cartxcartx

Privacy Policy

Last updated: May 25, 2026

1. Introduction

This Privacy Policy describes how cartx (the "App") collects, uses, stores, and shares information when Shopify merchants install and use the App on their Shopify stores, and when their customers interact with the cart drawer rendered by the App on those stores.

By installing or using cartx, you agree to the terms of this policy. If you do not agree, please uninstall the App.

2. Information we collect

cartx is intentionally minimal in the data it collects. We do not run marketing trackers, advertising pixels, or third-party analytics inside the merchant's storefront or admin.

2.1 Merchant (store) data

  • Shop domain (e.g. example.myshopify.com), shop ID, and primary contact details Shopify provides during OAuth.
  • Theme ID(s) for which cartx has been configured.
  • App configuration the merchant creates: drawer styling, progress milestones, coupons, claim gifts, upsell products, custom CSS, and similar settings.
  • Shopify session tokens issued via OAuth so the App can call the Shopify Admin GraphQL API on the merchant's behalf.
  • Webhook deliveries from Shopify (app/uninstalled, app/scopes_update, customers/data_request, customers/redact, shop/redact).

2.2 Customer (storefront) data

When a customer browses the merchant's store with the cartx drawer active, the storefront calls cartx's evaluation endpoint to decide what offers, gifts, and discounts to surface. The request includes:

  • Cart contents (line items, quantities, prices, line-level properties, applied discount codes).
  • The shop's domain and theme ID.
  • The current page path (e.g. /products/example) — used for page-level targeting.
  • If logged in: the customer's Shopify customer ID and customer tags. We do not receive name, email, address, or payment details.
  • Browser-derived currency and money format strings.

cartx does not set cookies on the storefront, does not fingerprint visitors, and does not log IP addresses beyond standard server access logs retained for operational and security purposes.

2.3 Server logs

  • Standard HTTP request metadata (timestamp, path, status code, response time, IP address, user agent) generated by our hosting provider.
  • Application error traces.

3. How we use information

  • Render and operate the cartx cart drawer on the merchant's storefront.
  • Evaluate the merchant's configured offers, milestones, gifts, and discounts against the active cart.
  • Persist merchant-authored configuration so it is retained across sessions.
  • Authenticate the merchant in the App's admin UI via Shopify OAuth.
  • Detect and prevent abuse (rate limiting, error monitoring).
  • Comply with legal obligations and respond to Shopify-issued GDPR webhooks.

We do not sell personal data, share it with advertisers, or use it to train any machine-learning model.

4. Legal bases (GDPR)

  • Contractual necessity — to provide the App's functionality once installed.
  • Legitimate interest — securing the service, preventing abuse, debugging.
  • Legal obligation — responding to verified data-subject and authority requests.
  • Consent — where required by local law and where consent is the appropriate basis (the merchant's customers obtain such consent via their own privacy notices).

5. Sub-processors and third parties

We rely on the following processors to deliver cartx:

  • Shopify Inc. — App distribution, OAuth, Admin API, storefront delivery, webhook routing. See Shopify's privacy policy.
  • Fly.io — Application hosting (primary region: Mumbai, IN).
  • PostgreSQL hosted alongside the App on Fly.io — Configuration and session storage.

We do not transfer personal data to any other third party unless required by law or with the merchant's instruction.

6. Data retention

  • Merchant configuration and session records are retained for the duration of the install and deleted (or anonymized) within 30 days of uninstall, unless retention is required by law.
  • Server access logs are retained for up to 30 days.
  • Webhook-triggered redactions (customer/redact, shop/redact) are processed within 30 days of receipt as required by Shopify.

7. Your rights

Depending on your jurisdiction (including the EEA, UK, and India), you may have the right to: access, rectify, erase, restrict, or port your personal data, and to object to certain processing.

Merchants can exercise these rights directly via the App admin or by emailing ansh.varshney@devxlabs.ai. Storefront customers should contact the merchant whose store they shopped on; cartx will assist that merchant in fulfilling the request and acts on Shopify's GDPR webhooks within mandated timeframes.

8. Security

We protect data with TLS for all transport, scoped Shopify OAuth tokens stored encrypted at rest, role-based access to production infrastructure, and HMAC verification on Shopify app-proxy and webhook requests. No system is perfectly secure; we will notify affected merchants and authorities of any qualifying breach within the timeframes required by applicable law.

9. International transfers

Our infrastructure is primarily in India (Mumbai region). If you are located outside India, your data will be transferred to and processed in India. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

10. Children's privacy

cartx is a B2B tool for Shopify merchants and is not directed at children under 13 (or the equivalent age in your jurisdiction). We do not knowingly collect data from children.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active merchants via the App admin or email. The "Last updated" date at the top of this page always reflects the latest revision.

12. Contact

For privacy questions, data-subject requests, or to report a concern, email ansh.varshney@devxlabs.ai.