Privacy Policy for CartGate

Last Updated: March 9, 2026

Introduction

CartGate ("we", "our", or "us") is a Shopify app that validates cart contents at checkout, blocking incompatible product combinations and enforcing purchase rules configured by the merchant. This Privacy Policy explains how we collect, use, store, and protect information when you use our application.

This policy applies to merchants who install CartGate and to their customers whose cart data is processed by our checkout validation function.

Information We Collect

1. Merchant Information

When you install CartGate, we collect and store:

  • Shop Information: Your Shopify shop domain, shop name, and associated account details provided through Shopify OAuth
  • Email Address: Your email address, used for account communication and product updates
  • Authentication Data: OAuth access tokens and session tokens required to interact with your Shopify store
  • App Configuration: Your cart validation rules, including incompatible product combinations, solo-purchase restrictions, and enforcement settings (block or warn)

2. Customer Information

When your customers proceed to checkout:

  • Cart Contents: Product IDs and variant IDs in the customer's cart are processed in real time by our validation function to check against your configured rules
  • No Storage: Customer cart data is processed at the point of checkout validation and is not stored by CartGate. The validation function runs as a Shopify Function (compiled to WebAssembly) that evaluates the cart and returns a pass/fail result — no customer data is transmitted to or retained on our servers.

3. Technical Information

  • Session Data: Server-side session tokens for merchant authentication, stored with a 7-day time-to-live (TTL) and automatically deleted upon expiration
  • Webhook Data: App installation, uninstallation, and mandatory compliance webhook events from Shopify

How We Use Your Information

Merchant Data

We use merchant information to:

  • Authenticate and authorize access to your Shopify store
  • Store and apply your cart validation rules via Shopify metafields
  • Send transactional emails related to your account (e.g., service notices, security alerts)
  • Send product update emails about new features, changes, or improvements to CartGate (you may unsubscribe at any time)
  • Provide customer support

Customer Data

Customer cart data is used solely to evaluate checkout validation rules in real time. CartGate does not store, transmit, or retain any customer personal information. The validation function runs entirely within Shopify's infrastructure as a Shopify Function.

Data Storage and Security

Where We Store Data

  1. Cloudflare D1 Database:
    • Shop records (domain, email, configuration state)
    • App settings and onboarding status
  2. Cloudflare KV Storage:
    • Merchant session tokens (encrypted, 7-day TTL with automatic expiration)
  3. Shopify Metafields (stored within your Shopify store):
    • Cart validation rules (under the $app:cart-gate namespace)
    • Warning display rules (under the cart_gate namespace)
    • All metafield data remains within your Shopify store and under your control

Security Measures

  • All data is transmitted using HTTPS/TLS encryption
  • OAuth 2.0 authentication with Shopify (token exchange flow)
  • Session tokens stored server-side with automatic expiration
  • Webhook request validation using Shopify HMAC signatures
  • Infrastructure hosted on Cloudflare's global network with built-in DDoS protection
  • No customer personal data is stored on our servers

Data Sharing and Third Parties

We share data with the following third parties:

Cloudflare

Shopify

  • Purpose: App platform, merchant store integration, checkout validation
  • Data Shared: Validation rules (via metafields), webhook events
  • Privacy Policy: https://www.shopify.com/legal/privacy

We do not share your data with:

  • Advertising networks
  • Data brokers
  • Marketing services
  • Any other third parties not listed above

Analytics

CartGate may use server-side, cookieless analytics to understand how the app is used and to improve the product. No cookies or client-side tracking technologies are used. No personally identifiable information is collected through analytics. If we introduce analytics in the future, this policy will be updated accordingly.

Data Retention

Automatic Expiration

  • Session Tokens: Automatically expire and are deleted after 7 days
  • Customer Cart Data: Not stored — processed in real time only

Active Use

  • Shop records and app configuration are retained for the duration of your use of CartGate
  • Validation rules stored in Shopify metafields persist within your Shopify store

After Uninstallation

When you uninstall CartGate:

  • Session tokens are automatically deleted upon expiration (within 7 days)
  • Shop records and configuration data are retained for up to 12 months after uninstallation to allow seamless restoration if you choose to reinstall
  • After 12 months, all shop data is permanently deleted from our systems
  • Metafield data in your Shopify store remains under your control — you may delete it through the Shopify admin at any time
  • You may request immediate deletion of all your data at any time by contacting us (see "Contact Us" below)

Your Data Rights

As a Merchant

You have the right to:

  • Access: Request a copy of all data we store about your shop
  • Correct: Update your validation rules and configuration at any time through the app
  • Delete: Request immediate deletion of all your data by contacting us, or uninstall the app (data deleted within 12 months)
  • Portability: Request your data in a portable format
  • Unsubscribe: Opt out of product update emails at any time via the unsubscribe link in any email

As a Customer

CartGate does not store any customer personal data. The validation function processes cart contents in real time within Shopify's infrastructure and does not retain any information. If you have questions about how a merchant uses CartGate on their store, please contact the merchant directly.

Compliance with Privacy Laws

GDPR (European Union)

For merchants and customers in the EU/EEA:

  • We process merchant data based on contractual necessity (to deliver the service you installed) and legitimate interest (to communicate product updates, with opt-out available)
  • Customer cart data is processed by a Shopify Function running within Shopify's infrastructure — CartGate acts as a processor under the merchant's controllership
  • You have the right to data portability, erasure, restriction of processing, and to lodge a complaint with your local supervisory authority
  • We comply with Shopify's mandatory GDPR webhooks for data deletion requests
  • Data is stored on Cloudflare's infrastructure, which maintains appropriate safeguards for international data transfers

CCPA (California)

For California residents:

  • We do not sell personal information
  • We do not share personal information for cross-context behavioral advertising
  • You have the right to know what personal information is collected, to request deletion, and to non-discrimination for exercising your rights

Shopify Mandatory Compliance Webhooks

We handle Shopify's mandatory compliance webhooks:

  • customers/data_request: We will respond within 30 days. Note: CartGate does not store customer personal data.
  • customers/redact: We will process the request within 30 days. Note: CartGate does not store customer personal data.
  • shop/redact: We will delete all shop data within 30 days of receiving the request.

Cookies and Tracking

CartGate does not use cookies or client-side tracking technologies.

  • No browser cookies are set by CartGate
  • No client-side analytics or tracking scripts
  • No fingerprinting or cross-site tracking
  • All session management is server-side with automatic expiration

Note: Shopify's embedded app framework may set its own cookies as part of its authentication and session management. Those cookies are governed by Shopify's Privacy Policy.

Email Communications

We may send you the following types of emails:

  • Transactional Emails: Service-related notices, security alerts, and account notifications. These are necessary for the operation of the service and cannot be opted out of while you use CartGate.
  • Product Updates: Information about new features, changes, and improvements to CartGate. You may unsubscribe from these at any time using the unsubscribe link included in every email.

We will never share your email address with third parties for marketing purposes.

Children's Privacy

CartGate is a business-to-business application intended for use by Shopify merchants. It is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

Data Breach Notification

In the event of a data breach that affects your information:

  • We will notify affected merchants within 72 hours of becoming aware of the breach, as required by GDPR
  • Notification will include the nature of the breach, categories of data affected, and remediation steps taken
  • We will cooperate with relevant supervisory authorities as required by law

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

  • The "Last Updated" date at the top will be revised
  • Merchants will be notified of material changes via email
  • Continued use of CartGate after changes constitutes acceptance of the revised policy

Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to submit a data deletion request, please contact us:

Email: [email protected]
Mailing Address: 6545 Market Avenue N., Suite 100, North Canton, Ohio 44721

When contacting us about a data request, please include:

  • Your Shopify shop domain
  • A description of your request

We will respond to all requests within 30 days.


By installing and using CartGate, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.