Privacy Policy for Cartivate

1. Who we are

Cartivate is operated by:

Privacy and support contact: info@cartivate.io

Privacy contact person: Karlo Bradica

We are established in Slovenia, European Union.

2. Our role under privacy laws

For most personal data relating to a merchant’s customers and store visitors, the Shopify merchant is the data controller or business, and Cartivate acts as a data processor or service provider. This means we process that data on behalf of the merchant in order to provide the Cartivate service.

For data relating to merchant accounts, billing, support, app usage, website visitors, security logs, and our own business operations, Cartivate may act as the data controller or business.

Merchants are responsible for making sure their own privacy policy, cookie policy, consent notices, and Shopify store settings accurately explain their use of Cartivate and any other apps or tracking technologies on their store.

3. Information we collect from Shopify

When a merchant installs or uses Cartivate, we may collect or access information from Shopify through Shopify APIs, app extensions, app embeds, storefront functionality, and related Shopify services.

Depending on the features used by the merchant, this may include:

• shop name, Shopify store URL, myshopify.com domain, public store domain, shop ID, store currency, timezone, locale, and basic store settings;
• merchant account information made available by Shopify, such as merchant email address, store owner information, and billing-related status;
• product information, including product titles, product IDs, variants, prices, images, availability, collections, tags, and product metadata;
• cart information, including cart contents, product IDs, variant IDs, quantities, cart value, cart attributes, discount state, and cart drawer interactions;
• discount, offer, upsell, cross-sell, gift, shipping incentive, and promotional configuration data;
• theme, app embed, storefront, and cart drawer configuration data needed to display Cartivate correctly on the merchant’s Shopify store;
• order, checkout, or purchase event information where needed to measure whether a Cartivate offer, upsell, or cart drawer interaction resulted in a conversion;
• technical identifiers and event data needed for app functionality, fraud prevention, debugging, analytics, and performance measurement.

Cartivate is not intended to collect protected customer data from Shopify unless required for a specific approved feature or merchant configuration. If our Shopify API scopes or data access change in the future, we will update this Privacy Policy accordingly.

4. Information merchants provide directly to us

Merchants and their authorized users may provide information directly to Cartivate when they install, configure, or use the app.

This may include:

• name, email address, company/store name, and contact details;
• Shopify store URL and account identifiers;
• app settings and cart drawer preferences;
• upsell, cross-sell, product recommendation, offer, discount, and incentive settings;
• campaign names, display rules, targeting rules, design settings, text, images, and other content uploaded or configured by the merchant;
• support messages, feedback, bug reports, and other communications sent to us;
• billing plan, subscription status, and Shopify Billing information;
• internal app usage data such as features used, settings changed, campaigns created, offers launched, and app performance metrics.

5. Information collected from store visitors and customers

When Cartivate is active on a merchant’s Shopify store, we may collect information about how customers and visitors interact with the cart drawer and related Cartivate features.

Depending on the merchant’s configuration, this may include:

• cart contents, cart value, product IDs, variant IDs, quantities, and cart changes;
• products viewed, products added to cart, products removed from cart, upsell clicks, cross-sell clicks, offer views, offer acceptances, offer rejections, discount usage, free gift interactions, shipping incentive interactions, and checkout-related events;
• session ID, cookie ID, localStorage ID, cart token, checkout token, or similar pseudonymous identifiers;
• IP address, browser type, device type, operating system, screen size, language, country or approximate location derived from technical data;
• date, time, URL, referring URL, and interaction events;
• customer or order identifiers where made available by Shopify and where needed for attribution, reporting, fraud prevention, or app functionality;
• customer name, email address, phone number, billing/shipping information, or order information only if made available by Shopify or the merchant’s configuration and only where needed to provide the Cartivate service.

Cartivate is a cart drawer and upsell application. It is not designed as an email or SMS lead collection tool, and it does not send marketing emails or SMS messages to store visitors.

6. Cookies, localStorage, and similar technologies

Cartivate may use cookies, localStorage, sessionStorage, pixels, scripts, or similar technologies on a merchant’s storefront to provide and improve the app.

These technologies may be used to:

• remember cart drawer state and user interactions;
• prevent the same offer or drawer behavior from being shown too often;
• measure impressions, clicks, conversions, and cart drawer performance;
• support A/B testing, personalization, debugging, and fraud prevention;
• keep the Cartivate experience functional across pages and sessions.

Merchants are responsible for configuring their Shopify store, cookie banner, consent tools, and privacy notices in accordance with applicable privacy and ePrivacy laws.

Where legally required, merchants should obtain valid consent before enabling non-essential cookies, analytics, tracking, or personalization features.

7. How we use personal data

We use personal data to:

• provide, operate, maintain, and improve Cartivate;
• install and display the Cartivate cart drawer and related storefront features;
• allow merchants to configure upsells, cross-sells, offers, discounts, gifts, shipping incentives, and cart drawer settings;
• personalize and control the cart drawer experience based on merchant settings;
• measure impressions, clicks, interactions, conversions, revenue attribution, and app performance;
• provide analytics and reporting to merchants;
• troubleshoot errors, debug issues, prevent abuse, and secure the service;
• communicate with merchants about support, service updates, billing, and administrative matters;
• comply with legal obligations, Shopify requirements, and enforce our rights.

We do not sell personal data.

We do not use merchant customer data to independently market to customers.

We do not use merchant customer data to build unrelated advertising profiles outside the Cartivate service.

8. Legal bases for processing

Where the GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:

• Performance of a contract: to provide Cartivate to merchants and operate the app.
• Legitimate interests: to secure, improve, debug, analyze, and maintain the service.
• Consent: where required for cookies, analytics, tracking, personalization, or similar technologies.
• Legal obligation: to comply with laws, accounting obligations, Shopify requirements, and valid legal requests.
• Processor instructions: where we process customer or visitor data on behalf of a merchant.

9. Sharing of personal data

We may share personal data with:

• Shopify, as necessary to operate the app within the Shopify platform;
• hosting and infrastructure providers, including Vercel, for hosting, deployment, security, and delivery of the service;
• analytics and product analytics providers, including PostHog, for app analytics, product usage measurement, debugging, and improvement;
• payment and billing providers, including Shopify Billing, for subscription and billing management;
• support and communication tools, if used, for merchant support and service communication;
• professional advisors, such as lawyers, accountants, or auditors, where necessary;
• public authorities or legal requesters, where required by law or to protect our legal rights.

We require service providers that process personal data for us to use appropriate safeguards and process data only for authorized purposes.

10. Subprocessors

We may use subprocessors to provide Cartivate. Current key subprocessors include:

We may update this list from time to time if we add or replace service providers.

11. International data transfers

Cartivate is operated from Slovenia, European Union.

We aim to process and store personal data in the European Economic Area where reasonably possible. However, some service providers may process personal data in other countries, including the United States or other locations where they or their subprocessors operate.

Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on appropriate safeguards where required, such as:

• adequacy decisions;
• Standard Contractual Clauses;
• Data Processing Agreements;
• the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. Data Privacy Framework where applicable;
• equivalent safeguards required by applicable privacy laws.

12. Data retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

In general:

• merchant account and store configuration data is kept while the merchant uses Cartivate;
• cart drawer settings, offer settings, campaign settings, and app configuration data are kept while the app is installed and active;
• customer-level event data and cart interaction data are generally kept only as long as needed for reporting, attribution, debugging, and service operation;
• technical logs are kept for a limited period for security, debugging, and operational purposes;
• billing, accounting, tax, and legal records may be kept for the period required by applicable law;
• backups may retain deleted data for a limited period before being overwritten or securely deleted.

When a merchant uninstalls Cartivate, we will delete or anonymize shop-level and customer-level data that is no longer needed to provide the service, generally within 90 days, unless we need to retain certain information for legal, security, billing, dispute, or compliance reasons.

Aggregated or anonymized data that no longer identifies a merchant, customer, or individual may be retained for analytics, benchmarking, and service improvement.

13. Shopify privacy webhooks and deletion requests

Cartivate is designed to comply with Shopify’s mandatory privacy webhook requirements for public apps.

We support Shopify privacy requests, including:

• customer data access requests;
• customer data deletion/redaction requests;
• shop data deletion/redaction requests after uninstall.

When we receive a valid request through Shopify or directly from a merchant, we will process it in accordance with applicable law and Shopify requirements.

Merchants can also contact us at info@cartivate.io for privacy-related requests.

14. Data security

We use appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

These measures may include:

• HTTPS/TLS encryption for data transmitted over public networks;
• access controls and authentication for internal systems;
• limited access to production data based on business need;
• logging, monitoring, and debugging controls;
• backups and recovery procedures;
• vendor review and use of reputable infrastructure providers;
• internal confidentiality obligations.

No system is completely secure. If we become aware of a security incident involving personal data, we will take appropriate steps to investigate, mitigate, and notify affected parties where required by law.

15. Merchant responsibilities

Merchants using Cartivate are responsible for:

• having a valid privacy policy and cookie policy on their Shopify store;
• explaining their use of Cartivate and similar apps to customers where required;
• obtaining any legally required consent for cookies, analytics, personalization, tracking, or marketing;
• ensuring their use of Cartivate complies with applicable laws;
• responding to customer privacy requests where the merchant is the controller;
• configuring Cartivate in a lawful and privacy-respecting way.

16. Customer and visitor rights

Depending on where an individual is located, they may have rights under privacy laws, including the right to:

• access personal data;
• correct inaccurate personal data;
• request deletion of personal data;
• restrict or object to processing;
• request portability of personal data;
• withdraw consent where processing is based on consent;
• opt out of certain processing, including sale, sharing, targeted advertising, or profiling where applicable.

Customers of Shopify merchants should usually contact the merchant directly because the merchant controls the customer relationship and determines how Cartivate is used on the store.

Merchants and individuals may also contact us at info@cartivate.io. If we receive a request relating to a merchant’s customer, we may direct the requester to the relevant merchant or work with the merchant to respond.

17. California and U.S. state privacy rights

Cartivate does not sell personal information.

Cartivate does not use merchant customer personal information for cross-context behavioral advertising outside the Cartivate service.

Where U.S. state privacy laws apply, including the California Consumer Privacy Act as amended by the California Privacy Rights Act, we process merchant customer personal information as a service provider or processor on behalf of the merchant, unless otherwise stated.

Depending on the context, the categories of personal information we may process include:

• identifiers, such as IP address, cookie ID, session ID, customer ID, email address, or similar identifiers;
• commercial information, such as cart contents, products, order-related events, discounts, and offer interactions;
• internet or electronic network activity, such as page views, cart drawer interactions, clicks, device information, and browser information;
• geolocation information at an approximate level derived from IP address;
• inferences or analytics derived from cart drawer interactions, only for app reporting, optimization, and service improvement.

We do not knowingly collect or process sensitive personal information for the purpose of inferring characteristics.

18. Children

Cartivate is intended for use by Shopify merchants and is not directed to children.

We do not knowingly collect personal data directly from children. Because Cartivate operates on merchant Shopify stores, merchants are responsible for ensuring that their stores and customer-facing notices comply with laws relating to children’s privacy where applicable.

19. Automated decision-making

Cartivate may automate certain cart drawer behaviors based on merchant settings, cart contents, product data, customer interactions, and storefront events.

Cartivate does not make automated decisions that produce legal or similarly significant effects on individuals.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in Cartivate, Shopify requirements, legal requirements, or our data practices.

When we make material changes, we will update the “Last updated” date above and may notify merchants through the app, email, or another reasonable method.

21. Contact us

For privacy questions, requests, or concerns, contact us at:

Email: info@cartivate.io

Privacy contact: Karlo Bradica