CartWatch Privacy Policy
Last updated: May 13, 2026
Overview
CartWatch is a Shopify app that helps merchants detect likely bot activity during checkout. This policy explains what data we collect, how we use it, and your rights as a merchant or end-customer.
Data We Collect
From Merchants (Shopify store owners)
- Shopify store domain and OAuth access token (encrypted at rest) — used to read checkout data and tag customers.
- App configuration preferences (e.g., auto-tag enabled, plan tier).
- OAuth credentials for optional third-party integrations (Klaviyo, Omnisend) — stored encrypted; used only to perform suppression actions on your behalf.
From Checkout Events (end-customers of merchant stores)
- Email address provided during checkout — used for bot scoring and optional email validation (ZeroBounce, if configured by merchant).
- Shipping and billing address — used for address intelligence signals (Smarty US Street, if configured by merchant) to improve bot detection accuracy.
- Shopify checkout ID and customer ID — used to track detection events and apply customer tags.
- Checkout metadata (timestamps, order amounts, cart contents) — used solely for bot scoring heuristics.
How We Use Data
- Bot detection: Checkout data is analyzed against heuristic rules to determine whether a checkout exhibits bot-like patterns.
- Customer tagging: When a checkout is flagged and the merchant has enabled auto-tagging, we apply the CARTWATCH_FLAGGED_BOT tag to the Shopify customer account via the Shopify Admin API.
- Provider suppression: When integrated with Klaviyo or Omnisend and suppression is enabled, we submit the flagged email address to the respective platform to unsubscribe or suppress the contact.
- Audit trail: Detection results and processing logs are stored in Firebase Firestore under the merchant's namespace, so merchants can review and verify flagged events.
- Service improvements: Aggregated, anonymized usage statistics may be used to improve detection accuracy.
We do not sell personal data to third parties, use checkout data for advertising, or share data between merchant accounts.
Third-Party Services
CartWatch may call the following external services when configured by the merchant:
- ZeroBounce — email validation. The email address from the checkout is sent to ZeroBounce's API. Their privacy policy governs their handling of that data.
- Smarty (US Street Address API) — address verification for US shipping addresses. Address components are sent to Smarty's API.
- Klaviyo — email suppression for flagged contacts, via the merchant's connected Klaviyo account.
- Omnisend — email suppression for flagged contacts, via the merchant's connected Omnisend account.
All third-party integrations are optional and only activated when explicitly configured by the merchant.
Data Storage and Retention
Merchant and checkout data is stored in Google Firebase (Firestore), hosted in the United States. Checkout records and their associated audit logs are automatically deleted 90 days after they are created. When a merchant uninstalls CartWatch, all remaining data is deleted immediately in accordance with Shopify's mandatory data deletion webhook requirements.
Data Security
Sensitive credentials (Shopify access tokens, Klaviyo and Omnisend OAuth tokens) are encrypted before being written to Firestore. We use industry-standard AES encryption and do not store encryption keys alongside the data.
Your Rights
If you are a merchant using CartWatch, you may request deletion of your store's data at any time by uninstalling the app or contacting us at the address below.
If you are a customer of a Shopify store that uses CartWatch and you have questions about how your data was processed, please contact that store's owner directly. CartWatch processes checkout data on behalf of merchants and does not have a direct relationship with end-customers.
Changes to This Policy
We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top. Continued use of CartWatch after changes are posted constitutes acceptance of the updated policy.
Contact
For privacy-related questions or data deletion requests, please contact:
CartWatch
Email: support@vyntlabs.com