Cartinel

Data Privacy Policy

1. Introduction

This Privacy Policy describes how we collect, use, protect, and share information when you use our services. We are committed to protecting your privacy and ensuring the security of your personal information in accordance with GDPR, CCPA, and other applicable privacy laws.

2. Information We Collect

2.1 Personally Identifiable Information (PII)

We collect the following personal information to provide and improve our services:

  • Account Information: Name, email address, display name
  • Contact Details: Email address for communication and account recovery
  • Profile Data: User preferences, avatar URL (if provided)
  • Age Verification: Date of birth or age range (where required)
  • Unique Identifiers: User ID, session identifiers

2.2 Authentication Information

We implement secure authentication practices:

  • Credentials: Encrypted passwords (using industry-standard hashing)
  • Security Questions: Optional security questions for account recovery
  • Personal Identification Numbers (PINs): Where applicable, stored using secure encryption
  • OAuth Tokens: Third-party authentication tokens (e.g., Google OAuth)
  • Session Tokens: JWT tokens for maintaining secure sessions

Important: We never store passwords in plain text. All authentication data is encrypted using AES-256-GCM encryption at rest and TLS 1.3 in transit.

2.3 User Activity Data

We collect limited activity data to improve service functionality:

  • Application Usage: Features accessed, interaction timestamps
  • Click Events: UI interaction patterns (no keystroke logging)
  • Mouse Position & Scroll Data: For user experience optimization only
  • Network Monitoring: Limited to security and performance monitoring
  • Purchase Interceptions: E-commerce interaction data (if using browser extension)

Note: We do not engage in invasive tracking. No keystroke logging or screen recording is performed. Activity data is collected only for functionality and security purposes.

3. How We Use Your Information

3.1 Primary Uses

  • Service Provision: To create and manage your account
  • Authentication: To verify your identity and maintain secure access
  • Communication: To send service-related notifications
  • Security: To detect and prevent fraudulent activities
  • Improvement: To enhance user experience and service functionality

3.2 Legal Basis for Processing

We process your data based on:

  • Consent: Where you have given explicit consent
  • Contract: To fulfill our service agreement with you
  • Legitimate Interest: For security and service improvement
  • Legal Obligation: To comply with applicable laws

4. Data Protection & Security

4.1 Technical Safeguards

  • Encryption: AES-256-GCM for data at rest, TLS 1.3 for data in transit
  • Database Security: Row Level Security (RLS) ensuring data isolation
  • Access Controls: Multi-factor authentication options available
  • Rate Limiting: Protection against brute force attacks
  • Audit Logging: Complete trail of data access and modifications

4.2 Organizational Measures

  • Data Minimization: We collect only necessary information
  • Access Restrictions: Limited to authorized personnel only
  • Regular Security Audits: Ongoing assessment of security measures
  • Incident Response Plan: Established procedures for security incidents

5. Data Sharing & Disclosure

5.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal information to third parties.

5.2 Limited Sharing Scenarios

We may share information only in these circumstances:

  • Service Providers: With trusted partners who assist in service operation (under strict agreements)
  • Legal Requirements: When required by law or valid legal process
  • Protection: To protect rights, property, or safety
  • Business Transfers: In case of merger or acquisition (with continued protection)

6. Your Rights & Choices

6.1 GDPR Rights (European Users)

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate information
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a portable format
  • Restriction: Limit processing of your data
  • Objection: Object to certain processing activities

6.2 CCPA Rights (California Residents)

  • Know: What personal information we collect and how it's used
  • Delete: Request deletion of personal information
  • Opt-Out: Opt-out of sale (though we don't sell data)
  • Non-Discrimination: Equal service regardless of privacy choices

6.3 General User Controls

  • Account Settings: Manage your profile and preferences
  • Communication Preferences: Control notification settings
  • Data Export: Download your data at any time
  • Account Deletion: Permanently delete your account and associated data

7. Data Retention

We retain personal information only as long as necessary:

  • Active Accounts: Data retained while account is active
  • Inactive Accounts: Deletion after 24 months of inactivity
  • Legal Requirements: Longer retention if required by law
  • Audit Logs: Security logs retained for 12 months
  • Deleted Accounts: Permanently removed within 30 days of deletion request

8. Children's Privacy

Our services are not intended for users under 13 years of age. We do not knowingly collect information from children under 13. If we discover such data has been collected, we will delete it immediately.

For users aged 13-18, we implement additional protections and may require parental consent where applicable by law.

9. International Data Transfers

If your data is transferred internationally, we ensure:

  • Adequate Protection: Using Standard Contractual Clauses or equivalent
  • Privacy Shield: Compliance with relevant frameworks
  • Encryption: All international transfers are encrypted

10. Cookies & Tracking Technologies

We use minimal, essential cookies for:

  • Authentication: Maintaining secure sessions
  • Preferences: Remembering your settings
  • Security: Preventing fraudulent activity

We do not use:

  • Third-party tracking cookies
  • Advertising cookies
  • Cross-site tracking

11. Updates to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

  • Email notification to registered users
  • Prominent notice on our website
  • In-app notifications

12. Contact Information

For privacy-related questions or to exercise your rights, contact us at:

Data Protection Officer

Email: hello@cartinel.app

Response Time: We aim to respond to all privacy requests within 30 days.

13. Supervisory Authority

European users have the right to lodge a complaint with their local Data Protection Authority if they believe their rights have been violated.

Consent Acknowledgment

By using our services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of information in accordance with this policy.