TroveCart Privacy Policy

RocketCart ("CartIQ", "we", "us", or "our") is a Shopify application that provides AI-powered cart upselling, product recommendations, and cart customization tools for online merchants. This Privacy Policy explains how we collect, use, store, and protect information when you install and use our app.

By installing RocketCart, you agree to the collection and use of information as described in this policy. If you do not agree, please uninstall the app.

Store Information

When you install RocketCart, we access and store the following from your Shopify store:

• Shop details — store domain, store name, email address, Shopify plan, currency, and timezone
• Product catalog — product titles, descriptions, images, prices, tags, collections, variants, and inventory status
• Order data — order totals, line items, and product IDs (used for analytics and recommendation training)

Customer Browsing Behavior

RocketCart tracks anonymous, session-based browsing activity on your storefront:

• Product views — which products a visitor views and how many times (session-scoped)
• Cart interactions — add-to-cart events, cart updates, and checkout initiation
• Widget interactions — impressions, clicks, and add-to-cart events on recommendation widgets
• Session identifiers — randomly generated session IDs stored in the browser (not linked to personal identity)

We do not collect customer names, email addresses, physical addresses, or payment information through our widget.

IP Addresses

For intent-recovery discount rate limiting, we store a one-way SHA-256 hash of the visitor's IP address combined with a shop-specific salt. The raw IP address is never stored.

Merchant Account Information

Through the Shopify OAuth flow, we receive and store your Shopify access token (encrypted) to make API calls on your behalf.

• AI Product Recommendations — Product catalog, order history, browsing behavior
• Intent Recovery Discounts — Session product views, hashed IP (rate limiting)
• Analytics Dashboard — Widget impressions, clicks, add-to-carts, order data
• Revenue Attribution — Cart tokens, session IDs, order line items
• Billing & Subscriptions — Shop domain, subscription plan, order counts
• Customer Support — Shop domain, support ticket content
• App Functionality — Widget settings, translations, product data

• Database — All data is stored in a PostgreSQL database with encryption at rest
• Access Tokens — Shopify access tokens are encrypted using AES-256-GCM before storage
• Transport — All communication is over HTTPS/TLS. No unencrypted connections are accepted
• Webhook Verification — All incoming Shopify webhooks are verified via HMAC signature validation
• OAuth Security — Authentication uses Shopify's OAuth 2.0 with HMAC verification, CSRF state tokens, and timestamp validation to prevent replay attacks
• Rate Limiting — API endpoints are rate-limited to prevent abuse

We share data with the following third-party services strictly for app functionality:

• Shopify API — Store data, products, orders. Purpose: Core app functionality, billing, webhooks.
• OpenAI — Anonymized product titles, descriptions, and tags only. Purpose: AI-powered product recommendation generation.

We do not sell, rent, or trade your data to any third parties for marketing or advertising purposes.

OpenAI data handling: Only product catalog metadata (titles, descriptions, tags) is sent to OpenAI. No customer data, store credentials, order details, or personally identifiable information is shared.

• Active installation — Data is retained while the app is installed and your subscription is active
• App uninstallation — Upon uninstallation, your subscription remains active through the end of the billing period. Data is retained during this period to allow reinstallation
• Shop redact webhook — When Shopify sends a shop/redact webhook (48 hours after uninstall), we soft-delete all associated shop data in compliance with Shopify and GDPR requirements
• Analytics data — Aggregated, anonymized analytics may be retained for service improvement
• Support tickets — Retained for 12 months after resolution for quality assurance, then deleted

RocketCart complies with the General Data Protection Regulation (GDPR) and implements the required Shopify mandatory webhooks.

Your Rights

• Right to Access — Request a copy of all data we hold about your store
• Right to Erasure — Request deletion of your data at any time
• Right to Portability — Export your analytics data in CSV format directly from the app
• Right to Rectification — Request correction of inaccurate data

Mandatory Webhooks

• customers/data_request — We respond with all data held about the requested customer
• customers/redact — We delete or anonymize all data associated with the specified customer
• shop/redact — We soft-delete all shop data within the GDPR-mandated timeframe

Data Processing Basis

We process data under the following legal bases:

• Contractual necessity — Processing required to provide the app's core services
• Legitimate interest — Analytics and service improvement using anonymized data
• Consent — Granted when the merchant installs the app and accepts this policy

RocketCart does not set any cookies on your customers' browsers.

• Session tracking uses randomly generated session IDs stored in the browser's localStorage, scoped to the storefront domain
• Product view tracking uses localStorage for session-scoped product view counts
• No cross-site tracking, no advertising pixels, and no third-party analytics scripts are injected

Merchant sessions within the Shopify admin are managed by Shopify's own session handling, not by RocketCart.

RocketCart is a business-to-business application for Shopify merchants. We do not knowingly collect information from children under 13 (or 16 in the EU). If you believe we have inadvertently collected such data, please contact us for immediate deletion.

Your data may be processed and stored on servers located outside your country of residence. We ensure appropriate safeguards are in place for international data transfers, including encryption in transit and at rest.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

• We will update the "Last updated" date at the top of this page
• For significant changes, we will notify you via the app dashboard or email
• Continued use of the app after changes constitutes acceptance of the updated policy

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us:

• Email: support@eassyapp.com
• In-App: Use the Help Center within the RocketCart dashboard to create a support ticket

We aim to respond to all privacy-related inquiries within 48 hours.