Privacy Policy

CartMind

Last updated:

Overview

CartMind is a Shopify app that provides AI-powered abandoned cart recovery through automated email campaigns. We are committed to protecting your privacy and being transparent about how we handle data. This policy explains what data we collect, how we use it, and your rights regarding your information.

Data We Collect

Store Information

  • Shop name, domain, and myshopify domain
  • Store timezone and currency settings
  • Store owner email (from app installation)
  • Subscription plan and billing information
  • App usage statistics and cart processing limits

Abandoned Cart Data

  • Customer email addresses (from abandoned checkouts)
  • Cart value, currency, and item count
  • Product titles, quantities, and prices in the cart
  • Checkout URL for cart recovery links
  • Abandonment timestamp and device type (desktop/mobile)
  • Customer purchase history (if available, for AI analysis)

Product Information

  • Product titles, IDs, and variant information
  • Product images for email templates
  • Pricing information for cart value calculations
  • We do NOT access full product catalog data - only products in abandoned carts

Email Campaign Data

  • Email send status (scheduled, sent, delivered, opened, clicked)
  • Campaign performance metrics (open rates, click rates)
  • Recovery flow assignments (Light Touch, Balanced, High Touch)
  • AI recommendation confidence scores and reasoning

App Configuration Data

  • Email template customizations and theme preferences
  • Recovery flow settings (timing, templates, discount codes)
  • Auto-approve preferences and manual overrides
  • Merchant-provided tracking IDs (Google Analytics, Facebook Pixel - optional)

How We Use Your Data

Primary Purposes

  • AI Analysis: Analyze cart data to recommend optimal recovery strategies (Light Touch, Balanced, High Touch)
  • Email Campaigns: Send automated recovery emails based on approved AI recommendations
  • Performance Tracking: Track email campaign performance and recovery rates
  • Analytics: Provide dashboard metrics and insights on cart recovery effectiveness
  • Plan Management: Monitor usage limits and enforce plan restrictions

AI & Machine Learning

  • Our AI analyzes behavioral signals (cart value, device type, customer history, time of day) to predict the best recovery strategy
  • All AI processing uses aggregated patterns across multiple stores - no individual customer profiling
  • AI models improve over time based on recovery success rates, but customer emails and personal data are never used for training
  • Confidence scores help merchants understand AI prediction quality

Email Delivery

  • Customer email addresses are used exclusively to send cart recovery emails approved by you
  • Emails are sent via secure SMTP services (Resend.com)
  • Email tracking pixels monitor open and click rates for campaign performance
  • We never send marketing emails on our own behalf to your customers

Data Security & Protection

Security Measures

  • All data transmitted via encrypted HTTPS/TLS connections
  • Data stored in secure, encrypted PostgreSQL databases
  • Authentication required for all app access via Shopify OAuth
  • Webhook signature verification (HMAC) for all incoming data
  • Regular security monitoring and audit logs

Infrastructure

  • Hosted on Railway.app with enterprise-grade infrastructure
  • Database backups performed automatically
  • Secure environment variable management for API keys and secrets

Access Controls

  • Limited staff access to data on a strict need-to-know basis
  • Two-factor authentication required for development team
  • Access logging for all administrative operations

Data Sharing & Third Parties

No Data Sales

  • We never sell, rent, or lease your data to third parties
  • We do not share data with advertisers or marketers
  • Customer email addresses are only used for your approved recovery campaigns

Service Providers We Use

  • Railway.app: Cloud hosting and database services (data processing agreement in place)
  • Resend.com: Email delivery service for recovery campaigns (GDPR compliant)
  • Shopify: OAuth authentication and webhook data (governed by Shopify's data processing terms)
  • Google Analytics: Optional merchant-provided tracking (only if merchant configures their own GA ID)

All third-party services are bound by strict confidentiality agreements and GDPR-compliant data processing terms.

Data Retention & Deletion

Retention Periods

  • Active store data: Retained while app is installed and active
  • Abandoned cart records: Retained for 90 days or until customer completes purchase
  • Email campaign history: Retained for 12 months for analytics purposes
  • Usage/billing data: Retained for current billing cycle plus 12 months for accounting compliance

Automatic Deletion (GDPR Compliance)

CartMind implements Shopify's mandatory GDPR compliance webhooks:

  • Customer Data Request: When a customer requests their data from your store, we provide all abandoned cart and email campaign data associated with their email address
  • Customer Redaction: When a customer requests data deletion, we immediately and permanently delete all abandoned carts, email campaigns, and associated records for that customer email
  • Shop Redaction: When you uninstall the app, all shop data is automatically deleted within 48 hours, including:
    • All abandoned cart records
    • All email campaign data
    • All recovery flows and settings
    • All shop configuration and settings
    • All session and authentication data

Your Deletion Rights

  • Request immediate data deletion at any time via email to contact@matriks.io
  • Uninstall the app to trigger automatic deletion within 48 hours
  • Request deletion of specific customer data via GDPR compliance requests
  • Data portability available - request your data in JSON format

Your Rights & Choices

Access & Control

  • Right to Access: View all data we have about your store through the app dashboard or request a data export
  • Right to Correction: Update inaccurate data through app settings or request corrections
  • Right to Portability: Download your data in portable JSON format
  • Right to Deletion: Delete your data at any time by uninstalling or requesting deletion
  • Right to Object: Object to specific data processing activities

Consent & Opt-Out

  • By installing CartMind, you consent to data collection as described in this policy
  • You can revoke consent by uninstalling the app
  • Disable specific features (e.g., auto-approve) through app settings
  • Your customers can opt out of recovery emails using standard unsubscribe links

Cookies & Tracking

App Usage

  • Shopify OAuth session cookies (required for authentication)
  • No tracking cookies or analytics in the app interface itself

Email Tracking

  • Recovery emails include tracking pixels to measure open rates
  • Email links include UTM parameters for click tracking
  • Merchant-configured tracking IDs (Google Analytics, Facebook Pixel) may be appended to recovery links if enabled

Legal Compliance

Privacy Regulations

CartMind complies with:

  • GDPR (European Union) - Full compliance including mandatory GDPR webhooks
  • CCPA (California) - Consumer privacy rights supported
  • PIPEDA (Canada) - Privacy principles implemented
  • Shopify App Requirements - All mandatory compliance features implemented

Data Processing Locations

  • Data processed and stored in secure US-based data centers (Railway.app infrastructure)
  • Standard contractual clauses in place for international data transfers
  • GDPR-compliant data processing agreements with all service providers

Legal Requests

  • We may disclose data if required by law or valid legal process
  • We will notify you of legal requests unless prohibited by law
  • We challenge overbroad or invalid requests when possible

Children's Privacy

CartMind is intended for business use only and does not knowingly collect data from individuals under 16 years of age. If we become aware of data collected from children, we will delete it immediately.

Changes to This Policy

We may update this privacy policy to reflect changes in our practices, legal requirements, or app features. We will notify you of significant changes via:

  • Email notification to the store owner email on file
  • In-app banner notification on your dashboard
  • Updated "Last updated" date at the top of this policy

Your continued use of CartMind after policy updates constitutes acceptance of the new terms.

Contact Us

Data Protection Inquiries

Email: contact@matriks.io

Subject Line: Privacy Policy / Data Protection Request - CartMind

What to Include in Your Request

  • Your Shopify store domain
  • Type of request (access, deletion, correction, portability, etc.)
  • Specific data or customer email (if applicable)

Response Time

We respond to privacy requests within 30 days (or as required by applicable law). Urgent requests marked as such will be prioritized.

Shopify Privacy

This policy supplements Shopify's own privacy practices. For information about how Shopify handles data, see Shopify's Privacy Policy.

🛡️ Your Data is Safe

We built CartMind with privacy by design. We only collect data necessary for cart recovery, we never sell your data, and we automatically delete everything when you uninstall. Your trust is our priority.