Privacy Policy
This policy explains, in line with the EU General Data Protection Regulation (GDPR), what personal data the Cartwell app processes, why, on what legal basis, how long we keep it, and the rights you have.
1. Controller
The controller responsible for data processing within the meaning of Art. 4(7) GDPR is:
Justus & Majcen eCommerce GbR (operating the “Cartwell” app)
Brinkeweg 9-11
33758 Schloß Holte-Stukenbrock
Germany
Represented by the partners Kilian Justus and Silas Majcen
Email: support@cartwell.eu
For your customers' personal data that we process on your behalf, you (the merchant) are the controller and we act as your processor under Art. 28 GDPR. For the account data we need to operate the service, we are the controller.
2. Categories of data we process
Store & account data
- Your store's myshopify.com domain and basic shop details (name, plan, primary locale, currency, country).
- An access token issued by Shopify, stored encrypted, used to call the Shopify Admin API on your behalf.
- Your app configuration (shipping thresholds, upsell rules, gift rewards, theme and text settings).
- Your subscription status (plan, billing state, included-order usage count).
Order data
Under Shopify's approved access to protected customer data, we process a limited amount of order data — primarily order counts and totals — to calculate usage-based billing and to produce aggregate analytics. We keep this to the minimum required, do not use it for any other purpose, and do not sell it.
Storefront analytics events
When a shopper interacts with the cart drawer (e.g. opening the cart, adding an item, viewing an upsell, starting checkout), we record an aggregated event containing the event type, a coarse device type (mobile or desktop), timestamps and non-identifying metadata such as cart-value ranges. These events contain no names, email addresses, payment details or other direct identifiers of individual shoppers.
3. Purposes and legal bases
- Providing the app (rendering the drawer, applying your settings, processing offers): performance of a contract, Art. 6(1)(b) GDPR.
- Usage-based billing, analytics, securing and improving the service, preventing abuse: our legitimate interests, Art. 6(1)(f) GDPR.
- Complying with legal obligations (e.g. statutory retention, responding to data-subject requests): Art. 6(1)(c) GDPR.
- Where we ask for your consent, the legal basis is Art. 6(1)(a) GDPR; you may withdraw it at any time with future effect.
4. Recipients and processors
We do not sell personal data. We share data only with the providers needed to run Cartwell:
| Provider | Purpose | Location |
|---|---|---|
| Shopify International Ltd. / Shopify Inc. | App platform, authentication, billing, webhooks | EU / Canada / global |
| DigitalOcean LLC | Application hosting & managed database | EU (Germany) |
We may also disclose data where we are legally required to, or to protect our rights, our users or the public.
5. International transfers
Our application and database are hosted within the European Union. Where a recipient processes data outside the EU/EEA (e.g. Shopify), the transfer is safeguarded by an adequacy decision or by the EU Standard Contractual Clauses pursuant to Art. 46 GDPR.
6. Retention
- Store and configuration data is kept while the app is installed.
- After uninstall, we receive Shopify's shop/redact request (about 48 hours later) and delete your store data within 48 hours of that request.
- Analytics events are retained for up to 13 months and then deleted.
- On a customers/redact request, we delete any associated data we hold for that shopper.
- Data subject to statutory retention obligations is kept until those periods expire.
7. Mandatory compliance webhooks
Cartwell implements Shopify's required GDPR webhooks. When we receive a customers/data_request, customers/redact or shop/redact notification, we provide or delete the relevant data accordingly.
8. Your rights
Under the GDPR you have, subject to the legal conditions, the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR)
- Right to withdraw consent at any time (Art. 7(3) GDPR)
To exercise these rights, contact us at support@cartwell.eu. Shopify merchants can also use Shopify's built-in data-request and erasure tools, which we honor automatically through the webhooks above.
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority competent for us is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.
9. Security
- All data is transmitted over HTTPS/TLS.
- Access tokens are stored encrypted at rest.
- Access to production systems is restricted and monitored.
10. Cookies & storage
The Cartwell admin interface uses essential session cookies required for secure, embedded operation inside the Shopify admin. The storefront cart drawer uses only first-party, functional browser storage needed to remember cart state — it sets no advertising or cross-site tracking cookies.
11. Changes to this policy
We may update this policy from time to time. Material changes are reflected by updating the date at the top of this page.
12. Contact
For any question about this policy or your data, email support@cartwell.eu.