Privacy policy

Last updated: January 15, 2025

1. Introduction

Cartinel ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our browser extension and web application.

By using Cartinel, you agree to the collection and use of information in accordance with this policy.

2. Information we collect

2.1 Information you provide

  • Account information (email address, name)
  • Financial goals you create (target amounts, categories, deadlines)
  • Savings capacity settings
  • Notification preferences

2.2 Browser extension monitoring

Our browser extension uses AI-powered detection to identify purchase opportunities. Here's exactly how it works:

  • What we monitor: Only e-commerce checkout pages and product pages where purchase buttons are detected
  • What we collect: Merchant names, product names, prices, and your decision (cancelled or proceeded)
  • What we DON'T track: Your browsing on non-commerce pages, personal content sites, banking sites, or any pages without purchase buttons
  • Technical mechanism: DOM pattern matching and AI analysis of page content to identify purchase buttons and extract prices
  • Browser permissions required:
    • Active tab access: To detect purchase buttons on the current page
    • Storage: To save your settings and sync with the dashboard
    • No permission to: Read passwords, access banking data, or track your full browsing history

Important: The extension only activates on e-commerce sites. It does not monitor or record your activity on news sites, social media, email, banking, or any other non-shopping websites.

2.3 Automatically collected information

  • Usage statistics and analytics
  • Device and browser information
  • Time to decision (how long before you cancel or proceed)

2.4 Information we do NOT collect

  • Payment card numbers or banking credentials
  • Full browsing history
  • Passwords or authentication tokens from other sites
  • Personal identification documents
  • Social security numbers or tax IDs

3. How we use your information

We use the collected information for:

  • Providing and maintaining the Cartinel service
  • Detecting purchase attempts and calculating goal impact
  • Tracking your progress toward financial goals
  • Sending notifications about goals, budgets, and achievements
  • Analyzing spending patterns and providing insights
  • Improving our AI categorization algorithms
  • Processing payments for Pro subscriptions
  • Communicating with you about service updates
  • Preventing fraud and abuse

3.5 Legal basis for processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

  • Contract (performance of our agreement with you):
    • Providing the Cartinel service and features
    • Processing subscription payments
    • Sending service-related notifications
    • Maintaining your account and goals
  • Legitimate Interest (our business interests, balanced against your rights):
    • Analytics and service improvement
    • Fraud prevention and security
    • Technical troubleshooting
    • AI model training (anonymized data only)
  • Consent (you have explicitly agreed):
    • Marketing communications and newsletters
    • Non-essential analytics cookies
    • Optional features that process additional data
  • Legal Obligation:
    • Tax and accounting records
    • Responding to lawful government requests

Withdrawing consent: Where we rely on your consent, you can withdraw it at any time by contacting hello@cartinel.app or adjusting your account settings. This will not affect the lawfulness of processing before withdrawal.

4. Data storage and security

We implement comprehensive security measures following industry best practices:

  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
  • Access controls: Row-level security ensures users can only access their own data
  • Authentication: Secure authentication via Clerk with support for multi-factor authentication (MFA)
  • Security audits: Regular security assessments and vulnerability testing
  • Access logging: All system access is logged and monitored for suspicious activity
  • Regular updates: Security patches and updates are applied promptly
  • Data backups: Encrypted backups stored in geographically distributed locations

Your data is stored on Supabase servers in secure, SOC 2 Type II compliant data centers.

4.5 Data breach notification

In the unlikely event of a data breach that affects your personal information:

  • We will notify affected users within 72 hours of discovering the breach
  • Notification will include:
    • Nature of the breach and data affected
    • Potential consequences and risks
    • Measures taken to address the breach
    • Recommended actions you should take
  • Notifications will be sent via email to your registered address
  • We will also notify relevant supervisory authorities as required by law

To report a security concern, email hello@cartinel.app with the subject line "Security Concern".

5. Data sharing and disclosure

We do not sell, trade, or rent your personal information. We may share data with:

  • Service Providers: Supabase (database), Clerk (authentication), Paddle (payments), Google AI (categorization)
  • Legal Requirements: If required by law, court order, or government request
  • Business Transfers: In case of merger, acquisition, or asset sale (with notice to you)

5.1 Google AI data processing

We use Google AI (Gemini) to automatically categorize merchants and purchases. Here's what you need to know:

  • Data sent to Google AI:
    • Merchant names and URLs (e.g., "amazon.com")
    • Product names and categories
    • Purchase amounts (for categorization purposes)
  • Data NOT sent: Payment information, passwords, full browsing history, or personal identifiers
  • Google's use of data: According to Google's Enterprise Agreement, your data is not used to train Google's AI models and is not retained beyond the processing session
  • Data Processing Agreement: We have a Data Processing Agreement (DPA) with Google Cloud that ensures GDPR compliance
  • Opt-out: Currently, AI categorization is essential to the service. If you prefer not to use AI categorization, you can manually categorize purchases in your dashboard

6. Your privacy rights

You have the right to:

  • Access: Request a copy of your data
  • Correction: Update or correct inaccurate data
  • Deletion: Request deletion of your account and data
  • Export: Download your data in a portable format (JSON)
  • Opt-Out: Unsubscribe from marketing communications
  • Object: Object to processing of your data
  • Restrict: Request restriction of processing

To exercise these rights, contact us at hello@cartinel.app. We will respond within 30 days.

6.5 California residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

We Do Not Sell Personal Information

Cartinel does not sell, rent, or share your personal information for monetary or other valuable consideration. We do not have any such practices and have not engaged in any such practices in the past 12 months.

Your CCPA rights include:

  • Right to Know: Request disclosure of personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (not applicable as we don't sell data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

How to submit a request:

  • Email: hello@cartinel.app with subject "CCPA Request"
  • Include: Your full name, email address, and specific request
  • Verification: We may ask for verification to protect your privacy
  • Response time: We will respond within 45 days (may extend by 45 additional days if necessary)
  • Authorized agent: You may designate an authorized agent to make requests on your behalf

7. Cookies and tracking

We use essential cookies for:

  • Authentication and session management
  • Remembering your preferences
  • Analytics (anonymized usage data)

You can control cookies through your browser settings, but some features may not work properly if cookies are disabled.

8. Data retention

We retain your data according to the following schedule:

  • Account data: Retained while your account is active and for 30 days after deletion (for recovery purposes)
  • Financial goals and interceptions: Retained while your account is active; deleted within 30 days of account deletion
  • Transaction records: Retained for 7 years to comply with tax and financial regulations
  • Analytics data: Anonymized after 90 days; aggregate anonymous data retained indefinitely for service improvement
  • Support communications: Retained for 3 years for customer service and legal purposes
  • Deleted account data: Permanently removed from production systems within 30 days (may persist in encrypted backups for up to 90 days)

We may retain data longer where required by law or for legitimate business purposes (e.g., fraud prevention, resolving disputes). Anonymized data that cannot identify you may be retained indefinitely.

9. Children's privacy

Cartinel is not intended for users under 18 years old. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately and we will delete it promptly.

10. International data transfers

Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place:

  • EU-US transfers: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA to the United States
  • Service provider agreements: All third-party service providers handling EU data have committed to GDPR-compliant data processing
  • Data Processing Agreements: We have DPAs in place with Supabase, Clerk, and Google Cloud that include SCCs
  • Security measures: Technical and organizational measures ensure your data receives equivalent protection regardless of location

For more information about our data transfer safeguards, contact hello@cartinel.app.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice in our app at least 30 days before changes take effect. Continued use after changes constitutes acceptance of the updated policy. You can review previous versions by contacting us.

12. Contact us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, contact us:

Email: hello@cartinel.app

Support: hello@cartinel.app

Website: cartinel.app

Data Protection Inquiries: Include "Privacy" or "Data Protection" in your email subject line for priority handling