Privacy Policy

1. Introduction

Cartiva ("we", "us", "our") operates the analytics platform at app.cartiva.io (the "Dashboard"), the marketing website at cartiva.io (the "Website"), and the MCP proxy service at mcp.cartiva.io (the "Proxy"). This Privacy Policy explains how we collect, use, and protect information when you use our services.

2. Information We Collect

2.1 Merchant Account Data

When you create an account, we collect:

• Email address and password (hashed)
• Store URL and platform type (e.g., WooCommerce)
• API keys (stored as SHA-256 hashes; raw keys are shown once at creation)

2.2 Agent Analytics Data (via MCP Proxy)

When AI shopping agents interact with your store through our proxy, we collect:

• Agent identity (e.g., ChatGPT, Gemini, Perplexity) derived from MCP client metadata
• Search queries, product views, and variant checks performed by agents
• Session metadata (timestamps, duration, number of tool calls)

We do not collect personally identifiable information (PII) about end customers. Any customer identifiers are SHA-256 hashed before storage. We do not store raw webhook payloads long-term.

2.3 Website Analytics

We use Google Analytics (via Google Tag Manager) to understand how visitors use our Website and Dashboard. This data is collected only with your consent (see our Cookie Policy).

3. How We Use Your Information

• Provide and maintain the analytics dashboard and MCP proxy service
• Authenticate your account and secure API access
• Generate aggregated, anonymized analytics about AI agent behavior
• Send transactional emails (account confirmation, password reset)
• Improve our services based on usage patterns

We do not sell your data to third parties. We do not use your store data for advertising purposes.

4. Data Storage and Third-Party Services

Your data is processed by the following services:

• Supabase (EU/US) — merchant authentication and configuration
• ClickHouse Cloud — analytics data storage (agent sessions, events)
• Cloudflare Workers — API and MCP proxy processing
• Vercel — dashboard and website hosting
• Resend — transactional email delivery
• Google Analytics — website usage analytics (with consent)

All data is transmitted over encrypted connections (TLS/HTTPS). API keys are stored as SHA-256 hashes. Webhook payloads are validated via HMAC-SHA256 signatures.

5. Data Retention

• Account data: retained while your account is active
• Analytics data: retained for 12 months, then automatically purged
• Upon account deletion: all data is purged within 48 hours

6. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Delete your data ("right to be forgotten")
• Export your data in a portable format (JSON/CSV)
• Object to processing or restrict processing
• Withdraw consent for optional data processing (e.g., analytics cookies)

To exercise any of these rights, contact us at support@cartiva.io. We will respond within 30 days.

7. Security

We implement the following security measures:

• No PII stored in analytics databases
• Customer identifiers SHA-256 hashed before storage
• API keys stored as SHA-256 hashes
• Webhook verification via HMAC-SHA256
• All traffic encrypted via TLS/HTTPS
• Rate limiting on all API endpoints
• Input validation at all system boundaries (Zod schemas)

8. Children

Our services are not directed to individuals under 16. We do not knowingly collect data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our Dashboard. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.

10. Contact

For privacy-related questions or requests, contact us at: support@cartiva.io