Legal

Privacy Policy

Last updated: 28 March 2026

1. Scope of this policy

This Privacy Policy explains how Cartaro collects, uses, stores, shares, and protects personal data when you use our website, merchant onboarding flows, admin workspaces, APIs, mobile applications, and Cartaro-powered commerce services. Merchants using Cartaro may also need to provide their own customer-facing privacy notices for their stores.

2. Personal data we collect

The personal data we collect depends on how you use Cartaro. It may include contact and account details such as your name, email address, phone number, password credentials, and login identifiers; merchant and business details such as store name, business contact details, billing and subscription information; shopper and order information such as customer names, contact details, order history, delivery or pickup details, saved addresses, and support messages; and technical and usage data such as IP address, browser family, operating system, device type, language, app and session identifiers, cart tokens, diagnostic events, and page-visit metadata. On our public website, that technical data may include the page path you visit, referrer host, selected locale, consent status, and, if you allow analytics cookies, first-party analytics identifiers and approximate location inferred from IP-based geolocation. We may also collect location data when you choose to allow device location access in the mobile app for address pinning or map-centering features.

3. How we collect personal data

We collect personal data directly from you, from merchants and shoppers using Cartaro-powered stores, automatically from your use of our website or apps, and from third parties that help us operate the services. For example, we may receive order or payment status information from payment providers, address or map information from geolocation or map services, and security or anti-abuse signals during signup and service use.

4. How we use personal data

We use personal data to provide and operate Cartaro, create and manage accounts, authenticate users, process merchant subscriptions, host storefronts, support carts and checkout flows, facilitate delivery and pickup operations, send transactional communications, respond to support requests, monitor performance, investigate misuse, improve the user experience, and comply with legal and regulatory obligations. We may also use aggregated or de-identified information for analytics, reporting, and product improvement.

5. Merchant and shopper data on Cartaro-powered stores

Where a merchant uses Cartaro to run a store, we may process customer and order data to provide the services to that merchant, including storefront operation, order management, notifications, customer support tooling, analytics, and security monitoring. The merchant remains responsible for its store practices, including product, fulfilment, returns, and any store-specific privacy notice that applies to its customers.

6. Cookies, local storage, sessions, and permissions

We use cookies, session technologies, cart tokens, local storage, and similar tools to keep users signed in, remember cart and locale preferences, protect sessions, and support core website and app functions. On our public website, this may include a session cookie, an XSRF or CSRF protection cookie, a locale preference cookie, and a cookie-consent record. If you choose to allow analytics cookies, we may also store first-party analytics identifiers, including visitor and session identifiers used to understand page traffic and content performance. Those analytics records may be linked with metadata such as page path, referrer host, locale, browser family, operating system, device type, and approximate location derived from IP-based geolocation. In the mobile app, authentication session tokens may be stored securely on your device to keep you signed in. The mobile app may request access to your device location if you choose to use address pinning or location-based map features; you can decline or revoke that permission through your device settings.

7. Payment data and third-party services

Cartaro integrates with third-party services such as payment gateways, banks, app stores, hosting and infrastructure providers, messaging and email tools, map or geocoding providers, domain services, and logistics partners. We may share personal data with those providers when reasonably necessary to operate the services. Unless we expressly tell you otherwise, payment card data is handled by the relevant payment provider, and Cartaro generally receives limited transaction, status, and reference information rather than full card details.

8. Disclosure of personal data

We do not sell personal data. We may disclose personal data to merchants using Cartaro, service providers acting on our behalf, professional advisers, regulators, law enforcement, courts, or other competent authorities where required by law, to protect rights or safety, to investigate fraud or abuse, or as part of a corporate transaction such as a merger, financing, restructuring, or sale of assets.

9. International transfers

Personal data may be processed in the United Arab Emirates and in other countries where Cartaro or its service providers operate. Where cross-border transfers occur, we take steps designed to ensure an appropriate level of protection in line with applicable law.

10. Retention and security

We retain personal data for as long as reasonably necessary for the purposes described in this Policy, including account administration, service delivery, record keeping, dispute resolution, fraud prevention, and legal compliance. We implement reasonable technical and organisational safeguards designed to protect personal data, but no system can guarantee absolute security or uninterrupted availability.

11. Your rights and choices

Subject to applicable law, you may ask us to correct inaccurate personal data and to restrict or stop certain processing. You may also contact us about deletion requests, account data updates, marketing preferences, or other privacy rights available to you under applicable law. We may need to verify your identity before acting on a request. You can also manage browser cookie controls, mobile device permissions, and marketing opt-out choices where those options are available.

12. Marketing and contact preferences

Cartaro may send operational messages such as account verification, password reset, billing, security, support, and order-related notices. Marketing communications will be sent only where permitted by applicable law. We do not disclose consumer personal data for third-party telemarketing without the required consent, and you may opt out of non-essential marketing communications where an opt-out mechanism is provided.

13. Children and policy updates

Cartaro is not intended for young children, and we do not knowingly collect personal data from children in violation of applicable law. We may update this Privacy Policy from time to time. When we make material changes, we may update the date on this page and provide additional notice where appropriate.

Questions about privacy or your personal data? Contact us
