Cartbeat
Home

Privacy Policy

Cartbeat · Last updated July 2026 · info@cartbeat.app

Cartbeat (“we”, “us”) provides cart-recovery software for Shopify merchants. This policy explains what we collect, why, and how merchants and shoppers can exercise their rights.

Who we are

Cartbeat operates at cartbeat.app. Contact: info@cartbeat.app.

Data we process

Merchant data (Shopify store owners): store domain, OAuth access tokens, shop profile (name, email, address), app settings, billing status, and operational logs.

Shopper data (your customers): abandoned checkout information Shopify sends us — typically email, first name, cart line items, cart total, currency, and checkout recovery URL. We use this only to send recovery emails and measure attribution.

SMS / Comebacks (when enabled): phone number (E.164), SMS opt-in timestamp and source, opt-out/suppression timestamps, and message delivery metadata. See our SMS Opt-In Policy for consent and TCPA details.

Email engagement: open and click timestamps on recovery messages we send.

How we use data

Subprocessors

Retention

Merchant and checkout data is kept while the app is installed and for a reasonable period after uninstall for logs and billing. Shoppers who unsubscribe are suppressed immediately.

GDPR / Shopify mandatory webhooks

We implement Shopify’s required GDPR webhooks: customers/data_request, customers/redact, and shop/redact. Merchants may contact us for data requests at info@cartbeat.app.

Shopper rights

Every recovery email includes one-click unsubscribe (RFC 8058). Shoppers may also email info@cartbeat.app to request deletion or opt-out.

Security

OAuth and webhook traffic is HMAC-verified. Secrets are stored server-side only. Merchants should use strong passwords on Shopify and Cartbeat billing accounts.

Changes

We may update this policy. Material changes will be reflected on this page with an updated date.