligations & End User Relationships

4.1 Shopify Integration: The Customer is responsible for maintaining an active, valid Shopify account. ShopAssist relies on the Shopify API; if the Customer's Shopify account is suspended or the API token is revoked, ShopAssist cannot function.
4.2 Content Responsibility: The Customer is solely responsible for the product data, descriptions, and policies (Shipping, Returns) synced to ShopAssist. The Provider is not liable if the AI repeats incorrect information provided by the Merchant.
4.3 Prohibited Use: The Customer may not use the Service to promote illegal goods, process sensitive personal data (e.g., health data, credit card numbers) inside the chat prompt unless authorized, or reverse engineer the "Sync Engine."
4.4 End User (Shopper) Relationship: The Customer acknowledges that they act as the sole contracting partner for their End Users (Shoppers). No contractual relationship exists between the Provider (ShopAssist) and the End User. The Customer is solely responsible for the relationship with the End User, including any advice given by the AI widget on the Customer’s store.
4.5 Transparency & AI Disclosure: The Customer is obligated to inform End Users that they are interacting with an Artificial Intelligence system, not a human, in accordance with applicable laws (e.g., the EU AI Act).
4.6 Merchant Terms & Privacy: The Customer warrants that their own Terms of Service and Privacy Policy cover the use of third-party tools and AI chat widgets. The Customer is responsible for obtaining any necessary consents (e.g., cookie consent) from the End User before the chat widget processes data.

5. Fees and Payment

5.1 Subscription: The fees are based on the pricing tier selected by the Customer (e.g., based on the number of products synced or chat volume) as displayed on the ShopAssist website or presented by the ShopAssist sales representative.
5.2 Payment Terms: Unless otherwise agreed, fees are payable in advance on a monthly or annual basis.
5.3 Shopify Billing: If the Service is booked via the Shopify App Store, billing is handled directly through Shopify’s billing system. In this case, Shopify’s payment terms apply in addition to these Terms.
5.4 Default: If payment fails, the Provider reserves the right to suspend access to the Service immediately until payment is resolved.

6. Intellectual Property

6.1 Provider Rights: Kremic Ventures UG retains all rights, title, and interest in the ShopAssist software, the "Sync Engine," the visual interface, and the underlying AI agent logic. The Customer receives a limited, non-exclusive, non-transferable right to use the Service during the contract term.
6.2 Customer Data: The Customer retains all rights to their product data and chat logs. The Customer grants the Provider a right to process this data solely for the purpose of providing the Service (e.g., generating embeddings for the Vector Database).

7. Data Protection

7.1 The parties shall comply with the provisions of the General Data Protection Regulation (GDPR).
7.2 Data Processing Agreement (DPA): Since the Provider processes personal data (e.g., shopper chat logs) on behalf of the Merchant, the parties hereby conclude the Data Processing Agreement (Auftragsverarbeitungsvertrag) attached to these Terms as Appendix A. By accepting these Terms, the Customer agrees to the provisions of Appendix A.
7.3 The Privacy Policy available at getshopassist.com/privacy applies.

8. Liability

8.1 The Provider is liable without limitation for damages caused by intent (Vorsatz) or gross negligence (grobe Fahrlässigkeit), as well as for injury to life, body, or health.
8.2 In cases of slight negligence (einfache Fahrlässigkeit), the Provider is only liable for the breach of material contractual obligations (cardinal duties). Cardinal duties are obligations whose fulfillment is essential for the proper execution of the contract and on whose observance the Customer relies.
8.3 In the case of Clause 8.2, liability is limited to the foreseeable, typically occurring damage.
8.4 Strict liability for initial defects (warranty without fault) under § 536a (1) BGB is excluded.
8.5 The Provider is not liable for the purchasing decisions made by the Merchant's End Users based on AI recommendations. The Merchant acts as the seller of record.

9. Indemnification (Freistellung)

9.1 The Customer (Merchant) agrees to indemnify, defend, and hold harmless the Provider (ShopAssist) from and against any third-party claims, damages, liabilities, and expenses (including reasonable attorney fees) arising out of or relating to:

(a) Product Liability: Any claims regarding the safety, quality, or defects of the products sold by the Customer, including claims for bodily injury, death, or damage to property;
(b) Health & Safety Claims: Any claims arising from End Users relying on the Service for medical advice, allergy information, or safety instructions (e.g., regarding toys, cosmetics, or supplements) where the AI output was based on the Customer's product data or lack of safety warnings;
(c) Data Accuracy: Any misleading, illegal, or incorrect product data provided by the Customer to the Sync Engine (e.g., incorrect age recommendations or ingredients);
(d) Compliance: The Customer's failure to comply with applicable laws, including privacy laws (GDPR) and consumer protection regulations;
(e) End User Disputes: Any general dispute between the Customer and their End User regarding refunds, returns, or purchasing decisions.

10. Term and Termination

10.1 Term: The contract runs for an indefinite period (monthly subscriptions) or for the fixed term agreed upon (annual subscriptions).
10.2 Termination:
- Monthly Plans: Can be terminated with 7 days' notice to the end of the billing month.
- Annual Plans: Can be terminated with 30 days' notice to the end of the contract year.
- Termination via Shopify: Uninstalling the App from the Shopify store constitutes a termination effective at the end of the current billing cycle.
10.3 The right to extraordinary termination for good cause remains unaffected.

11. Final Provisions

11.1 Updates to Terms: We reserve the right to amend these Terms. We will notify the Customer of changes by email or dashboard notification 30 days in advance. If the Customer does not object within this period, the changes are deemed accepted.
11.2 Governing Law: These Terms are governed by the laws of the Federal Republic of Germany. The UN Convention on Contracts for the International Sale of Goods (CISG) is excluded.
11.3 Place of Jurisdiction: The exclusive place of jurisdiction for all disputes arising from this contract is Berlin, Germany.
11.4 Severability: Should individual provisions of this agreement be invalid, the validity of the remaining provisions shall remain unaffected.

Provider Information (Impressum Reference):

Kremic Ventures UG (haftungsbeschränkt)

Liselotte-Herrmann-Straße 12

10407 Berlin, Germany

HRB 237823 (Amtsgericht Berlin-Charlottenburg)

Appendix A: Data Processing Agreement (AV-Vertrag)

Pursuant to Art. 28 GDPR

Preamble

This Data Processing Agreement ("DPA") is an integral part of the Terms of Service between Kremic Ventures UG (haftungsbeschränkt) ("Processor") and the Customer ("Controller"). By entering into the Terms of Service, the Parties conclude this DPA to ensure compliance with data protection laws regarding the processing of personal data (e.g., End User chat logs and Merchant product data).

1. Subject Matter and Duration

1.1 Subject Matter: The Processor shall process personal data on behalf of the Controller in connection with the provision of the AI-powered shopping assistant services as described in the Principal Agreement.
1.2 Duration: The term of this DPA shall coincide with the term of the Principal Agreement.

2. Nature and Purpose of Processing

The processing involves the collection, storage, analysis, and retrieval of data to:

Sync Merchant product catalogs using the "Sync Engine".
Answer End User (Shopper) inquiries via the AI Chat Widget using Large Language Models (LLMs).
Provide analytics and insights to the Controller regarding shopper behavior.

3. Categories of Data and Data Subjects

3.1 Categories of Data Subjects:

End Users (Shoppers/Visitors of the Merchant’s online store).
Employees/Representatives of the Controller (Admin users).

3.2 Types of Personal Data:

Communication Data: Chat logs, user queries, feedback, and interaction history.
Technical Data: IP addresses, browser type, device information, session identifiers.
Order/Cart Data: Products viewed, added to cart, or purchased (if shared during chat).
Merchant Data: Name, email, and business contact details of the Controller’s employees.

4. Obligations of the Processor

4.1 Instructions: Process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law. The Principal Agreement and the configuration of the Service by the Controller constitute such instructions.
4.2 Confidentiality: Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security (Art. 32 GDPR): Implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk (see Appendix 2).
4.4 Assistance: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (Security, Breach Notification, DPIA) taking into account the nature of processing and the information available to the Processor.
4.5 Data Subject Rights: Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights (e.g., deletion, access).
4.6 Deletion/Return: At the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of services relating to processing, unless Union or Member State law requires storage of the personal data.

5. Sub-processors (Unterauftragsverarbeiter)

5.1 Authorization: The Controller grants the Processor general authorization to engage the sub-processors listed in Appendix 1.
5.2 Changes: The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors. The Controller may object to such changes within 14 days on reasonable data protection grounds.
5.3 Obligations: The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract (e.g., Data Processing Addendum).
5.4 International Transfers: If a sub-processor is located outside the EU/EEA, the Processor ensures compliance with Chapter V of the GDPR (e.g., via Adequacy Decisions or Standard Contractual Clauses/SCCs).

6. Audit Rights

The Controller has the right to conduct audits to verify compliance with this DPA. If the Processor provides a recognized certification (e.g., SOC 2, ISO 27001) or audit report, the Controller agrees to accept this as sufficient proof of compliance to avoid business disruption.

Appendix 1: List of Authorized Sub-processors

Sub-processor	Function	Location	Safeguard
OpenAI, L.L.C.	LLM / AI Text Generation	USA	SCCs / DPF
Anthropic, PBC	LLM / AI Text Generation	USA	SCCs
Pinecone Systems Inc.	Vector Database (Embeddings)	USA	SCCs
Supabase Inc.	Core Database & Auth	USA/EU	SCCs
Vercel Inc.	Web Hosting & Analytics	USA	SCCs / DPF
Cloudflare Inc.	CDN & Security	USA	SCCs / DPF
Shopify Inc.	E-commerce Integration	Canada	Adequacy Decision

Note: "SCCs" refers to the Standard Contractual Clauses approved by the European Commission. "DPF" refers to the EU-US Data Privacy Framework.

Appendix 2: Technical and Organizational Measures (TOMs)

1. Confidentiality

Encryption: All data in transit is encrypted via TLS 1.2+. Data at rest in the database (Supabase) and Vector DB (Pinecone) is encrypted.
Access Control: Access to production databases is restricted to key personnel (Founders/Engineers) via multi-factor authentication (MFA).

2. Integrity

Input Control: All API interactions are logged. Changes to the AI agent configuration are tracked within the Merchant dashboard.
Separation: Customer data is logically separated within the database using unique Tenant IDs (Merchant IDs).

3. Availability & Resilience

Backups: Automated daily backups of the database are performed by the infrastructure provider (Supabase).
Redundancy: Services are hosted on scalable cloud infrastructure (Vercel/Cloudflare) designed to handle load spikes.
Rapid Recovery: Disaster recovery plans are in place to restore service availability in case of a physical or technical incident.

4. AI Accuracy (Anti-Hallucination)

Grounding: The AI is strictly instructed to reference only the product data indexed from the Merchant's store ("Sync Engine") and to decline answering if the data is missing.
Updates: Product data (stock/price) is synced at regular intervals (approx. every 10 minutes) to minimize discrepancies.