Privacy Policy

Cart Reserve

Version III (2/6/2026). Effective as of: February 6, 2026


1. Introduction

Cart Reserve ("the App") provides a product-reservation and fraud-detection service ("the Service") to merchants who use Shopify to power their online stores. This Privacy Policy describes how personal and store information is collected, used, stored, and shared when you install or use the App within your Shopify-supported store.

Provider (Data Processor)

Under the GDPR, the merchant is the data controller for their store customers' data. Cart Reserve acts as a data processor on behalf of the merchant. For data we collect directly from merchants (account, billing, support), we act as the data controller.

By installing or using the App, you agree to this Privacy Policy.


2. Information We Collect

When a merchant installs Cart Reserve, the App accesses store data through Shopify APIs. We collect and process different categories of data depending on the features you use.

2.1 Store & Product Data

  • Product and inventory details (names, SKU, stock levels, variants, prices)
  • Theme configuration settings
  • Product sync status

2.2 Reservation Session Data

  • Cart/session identifiers
  • Cart events (adding, removing, expiring items)
  • Line items (product names, variant titles, quantities, prices)
  • Session timestamps (created, expires, renewed)
  • Renewal count and session state

2.3 Fraud Detection Data

When fraud detection is enabled, we collect additional data from storefront visitors to assess risk:

  • IP address and derived geolocation (country, region, city)
  • User agent string
  • Browser fingerprint signals: languages, plugins, hardware concurrency, screen resolution, color depth, timezone
  • Behavioral patterns: timing data, user interactions, session velocity
  • Cart value and currency
  • Historical session patterns (same-IP session counts over 24h, 7d, 30d)

This data is processed on our servers to derive anonymized statistical signals (e.g., session counts, velocity metrics, behavioral scores). Only these anonymized signals — with no IP addresses, geolocation, user agents, or personally identifiable information — are sent to third-party AI models for risk assessment.
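The separation described above (raw visitor data stays on the server, only derived counts and scores go to the model) is easiest to enforce with an allowlist of payload keys rather than by trying to strip identifiers afterwards. The following is an added example, not Cart Reserve's code: it derives the same-IP session counts over 24h, 7d and 30d from a constructed set of raw session records, builds the payload that would be sent for risk assessment, and refuses any payload that carries a key outside the allowlist. The field names, the `velocity_per_hour` signal and the sample records are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of raw storefront session records (not real data).
NOW = datetime(2026, 2, 6, 12, 0, tzinfo=timezone.utc)
RAW_SESSIONS = [
    {"session_id": "s1", "ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (X11)",
     "country": "DE", "cart_value": 120.0, "currency": "EUR",
     "created_at": NOW - timedelta(hours=1)},
    {"session_id": "s2", "ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (X11)",
     "country": "DE", "cart_value": 80.0, "currency": "EUR",
     "created_at": NOW - timedelta(days=3)},
    {"session_id": "s3", "ip": "203.0.113.7", "user_agent": "curl/8.0",
     "country": "DE", "cart_value": 500.0, "currency": "EUR",
     "created_at": NOW - timedelta(days=20)},
    {"session_id": "s4", "ip": "198.51.100.2", "user_agent": "Mozilla/5.0 (Win)",
     "country": "US", "cart_value": 40.0, "currency": "USD",
     "created_at": NOW - timedelta(hours=2)},
]

# Direct or indirect identifiers that must never leave the server.
PII_KEYS = frozenset({"ip", "user_agent", "country", "region", "city",
                      "session_id", "email"})

# The only keys the outbound risk-assessment payload may contain (allowlist).
ALLOWED_KEYS = frozenset({"same_ip_sessions_24h", "same_ip_sessions_7d",
                          "same_ip_sessions_30d", "cart_value", "currency",
                          "velocity_per_hour"})


def same_ip_counts(sessions, ip, now):
    """Count sessions from the same IP in the 24h / 7d / 30d windows ending at `now`."""
    windows = {"same_ip_sessions_24h": timedelta(hours=24),
               "same_ip_sessions_7d": timedelta(days=7),
               "same_ip_sessions_30d": timedelta(days=30)}
    return {name: sum(1 for s in sessions
                      if s["ip"] == ip and timedelta(0) <= now - s["created_at"] <= span)
            for name, span in windows.items()}


def pii_violations(payload):
    """Return the keys that would leak PII or are simply not allowlisted (empty list = clean)."""
    leaked = set(payload) & PII_KEYS
    unexpected = set(payload) - ALLOWED_KEYS
    return sorted(leaked | unexpected)


def build_ai_payload(sessions, session, now):
    """Derive anonymized signals for one session; raises if the payload is not clean."""
    counts = same_ip_counts(sessions, session["ip"], now)
    payload = {
        **counts,
        "cart_value": session["cart_value"],
        "currency": session["currency"],
        # Hypothetical velocity signal: sessions per hour over the last day.
        "velocity_per_hour": round(counts["same_ip_sessions_24h"] / 24, 4),
    }
    bad = pii_violations(payload)
    if bad:
        raise ValueError(f"refusing to send non-allowlisted keys: {bad}")
    return payload


if __name__ == "__main__":
    print(build_ai_payload(RAW_SESSIONS, RAW_SESSIONS[0], NOW))
```

The allowlist is the important design choice: a denylist of known PII keys fails silently the first time someone adds a new raw field to the session record, whereas an allowlist makes that addition fail loudly before anything leaves the server.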

2.4 Analytics & Metrics Data

We collect aggregated, non-personally-identifiable metrics to provide analytics dashboards:

  • Daily and hourly session counts (created, completed, expired, cancelled)
  • Conversion rates and session durations
  • Geographic breakdown by country (session counts, conversion rates)
  • Product performance metrics (reservation counts, conversion rates, revenue)
  • Unique IP counts per time period (counts only, not individual IPs)

2.5 Merchant Account Data

  • Shopify store domain
  • Store owner email (from Shopify session)
  • Alert email preferences
  • Billing name, email, country, address, and VAT number (fetched from Shopify for invoicing)

2.6 Support Data

When merchants contact support, we collect:

  • Email address and name
  • Message content and subject
  • File attachments (stored in cloud storage)
  • Conversation metadata (timestamps, status)

2.7 Observability Data

For application monitoring and debugging, we log:

  • HTTP request metadata (method, URL, status code, duration)
  • IP addresses and user agents
  • Error details and stack traces

This data is retained for 3 days in detail and aggregated for up to 90 days.


3. How We Use the Information

3.1 Core Service

  • Temporarily reserving products in the customer's cart
  • Preventing simultaneous purchases of limited-stock items
  • Real-time synchronization between cart reservations and store inventory

3.2 Fraud Detection

  • Analyzing session behavior to identify fraudulent reservation patterns
  • Generating risk assessments using AI models
  • Maintaining fraud blocklists configured by the merchant
  • Providing fraud case management tools

3.3 Analytics & Insights

  • Generating performance dashboards for merchants
  • Producing AI-powered insights reports on reservation trends, conversion analysis, and product performance
  • Identifying market trends relevant to the merchant's catalog

3.4 Billing & Invoicing

  • Managing subscription plans and billing cycles
  • Generating invoices through our invoicing provider
  • Tracking usage against plan quotas

3.5 Support

  • Responding to merchant inquiries
  • Troubleshooting technical issues

We Do NOT Use Data For

  • Marketing or advertising
  • Selling data to third parties
  • Customer profiling unrelated to the fraud-detection service
  • Cross-store data sharing or aggregation

4. Legal Basis for Processing (GDPR)

Purpose                  | Legal Basis
-------------------------|----------------------------------------------------------
Core reservation service | Performance of contract (Art. 6(1)(b))
Fraud detection          | Legitimate interest of the merchant (Art. 6(1)(f))
Analytics & insights     | Performance of contract (Art. 6(1)(b))
Billing & invoicing      | Legal obligation (Art. 6(1)(c))
Support                  | Performance of contract (Art. 6(1)(b))
Observability/monitoring | Legitimate interest — service reliability (Art. 6(1)(f))

5. Third-Party Services

We use the following third-party services to operate the App:

Service             | Purpose                                 | Data Shared                                         | Location
--------------------|-----------------------------------------|-----------------------------------------------------|---------------
Shopify Inc.        | Platform operation, API access, billing | Store data, subscription charges                    | USA/Canada
Hetzner Online GmbH | Server, database, and file storage      | All application data, support file attachments      | EU (Germany)
Fakturoid           | Invoice generation (if applicable)      | Billing name, email, country, address, VAT number   | Czech Republic

AI-Powered Features

Fraud detection and AI insights use third-party AI models for risk assessment and analytics generation. These services receive only anonymized, non-personally-identifiable data — such as aggregated session counts, behavioral scores, cart values, and product names. No IP addresses, geolocation, user agents, email addresses, or other personal data is sent to AI providers.

International Data Transfers

All application data, databases, and file storage are hosted in the EU (Hetzner, Germany). Shopify Inc. is located in the USA/Canada; for transfers of personal data to Shopify, we rely on Standard Contractual Clauses (SCCs) and Shopify's participation in recognized data protection frameworks. Fakturoid is located in the Czech Republic (within the EEA).


6. Data Retention

Data Category                          | Retention Period
---------------------------------------|-------------------------------------------------------------------
Reservation session data               | Configurable per plan: Starter (14 days), Pro (90 days)
Fraud cases and analysis               | Until store redaction or merchant deletion
AI insights reports                    | Until store redaction or merchant deletion
Analytics metrics (aggregated)         | Based on store's data retention setting (default 90 days)
Observability logs (detailed)          | 3 days
Observability stats (aggregated)       | 30 days
Support conversations                  | Until store redaction (anonymized, not deleted)
Billing & subscription data            | 10 years (tax compliance)
AI usage logs (token counts, latency)  | Preserved with anonymized references after store redaction

When the App is uninstalled and Shopify issues a SHOP_REDACT webhook, we execute a comprehensive data deletion process. See Section 10 for details.


7. Data Security

We apply industry-standard security measures:

  • Encrypted HTTPS for all communications
  • Minimal data processing by design
  • Restricted access to authorized processes only
  • Presigned URLs for secure file uploads and downloads (1-hour expiry)
  • Hashed identifiers for redacted store records
  • Token-based authentication for API access with revocation on app uninstall
  • Encrypted storage for all data at rest

8. Sharing & Disclosure

Shared With

  • Shopify Inc. (platform operation and API functionality)
  • Hetzner Online GmbH (infrastructure and file storage, hosted in EU)
  • Fakturoid (billing data, if applicable — within the EEA)
  • Third-party AI providers (anonymized, non-personal data only — see Section 5)

We Do NOT Share With

  • Marketers or advertisers
  • Data brokers
  • General analytics platforms (e.g., Google Analytics, Meta, TikTok)

We may disclose limited information when legally required by applicable law, regulation, legal process, or government request.


9. Data Subject Rights (GDPR & CCPA)

Depending on your jurisdiction, you or your customers may have the following rights:

  • Right of Access — Request a copy of personal data we process
  • Right to Rectification — Request correction of inaccurate data
  • Right to Erasure — Request deletion of personal data
  • Right to Restrict Processing — Request limitation of data processing
  • Right to Data Portability — Receive data in a structured, machine-readable format
  • Right to Object — Object to processing based on legitimate interests
  • Right to Withdraw Consent — Where processing is based on consent
  • Right to Non-Discrimination (CCPA) — Exercise your rights without penalty

For store customers: Contact the merchant (data controller) who installed Cart Reserve. The merchant can then relay the request to us as needed.

For merchants: Contact us directly at support@r3stack.com. We will respond within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority.


10. App Uninstallation & Data Deletion

When the App is uninstalled and Shopify sends a shop redaction request:

  1. All HTTP authentication tokens for the store are revoked
  2. Stored files (AI analysis files, support attachments) are deleted from cloud storage
  3. The following data is permanently deleted:
    • Reservation sessions and related data
    • Product and variant data
    • Reservation configurations
    • Fraud blocklists
    • AI insights reports
    • Support attachments
    • Theme configuration
    • Shop alerts
    • Telescope/observability events (detailed logs)
    • Session metrics and analytics
    • Store activities and sync jobs
    • Internal event records
    • The Shopify session record
  4. The following data is anonymized (structure preserved, PII removed):
    • Fraud cases (session references and AI analysis content removed; risk scores, risk levels, detection types, cart values, and resolution outcomes preserved for aggregate fraud statistics)
    • Fraud prompt comparisons (prompt text and reasoning removed; risk levels, latency, token counts, costs, and correctness metrics preserved for AI model evaluation)
    • AI usage logs (file references and metadata removed; token counts and latency preserved for aggregate statistics)
    • Telescope/observability statistics (store identifier removed; route performance aggregates preserved for platform monitoring)
    • Support messages (content, sender email, and sender name redacted)
    • Support conversations (email, name, domain, and subject redacted)
  5. The following data is preserved (for tax compliance, up to 10 years):
    • Subscription records and billing events
    • Invoice records
  6. The store record is marked as REDACTED with a hashed domain identifier
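The steps above split every data category into one of three treatments: delete, anonymize with structure preserved, or preserve. The following is an added example, not Cart Reserve's own redaction code, showing that split applied to a constructed store record, with a keyed hash standing in for the "hashed domain identifier" and a final scan that confirms none of the known identifiers survive anywhere in the redacted record. The category names, field names, sample record and the choice of an HMAC over a plain hash are all assumptions; an unknown category makes the routine fail closed rather than silently keep the data.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Hypothetical server-side secret. The policy says only "hashed domain identifier";
# keying the hash is this example's choice, so the identifier cannot be reversed by
# hashing a list of candidate shop domains.
REDACTION_KEY = b"replace-with-a-server-side-secret"

# Per-category treatment, following the three groups in Section 10 (names assumed).
DELETE = {"sessions", "products", "fraud_blocklists", "ai_insights", "shopify_session"}
ANONYMIZE = {
    "fraud_cases": {"session_ref", "ai_analysis"},
    "support_messages": {"content", "sender_email", "sender_name"},
    "support_conversations": {"email", "name", "domain", "subject"},
}
PRESERVE = {"subscriptions", "billing_events", "invoices"}

# Constructed sample store record (not real data).
SAMPLE_STORE = {
    "domain": "example-store.myshopify.com",
    "status": "ACTIVE",
    "sessions": [{"id": "s1", "ip": "203.0.113.7", "user_agent": "Mozilla/5.0"}],
    "shopify_session": {"access_token": "shpat_example_token"},
    "fraud_cases": [{"id": 1, "session_ref": "s1",
                     "ai_analysis": "3 sessions from 203.0.113.7 in 24h",
                     "risk_score": 87, "risk_level": "high", "detection_type": "velocity",
                     "cart_value": 500.0, "resolution": "blocked"}],
    "support_messages": [{"id": 10, "sender_email": "owner@example.com",
                          "sender_name": "Ada Owner", "content": "Sync is failing",
                          "created_at": "2026-01-10T09:00:00Z"}],
    "support_conversations": [{"id": 5, "email": "owner@example.com", "name": "Ada Owner",
                               "domain": "example-store.myshopify.com",
                               "subject": "Sync failing", "status": "closed"}],
    "billing_events": [{"id": 1, "amount": 29.0, "currency": "USD", "date": "2026-01-01"}],
}


def hashed_domain(domain):
    """Keyed hash of the shop domain: the only link kept to the redacted store."""
    return hmac.new(REDACTION_KEY, domain.lower().encode(), hashlib.sha256).hexdigest()


def redact_store(store):
    """Return a redacted copy; the input record is left untouched."""
    out = {}
    for key, value in store.items():
        if key in DELETE:
            continue                                   # permanently deleted
        if key in ANONYMIZE:
            fields = ANONYMIZE[key]                    # structure kept, PII fields nulled
            out[key] = [{k: (None if k in fields else v) for k, v in rec.items()}
                        for rec in value]
        elif key in PRESERVE:
            out[key] = deepcopy(value)                 # kept for tax compliance
        elif key not in ("domain", "status"):
            raise ValueError(f"no redaction rule for category {key!r}")  # fail closed
    out["domain"] = hashed_domain(store["domain"])
    out["status"] = "REDACTED"
    return out


def leftover_pii(redacted, known_values):
    """Verification step: which of the known identifiers still appear anywhere."""
    blob = json.dumps(redacted)
    return sorted(v for v in known_values if v in blob)


if __name__ == "__main__":
    redacted = redact_store(SAMPLE_STORE)
    print(json.dumps(redacted, indent=2))
    print("leftover:", leftover_pii(redacted, ["owner@example.com", "203.0.113.7"]))
```

The `leftover_pii` scan is the check worth keeping in a real pipeline: it runs after redaction against the identifiers the redaction was supposed to remove (domain, email, IP, access token), so a field that quietly carries one of them, such as free-text analysis mentioning an IP, is caught rather than assumed clean.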

11. Cookies

Cart Reserve does not use cookies on storefronts.

Cookies in Merchant Admin Only:

  • Authentication cookies (session management)
  • Preference cookies (UI settings)

These cookies are strictly necessary for the merchant admin interface and do not track store customers.


12. Children's Privacy

The service is not intended for children under age 16. We do not knowingly collect children's data. If data was submitted without proper consent, please contact us for removal.


13. Changes to This Privacy Policy

We may update this document due to operational or regulatory changes. The latest version date will always be displayed at the top. Material changes will be communicated through the App's admin interface. Continued use of the App after changes signifies acceptance.


14. Contact Information

Cart Reserve — Privacy Inquiry

Email: support@r3stack.com

For GDPR-specific inquiries, you may also contact your local data protection authority.