1. Overview
Cartwise ("Cartwise", "we", "us") is a Shopify application that helps merchants increase average order value through product bundles, a customizable cart drawer, frequently-bought-together suggestions, post-purchase upsells, and abandoned-cart recovery.
This policy explains what information we process when a merchant installs and uses Cartwise, and when a shopper interacts with Cartwise features on a merchant's storefront. We act as a data processor on behalf of the merchant (the data controller) for shopper personal data, and as a controller for the merchant's own account information.
Plain-language summary: We only collect the store and order data needed to run the features you enable. We never sell personal data. You can request export or deletion at any time, and all data is removed when you uninstall.
2. Data we collect
2.1 Merchant & store data
When you install Cartwise, Shopify provides, and we store, the data needed to authenticate and operate the app:
- Store domain, shop ID, plan, primary locale and currency
- The OAuth access token and session used to call the Shopify Admin API
- Your app configuration — bundles, cart-drawer blocks, upsell offers, A/B tests, and recovery settings
2.2 Store catalog & order data (via the Shopify Admin API)
To render and attribute offers, we access — under the permissions you grant — products, discounts, themes, metaobjects, orders, and checkouts. We store only what is required for analytics and conversion attribution (for example, a bundle ID and revenue/conversion counters), not full order records.
2.3 Shopper personal data (only when you enable recovery)
If you enable Abandoned-Cart Recovery, Cartwise processes a limited set of shopper personal data so we can send the recovery messages you configure:
- Shopper email address and name
- The abandoned checkout recovery URL and cart line items
- Recovery message status (sent, opened, recovered)
If you do not enable Abandoned-Cart Recovery, Cartwise does not store shopper email addresses or names.
2.4 Usage analytics
We record storefront events (such as offer views, add-to-cart, and conversions) to power the in-app analytics dashboard. These events are tied to your shop and, where recovery is enabled, may reference a shopper email to attribute a recovered sale.
2.5 Images you upload
Images you upload for bundles or upsells are stored and served through our image host (Cloudinary). Do not upload personal data inside images.
3. How we use data
- Authenticate your store and operate the features you enable
- Render bundles, the cart drawer, and upsells on your storefront
- Attribute revenue and conversions for your analytics dashboard
- Send the abandoned-cart email/SMS sequences you configure, using your own provider credentials
- Provide support, prevent abuse, and meet legal obligations
We do not sell personal data, and we do not use shopper data to advertise to shoppers.
4. Sharing & subprocessors
We share data only with the service providers needed to deliver the app. You choose your own messaging providers, so recovery messages are sent through credentials you supply.
| Subprocessor | Purpose | Data |
|---|---|---|
| Shopify | App platform, billing, storefront & checkout | Store, catalog, order & checkout data |
| Your email provider (e.g. Resend, SendGrid, Mailgun, Postmark, Brevo) | Sending recovery emails | Shopper email, name, cart contents |
| Your SMS provider | Sending recovery SMS | Shopper phone, message text |
| Cloudinary | Image hosting | Images you upload |
| Cloud hosting | Running the app & database | All of the above, at rest |
We may also disclose information if required by law, or to protect the rights, safety, and security of Cartwise, our merchants, and the public.
5. Data retention & deletion (GDPR)
We keep data only as long as needed to provide the app:
- On uninstall — your session is deleted immediately and your shop is flagged for removal.
- Shop redaction — 48 hours after uninstall, Shopify sends a `shop/redact` request and we permanently delete your shop's data.
- Customer redaction — when Shopify sends a `customers/redact` request, we delete that shopper's stored email, abandoned-cart records, and related analytics.
- Customer data request — we honor `customers/data_request` by providing the data we hold for that shopper.
Cartwise implements Shopify's mandatory privacy/compliance webhooks, so these deletions are automatic.
6. Your rights
Merchants and shoppers — depending on your location (including under the GDPR and CCPA/CPRA) — may have the right to access, correct, export, restrict, or delete personal data, and to object to certain processing.
- Shoppers: contact the store you purchased from; as the data controller, they can forward your request to us, or use Shopify's built-in data-request tools.
- Merchants: email us using the contact below, or simply uninstall the app to trigger deletion.
We will not discriminate against you for exercising any of these rights.
7. Cookies & tracking
The Cartwise admin runs inside Shopify and uses only the cookies required for secure, authenticated sessions. Our storefront widgets do not set advertising or cross-site tracking cookies; they use lightweight, first-party storage to remember cart and offer state.
8. Security
We protect data with encryption in transit (HTTPS/TLS), access controls, and signed-and-verified Shopify webhooks (HMAC). Merchant API tokens and messaging credentials are stored securely and never exposed in the storefront. No method of transmission or storage is 100% secure, but we work to protect your data using industry-standard safeguards.
9. International transfers & children
Cartwise may process data in countries other than where you or your shoppers reside. Where required, we rely on appropriate safeguards for such transfers. Cartwise is a business tool not directed at children, and we do not knowingly collect personal data from children under 16.
10. Changes to this policy
We may update this policy as the app evolves or as laws change. We will revise the "Last updated" date above and, for material changes, notify merchants in-app or by email. Continued use of Cartwise after an update constitutes acceptance of the revised policy.
11. Contact us
Questions, requests, or complaints about this policy or your data:
- Email: support@cartwise.appaza.dev
- App: cartwise.appaza.dev
Before you publish: replace the contact email and add your legal business name & address if your jurisdiction requires it, then confirm this URL matches the privacy policy field in your Shopify Partner listing.