Privacy Policy

Effective: January 1, 2026 · Last updated: May 15, 2026

Plain-language version of how Carti Apps handles your data, your rights, and how to get in touch about anything privacy-related.

1. Who we are

Carti Apps (Carti, we, us, our) is a Shopify development studio that operates the website at cartiapps.com and publishes apps on the Shopify App Store. This Privacy Policy explains how we handle personal data when you visit our website, contact us, become a client, or install one of our apps.

For the purposes of GDPR, Carti Apps is the data controller for personal data collected through our website and direct client relationships.

Contact: privacy@cartiapps.com

2. What we collect

When you visit our website

  • Browsing data: pages visited, time spent, referrer URL, browser type, device type. Collected via Google Analytics 4 in aggregate, anonymized form.
  • IP address: truncated and stored only for security and analytics purposes.
  • Cookies: see Section 7 below.

When you contact us or book an audit

  • Name, email address, store URL, phone number (if provided)
  • Approximate revenue range and store size (if disclosed)
  • Any additional information you choose to share in the message

When you become a client

  • Business contact details, billing information, project requirements
  • Shopify store admin access (granted by you to facilitate development work)
  • Communications via Slack, email, and Zoom recordings (with your consent)

When you install one of our Shopify apps

  • Shopify store domain, billing email, store-level permissions you grant
  • Usage data within the app (e.g., which features you use, error logs)
  • App-specific data as documented in each app's individual privacy policy

3. Why we collect it

We collect personal data only for specific, legitimate purposes:

  • Service delivery: to perform contracted Shopify development work, deliver our apps, and provide customer support.
  • Communication: to respond to inquiries, send project updates, and share relevant content (only when you opt in).
  • Website analytics: to understand how visitors use cartiapps.com so we can improve it.
  • Legal compliance: to meet tax, accounting, and regulatory obligations.
  • Security: to detect and prevent fraud, abuse, and security incidents.

Our legal bases under GDPR include: performance of a contract (client work), legitimate interest (analytics, security), legal obligation (tax records), and consent (marketing emails, optional analytics cookies).

4. How we use it

We use personal data to:

  • Deliver the services you've requested (audits, migrations, custom development, app functionality)
  • Communicate with you about your project, account, or apps
  • Improve our website, apps, and services based on usage patterns
  • Send marketing communications, only to people who have opted in
  • Comply with legal and regulatory requirements

We do not sell personal data to third parties. We never have.

5. Sharing with third parties

We share personal data only with service providers who help us operate, and only to the extent necessary:

  • Google Analytics 4 — anonymized website analytics
  • HubSpot — CRM for managing client communications and proposals
  • Stripe — payment processing for client invoices and app billing
  • Shopify — for app distribution and merchant-app integration
  • Slack — for client communication channels
  • Zoom — for video calls (recordings only with consent)
  • AWS, Cloudflare — infrastructure and content delivery

Each provider has its own privacy policy, and we have data processing agreements in place with all of them where required by GDPR.

We may also disclose personal data when required by law, court order, or to protect our legal rights or the safety of others.

6. Your rights (GDPR & CCPA)

Under GDPR (if you're in the EU/EEA/UK) and CCPA (if you're in California), you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (right to be forgotten)
  • Restrict processing in certain circumstances
  • Data portability — receive your data in a portable format
  • Object to processing for legitimate interest or direct marketing
  • Withdraw consent for any consent-based processing
  • Opt out of sale of personal data (we don't sell data, but the right exists)

To exercise any of these rights, email privacy@cartiapps.com. We respond within 30 days.

7. Cookies and tracking

We use cookies for three purposes:

  • Strictly necessary cookies — for the website to function (login state, security). These cannot be disabled.
  • Analytics cookies — Google Analytics 4 with IP anonymization. You can opt out via our cookie banner.
  • Functional cookies — to remember preferences like form data or language settings.

We do not use cookies for advertising or third-party retargeting. We do not embed Facebook, TikTok, or other ad-tech pixels on cartiapps.com.

8. Data retention

  • Website analytics: 26 months (Google Analytics 4 default)
  • Inquiry form submissions: 2 years from last contact, then deleted
  • Active client data: retained for the duration of the engagement plus 7 years (for legal/tax compliance)
  • App data: retained while you have the app installed, deleted within 30 days of uninstall (subject to legal hold)
  • Marketing email subscribers: until you unsubscribe

9. Security

We take security seriously. Our measures include:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls — only authorized Carti staff can access client data, on a need-to-know basis
  • Annual security audits and quarterly internal reviews
  • SOC 2 Type II compliance is in progress (target completion Q3 2026)
  • Incident response plan with 72-hour notification commitment per GDPR Article 33

No system is perfectly secure. If we ever become aware of a data breach affecting your personal data, we'll notify you and the relevant authorities within 72 hours as required by GDPR.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via email (to active clients and email subscribers) and via a banner on cartiapps.com. The "Last updated" date at the top of this document reflects the most recent revision.

11. Contact us

For any privacy-related questions, requests, or complaints:

  • Email: privacy@cartiapps.com
  • Mail: Carti Apps, [Office Address], [City, Country]
  • Response time: within 30 days for GDPR/CCPA requests; usually within 2 business days for general inquiries

If you're not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (in the EU/EEA/UK).
