Privacy Policy

This document (hereinafter: “Privacy Policy”) describes the privacy practices of Cart DATA ltd., Drenov Grič 171D Vrhnika, 1360 Vrhnika, Slovenia, EU, Company Registration Number: 8838399000, VAT ID Number: SI49081616, (hereinafter: “we”, “us”, “our” or “Cart DATA d.o.o.”), whereby Cart DATA d.o.o. is the owner and supplier of www.cartboss.io and the CartBoss Plugins, which all represent a proprietary software as a service marketing tool for sending SMS messages (hereinafter: “CartBoss Service”).

We recognize the significance personal information plays in today's world and have thereby designed both our internal processes and the CartBoss Service with data and privacy protection in mind.

Our resident Data Protection Officer can be reached at [email protected]

If you have any questions about this Privacy Policy or any other data protection queries, please contact us at the above address. We would always welcome the opportunity to rectify any complaints that you have about your data and privacy held with us and can be contacted as shown in the Data Controller Contact Details section below. If you would like to make a complaint to your national data protection authority, you can find their contact information here.

In addition to being a data Controller for any data we Process in the performance of our own business operations and communications, we also act as data Processors in connection with the CartBoss Service, namely, when the CartBoss Service Customers (i.e. business entities who have registered an account with us under our Terms of Service), set-up the service on their own websites and their customers (i.e. End Users) enter their Personal Data into the service.

This Privacy Policy is therefore split into three parts:

Interpretation of certain bolded terms in this Privacy Policy

Terms not otherwise defined in this Privacy Policy shall have the meaning as set forth in the GDPR.

  1. Information on Data Processing when Cart DATA d.o.o. is acting as the Controller of Personal Data

Data Controller Contact Details

Cart DATA ltd.,

Drenov Grič 171D Vrhnika, 1360 Vrhnika,

Slovenia, EU,

Company Registration Number: 8838399000,

VAT ID Number: SI49081616

Our Data Protection Officer may be reached at [email protected].

Personal Data types and the subject-matter, nature, purpose and legal basis for Processing

The CartBoss Service may only be used by businesses (i.e. we do not allow account registration by natural persons or non-corporate entities), whereby (i.e. when setting up a demo presentation, communicating with us via email or registering an account, issuing an invoice, etc.), we primarily process the Personal Data of Customer representatives:

| Personal Data Type* | Subject-matter and nature of Processing | Purpose of Processing | Legal basis for Processing |
| --- | --- | --- | --- |
| Account registration data (name, last name, email address, job title, company name, company registered address and country). | Automatically collecting, storing and using the data Customers enter when registering their account. | We require this data in order to form and maintain a business relationship with our Customer for the provision of the CartBoss Service. | Contractual (i.e. the Customer enters into a contract with us under the Terms of Use when he validly registers an account). |
| Payment method data (might include: card details should you pay via card, please have no concern, we cannot and do not keep this data) | Automatically collecting and providing said data to our payment processors (Visa, Braintree, PayPal). | We require this data in order to collect payment from our Customer in exchange for offering the CartBoss Service. | Contractual (i.e. payment is a necessary condition for the use of the service, as stipulated by our Terms of Use). |
| Invoicing information (might include: business representative names, emails or phone numbers). | Automatically collecting, storing and using said data for invoicing. | We require this data in order to invoice our Customers every time they top-up their funds with us and to detect and prevent fraud. | Compliance with a legal obligation. |
| Customer service records (might include: email, first and last name, telephone number, etc.). | Collecting, storing and using Customer Personal Data that is sent or communicated to us during inquiries and other communication regarding our service. | We process this data in order to answer requests and communicate with Data Subjects (i.e. Customers or third parties) who have reached out to us (i.e. via our contact form, the messaging application on our website, etc.) in order to provide optimal support and staff training. | Contractual. |
| Commercial communication with existing Customers (emails, and might also include telephone numbers). | Automatically collecting, storing and using Customer representative Personal Data for commercial communication (i.e. newsletters, special offers, etc.) | We process this data in order to facilitate our sales and marketing activities. | Contractual, legitimate interest (i.e. by registering an account or by being our Customer in the past). |
| Commercial communication with Data Subjects who are not our Customers (emails). | Automatically collecting, storing and using third party Personal Data for commercial communication (i.e. newsletters, special offers, etc.) | We process this data in order to facilitate our sales and marketing activities. | Consent (i.e. if you sign up to our newsletter, etc.). |
| Collecting CartBoss Service usage data (might include:). | Automatically collecting, storing and using technical information regarding service usage. | Like most websites and software providers, we automatically collect and use technical information data contained in log files. We log and review data about Customers accessing their account and using the CartBoss Service in order to analyse service usage for strategical and planning purposes, and to detect and prevent fraud. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information such as an IP or e-mail address. | Contractual. |
| www.cartboss.io cookie data (might include: website visitor Internet Protocol address (IP), date and length of website visit, website interactions, interests from visitor Facebook Profile or Google Account information, etc.). | Automatically collecting, receiving (from our marketing partners such as Facebook / Google) and using the collected information for analytical and marketing purposes (usually through the use of the Google Analytics / Display Network / FB Pixel services). | We process this data in order to facilitate our sales and marketing activities and to discover which products, features and services you appreciate as a Customer. | Consent. |

*Please note, that to the best of our knowledge, we do not collect or process Special categories of Personal Data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health data, when carrying out the processing activities mentioned above as a data Processor.

Timescales for our processing and keeping of Personal Data as a data Controller

We will keep your data for the term you have consented to, the contracted term between us or where there is a legitimate interest for us to remain in contact with you plus 3 years in case of any queries or issues that you may have or for legally required reasons (e.g. revenue, tax and customs requirements), whichever is the longest.

The timescale for this will vary depending on the requirement. Some examples and criteria for our Processing and keeping Personal Data also include:

Should you as a Data Subject require that your Personal Data stop being Processed or that it is deleted, you should reach out to us at [email protected].

However, in certain situations, we shall have the legal right to Process or keep your data even though you wish to exercise your right to cease processing or your right to erasure, on the basis of our own legal and valid reasons (i.e. invoicing data, data that pertains to an ongoing fraud or other investigation, etc.). We shall explicitly notify you in this regard and cooperate with you to minimise any and all relevant data in the context of the situation, should the Applicable Legislation allow us to do so.

  2. Information on Data Processing when Cart DATA d.o.o. is providing the CartBoss Service to Customers and acting as the Processor of Personal Data

The CartBoss Service is used by our Customers as a marketing tool for sending SMS messages to their own customers (i.e. End Users), whereby we may process End User (i.e. Data Subject) Personal Data to the extent necessary for the provision of the CartBoss Service, as stated below and have concluded the necessary DPA agreement with all of our Customers to this end, whereby we are the data Processor of such data.

Please note that: each individual CartBoss Service Customer (i.e. the organization you gave your telephone number to and consented to receiving their SMS Messages) is responsible for the processing of your data through the CartBoss Service as the data Controller. Customers are also required to obtain your prior legal Consent for sending End User Messages under the Applicable Legislation. If you have received an SMS Message through the CartBoss service and require information on its sender, where the sender received your data, the sender's data retention, security measures, third party processors, your rights, or other applicable data processing information, you should contact the sender and consult his privacy policy.

Cart DATA d.o.o. does not suggest, monitor, inhibit or in any other way influence the contents, form and overall legality of any and all SMS Messages sent via the CartBoss Service by its Customers to the End Users.

If you are a Data Subject wanting to exercise his data protection and privacy rights in connection with the CartBoss Service, you may address the CartBoss Service Customer directly or send us your request at [email protected] so that we may promptly assist you in this regard and forward your request to the relevant Customer.

Personal Data types and the subject-matter, nature, purpose and legal basis for Processing in connection with the CartBoss Service

Customers may use the CartBoss Service to generate input fields on their check-out pages, whereby Personal Data is entered into the Service by the Data Subjects (i.e. End Users) themselves, or alternatively, Customers may input End User Personal Data directly into the service. In both situations we may process the data for the provision of the service as follows:

| Personal Data Type* | Subject-matter and nature of Processing | Purpose of Processing | Legal basis for Processing |
| --- | --- | --- | --- |
| Event / User Action type (purchase completion, cart abandonment, newsletter subscription) | Automatically collecting, segmenting and storing each End User event / action relating to purchase completion, cart abandonment or newsletter subscription. | So that Customers may better segment the End Users based on their events or the actions that they performed on their website (completion of the purchase, subscription to the newsletter, the abandonment of their cart). This type of segmentation allows Customers to customize / select / draw-up the appropriate contents of their End User Messages. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |
|  | Automatically collecting and storing website / storefront type data. | Different platforms work in different ways (implementation of discounts and discount codes, different ways of generating URLs at the end of the check-out process and different ways of restoring the contents of an abandoned cart). In order to properly process the data and send a compatible link, discount code, coupon code, etc. with regards to the website / storefront and for the CartBoss Service to be compatible with different platforms, data on the platform sending the API call is required. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |
| Service widget/plug-in version data | Automatically collecting and storing Service widget/plug-in version data. | To reduce the possibility of errors and incompatibilities with older versions of our widget/plug-in, we collect data about the version in use by the End User. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |
| Basic End User Contact Information (Phone Number, delivery address, IP address, Name, Surname) | Automatically collecting, storing and using such data when the Customer wishes to send End User Messages. | So that the Customers may send End User Messages to such End Users. To recognise and use the relevant phone number prefix based on the End User's country prefix number. So that prepopulated End User Messages and End User Message templates may be personalised by the Customer with the End User's name, surname and further contextualised with regards to his delivery address. Collecting and processing the End User IP address falls under the category of legitimate interest of Cart DATA d.o.o., whereby this data is processed in order to defend the CartBoss Service from DDOS attacks. | Contractual (i.e. the DPA we concluded with the Customer) or legitimate interest (i.e. in the case of DDOS protection). |
| Data relating to the End User's Cart (Cart value, Chosen currency, Chosen Payment Method, Coupon code, URL to complete the purchase, Cart Contents - Product ID, Product Name, Quantity, Product Price) | Automatically collecting, storing and using such data for when the Customer wishes to send End User Messages. | So that the Customer may offer End Users a way to restore the contents of their previously abandoned cart. Used for the personalization of End User Messages and for the conditional logic of sending such messages. So that the Customer may offer valid discount coupons to his End Users. Each check-out page has a different URL and thereby storing the relevant URL of a particular abandoned cart is essential for restoring the contents of a previously abandoned cart. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer) |
| Values of checkboxes (Cart Abandonment SMS consent, Marketing SMS consent, Newsletter consent) | Automatically collecting and storing data on whether the checkbox is displayed, what content it relates to and whether the End User has checked it. | This data is processed in order to collect and store evidence regarding End User consent, so that the Customer can legally send End User Messages via the Service. Similarly, processing and storing this data stems from our legitimate interest to provide information on why an End User received an End User Message. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer) or legitimate interest (i.e. in the case of providing information on why an End User received an End User Message). |
| Traffic data | Automatically collecting and storing technical as well as Personal Data in relation to the conveyance of communications on an electronic communications network or billing thereof. | This data is processed in order for the communication with the End User to take place (i.e. in order for the SMS Message to be sent) and for the appropriate charge to be paid to the communications provider and includes information about the routing and timing of the SMS Message. This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer and based on the contract we have with the communications provider). |
| End User Message content data (i.e. the actual contents/text of the SMS Message) | Automatically collecting and storing technical as well as Personal Data in relation to the conveyance of communications on an electronic communications network. | This data is processed in order to provide the key feature of the CartBoss Service (i.e. to allow the Customer to send End User Messages). This information remains anonymous (that is, it does not identify the Data Subject personally), but in some cases it can be traced back to personal information. | Contractual (i.e. the DPA we concluded with the Customer). |

*Please note that special categories of Personal Data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health data, may be processed through the CartBoss Service, if the service is used by the Customer to process such data, whereby the customer is required under the DPA and Applicable Legislation to obtain explicit consent from the Data Subject for such data processing.

Timescales for our processing and keeping of End User Personal Data as a data Processor

We keep End User Personal Data as a Processor in the above-mentioned cases. Most of the data represents technical information which remains anonymous (that is, it does not identify the End User personally), but in some cases it can be traced back to personal information.

We generally keep and Process End User Personal Data for as long as it is necessary to fulfil the purposes for processing (i.e. the provision of the CartBoss Service) whereby most Processing takes place instantly after initiation by the Controller via the User dashboard.

The DPA instructs us to delete or procure the deletion of all copies of any and all stored End User Personal Data within 15 (fifteen) business days of the date of termination of the Customer's registered account by either the Customer or Cart DATA d.o.o. (under the applicable clauses of the Terms of Service).

We may also cease all Processing activities and delete such data sooner, should:

demand that we do so, by reaching out to us at [email protected].

Some examples and criteria for our right to Process End User Personal Data also include:

Should you as an End User require that End User Personal Data stop being processed or be deleted, you should reach out to the relevant Customer or to us directly at [email protected].

However, in certain situations, we shall have the legal right to Process or keep your data even though you wish to exercise your right to cease processing or your right to erasure on the basis of our own legal and valid reasons (i.e. criminal investigations where we are legally required to keep or forward your data as per the received court order etc.). We shall explicitly notify you in this regard and cooperate with you to minimise any and all relevant data in the context of the situation, should the Applicable Legislation allow us to do so.

  3. Additional information on Data Processing that Cart DATA d.o.o. offers to all Data Subjects

Regardless of whether we process your Personal Data as a data Controller or data Processor, the following sections shall apply.

Changes to this Privacy Policy

Cart DATA d.o.o. may change this Privacy Policy without notice. We therefore recommend that you read these terms each time you visit our website, use our services or require information as to how we Process Personal Data.

Who processes or otherwise comes into contact with the Personal Data?

Please note that: we do not sell or otherwise share any Data Subject or End User Personal Data with any other third party or marketing organisation.

Information on where we store the data and on data portability

Our servers are located in Ljubljana, Slovenia (i.e. in the EEA). We do not transmit Personal Data to any international organisations or third parties outside of the EEA.

Automated decision making and profiling

We do not carry out any automated decision making or profiling.

Protection of Personal Data

We protect Personal Data with appropriate physical, technological and organizational safeguards as well as security measures and practices, which are appropriate to the scope and nature of the Personal Data. Personal Data we collect is stored on secure servers using standard security procedures whereby measures are taken in order to protect the Personal Data from unauthorised access, destruction, use, modification, or disclosure. Despite our best efforts, we cannot however guarantee that the safeguards we maintain will ensure the security and integrity of Personal Data in all given situations, since no technological system is completely unaffected by the possibility of external manipulation and all modern-day data transfers include certain risks.

Online privacy protection of persons under the age of 18

Our products and services are not intended to be used by anyone under the age of 18. Therefore we will never knowingly collect data from or on anyone below the age of 18. If you become aware of a situation in which personal information is being supplied to us with regards to anyone under the age of 18, please contact us via [email protected].

Use of cookies

We use cookies on the www.cartboss.io website, whereby all of the relevant information on our use of cookies can be found in our Cookie Policy.

Data Protection & Privacy Rights

If you are a Data Subject wanting to exercise his data protection and privacy rights in connection with Cart DATA d.o.o. and regarding the processing of Personal Data that we carry out as a data Processor, feel free to reach us at: [email protected]

If you are an End User (i.e. a person that received an SMS Message through the CartBoss Service from our Customer) and wish to exercise your data protection and privacy rights, you may address the CartBoss Service Customer directly or send us your request at [email protected] so that we may promptly assist you in this regard and forward your request to the relevant Customer.

We offer Data Subjects the following rights:

The right to be informed – Individuals have the right to be informed about the collection and use of their Personal Data.

The right of access – Individuals have the right to access their Personal Data and supplementary information.

The right to rectification – Individuals have the right to have inaccurate Personal Data rectified, or completed if it is incomplete.

The right to erasure – The right for individuals to have Personal Data erased. This is also known as “the right to be forgotten”. Please note this right is not absolute and only applies in certain circumstances.

The right to restrict processing – The right to request the restriction or suppression of their personal data. Please note this is not an absolute right and only applies in certain circumstances.

The right to data portability – The right to data portability allows individuals to obtain and reuse their Personal Data for their own purposes across different services.

The right to object – Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.

You can exercise your rights by contacting us via: [email protected].

Extensive information on Data Subject rights under GDPR can be found at this link.

You also have the right to launch a claim with the data protection supervisory authority in the country in which you live or work when you believe that we have infringed on your data protection rights, mishandled your Personal Data, or otherwise breached our obligations under the Applicable Legislation.

A list of data protection supervisory authorities and their contact information can be found here.

Last Revision on the: 1st of March 2021