Cartful legal

Data Protection

A summary of the data categories, retention approach, and safeguards used to operate Cartful.

Last updated: March 17, 2026

Purpose

Cartful processes store, cart, analytics, billing, and limited order-related information in order to provide a premium cart experience platform for Shopify merchants.

The service is designed to help merchants control cart design, merchandising, multi-cart deployment, and cart-specific reporting from a single application.

Data categories

  • Merchant and store account data needed for installation, authentication, and billing.
  • Cart configuration data such as layouts, widget settings, translations, and design settings.
  • Cart session and event data used for funnel and performance analytics.
  • Order-related data such as order identifiers, totals, timestamps, currency, and normalized line item records used for attribution, billing, and analytics workflows.

Data minimization

Cartful limits the order-related data it stores to the fields needed to operate the service, analytics, attribution, and billing workflows. Cartful does not maintain customer profiles as a standalone dataset and does not retain full raw Shopify order webhook payloads in normal operation.

Access and security measures

Cartful uses commercially reasonable controls to protect the information it processes. These measures may include secure transport, access restrictions, infrastructure-level protections, and internal safeguards intended to reduce unauthorized access and misuse.

Access to operational data is limited to the people, systems, and service providers that need it in order to operate, maintain, support, or secure Cartful.

Retention and deletion

Cartful applies retention periods so operational and analytics data is not kept longer than needed.

Current standard retention windows are 12 months for cart events, 12 months for cart sessions after inactivity, and 24 months for order analytics records.

When Cartful receives Shopify's shop redact request, data associated with that shop is deleted from Cartful's systems. Customer-related privacy requests are handled through Shopify's privacy workflows against the limited order and analytics records Cartful stores.

Use limitation

Cartful uses the information it processes to provide, support, secure, and improve the service. Cartful does not sell merchant or customer personal data.

Operational notes

Because Cartful is installed into merchant Shopify stores, some information is received from Shopify APIs and webhooks as part of normal platform operation. Cartful stores and processes only the information needed to operate the service, attribution flows, analytics, billing workflows, and Shopify-required compliance processes.

Contact

Questions about Cartful's data protection practices can be sent to team@cartful.ca.