Privacy Policy

Effective Date: August 15, 2025

Last Updated: August 15, 2025

Introduction

Carti ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, and protect your data when you use our Shopify application.

Data Controller

Carti is the data controller for personal information collected through our application. For privacy-related questions, contact us at support@heycarti.com.

Legal Basis for Data Processing

We process your personal data under the following legal bases:

  • Contract Performance – To provide the Shopify app services described in our terms of service.
  • Legitimate Interest – To improve service quality, provide customer support, and ensure security.
  • Legal Obligation – To comply with applicable laws, including recordkeeping requirements.
  • Consent – Where you explicitly provide permission, such as when submitting feedback used to improve AI models.

Data We Collect and Use

Shop Configuration Data

  • Description: Shop settings, branding, and configuration data.
  • Purpose: Service provision and customization.
  • Retention: 7 years.
  • Legal Basis: Contract, legal obligation.

Customer Interactions

  • Description: Chat messages, customer queries, AI responses.
  • Purpose: Customer support and service improvement.
  • Retention: 3 years, then anonymized.
  • Legal Basis: Legitimate interest, consent (for feedback).

Customer Identifiers

  • Description: Customer IDs, emails, phone numbers, order references.
  • Purpose: Order processing and customer support.
  • Retention: 3 years, then anonymized.
  • Legal Basis: Contract, legitimate interest.

Analytics Data

  • Description: Usage statistics, performance metrics.
  • Purpose: Service optimization and business operations.
  • Retention: 2 years, then aggregated.
  • Legal Basis: Legitimate interest.

Training Data

  • Description: Merchant feedback used to improve AI model performance.
  • Purpose: AI service enhancement.
  • Retention: 5 years, then anonymized.
  • Legal Basis: Legitimate interest, consent.

System Logs

  • Description: Operational logs, error reports, system events.
  • Purpose: Security and troubleshooting.
  • Retention: 90 days, then deleted.
  • Legal Basis: Legitimate interest.

Temporary Data

  • Description: Cache files, temporary session data.
  • Purpose: Operational efficiency.
  • Retention: 7 days, then deleted.
  • Legal Basis: Legitimate interest.

Data Retention Schedule

Data Category            Retention Period   End of Life Treatment
Shop Configuration       7 years            Hard delete
Customer Interactions    3 years            Anonymize
Customer Identifiers     3 years            Anonymize
Analytics Data           2 years            Aggregate
Training Data            5 years            Anonymize
System Logs              90 days            Hard delete
Temporary Data           7 days             Hard delete

Data Minimization

We apply strict data minimization principles:

  • Collect only what is necessary for defined purposes.
  • Replace persistent identifiers with session IDs where possible.
  • Anonymize customer data after 3 years.
  • Aggregate analytics data after 2 years.
  • Delete system logs within 90 days and temporary data within 7 days.

Security Practices

We employ technical and organizational measures to protect your data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest.
  • Authentication: Shopify OAuth with scoped access only.
  • Access Controls: Role-based, shop-scoped access and continuous audit logging.
  • PII Protection: Automated scrubbing of logs, redaction of sensitive fields, and real-time monitoring.

Automated Data Cleanup

Our systems automatically enforce retention and deletion policies:

  • Daily – Temporary data cleanup, log rotation.
  • Weekly – Aggregation of analytics, anonymization of aged customer data.
  • Monthly – Training data anonymization, compliance review.

Data Breach Response

In the event of a breach, we follow a structured response plan:

  • Immediate Containment within 24 hours.
  • Investigation and root cause analysis within 72 hours.
  • Notification to affected merchants and regulators where required.
  • Remediation and Monitoring to prevent recurrence.

International Data Transfers

Data is primarily stored and processed in the European Union. If transfers outside this region occur, we apply appropriate safeguards, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

Cookies and Tracking

We use cookies only as necessary to operate the app:

  • Essential Cookies for authentication, session management, and security.
  • Analytics Cookies for performance monitoring and error tracking.

Merchants can manage cookies through their browser settings.

Your Rights

You may exercise the following rights under GDPR, CCPA, LGPD, PIPEDA, and similar laws:

  • Access – Request a copy of your personal data.
  • Rectification – Correct or update inaccurate data.
  • Erasure – Request deletion of personal data, subject to retention obligations.
  • Portability – Receive data in a structured, machine-readable format.
  • Restriction/Objection – Limit or object to processing.

We respond to verified requests within 30 days.

Children's Privacy

Our app is not intended for individuals under 16. If we discover such data has been collected, it will be deleted immediately.

Compliance and Audits

We comply with GDPR, CCPA, LGPD, and PIPEDA. Internal reviews are performed regularly, and policies are updated annually to reflect regulatory changes and best practices.

Changes to This Policy

We may update this Privacy Policy from time to time. Substantive changes will be announced with at least 30 days' notice before taking effect.

Contact Information

For questions, requests, or complaints, contact us at:

Email: support@heycarti.com

Data Protection Officer (DPO): support@heycarti.com