Legal

Privacy Policy

How CartStack collects, uses, and protects personal data.

Privacy Policy

Last updated: 17 April 2026

CartStack ("we", "us", "our") is a United Kingdom-based studio that builds and operates applications for the Shopify platform. This Privacy Policy explains how we collect, use, share, and protect personal data when you visit our websites, contact us, or use our Shopify apps (together, the "Services").

We are committed to protecting your personal data and handling it in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU GDPR.

1. Who we are

CartStack is a trading name based in the United Kingdom. For the purposes of UK data protection law, we are the data controller of personal data collected through our marketing websites and when you contact us directly.

When merchants install one of our Shopify apps, we act as a data processor on behalf of the merchant (the "Merchant") in respect of personal data about the Merchant's customers. The Merchant is the data controller of that customer data.

If you have any questions about this policy or how we handle personal data, you can contact us at:

Email: support@cartstack.app

2. Personal data we collect

The personal data we collect depends on how you interact with us.

2.1 Website visitors

When you visit one of our websites, we may collect:

  • Technical data, such as your IP address, browser type and version, operating system, referring URL, and pages viewed.
  • Usage data, such as the date and time of your visit, time spent on pages, and interactions with content.
  • Cookie data, where you have consented to non-essential cookies (see Section 7).

2.2 When you contact us

If you email us, complete a contact form, or subscribe to updates, we collect:

  • Your name.
  • Your email address.
  • The contents of your message or enquiry.
  • Any other information you choose to provide.

2.3 Merchants using our Shopify apps

When a Merchant installs one of our apps, we may collect and process:

  • Shopify store details, such as store name, domain, email, country, and plan type.
  • Authentication tokens issued by Shopify so our app can operate.
  • Configuration data created by the Merchant within the app.
  • Usage and analytics data relating to the Merchant's use of the app.
  • Billing data associated with the app subscription (processed by Shopify).

2.4 End-customer data processed on behalf of Merchants

Depending on the app, we may process personal data about the Merchant's customers on the Merchant's behalf, such as:

  • Order details (order ID, order value, currency, timestamps).
  • Customer identifiers (customer ID, email address where relevant to the app's functionality).
  • Survey or feedback responses submitted by customers.
  • Attribution and engagement data linked to a customer or order.

We only process this data to deliver the app's functionality to the Merchant and in accordance with our agreement with the Merchant.

3. How we use personal data

We use personal data for the following purposes:

Purpose Lawful basis (UK GDPR)
Operating our websites and providing requested information Legitimate interests
Responding to enquiries, support requests, and feedback Legitimate interests / Contract
Providing and maintaining our Shopify apps Contract
Processing billing and subscription administration Contract / Legal obligation
Sending service communications (e.g. outages, policy updates) Legitimate interests / Contract
Sending marketing communications (where you have opted in) Consent
Analysing usage to improve the Services Legitimate interests
Preventing fraud, abuse, and security incidents Legitimate interests / Legal obligation
Complying with legal, tax, and regulatory obligations Legal obligation

Where we rely on legitimate interests, we have carried out a balancing assessment to ensure our interests do not override your rights and freedoms. You can object to this processing at any time (see Section 8).

4. How we share personal data

We do not sell your personal data. We share it only where necessary and with appropriate safeguards.

We may share personal data with:

  • Shopify Inc., the platform on which our apps run and through which Merchants authenticate.
  • Hosting and infrastructure providers that run our servers, databases, and related services.
  • Email and communications providers that help us deliver transactional and support emails.
  • Analytics and error-monitoring providers that help us understand and maintain the Services.
  • Payment providers (via Shopify) that handle subscription billing.
  • Professional advisers, such as accountants and legal counsel, where necessary.
  • Law enforcement or regulators, where we are legally required to do so.
  • A purchaser or successor, in the event of a merger, acquisition, or sale of all or part of our business.

All sub-processors acting on our behalf are bound by contractual obligations to protect personal data and to process it only on our documented instructions.

5. International transfers

We are based in the United Kingdom, but some of our service providers may be located outside the UK or the European Economic Area (EEA).

Where personal data is transferred outside the UK, we rely on appropriate safeguards such as:

  • Transfers to countries covered by UK adequacy regulations.
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
  • Equivalent mechanisms approved under UK data protection law.

You can request further information about the specific safeguards we use by contacting us.

6. Data retention

We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by law.

  • Enquiry and contact data is typically retained for up to 24 months after our last interaction.
  • Merchant account data is retained for the duration of the app installation and for a reasonable period afterwards to handle reinstallations, disputes, and legal obligations.
  • End-customer data processed on behalf of a Merchant is retained in line with the Merchant's instructions and Shopify's requirements. Shopify mandatory webhooks (including customers/redact, shop/redact, and customers/data_request) are honoured in accordance with Shopify's timelines.
  • Billing and tax records are retained for the period required by UK tax law (currently a minimum of 6 years).
  • Backups may persist for a short period after deletion from production systems, after which they are overwritten.

When we no longer need personal data, we delete it securely or anonymise it.

7. Cookies and similar technologies

Our websites use cookies and similar technologies. These fall into the following categories:

  • Strictly necessary cookies, which are required for the site to function (for example, session and CSRF cookies).
  • Analytics cookies, which help us understand how visitors use our site.
  • Preference cookies, which remember your settings.

We only set non-essential cookies where you have given consent. You can withdraw consent at any time by clearing cookies in your browser or adjusting your preferences via any cookie banner we display.

8. Your rights

Under the UK GDPR, you have the following rights in respect of your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete your personal data in certain circumstances.
  • Right to restriction — ask us to limit how we process your data.
  • Right to data portability — receive your data in a structured, commonly used, machine-readable format.
  • Right to object — object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time.
  • Rights in relation to automated decision-making — we do not carry out solely automated decision-making that produces legal or similarly significant effects.

To exercise any of these rights, please contact us at support@cartstack.app. We will respond within one calendar month. We may ask you to verify your identity before acting on your request.

If your personal data is processed by us on behalf of a Merchant (for example, as a customer of a Shopify store using one of our apps), please contact the Merchant directly. We will support the Merchant in responding to your request as required by law.

9. Complaints

If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

10. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit, access controls, secure development practices, logging and monitoring, and regular review of our sub-processors.

No system is completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and, where required, affected individuals without undue delay.

11. Children

Our Services are not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.

12. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If the changes are material, we will provide a more prominent notice, such as an email or an in-app message.

13. Contact us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

CartStack Email: support@cartstack.app

← Back to CartStack