Privacy Policy

Last updated: October 19, 2020

Your privacy is one of our fundamental commitments, and therefore, we take utmost care to process your personal data in accordance with the principles set forth in the applicable legislation, including without limitation the General Data Protection Regulation no. 679/2016 (“GDPR”). We recognize the importance of maintaining the confidentiality, integrity and security of your personal information ("Personal Data") and have written this privacy policy (“Policy”) to explain how your Personal Data is collected, stored, used and disclosed by Honest Tech S.R.L., CUI 42705171 a company incorporated under the Romanian law, having its headquarters in Romania ("Cartloop", “we”, "us"), as a data controller, with respect to (i) your access to and use of our Shopify application (as explained below) („App”), (ii) the access to, and use of our website available at the URL www.cartloop.io („Site”) and (iii) the access to, and use of the content of the App and of the Site including of the services provided by Cartloop (“Services”). 

Each time we are required by the applicable law or, otherwise, want to use this legal basis, we will request your free, informed, specific and unequivocal consent for the processing of your Personal Data. By expressing your consent, you agree that we can collect, use, reveal, process and transfer your Personal Data in accordance with this Policy.

We reserve the right to amend the provisions of this Policy from time to time. If we make changes to this Policy, we will make the updated version available on the Site and App and we will update the "Last updated” date. We will also inform you on the changes that have occurred, to ensure that you are aware of how we use your Personal Data. Any amendments to this Policy will apply on the date that they are made, with the exception of changes which require your prior consent, and which will apply as of the moment when you express such consent. 

Any capitalized term which is not defined in this Policy will have the meaning set forth in the terms and conditions (“Terms”) applicable to the App and the Site.

1. Applicability

This Policy applies strictly to the processing of Personal Data carried out by Cartloop as a data controller, in relation to (i) the Personal Data of the contact person from our Client and, if the case might be, (ii) the Personal Data of a user navigating our Site. 

For the avoidance of doubt, this Policy does not apply to the processing of Personal Data of the End Users performed by Cartloop as a data processor. In case you are an End User, for more information on how Cartloop Clients process your Personal Data, please see their privacy policies.

2. The App And The Site

The App is an application that can be installed by the users (online shops) of the Shopify platform, available at the URL address https://www.shopify.com (“Client”, “User”). The app is designed to help the Clients to engage with their customers (“End Users”) and to increase the conversion rate through 1:1 conversation using SMS messages.

As a rule, we do not process Personal Data on our Site. However, in case we process such Personal Data, this Policy shall become applicable.

3. Categories of Personal Data, Purposes of Processing, Legal Grounds

  1. Creating an account in order to use the App

In order to use our App, you need to register and create an account. In this case, we will need from you (as a contact person from our Client): first and last name, email address, phone number, address, location. 

Purpose of processing

Legal ground

The purpose of this processing is to create the account, to provide our services through the App and to provide help in using the App.

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6 para. 1, let. b GDPR);
  1. Invoicing

When using our App, we will issue invoices for the payment of the Cartloop services. As a rule, the information mentioned in an invoice does not represent Personal Data. However, we might need certain Personal Data from you (as a contact person from our Client): first name and last name.

Purpose of processing

Legal ground

The purpose of this processing is to issue the invoices for the payment of the Cartloop services.

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6 para. 1, let. b GDPR);
  • Processing is necessary for compliance with a legal obligation to which the controller is subject (art. 6 para. 1, let. c GDPR);
  1. Payments and bank cards

When a payment is made (e.g., paying the subscription for our services) or when a bank card is added in our App, we will process the bank card details. This information might contain certain Personal Data from you (as a contact person from our Client): first and last name, last 4 digits of the card number and the payment date.

Purpose of processing

Legal ground

The purpose of this processing is to send the bank card details to the payment processor in order to process the payment.

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6 para. 1, let. b GDPR);
  1. Contractual notifications

During the provision of our services, we will use your email address and your phone number (as a contact person from our Client) to notify you of any changes in the Terms of the Site and App and in connection with any other issues related to the performance of the contract between the Client and Cartloop.

Purpose of processing

Legal ground

The purpose of this processing is to carry out contractual notices in accordance with the Terms of the Site and App.

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6 para. 1, let. b GDPR);
  1. Contact

You can contact us in different ways (by support form, or by using our chat) in order to request and offer or for support in relation to the services we provide. In this case, in general, we will process the following Personal Data: first name, last name, email and any other information you voluntarily provide when you contact us. 

Purpose of processing

Legal ground

In this situation, we will use your Personal Data only to contact you in connection with the requested offer or in connection with the resolution of the problem.

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (art. 6 para. 1, let. b GDPR);
  1. Marketing messages

You can opt in to receive marketing messages via SMS, email, push notification or certain instant messaging platforms owned and operated by third-parties (currently Whatsapp). 

Purpose of processing

Legal ground

If you opt to receive such marketing messages, we will use your email and telephone number to send you marketing messages about our activities and promotions.

  • Your consent. (art. 6 para. 1, let. a GDPR).

You can revoke your prior consent at all times and without any costs, with altering consequences for the future. 

4. Failure to Provide Personal Data

You may refuse to provide certain Personal Data (indicated above) but, in such a case, you may not be able to benefit from certain App or Site services and features, including, but not limited to, the creation of a user account or contacting you to solve your problem and to provide support.

5. Automatic Processing of Personal Data

Your Personal Data will not be processed for taking decisions based solely on automatic processing that would result in legal effects concerning you or could similarly significantly affect you.

6. Storage Period

As a rule, we will process your Personal Data during the existence of your account in our App. 

Personal Data collected based on your consent will be processed until the date of withdrawal of the consent.

In certain circumstances, we may retain your Personal Data for longer periods of time, for example if we are obliged to do so in accordance with the legal, regulatory, tax or accounting requirements.

We may also keep your Personal Data for longer periods of time so that we have accurate records of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Data or dealings.

7. Transfer of Personal Data

Your Personal Data is filed and stored on the servers of our contractual partners that are helping us to provide our services to you.

We may transfer Personal Data, as far as necessary, to the following categories of recipients: 

  • contractual partners;
  • subcontractors;
  • payment processors;
  • companies offering IT services;
  • marketing companies;
  • public authorities, courts of law or arbitral tribunals, and authorities competent to investigate criminal offence. 

These recipients can be located in the European Union and/or in the European Economic Area. Where recipients are located outside the European Union and the European Economic Area, including in countries not recognized as ensuring an adequate level of protection, the transfer of Personal Data shall be carried out only if there are appropriate guarantees, in accordance with applicable law. In this respect, we rely on several guarantees, such as the standard contractual clauses issued by the European Commission. 

You may receive from us a list of recipients from third countries, as well as a copy of the agreed provisions that ensure an adequate level of protection of Personal Data. For any request to this effect, please contact us at the contact details mentioned below.

8. Security

The security of your Personal Data is important to us. Your Personal Data will therefore be processed by applying reasonable technical and organizational measures to protect Personal Data, such as limiting access to Personal Data, encryption or anonymization of Personal Data, storage on secure environments. However, despite our efforts, we cannot always guarantee the effectiveness of the security measures implemented, and therefore we cannot guarantee the security of Personal Data at any time.

  1. RIGHTS IN CONNECTION WITH THE PROCESSING OF YOUR PERSONAL DATA

9. Rights in Connection With The Processing of Your Personal Data

  1. Your rights

You have the following rights in connection with the processing of your Personal Data:

Access right: You have the right to obtain from us confirmation that your Personal Data is processed by us, as well as information on the specific processing, such as: the purposes of processing, categories of processed Personal Data, recipients of Personal Data, the period for which Personal Data is stored, if we transfer the Personal Data abroad and how we protect it, your rights, the right to lodge a complaint before the supervisory authority, the source of your Personal Data.

Right to rectification: You have the possibility to request rectification of your Personal Data, provided that the applicable legal requirements are met. In the event of errors, after notification, we will immediately correct your Personal Data.

Right to erasure: In certain cases, you have the possibility to request the deletion of Personal Data, namely when: (i) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent on which the processing is based according and where there is no other legal ground for the processing; (iii) you exercise the right to object to the processing; (iv) the Personal Data have been unlawfully processed. We are not obliged to comply with your request when the processing is necessary (among others) for compliance with a legal obligation or for the establishment, exercise or defense of legal claims. There are also other circumstances in which we are not obliged to comply with this request for the deletion of Personal Data.

Restriction of processing: You may request us to restrict the processing of your Personal Data in the following circumstances: (i) you contest the accuracy of the Personal Data, for a period enabling us to verify the accuracy of the Personal Data; (ii) the processing is unlawful and then you oppose to the erasure of the Personal Data and request the restriction of their use instead; (iii) we no longer need the Personal Data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims; (iv) you have objected to processing, pending the verification whether our legitimate grounds override yours. However, we can continue to process your Personal Data (i) when you consent; (ii) for the establishment, exercise or defense of legal claims or (iii) for the protection of the rights of another natural or legal person.

Right to data portability: Insofar the Personal Data is processed based on your consent or on the execution of the agreement and the processing is carried out by automated means, you have the right to have your data Personal Data provided to you in a structured format, which is currently used and can be read automatically and you have the right to request us to transfer this Personal Data to another controller. This right shall not adversely affect the rights and freedoms of others.

Right to opposition: In certain situations, such as when we process your Personal Data on the basis of a legitimate interest or for sending marketing messages, you have the right to object to the processing of your Personal Data by us. In the event of unjustified objection, Cartloop is entitled to continue processing Personal Data.

Revocation of consent: Insofar you consented to the processing of your Personal Data, you can at all times revoke your consent, without affecting the lawfulness of processing based on consent before its withdrawal.

Right not to be subject to any automatic individual decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Such right cannot be exercised when the decision: (i) is necessary for entering into, or performance of, a contract between you and us; (ii) is authorized by law which lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or (iii) is based on your explicit consent.

Right to lodge a complaint with the supervisory authority: You have the right to lodge a complaint with The National Supervisory Authority for Personal Data Processing (“DPA”) in relation to any breach of your rights regarding the processing of your Personal Data. The contact details of the DPA are: 28-30 Gheorghe Magheru Boulevard, District 1, Postal Code 010336, Bucharest, Romania;

  1. How to exercise your rights

To learn more about the manner in which you may exercise the aforementioned rights, please contact us at privacy@cartloop.io.

Identity verification: We take utmost care of the confidentiality of all Personal Data and we reserve the right to verify your identity if you make a request in relation to your Personal Data

Fees: As a rule, you can exercise your rights free of charge. However, we reserve the right to request a reasonable fee if your claims are manifestly unfounded or excessive, in particular because of their repetitive nature.

Response Time: We make every effort to respond to your request within one month of receiving the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, in which case we will inform you of any such extension and of the reasons for the delay

10. Contact

If you have any questions or concerns about this Policy or its implementation, you may contact us at privacy@cartloop.io.