Privacy Policy

This document (hereinafter: “Privacy Policy”) describes the privacy practices of Cart DATA ltd., Drenov Grič 171D Vrhnika, 1360 Vrhnika, Slovenia, EU, Company Registration Number: 8838399000, VAT ID Number: SI49081616, (hereinafter: “we”, “us”, “our” or “Cart DATA d.o.o.”), whereby Cart DATA d.o.o. is the owner and supplier of www.cartboss.io and the CartBoss Plugins, which all represent a proprietary software as a service marketing tool for sending SMS messages (hereinafter: “CartBoss Service”).

We recognize the significance personal information plays in today's world and have thereby designed both our internal processes and the CartBoss Service with data and privacy protection in mind.

Our resident Data Protection Officer can be reached at [email protected]

If you have any questions about this Privacy Policy or any other data protection queries, please contact us at the above address. We would always welcome the opportunity to rectify any complaints that you have about your data and privacy held with us and can be contacted as shown in the Data Controller Contact Details section below. If you would like to make a complaint to your national data protection authority, you can find their contact information here.

In addition to being a data Controller for any data we Process in the performance of our own business operations and communications, we also act as data Processors in connection with the CartBoss Service, namely, when the CartBoss Service Customers (i.e. business entities who have registered an account with us under our Terms of Service), set-up the service on their own websites and their customers (i.e. End Users) enter their Personal Data into the service.

This Privacy Policy is therefore split into three parts:

  • in part a) we describe all relevant Data processing information as it pertains to us as a data Controller (i.e. when we collect and process data for our own business and organisational needs);
  • in part b) we describe the relevant Data processing information as it pertains to us as a data Processor (i.e. when we process data in connection with the CartBoss Service for our Customers);
  • in part c) we state all the relevant Data processing information that pertains to both situations (i.e. Data Subject rights, timescales for keeping the data, security measures, etc.).

Interpretation of certain bolded terms in this Privacy Policy

  • Applicable Legislation shall mean but not be limited to the European Union’s General Data Protection Regulation (2016/679) (hereinafter: “GDPR”) as well as any and all applicable EU and national laws and other statutes, rules, regulations and codes, as they may apply to Personal Data and Data Subject privacy (e.g. the California Consumer Privacy Act (CCPA)).
  • CartBoss Service (also called service) shall mean the Cart DATA d.o.o. proprietary software as a service marketing tool for sending SMS messages, represented by the www.cartboss.io website and the CartBoss WordPress Plugin.
  • CartBoss Data Processing Agreement (also called DPA) shall mean the agreement governing the Processing of Personal Data by Cart DATA d.o.o. (as the Processor) on behalf of the Customer (as the Controller) in connection with the Customers’ use of the CartBoss Service.
  • Controller shall mean the legal entity that determines the purposes and means of the Processing of Personal Data, as provided for by Article 4 of the GDPR or by any other relevant Applicable Legislation.
  • Customer shall mean the legal entity that registered its account with us in order to use the CartBoss Service. The Customer is considered as the data Controller regarding any and all Personal Data that is entered into the service by the Customer, its employees or its own customers (End Users).
  • Data processing (also Processing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • End User shall mean a Data Subject whose data is being processed in connection with the CartBoss Service.
  • End User Messages shall mean the SMS Messages that are sent to the End Users by our Customers through the CartBoss Service as A2P “Application-to-person” messages.
  • European Economic Area (also called EEA) shall mean the EU Member States and Iceland, Liechtenstein, and Norway.
  • Personal Data shall mean any information relating to an identified or identifiable natural person (hereinafter: “Data subject”), whereby an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as provided for by Article 4 of the GDPR or by any other relevant Applicable Legislation.
  • Processor shall mean a legal person which processes Personal Data on behalf of the Controller, as provided for by Article 4 of the GDPR or by any other relevant Applicable Legislation.

Terms not otherwise defined in this Privacy Policy shall have the meaning as set forth in the GDPR.

  a) Information on Data Processing when Cart DATA d.o.o. is acting as the Controller of Personal Data

Data Controller Contact Details

Cart DATA ltd.,

Drenov Grič 171D Vrhnika, 1360 Vrhnika,

Slovenia, EU,

Company Registration Number: 8838399000,

VAT ID Number: SI49081616

Our Data Protection Officer may be reached at [email protected].

Personal Data types and the subject-matter, nature, purpose and legal basis for Processing

The CartBoss Service may only be used by businesses (i.e. we do not allow account registration by natural persons or non-corporate entities), whereby (i.e. when setting up a demo presentation, communicating with us via email or registering an account, issuing an invoice, etc.), we primarily process the Personal Data of Customer representatives:

| Personal Data Type* | Subject-matter and nature of Processing | Purpose of Processing | Legal basis for Processing |
| --- | --- | --- | --- |
| Account registration data (name, last name, email address, job title, company name, company registered address and country). | Automatically collecting, storing and using the data Customers enter when registering their account. | We require this data in order to form and maintain a business relationship with our Customer for the provision of the CartBoss Service. | Contractual (i.e. the Customer enters into a contract with us under the Terms of Use when he validly registers an account). |
| Payment method data (might include: card details should you pay via card, please have no concern, we cannot and do not keep this data). | Automatically collecting and providing said data to our payment processors (Visa, Braintree, PayPal). | We require this data in order to collect payment from our Customer in exchange for offering the CartBoss Service. | Contractual (i.e. payment is a necessary condition for the use of the service, as stipulated by our Terms of Use). |
| Invoicing information (might include: business representative names, emails or phone numbers). | Automatically collecting, storing and using said data for invoicing. | We require this data in order to invoice our Customers every time they top-up their funds with us and to detect and prevent fraud. | Compliance with a legal obligation. |
| Customer service records (might include: email, first and last name, telephone number, etc.). | Collecting, storing and using Customer Personal Data that is sent or communicated to us during inquiries and other communication regarding our service. | We process this data in order to answer requests and communicate with Data Subjects (i.e. Customers or third parties) who have reached out to us (i.e. via our contact form, the messaging application on our website, etc.) in order to provide optimal support and staff training. | Contractual. |
| Commercial communication with existing Customers (emails, and might also include telephone numbers). | Automatically collecting, storing and using Customer representative Personal Data for commercial communication (i.e. newsletters, special offers, etc.). | We process this data in order to facilitate our sales and marketing activities. | Contractual, legitimate interest (i.e. by registering an account or by being our Customer in the past). |
| Commercial communication with Data Subjects who are not our Customers (emails). | Automatically collecting, storing and using third party Personal Data for commercial communication (i.e. newsletters, special offers, etc.). | We process this data in order to facilitate our sales and marketing activities. | Consent (i.e. if you sign up to our newsletter, etc.). |
| Collecting CartBoss Service usage data (might include:). | Automatically collecting, storing and using technical information regarding service usage. | Like most websites and software providers, we automatically collect and use technical information data contained in log files. We log and review data about Customers accessing their account and using the CartBoss Service in order to analyse service usage for strategical and planning purposes, and to detect and prevent fraud. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information such as an IP or e-mail address. | Contractual. |
| www.cartboss.io cookie data (might include: website visitor Internet Protocol address (IP), date and length of website visit, website interactions, interests from visitor Facebook Profile or Google Account information, etc.). | Automatically collecting, receiving (from our marketing partners such as Facebook / Google) and using the collected information for analytical and marketing purposes (usually through the use of the Google Analytics / Display Network / FB Pixel services). | We process this data in order to facilitate our sales and marketing activities and to discover which products, features and services you appreciate as a Customer. | Consent. |

*Please note, that to the best of our knowledge, we do not collect or process Special categories of Personal Data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health data, when carrying out the processing activities mentioned above as a data Processor.

Timescales for our processing and keeping of Personal Data as a data Controller

We will keep your data for the term you have consented to, the contracted term between us or where there is a legitimate interest for us to remain in contact with you plus 3 years in case of any queries or issues that you may have or for legally required reasons (e.g. revenue, tax and customs requirements), whichever is the longest.

The timescale for this will vary depending on the requirement. Some examples and criteria for our Processing and keeping Personal Data also include:

  • The reason we are using your data. We will keep the minimum amount of data required for the particular above-mentioned reason and for the timescale that that reason requires (i.e. warranty and service agreement periods),
  • Legal requirements and where a minimum timescale is set (i.e. revenue, tax and customs requirements), whereby we are required to keep invoicing data for a minimum period of 10 years.
  • If we process your data on the basis of your explicit consent, we shall keep and process said data until you withdraw your consent, which can be done at any time by reaching out to us at [email protected] or through the relevant user terminal or unsubscribe link.
  • Payment method data is not actually kept by us. We cannot affect the timescales or delete said data.
  • Cookie data is generally held by our marketing partners (i.e. Facebook and Google). You may be able to affect the data keeping timescales regarding this data if you manage your cookie settings or delete your cookies and browsing history.
  • Where possible legal requirements exist under which we might be required to forward Personal Data to a duly appointed public authority or third party citing relevant parts of the Applicable Legislation based on their explicit request (i.e. criminal investigations where we are provided with a court order).
  • Customer service record data may be kept by us on the basis of our legitimate interest, should the need arise to demonstrate or legally prove that a service was provided or carried out by us.
  • In order to carry out maintenance or service updates, we may also make appropriate duplicate records against loss and create intermediate files or workspaces, whereby all such records and data are promptly deleted after maintenance or the application of the update.

Should you as a Data Subject require that your Personal Data stop being Processed or that it be deleted, you should reach out to us at [email protected].

However, in certain situations, we shall have the legal right to Process or keep your data even though you wish to exercise your right to cease processing or your right to erasure, on the basis of our own legal and valid reasons (i.e. invoicing data, data that pertains to an ongoing fraud or other investigation, etc.). We shall explicitly notify you in this regard and cooperate with you to minimise any and all relevant data in the context of the situation, should the Applicable Legislation allow us to do so.

  b) Information on Data Processing when Cart DATA d.o.o. is providing the CartBoss Service to Customers and acting as the Processor of Personal Data

The CartBoss Service is used by our Customers as a marketing tool for sending SMS messages to their own customers (i.e. End Users), whereby we may process End User (i.e. Data Subject) Personal Data to the extent necessary for the provision of the CartBoss Service, as stated below and have concluded the necessary DPA agreement with all of our Customers to this end, whereby we are the data Processor of such data.

Please note that: each individual CartBoss Service Customer (i.e. the organization you gave your telephone number to and consented to receiving their SMS Messages) is responsible for the processing of your data through the CartBoss Service as the data Controller. Customers are also required to obtain your prior legal Consent for sending End User Messages under the Applicable Legislation. If you have received an SMS Message through the CartBoss service and require information on its sender, where the sender received your data, the sender's data retention, security measures, third party processors, your rights, or other applicable data processing information, you should contact the sender and consult his privacy policy.

Cart DATA d.o.o. does not suggest, monitor, inhibit or in any other way influence the contents, form and overall legality of any and all SMS Messages sent via the CartBoss Service by its Customers to the End Users.

If you are a Data Subject wanting to exercise his data protection and privacy rights in connection with the CartBoss Service, you may address the CartBoss Service Customer directly or send us your request at [email protected] so that we may promptly assist you in this regard and forward your request to the relevant Customer.

Personal Data types and the subject-matter, nature, purpose and legal basis for Processing in connection with the CartBoss Service

Customers may use the CartBoss Service to generate input fields on their check-out pages, whereby Personal Data is entered into the Service by the Data Subjects (i.e. End Users) themselves, or alternatively, Customers may input End User Personal Data directly into the service. In both situations we may process the data for the provision of the service as follows:

| Personal Data Type* | Subject-matter and nature of Processing | Purpose of Processing | Legal basis for Processing |
| --- | --- | --- | --- |
| Event / User Action type (purchase completion, cart abandonment, newsletter subscription) | Automatically collecting, segmenting and storing each End User event / action relating to purchase completion, cart abandonment or newsletter subscription. | So that Customers may better segment the End Users based on their events or the actions that they performed on their website (completion of the purchase, subscription to the newsletter, the abandonment of their cart). This type of segmentation allows Customers to customize / select / draw-up the appropriate contents of their End User Messages. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |
| | Automatically collecting and storing website / storefront type data. | Different platforms work in different ways (implementation of discounts and discount codes, different ways of generating URLs at the end of the check-out process and different ways of restoring the contents of an abandoned cart). In order to properly process the data and send a compatible link, discount code, coupon code, etc. with regards to the website / storefront and for the CartBoss Service to be compatible with different platforms, data on the platform sending the API call is required. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |
| Service widget/plug-in version data | Automatically collecting and storing Service widget/plug-in version data. | To reduce the possibility of errors and incompatibilities with older versions of our widget/plug-in, we collect data about the version in use by the End User. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |
| Basic End User Contact Information (Phone Number, delivery address, IP address, Name, Surname) | Automatically collecting, storing and using such data when the Customer wishes to send End User Messages. | So that the Customers may send End User Messages to such End Users. To recognise and use the relevant phone number prefix based on the End User's country prefix number. So that prepopulated End User Messages and End User Message templates may be personalised by the Customer with the End User's name, surname and further contextualised with regards to his delivery address. Collecting and processing the End User IP address falls under the category of legitimate interest of Cart DATA d.o.o., whereby this data is processed in order to defend the CartBoss Service from DDoS attacks. | Contractual (i.e. the DPA we concluded with the Customer) or legitimate interest (i.e. in the case of DDoS protection). |
| Data relating to the End User's Cart (Cart value, Chosen currency, Chosen Payment Method, Coupon code, URL to complete the purchase, Cart Contents - Product ID, Product Name, Quantity, Product Price) | Automatically collecting, storing and using such data for when the Customer wishes to send End User Messages. | So that the Customer may offer End Users a way to restore the contents of their previously abandoned cart. Used for the personalization of End User Messages and for the conditional logic of sending such messages. So that the Customer may offer valid discount coupons to his End Users. Each check-out page has a different URL and thereby storing the relevant URL of a particular abandoned cart is essential for restoring the contents of a previously abandoned cart. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |
| Values of checkboxes (Cart Abandonment SMS consent, Marketing SMS consent, Newsletter consent) | Automatically collecting and storing data on whether the checkbox is displayed, what content it relates to and whether the End User has checked it. | This data is processed in order to collect and store evidence regarding End User consent, so that the Customer can legally send End User Messages via the Service. Similarly, processing and storing this data stems from our legitimate interest to provide information on why an End User received an End User Message. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer) or legitimate interest (i.e. in the case of providing information on why an End User received an End User Message). |
| Traffic data | Automatically collecting and storing technical as well as Personal Data in relation to the conveyance of communications on an electronic communications network or billing thereof. | This data is processed in order for the communication with the End User to take place (i.e. in order for the SMS Message to be sent) and for the appropriate charge to be paid to the communications provider and includes information about the routing and timing of the SMS Message. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer and based on the contract we have with the communications provider). |
| End User Message content data (i.e. the actual contents/text of the SMS Message) | Automatically collecting and storing technical as well as Personal Data in relation to the conveyance of communications on an electronic communications network. | This data is processed in order to provide the key feature of the CartBoss Service (i.e. to allow the Customer to send End User Messages). This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |

*Please note that special categories of Personal Data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health data, may be processed through the CartBoss Service, if the service is used by the Customer to process such data, whereby the customer is required under the DPA and Applicable Legislation to obtain explicit consent from the Data Subject for such data processing.

Timescales for our processing and keeping of End User Personal Data as a data Processor

We keep End User Personal Data as a Processor in the above-mentioned cases. Most of the data represents technical information which remains anonymous (that is, it does not identify the End User personally), but in some cases it can be traced back to personal information.

We generally keep and Process End User Personal Data for as long as it is necessary to fulfil the purposes for processing (i.e. the provision of the CartBoss Service) whereby most Processing takes place instantly after initiation by the Controller via the User dashboard.

The DPA instructs us to delete or procure the deletion of all copies of any and all stored End User Personal Data within 15 (fifteen) business days of the date of termination of the Customer's registered account (by either the Customer or Cart DATA d.o.o. under the applicable clauses of the Terms of Service).

We may also cease all Processing activities and delete such data sooner, should:

  • you as the Data Subject, or
  • the Customer, or
  • any duly appointed public authority or third party citing relevant parts of the Applicable Legislation,

demand that we do so, by reaching out to us at [email protected].

Some examples and criteria for our right to Process End User Personal Data also include:

  • possible legal requirements under which we might be required to forward End User Personal Data to a duly appointed public authority or third party citing relevant parts of the Applicable Legislation based on their explicit request (i.e. criminal investigations where we are provided with a court order).
  • Where a data transfer is required in order to provide the CartBoss Service (whereby the Customer is required to enter into a DPA or standard contractual clauses, as the case may be).
  • Where customer service record data may include parts of End User Personal Data and be kept by us on the basis of our legitimate interest, should the need arise to demonstrate or legally prove that a service was provided or carried out by us.
  • In order to carry out maintenance or service updates, we may also make appropriate duplicate records against loss and create intermediate files or workspaces, whereby all such records and data are promptly deleted after maintenance or the application of the update.

Should you as an End User require that End User Personal Data stop being processed or be deleted, you should reach out to the relevant Customer or to us directly at [email protected].

However, in certain situations, we shall have the legal right to Process or keep your data even though you wish to exercise your right to cease processing or your right to erasure on the basis of our own legal and valid reasons (i.e. criminal investigations where we are legally required to keep or forward your data as per the received court order etc.). We shall explicitly notify you in this regard and cooperate with you to minimise any and all relevant data in the context of the situation, should the Applicable Legislation allow us to do so.

  c) Additional information on Data Processing that Cart DATA d.o.o. offers to all Data Subjects

Regardless of whether we process your Personal Data as a data Controller or data Processor, the following sections shall apply.

Changes to this Privacy Policy

Cart DATA d.o.o. may change this Privacy Policy without notice. We therefore recommend that you read these terms each time you visit our website, use our services or require information as to how we Process Personal Data.

Who processes or otherwise comes into contact with the Personal Data?

  • Certain employees of Cart DATA d.o.o.: your Personal Data is processed by individual employees of Cart DATA d.o.o. Employees only process the Personal Data needed for work related purposes, and may, if their work tasks and the company's internal rules allow it, exchange the data between them. All employees are committed to confidentiality and respect for the protection of Personal Data.
  • Duly appointed public authorities or third parties citing relevant parts of the Applicable Legislation: in certain cases prescribed by the Applicable Legislation, we are required to provide Personal Data to competent state authorities or other public authorities that cite relevant parts of the Applicable Legislation (i.e. police authorities with a court order etc.). We must also provide the data to third parties if such an obligation to provide or disclose the data is imposed on us by the Applicable Legislation.
  • External processors and sub-processors: We may also engage and employ external contractual partners for our Processing. When this is the case, employees of such contractual processors as well as their automatic systems may process Personal Data under an agreement that we have concluded with them. Contractual processors may only process personal data in accordance with our (or the Customer's, as the case may be) instructions, and may not use the data to pursue any of their own interests. The contractual processors with which we cooperate may fall within one or more of the following categories: persons who supplement our workforce (i.e. external developers), hosting providers, accounting services, IT system maintenance services, communications providers. The exact names and contact information of our contractual processors shall be disclosed to you upon receiving such request at [email protected].
  • We shall only forward Personal Data to other third parties to the extent required by the Applicable Legislation or in order to enforce our Terms of Service, the DPA or other agreements and to protect the legally demonstrated rights of third parties.

Please note that: we do not sell or otherwise share any Data Subject or End User Personal Data with any other third party or marketing organisation.

Information on where we store the data and on data portability

Our servers are located in Ljubljana, Slovenia (i.e. in the EEA). We do not transmit Personal Data to any international organisations or third parties outside of the EEA.

Automated decision making and profiling

We do not carry out any automated decision making or profiling.

Protection of Personal Data

We protect Personal Data with appropriate physical, technological and organizational safeguards as well as security measures and practices, which are appropriate to the scope and nature of the Personal Data. Personal Data we collect is stored on secure servers using standard security procedures whereby measures are taken in order to protect the Personal Data from unauthorised access, destruction, use, modification, or disclosure. Despite our best efforts, we cannot however guarantee that the safeguards we maintain will ensure the security and integrity of Personal Data in all given situations, since no technological system is completely unaffected by the possibility of external manipulation and all modern-day data transfers include certain risks.

Online privacy protection of persons under the age of 18

Our products and services are not intended to be used by anyone under the age of 18. Therefore we will never knowingly collect data from or on anyone below the age of 18. If you become aware of a situation in which personal information is being supplied to us with regards to anyone under the age of 18, please contact us via [email protected].

Use of cookies

We use cookies on the www.cartboss.io website, whereby all of the relevant information on our use of cookies can be found in our Cookie Policy.

Data Protection & Privacy Rights

If you are a Data Subject wanting to exercise his data protection and privacy rights in connection with Cart DATA d.o.o. and regarding the processing of Personal Data that we carry out as a data Processor, feel free to reach us at: [email protected]

If you are an End User (i.e. a person that received an SMS Message through the CartBoss Service from our Customer) and wish to exercise your data protection and privacy rights, you may address the CartBoss Service Customer directly or send us your request at [email protected] so that we may promptly assist you in this regard and forward your request to the relevant Customer.

We offer Data Subjects the following rights:

The right to be informed – Individuals have the right to be informed about the collection and use of their Personal Data.

The right of access – Individuals have the right to access their Personal Data and supplementary information.

The right to rectification – Individuals have the right to have inaccurate Personal Data rectified, or completed if it is incomplete.

The right to erasure – The right for individuals to have Personal Data erased. This is also known as “the right to be forgotten”. Please note this right is not absolute and only applies in certain circumstances.

The right to restrict processing – The right to request the restriction or suppression of their personal data. Please note this is not an absolute right and only applies in certain circumstances.

The right to data portability – The right to data portability allows individuals to obtain and reuse their Personal Data for their own purposes across different services.

The right to object – Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.

You can exercise your rights by contacting us via: [email protected].

Extensive information on Data Subject rights under GDPR can be found at this link.

You also have the right to launch a claim with the data protection supervisory authority in the country in which you live or work when you believe that we have infringed on your data protection rights, mishandled your Personal Data, or otherwise breached our obligations under the Applicable Legislation.

A list of data protection supervisory authorities and their contact information can be found here.

Last Revision on the: 1st of March 2021