Privacy Policy
Cartbeat (“we”, “us”) provides cart-recovery software for Shopify merchants. This policy explains what we collect, why, and how merchants and shoppers can exercise their rights.
Who we are
Cartbeat operates at cartbeat.app. Contact: info@cartbeat.app.
Data we process
Merchant data (Shopify store owners): store domain, OAuth access tokens, shop profile (name, email, address), app settings, billing status, and operational logs.
Shopper data (your customers): abandoned checkout information Shopify sends us — typically email, first name, cart line items, cart total, currency, and checkout recovery URL. We use this only to send recovery emails and measure attribution.
SMS / Comebacks (when enabled): phone number (E.164), SMS opt-in timestamp and source, opt-out/suppression timestamps, and message delivery metadata. See our SMS Opt-In Policy for consent and TCPA details.
Email engagement: open and click timestamps on recovery messages we send.
How we use data
- Detect abandoned checkouts and send timed recovery emails on the merchant’s behalf
- Create discount codes in Shopify when configured
- Report recovered orders with honest attribution labels (direct-click or assisted) — not a revenue share
- When Comebacks is enabled: send opt-in SMS win-backs on the merchant’s Twilio account and honor STOP/suppression
- Operate billing, support, security, and legal compliance
Subprocessors
- Fly.io — application hosting
- Resend — email delivery for cart-recovery and related merchant messages (when Resend is the configured transport)
- Twilio — SMS delivery for Comebacks (when enabled; merchant’s Twilio account)
- Shopify — app subscription billing (merchant's Shopify invoice)
- Anthropic (optional) — AI-generated email copy when enabled
Retention
Merchant and checkout data is kept while the app is installed and for a reasonable period after uninstall for logs and billing. Shoppers who unsubscribe are suppressed immediately.
GDPR / Shopify mandatory webhooks
We implement Shopify’s required GDPR webhooks: customers/data_request, customers/redact, and shop/redact. Merchants may contact us for data requests at info@cartbeat.app.
Shopper rights
Every recovery email includes one-click unsubscribe (RFC 8058). Shoppers may also email info@cartbeat.app to request deletion or opt-out.
Security
OAuth and webhook traffic is HMAC-verified. Secrets are stored server-side only. Merchants should use strong passwords on Shopify and Cartbeat billing accounts.
Changes
We may update this policy. Material changes will be reflected on this page with an updated date.
Cartbeat