Privacy Policy – Cartt

Last Updated: 8 January 2026

1. Introduction

This Privacy Policy explains how Cartt, an online e-commerce website builder operated by Blumox Technologies, collects, uses, stores, and protects personal data in accordance with applicable Indian laws, including the Digital Personal Data Protection Act, 2023.

2. Data We Collect

Cartt collects various types of personal and business data to provide and improve our services. The information we gather includes:

Account Information

  • Name: Your full legal name for account identification and communication
  • Email Address: Used for account verification, notifications, and service updates
  • Phone Number: Collected for account recovery, verification, and customer support purposes

Business Information

  • Store Name: The name of your e-commerce business
  • GST Registration Number: Collected for tax compliance and regulatory purposes in India
  • Business Address: Your registered business location for verification and compliance
  • Business Category: The type of products or services you offer

KYC & Verification Documents

  • Government-issued identification documents (Aadhaar, PAN, Passport)
  • Business registration certificates and licenses
  • Address proof documents
  • Bank account details for verification purposes

Payment-Related Data

  • Payment Metadata: Transaction history, order summaries, and invoice records
  • Billing Information: Amount, currency, payment method type (not actual card data)
  • Note: Cartt does not collect, store, or process credit/debit card information directly

Technical & Usage Data

  • IP Address: Your internet protocol address for security and analytics
  • Device Information: Browser type, operating system, and device identifiers
  • Usage Logs: Pages visited, features used, and interaction patterns
  • Cookies & Tracking Data: Session tokens and preference information

3. Purpose of Data Processing

Cartt processes personal and business data for the following specific purposes:

Service Delivery & Account Management

  • Account Creation and Authentication: To establish and maintain your Cartt account, verify your identity, and enable secure access to our platform
  • Providing and Maintaining the Service: To deliver e-commerce website building tools, hosting services, and related features you have subscribed to
  • Customer Support: To respond to your inquiries, resolve issues, and provide technical assistance

Compliance & Legal Requirements

  • KYC Verification and Compliance: To verify your identity and business legitimacy in accordance with Indian regulatory requirements and anti-money laundering (AML) laws
  • Legal and Regulatory Compliance: To comply with applicable Indian laws, tax regulations, and government directives
  • Fraud Prevention and Risk Management: To detect, prevent, and investigate fraudulent activities, unauthorized access, and security threats

Financial & Business Operations

  • Billing, Invoicing, and Payment Processing: To generate invoices, process payments, and maintain transaction records for accounting and tax purposes
  • Financial Reporting: To maintain accurate business records and financial statements

Service Improvement & Analytics

  • Product Development: To understand user needs and improve our services, features, and functionality
  • Analytics and Performance Monitoring: To analyze user behavior, platform usage patterns, and system performance
  • Marketing and Communications: To send service updates, promotional materials, and policy changes (with your consent)

Security & Protection

  • Data Security: To protect user data, prevent unauthorized access, and maintain platform integrity
  • Legal Claims: To establish, exercise, or defend legal claims and protect our rights

4. Legal Basis

Under the Digital Personal Data Protection Act, 2023, and other applicable Indian laws, Cartt processes personal data based on the following legal grounds:

Consent

  • Explicit User Consent: We obtain your informed, voluntary, and specific consent before collecting and processing personal data for purposes such as marketing communications, analytics, and non-essential service features
  • Consent Withdrawal: You may withdraw consent at any time, and we will cease processing data for those specific purposes, except where continued processing is required by law

Contractual Necessity

  • Service Delivery: Processing of data essential to establish, maintain, and deliver the Cartt platform and services you have subscribed to is necessary for contract performance
  • Account Management: Your account information, business details, and usage data are necessary to provide the contracted e-commerce solutions and support services

Legal and Regulatory Obligations

  • Statutory Compliance: We process data to comply with applicable Indian laws, including the Income Tax Act, GST regulations, and anti-money laundering (AML) requirements
  • KYC Requirements: Collection and processing of identification and verification documents are mandatory under Indian financial regulations and government directives
  • Government Requests: We may process and disclose data in response to lawful government requests, court orders, or regulatory inquiries

Legitimate Business Interests

  • Fraud Prevention: We process data to detect, investigate, and prevent fraudulent activities, unauthorized access, and security threats to protect our platform and users
  • Service Improvement: Analysis of usage patterns and user behavior helps us enhance features, improve performance, and develop better services
  • Legal Rights Protection: We process data to establish, exercise, or defend legal claims and protect our intellectual property, rights, and business interests

Vital Interests

  • Emergency Situations: In rare cases where processing is necessary to protect the vital interests of individuals or the public, we may process data without prior consent

5. User Responsibilities

As a Cartt user, you bear important responsibilities regarding the data you collect, store, and process through our platform. These responsibilities are critical to ensure compliance with applicable data protection laws and ethical business practices.

Data Collection Authority

  • Lawful Authority: You must ensure that you have obtained lawful consent and authority from all individuals whose personal data you collect and store through your e-commerce store. This includes customer names, contact information, purchase history, and any other personal data.
  • Transparency: You are responsible for informing your customers about what data you collect, why you collect it, and how you will use and protect their information through a clear and accessible privacy policy.
  • Consent Management: You must maintain documented evidence of customer consent and provide mechanisms for customers to withdraw consent at any time.

Data Protection Compliance

  • Regulatory Compliance: You must comply with all applicable data protection laws, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and any other relevant Indian or international regulations that apply to your business operations.
  • Data Security: You are responsible for implementing appropriate technical and organizational measures to protect customer data from unauthorized access, disclosure, alteration, or destruction while stored on or processed through Cartt's platform.
  • Privacy Policy Maintenance: You must maintain an updated, clear, and legally compliant privacy policy for your e-commerce store that accurately describes your data practices and aligns with applicable laws.

Prohibited Data Categories

  • Sensitive Personal Data: You must not collect or store sensitive personal data (such as biometric information, medical records, or financial details) unless absolutely necessary for service delivery and with explicit customer consent and appropriate safeguards.
  • Children's Data: You must not knowingly collect personal data from individuals under 18 years of age unless you have obtained explicit consent from a parent or legal guardian.
  • Illegal Data: You must not use Cartt's platform to store, process, or transmit data obtained illegally or for unlawful purposes.

Data Usage Restrictions

  • Purpose Limitation: You must use customer data only for the purposes for which it was collected (e.g., order fulfillment, customer service, marketing with consent) and must not repurpose or share data beyond the scope of customer expectations without fresh, explicit consent.
  • Third-Party Sharing: If you share customer data with third parties (such as shipping providers, payment processors, or analytics services), you must obtain appropriate customer consent and ensure those third parties implement equivalent data protection standards.
  • Marketing Communications: You must comply with applicable telemarketing and email marketing laws. You must obtain explicit opt-in consent before sending promotional communications and provide easy mechanisms for customers to unsubscribe or opt-out.

Data Subject Rights

  • Access Requests: You must facilitate customer requests to access their personal data and provide it in a clear, understandable format within the timeframe required by applicable laws.
  • Correction and Deletion: You must allow customers to correct inaccurate data and delete their information upon request, subject to legal retention requirements.
  • Data Portability: You must be prepared to provide customer data in machine-readable formats if requested, enabling customers to transfer their information to other services.

Breach Notification

  • Notification Obligations: In the event of a data breach involving customer data, you must promptly notify affected customers and, where required by law, notify relevant regulatory authorities within the prescribed timeframe.
  • Cartt Notification: You must immediately notify Cartt of any data breaches that may affect our platform or infrastructure.

Liability and Indemnification

  • User Accountability: You are solely responsible for ensuring compliance with data protection laws regarding customer data you collect and process. Cartt is not liable for any violations of data protection laws resulting from your misuse of the platform or failure to comply with applicable regulations.
  • Indemnification: You agree to indemnify and hold Cartt harmless from any claims, damages, fines, or legal actions arising from your data processing activities, including violations of data protection laws, unauthorized data collection, or misuse of customer information.

Training and Awareness

  • Team Compliance: You are responsible for ensuring that your team members who handle customer data are trained on data protection principles and your company's privacy practices.
  • Policy Updates: You must keep yourself informed of changes in applicable data protection laws and update your practices accordingly.

6. KYC & Verification

KYC (Know Your Customer) documents are collected solely for identity verification, fraud prevention, regulatory compliance, and to ensure the legitimacy of users and their business operations on the Cartt platform.

Types of KYC Documents

  • Government-Issued Identification: Aadhaar Card, PAN Card, Passport, Voter ID, or Driving License for personal identity verification
  • Business Registration Certificates: GST Registration Certificate, Business Registration Certificate, or Partnership Deed for business legitimacy verification
  • Address Proof: Utility bills, rent agreements, property documents, or bank statements to verify your residential or business address
  • Bank Account Details: Bank account information for verification and payment processing purposes (account numbers, IFSC codes, and account holder names)

KYC Verification Process

  • Document Submission: You are required to submit valid, legible copies of the documents listed above during account creation or when requested by Cartt for compliance purposes
  • Verification Timeline: Cartt will review and verify submitted documents within 5-7 business days. You will be notified of verification status via email
  • Rejection and Re-submission: If documents are rejected due to illegibility, incompleteness, or validity concerns, you will be informed of the reasons and given an opportunity to resubmit corrected documentation
  • Third-Party Verification: Cartt may engage third-party verification service providers to validate document authenticity and cross-check information against official databases

Regulatory Compliance

  • Anti-Money Laundering (AML): KYC verification is mandatory under Indian AML regulations to prevent money laundering, terrorist financing, and other financial crimes
  • Goods and Services Tax (GST): GST registration details are verified to ensure tax compliance and legitimate business operations
  • Income Tax Compliance: PAN information is verified to comply with income tax regulations and financial reporting requirements
  • Government Directives: KYC data may be shared with government authorities in response to lawful requests, regulatory inquiries, or legal proceedings

Data Security and Privacy

  • Encrypted Storage: All KYC documents and sensitive information are encrypted at rest and transmitted only over encrypted connections
  • Access Control: Only authorized Cartt personnel involved in verification and compliance activities have access to KYC documents
  • Limited Retention: KYC documents are retained only as long as necessary for regulatory compliance, fraud prevention, and account management purposes
  • No Unauthorized Sharing: KYC documents will not be shared with third parties except as required by law or regulatory authorities

User Obligations

  • Accuracy and Truthfulness: You must ensure that all KYC information provided is accurate, current, and truthful. Providing false or fraudulent documents is strictly prohibited and may result in account termination and legal action
  • Document Validity: You are responsible for ensuring that submitted documents are valid, unexpired, and legible
  • Timely Submission: You must submit required KYC documents promptly when requested by Cartt to maintain uninterrupted access to the platform
  • Updates: You must inform Cartt immediately if any information in your KYC documents becomes outdated or changes (e.g., name change, address change, GST number changes)

Consequences of KYC Non-Compliance

  • Account Restrictions: Failure to complete KYC verification may result in restricted functionality, inability to process payments, or account suspension
  • Account Termination: Persistent non-compliance with KYC requirements or submission of fraudulent documents may result in permanent account termination
  • Legal Consequences: Providing false information or fraudulent documents in KYC verification violates applicable laws and may expose you to criminal and civil liability

Data Subject Rights

  • Access to KYC Data: You have the right to request and access copies of your KYC documents and verification records maintained by Cartt
  • Correction: You may request corrections to KYC information if you believe any data is inaccurate or incomplete
  • Grievance Redressal: If you have concerns regarding KYC verification processes or data handling, you may file a formal grievance with our Grievance Officer (contact details in Section 17)

7. Payment Information

Cartt processes all payments through Razorpay, a PCI-DSS compliant payment gateway. We do not directly collect, store, process, or have access to your credit/debit card information, UPI details, or other sensitive payment data.

Payment Processing

  • Third-Party Payment Gateway: All payment transactions are processed exclusively through Razorpay, a secure and regulated payment service provider licensed by the Reserve Bank of India (RBI)
  • No Card Data Storage: Cartt does not collect, store, retain, or process credit card, debit card, or direct banking information. Your payment credentials are transmitted directly to Razorpay's secure servers
  • Payment Methods Supported: Razorpay processes multiple payment methods including credit/debit cards, UPI, net banking, digital wallets, and other methods available on their platform

Payment Data Collected by Cartt

  • Transaction Metadata: We collect and store transaction ID, payment amount, currency, timestamp, and payment status for billing, invoicing, and accounting purposes
  • Billing Information: We maintain records of your billing address, invoice details, and order summaries for tax compliance and customer service
  • Payment Method Type: We record only the type of payment method used (e.g., "Credit Card," "UPI," "Net Banking") without storing actual payment credentials
  • Subscription Details: For recurring payments, we maintain your subscription plan information, billing cycle, and renewal dates

Razorpay Integration

  • PCI-DSS Compliance: Razorpay is certified as PCI-DSS Level 1 compliant, meeting the highest international standards for payment card data security
  • Tokenization: Razorpay may use tokenization to securely store payment information on your behalf if you opt for saved payment methods. Cartt does not have access to these tokens
  • Payment Status Webhooks: Cartt receives payment status notifications from Razorpay (success, failure, pending) to update your account and process orders accordingly
  • Razorpay Privacy Policy: Your payment data processed by Razorpay is governed by their privacy policy. We encourage you to review Razorpay's privacy and security practices at https://razorpay.com/privacy
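As an added example (not Cartt's or Razorpay's own code), the following shows how a receiving service can authenticate the payment status webhooks described above before acting on them. Razorpay signs each webhook with an HMAC-SHA256 over the raw request body using the webhook secret configured in the dashboard and sends the hex digest in the X-Razorpay-Signature header. The secret, the event payload and the handler names below are constructed for illustration only.

```python
import hmac
import hashlib
import json

# Hypothetical webhook secret, as configured in the Razorpay dashboard (constructed for this example).
WEBHOOK_SECRET = b"whsec_example_do_not_use"


def compute_signature(raw_body: bytes, secret: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over the exact request body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Return True only if the X-Razorpay-Signature header matches the body.

    Uses a constant-time comparison so a caller cannot time how many
    leading characters of a forged signature are correct.
    """
    if not signature_header:
        return False
    expected = compute_signature(raw_body, secret)
    return hmac.compare_digest(expected, signature_header.strip())


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Parse a verified webhook and return the fields a billing system would act on.

    Returns {"accepted": False, "reason": ...} for anything that fails verification,
    so the caller never updates payment status from an unverified message.
    """
    signature = headers.get("X-Razorpay-Signature", "")
    if not verify_webhook(raw_body, signature, secret):
        return {"accepted": False, "reason": "bad signature"}
    try:
        event = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "malformed JSON"}
    payment = event.get("payload", {}).get("payment", {}).get("entity", {})
    return {
        "accepted": True,
        "event": event.get("event"),
        "payment_id": payment.get("id"),
        "status": payment.get("status"),
        "amount": payment.get("amount"),
    }


# Constructed sample webhook body: the shape follows a payment.captured event, the values are made up.
SAMPLE_BODY = json.dumps({
    "event": "payment.captured",
    "payload": {"payment": {"entity": {
        "id": "pay_EXAMPLE000000001",
        "status": "captured",
        "amount": 49900,
        "currency": "INR",
    }}},
}, separators=(",", ":")).encode()

SAMPLE_HEADERS = {"X-Razorpay-Signature": compute_signature(SAMPLE_BODY, WEBHOOK_SECRET)}

# A tampered copy: same signature header, one field changed in the body (amount 49900 -> 99900).
TAMPERED_BODY = SAMPLE_BODY.replace(b"49900", b"99900")

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS))   # accepted, status captured
    print(handle_webhook(TAMPERED_BODY, SAMPLE_HEADERS))  # rejected: bad signature
    print(handle_webhook(SAMPLE_BODY, {}))                # rejected: missing header
```

Two points a practitioner should keep in mind: the HMAC must be computed over the request body bytes exactly as received, not over a re-serialized copy of the parsed JSON, and the signature must be checked before the payload is parsed or any account state is changed, so that an unauthenticated caller can never mark a payment as successful.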

Payment Security Measures

  • Secure Transmission: All payment transactions are encrypted in transit using TLS (HTTPS) to prevent interception or tampering
  • No Sensitive Data Logging: Cartt does not log, cache, or retain sensitive payment information in our systems or databases
  • Fraud Detection: Razorpay implements advanced fraud detection mechanisms to identify and prevent unauthorized transactions and suspicious activities
  • Secure Checkout: The payment checkout interface is hosted securely by Razorpay, isolating payment processing from Cartt's infrastructure

Billing and Invoicing

  • Invoice Generation: Upon successful payment, Cartt generates invoices containing transaction details, plan information, and billing address
  • Invoice Storage: Invoices are retained in your account for record-keeping, tax compliance, and financial reporting purposes
  • Invoice Access: You can download and access all invoices related to your account at any time through your Cartt dashboard
  • Tax Information: If applicable, invoices include GST and other tax details as per your business registration information

Refunds and Chargebacks

  • Refund Processing: All refunds are processed back to the original payment method used for the transaction through Razorpay
  • Refund Timeline: Refunds are typically processed within 5-7 business days, though your bank may take additional time to credit the amount
  • Chargeback Resolution: In case of disputed transactions or chargebacks, Cartt will work with Razorpay to resolve the matter in accordance with card network rules and RBI guidelines

Data Sharing with Payment Partner

  • Information Shared: To process payments, Cartt shares your name, email address, phone number, billing address, and order details with Razorpay
  • Contractual Obligation: This information sharing is necessary to complete payment transactions and is covered under Cartt's Data Processing Agreement with Razorpay
  • Razorpay Liability: Razorpay handles your payment data as a payment processor and is bound by their own privacy policy and applicable data protection laws

Recurring Payments and Subscriptions

  • Auto-Renewal: If you subscribe to a recurring plan, Cartt (via Razorpay) will automatically charge your selected payment method on each billing cycle
  • Subscription Management: You can manage your subscription, update payment methods, or cancel subscriptions from your account dashboard
  • Payment Failure Handling: If a recurring payment fails, Cartt will notify you and provide options to update your payment method or resolve the issue
  • Cancellation Policy: You may cancel your subscription at any time. Your access will be terminated at the end of your current billing cycle unless otherwise specified

User Responsibilities

  • Accurate Information: You must provide accurate billing address and payment method information to ensure successful transaction processing
  • Authorization: You confirm that you are authorized to use the payment method provided and that all information submitted is accurate and truthful
  • Unauthorized Transactions: You must promptly notify Cartt and Razorpay of any unauthorized transactions or suspicious activity on your account
  • Account Security: You are responsible for maintaining the confidentiality of your login credentials and for all activities that occur under your account

Data Retention for Payment Records

  • Transaction Records: Payment transaction metadata and invoices are retained for a minimum of 7 years in accordance with Indian GST and Income Tax regulations
  • Compliance Requirement: Extended retention of financial records is necessary to comply with tax audit requirements and statutory obligations
  • Deletion After Retention Period: Payment records are securely deleted after the applicable retention period unless retention is required for ongoing legal proceedings

Currency and International Payments

  • Currency Support: Cartt supports payments primarily in Indian Rupees (INR). International payments may be accepted based on your subscription plan and Razorpay's supported currencies
  • Currency Conversion: If you make payments in a currency other than INR, applicable exchange rates and conversion charges will be applied by Razorpay
  • International Compliance: International payment transactions are processed in compliance with RBI regulations and applicable international financial laws

8. Data Sharing

Cartt may share your personal and business data with third parties in specific circumstances. Data sharing is conducted on a strict need-to-know basis, with appropriate contractual safeguards, and only for purposes consistent with this Privacy Policy.

Data Sharing Categories

  • Payment Processors: Payment information and transaction details are shared with Razorpay to process your subscriptions, payments, and refunds. Razorpay is bound by PCI-DSS compliance standards and data protection agreements
  • Hosting and Infrastructure Providers: Your account data, usage logs, and business information may be shared with cloud hosting providers (such as AWS, Google Cloud, or similar services) who host Cartt's infrastructure and maintain platform uptime and security
  • Service Partners and Vendors: We may share necessary data with third-party service providers who assist with email delivery, customer support, analytics, backup and disaster recovery, KYC verification, and fraud prevention
  • Government Authorities: We may disclose data to government agencies, regulatory bodies, or law enforcement in response to lawful requests, court orders, subpoenas, or legal proceedings. This may include tax authorities, RBI, GST department, and other regulatory agencies
  • Legal and Compliance Purposes: We may share data when required to comply with Indian laws, regulations, or court orders, or to protect our legal rights and interests

Third-Party Service Providers

  • Data Processing Agreements: All third-party service providers are bound by Data Processing Agreements (DPA) that stipulate confidentiality obligations, data security requirements, and compliance with applicable data protection laws
  • Limited Access: Service providers receive only the minimum personal data necessary to perform their contracted functions and are prohibited from using your data for any other purpose
  • Verification Services: For KYC verification purposes, we may share your identification documents and business information with third-party identity verification services and document validation providers
  • Email and Communication Services: We may use third-party email service providers to send you transactional emails, account notifications, and service updates. These providers have access to your email address and communication preferences
  • Analytics and Monitoring: We may share anonymized and aggregated usage data with analytics service providers to monitor platform performance, identify trends, and improve user experience
  • Fraud Prevention Services: We may share transaction data and account information with fraud detection and prevention services to identify suspicious activities and protect against unauthorized access

Legal and Regulatory Disclosures

  • Compliance with Law: Cartt may disclose your personal data when required by applicable Indian laws, including the Digital Personal Data Protection Act, 2023, the Income Tax Act, the Goods and Services Tax Act, and other statutory requirements
  • Law Enforcement Requests: We may share data with law enforcement agencies, government departments, and regulatory authorities in response to lawful requests, legal proceedings, or investigations related to fraud, money laundering, or other criminal activities
  • Tax Compliance: Your GST registration number, PAN, business address, and transaction records may be shared with tax authorities as required under Indian tax laws and regulations
  • Anti-Money Laundering (AML): KYC information may be shared with government financial intelligence agencies in compliance with AML regulations and terrorist financing prevention requirements
  • Court Orders and Subpoenas: Cartt will comply with lawful court orders, subpoenas, and judicial directives requiring the disclosure of your personal data
  • Government Directives: We may share data in response to government directives, notices from regulatory authorities, or emergency situations affecting public safety

Business Partners and Integrations

  • Strategic Partnerships: If Cartt enters into partnerships with complementary service providers (such as shipping, logistics, or business service providers), we may share necessary business information with your explicit consent
  • API and Third-Party Integrations: If you authorize third-party applications or integrations with your Cartt account (such as accounting software, CRM platforms, or marketing tools), relevant data will be shared with those services in accordance with their privacy policies
  • Consent Requirement: We will not share your data with business partners without obtaining your prior, explicit, and informed consent unless required by law

Data Sharing with Sub-Processors

  • Sub-processor Authorization: Cartt may engage additional sub-processors to handle specific data processing activities (such as backup services, security monitoring, or customer support platforms)
  • Contractual Obligations: All sub-processors are bound by written contracts that impose data protection obligations equivalent to those in this Privacy Policy
  • Notification of Changes: Cartt will notify you of any significant changes to our sub-processor list or data processing arrangements as required by applicable law

No Unauthorized Commercial Sharing

  • Commercial Use Prohibition: Cartt does not sell, lease, rent, or commercially trade your personal data to third parties for marketing or advertising purposes without your explicit, opt-in consent
  • Data Broking Restriction: We do not function as a data broker and do not engage in the business of selling or monetizing personal data
  • Marketing Communications: We will not share your personal data with external marketers or advertisers unless you have provided explicit, documented consent for such sharing

Aggregated and Anonymized Data

  • Anonymization: We may share aggregated, anonymized, and de-identified data with partners for analytics, research, and business intelligence purposes. This data cannot be used to identify individuals
  • Statistical Analysis: Usage patterns, feature adoption rates, and platform performance metrics may be shared in aggregated form with stakeholders and service providers
  • No Personal Identification: Anonymized data sharing does not require individual consent as the data is not personal data under data protection laws

International Data Transfers

  • Cross-Border Processing: Your data may be processed, stored, or transferred to servers or service providers located outside India, particularly for cloud hosting and infrastructure services
  • Adequate Safeguards: All international data transfers are conducted with appropriate technical and organizational safeguards to ensure data protection standards equivalent to Indian law
  • Standard Contractual Clauses: Where applicable, Cartt uses Standard Contractual Clauses and other legally recognized mechanisms to ensure lawful and secure international data transfers

Data Sharing in M&A and Business Transitions

  • Business Acquisition: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred as part of the business transition
  • Notice Requirement: You will be notified of any change in ownership or control of your data, and we will ensure that any successor entity maintains privacy protections consistent with this Privacy Policy
  • Data Protection Continuity: Any successor entity will be bound by the terms of this Privacy Policy or will provide equivalent privacy protections

User Control and Opt-Out

  • Consent Management: For non-essential data sharing (such as marketing partner sharing), you can withdraw consent at any time through your account settings or by contacting our Grievance Officer
  • Mandatory Sharing: Data sharing required for legal compliance, payment processing, or service delivery cannot be opted out of, as it is essential for contract performance and legal obligations
  • Communication Preferences: You can manage your communication preferences and opt out of promotional communications and non-transactional data sharing

Data Sharing Transparency

  • Disclosure Statement: This section provides comprehensive disclosure of all categories of third parties with whom your data may be shared
  • Right to Information: You have the right to request information about all third parties with whom your data has been shared and the purpose of such sharing
  • Privacy Notices: Third parties handling your data are required to provide their own privacy notices explaining how they process your information

Grievance and Dispute Resolution

  • Data Sharing Concerns: If you have concerns about unauthorized data sharing or believe your data has been shared inappropriately, you may file a formal grievance with our Grievance Officer
  • Investigation: Cartt will investigate any allegations of improper data sharing and take corrective action if violations are found
  • Remediation: If data has been shared in violation of this Privacy Policy, we will take steps to mitigate harm and prevent future violations

9. Data Retention

Cartt retains personal and business data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, or to protect our legitimate business interests. This section outlines our data retention policies and the circumstances under which data is deleted or securely disposed of.

General Data Retention Principles

  • Purpose Limitation: Data is retained only for the specific purposes outlined in Section 3 (Purpose of Data Processing). Once the purpose is fulfilled, data is deleted or anonymized unless legal, regulatory, or legitimate business requirements mandate continued retention
  • Proportionality: The retention period is proportionate to the purpose for which data was collected. We do not retain data longer than necessary
  • Regular Review: Cartt periodically reviews retained data and deletes or anonymizes information that is no longer necessary for business or legal purposes
  • Secure Deletion: When data is deleted, it is securely disposed of using industry-standard deletion methods that prevent recovery or reconstruction

Account and Business Data Retention

  • Active Accounts: While your account is active, Cartt retains your account information (name, email, phone number, business details, and usage logs) to provide services, maintain account security, and comply with regulatory requirements
  • Account Termination: Upon account termination or deletion, your personal data (name, email, phone number) is retained for 90 days to allow for account recovery requests. After this period, personal data is deleted unless retention is required by law
  • Business Data Archival: Store configuration data, product information, and customization settings are retained for 180 days after account termination to allow for data export or recovery. After this period, the data is securely deleted
  • Backup Retention: Automated backups of account data may be retained for up to 30 days for disaster recovery and system restoration purposes. These backups are automatically purged after the retention period unless a recovery is in progress

Financial and Payment Data Retention

  • Transaction Records: Payment transaction metadata (transaction ID, amount, currency, timestamp, payment status) is retained for a minimum of 7 years in accordance with Indian GST regulations, the Income Tax Act, and financial compliance requirements
  • Invoices: Invoices and billing records are retained for a minimum of 7 years for tax audit purposes, statutory compliance, and financial reporting requirements mandated by the Indian Income Tax Department and GST authorities
  • Billing Address: Your billing address information is retained for as long as your account is active and for 7 years after account termination for tax and compliance purposes
  • Refund and Chargeback Records: Records of refunds, chargebacks, and disputed transactions are retained for 7 years as required by payment processor regulations and RBI guidelines
  • Subscription Details: Subscription plan information, billing cycles, and renewal dates are retained for the duration of your subscription and 7 years thereafter for compliance and audit purposes

KYC and Verification Document Retention

  • Document Storage: KYC documents (government ID, GST certificates, business registration, address proof, bank account details) are retained for the duration of your account and as long as legally required for regulatory compliance
  • Regulatory Retention Period: In accordance with Indian AML regulations, KYC documents must be retained for a minimum of 5 years after account closure or the conclusion of any business relationship
  • Extended Retention: If your account is subject to ongoing legal proceedings, investigation, or regulatory scrutiny, KYC documents and verification records are retained until the matter is conclusively resolved
  • Document Destruction: After the mandatory retention period expires, KYC documents are securely destroyed using methods that render them unrecoverable, unless retention is required for pending legal action
  • Verification Records: Records of KYC verification activities, including verification timestamps, verification status, and communication logs, are retained for 7 years for audit and compliance purposes

Usage Logs and Technical Data Retention

  • Server Logs: Technical logs (IP addresses, device information, browser type, access timestamps, and error logs) are retained for 90 days for security monitoring, troubleshooting, and fraud prevention purposes
  • Analytics Data: User behavior analytics and usage pattern data are retained for 12 months in aggregated form for service improvement purposes. Individual user tracking data is deleted after 90 days
  • Security Logs: Logs related to login attempts, security events, password changes, and account access are retained for 1 year for security audit purposes
  • Cookies and Session Data: Session tokens and temporary tracking data are retained only for the duration of your active session or up to 30 days from your last activity, whichever is earlier
  • Automated Deletion: Technical data is automatically purged at the end of each retention period through automated data lifecycle management processes

Communication and Support Data Retention

  • Customer Support Records: Support tickets, chat transcripts, emails, and communication logs are retained for 3 years after resolution of the support request for quality assurance, dispute resolution, and service improvement purposes
  • Complaint and Grievance Records: Records of complaints, grievances, and disputes filed with Cartt are retained for 5 years from the date of resolution to comply with regulatory requirements and to defend against potential legal claims
  • Feedback and Surveys: User feedback, survey responses, and feature requests are retained in aggregated form indefinitely for product development purposes. Individual identifiable information is removed or anonymized within 12 months

Legal and Compliance Data Retention

  • Legal Holds: If your account or data is subject to a legal hold, litigation, regulatory investigation, or court order, all related data is retained until the matter is legally concluded and all retention obligations are satisfied
  • Government Requests: Data disclosed to government authorities in response to lawful requests is retained in accordance with the government's legal requirements and applicable law
  • Dispute Resolution: Data related to ongoing disputes, claims, or arbitration proceedings is retained until final resolution, judgment, or settlement agreement is executed
  • Tax Audit Data: All data related to tax compliance, GST filings, and income tax matters is retained for a minimum of 7 years to comply with Indian tax authority requirements and allow for audit proceedings

Data Subject Rights Regarding Retention

  • Right to Deletion: Upon account termination and expiration of the 90-day recovery period, you may request deletion of personal data. However, data required for legal, tax, or regulatory compliance cannot be deleted
  • Right to Access Retention Information: You have the right to request information about the retention period for your specific data and the reasons for extended retention
  • Right to Data Portability: Before data is deleted, you may request export or portability of your data in a machine-readable format
  • Exemptions from Deletion: Cartt may not be able to delete data if retention is required by applicable Indian law, regulatory obligation, ongoing legal proceedings, or legitimate business purposes

Special Retention Categories

  • Fraud and Security Data: Data related to suspected fraudulent activity, security breaches, or unauthorized access attempts is retained for 7 years to prevent recurrence and support potential legal action
  • Account Abuse Records: Records of account policy violations, abuse, or misuse are retained for 5 years to maintain security and prevent repeat violations
  • Marketing and Consent Records: Records documenting your marketing preferences, consent status, and opt-out requests are retained for the duration of your relationship with Cartt and 2 years thereafter to comply with marketing laws

Data Deletion Process

  • Scheduled Deletion: Data is automatically deleted at the end of the applicable retention period through scheduled deletion processes
  • Secure Erasure Methods: Deletion uses cryptographic erasure, overwriting, or physical destruction of storage media to ensure data cannot be recovered
  • Verification of Deletion: Cartt implements verification procedures to confirm successful deletion of data from primary systems and backup copies
  • Residual Data: Due to technical limitations, some residual data may remain in backup systems. Such backups are retained only as long as necessary for disaster recovery and are automatically purged according to backup retention schedules

Anonymization and De-identification

  • Anonymization Process: Instead of deletion, Cartt may anonymize data by removing or obscuring personally identifiable information, converting it to non-personal data that cannot identify individuals
  • Aggregation: Usage data and analytics may be aggregated and de-identified for long-term retention to support business intelligence and service improvement without identifying individuals
  • Anonymized Data Use: Anonymized data is not subject to retention restrictions and may be retained indefinitely for legitimate business purposes

User Responsibility for Customer Data

  • Your Data Retention Obligations: As a Cartt user, you are responsible for maintaining appropriate retention policies for customer data you collect through your store. You must comply with all applicable data protection laws and delete customer data as required by law or upon customer request
  • Cartt's Limited Liability: Cartt is not responsible for your compliance with data retention laws or for ensuring you delete customer data in a timely manner. You retain full responsibility for data governance and retention decisions regarding customer information on your store
  • Data Export Before Deletion: Before account termination, you should export customer data if you wish to retain it. After the 90-day recovery period, customer data stored on Cartt's platform cannot be recovered

Retention Period Summary Table

  • Account Information: 90 days after termination (then deleted)
  • Financial and Tax Records: Minimum 7 years (statutory requirement)
  • KYC Documents: 5 years after account closure (regulatory requirement)
  • Technical Logs: 90 days (then deleted)
  • Analytics Data: 12 months in aggregated form (then anonymized)
  • Support Records: 3 years after resolution (then deleted)
  • Fraud Detection Data: 7 years (then deleted)
  • Backup Data: 30 days for disaster recovery (then deleted)

Changes to Retention Periods

  • Legal Updates: Retention periods may be extended if required by changes in applicable laws, regulatory requirements, or government directives
  • Notification: Users will be notified of significant changes to retention policies through this Privacy Policy or by email notification
  • Compliance Flexibility: Cartt reserves the right to extend retention periods to comply with new legal requirements or court orders

10. Security Measures

Cartt implements comprehensive technical, organizational, and administrative safeguards to protect your personal and business data against unauthorized access, disclosure, alteration, destruction, and other security threats. Our security measures comply with industry best practices and applicable Indian data protection laws.

Technical Security Measures

  • Encryption in Transit: All data transmitted between your device and Cartt's servers is encrypted using SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols with minimum 256-bit encryption. This ensures that data cannot be intercepted or read by unauthorized parties during transmission
  • Encryption at Rest: Personal, business, and financial data stored on Cartt's servers is encrypted using AES-256 encryption standards. Database encryption keys are stored separately and securely to prevent unauthorized data access
  • Secure Authentication: User accounts are protected by strong password requirements, two-factor authentication (2FA), and multi-factor authentication (MFA) options. Login attempts are monitored for suspicious activity
  • Session Management: User sessions are managed securely with time-limited session tokens, secure cookie attributes (HttpOnly, Secure, SameSite flags), and automatic session termination after periods of inactivity
  • Web Application Firewall (WAF): Cartt's infrastructure is protected by enterprise-grade WAF systems that detect and block malicious requests, SQL injection attempts, cross-site scripting (XSS), and other web-based attacks
  • DDoS Protection: Cartt utilizes distributed denial-of-service (DDoS) mitigation services to protect against large-scale attacks that could disrupt service availability
  • API Security: All APIs used by Cartt are secured with API keys, rate limiting, input validation, and OAuth 2.0 authentication protocols to prevent unauthorized access
  • Database Security: Databases are secured with access controls, role-based permissions, parameterized queries to prevent SQL injection, and regular security patches
  • Regular Security Updates: All software, libraries, frameworks, and dependencies are kept current with the latest security patches and updates to address known vulnerabilities
  • Security Monitoring: Cartt maintains continuous monitoring of systems for suspicious activities, unauthorized access attempts, and security anomalies using automated intrusion detection systems

Infrastructure Security

  • Cloud Infrastructure: Cartt's infrastructure is hosted on secure, compliant cloud platforms (such as AWS or Google Cloud) that provide physical security, environmental controls, and redundancy
  • Data Center Security: Data centers are equipped with multi-layered physical security including biometric access controls, surveillance systems, security personnel, and environmental monitoring
  • Network Segmentation: Cartt's network is segmented into isolated zones with firewalls and access controls to prevent lateral movement of threats within the network
  • Redundancy and Failover: Critical systems are redundant with automatic failover capabilities to ensure business continuity and prevent single points of failure
  • Backup and Disaster Recovery: Regular automated backups are maintained on geographically distributed servers. Disaster recovery procedures are tested periodically to ensure rapid data restoration in case of emergencies
  • Load Balancing: Traffic is distributed across multiple servers to prevent overload, ensure high availability, and maintain service performance

Application Security

  • Secure Code Development: Cartt follows secure coding practices and the OWASP (Open Web Application Security Project) Top 10 guidelines to prevent common security vulnerabilities
  • Input Validation and Sanitization: All user inputs are validated and sanitized to prevent injection attacks, cross-site scripting, and other malicious inputs
  • Security Testing: Regular security testing, including static code analysis (SAST), dynamic application security testing (DAST), and penetration testing, is conducted to identify and remediate vulnerabilities
  • Vulnerability Scanning: Automated vulnerability scanning tools continuously scan the application and infrastructure for known security issues
  • Security Code Review: Code changes undergo security review before deployment to identify potential security flaws early in the development process
  • Bug Bounty Program: Cartt maintains a responsible disclosure policy and encourages security researchers to report vulnerabilities responsibly

Access Control and Authorization

  • Role-Based Access Control (RBAC): Access to Cartt's systems and data is controlled through role-based permissions. Employees have access only to data necessary for their specific job functions
  • Principle of Least Privilege: Employees and administrators are granted the minimum level of access required to perform their duties
  • Administrative Access Logging: All administrative access to systems and databases is logged, monitored, and periodically reviewed for unauthorized activity
  • Multi-Factor Authentication for Admins: Administrative and privileged accounts require multi-factor authentication to access sensitive systems
  • Access Revocation: When employees leave Cartt or change roles, their access privileges are immediately revoked
  • Third-Party Access Management: Access granted to vendors, contractors, and service providers is controlled, monitored, and regularly audited

Data Protection Practices

  • Data Minimization: Cartt collects and retains only the minimum personal data necessary to provide services. Unnecessary data is not collected or is deleted promptly
  • Anonymization and Pseudonymization: Where possible, personal data is anonymized or pseudonymized to reduce privacy risks while maintaining data utility for analytics and research
  • Data Classification: Data is classified by sensitivity level (public, internal, confidential, restricted) and protected according to its classification
  • Secure Data Deletion: When data is deleted, it is securely overwritten or destroyed using cryptographic erasure to prevent recovery
  • Segregation of Data: Personal data is segregated from general operational data and protected with enhanced security controls

Employee Security and Training

  • Employee Background Checks: All Cartt employees undergo background verification and security screening before employment
  • Confidentiality Agreements: Employees and contractors sign confidentiality and non-disclosure agreements obligating them to protect personal data
  • Security Awareness Training: All employees receive mandatory security awareness training covering data protection, phishing prevention, password security, and incident reporting
  • Data Protection Training: Employees handling personal data receive specialized training on data protection principles, regulatory requirements, and secure data handling practices
  • Regular Security Updates: Employees receive periodic updates on new security threats, vulnerabilities, and best practices
  • Incident Response Training: Staff members are trained on identifying, reporting, and responding to security incidents and data breaches

Third-Party Security

  • Vendor Security Assessment: Third-party service providers are evaluated for security practices, certifications, and compliance before engagement
  • Data Processing Agreements: All vendors and sub-processors are bound by Data Processing Agreements (DPA) that impose security and confidentiality obligations
  • Regular Audits: Cartt conducts periodic security audits and assessments of third-party service providers to ensure compliance with security standards
  • Vendor Compliance Monitoring: Vendors are required to maintain security certifications (ISO 27001, SOC 2, etc.) and provide evidence of compliance
  • Incident Notification: Vendors are contractually obligated to notify Cartt immediately of any security breaches or incidents affecting customer data

Incident Response and Breach Management

  • Incident Response Plan: Cartt maintains a comprehensive incident response plan defining procedures for identifying, containing, investigating, and remediating security incidents
  • 24/7 Monitoring: Security monitoring and incident response teams operate 24/7 to detect and respond to security incidents promptly
  • Immediate Containment: Upon detection of a security breach, Cartt takes immediate action to contain the breach, isolate affected systems, and prevent further unauthorized access
  • Forensic Investigation: Security incidents are thoroughly investigated to determine the cause, scope, and impact. Forensic evidence is preserved for legal and regulatory purposes
  • Breach Notification: In compliance with the Digital Personal Data Protection Act, 2023, and other applicable laws, Cartt notifies affected individuals and regulatory authorities of data breaches within the prescribed timeframe (typically 72 hours)
  • Remediation and Corrective Action: After a breach, Cartt implements corrective measures to prevent recurrence and strengthen security controls
  • Transparency: Affected users are provided with detailed information about the breach, including the nature of the breach, data affected, and steps users should take to protect themselves

Compliance and Certifications

  • ISO 27001 Certification: Cartt maintains ISO/IEC 27001 certification, demonstrating compliance with international information security management standards
  • SOC 2 Compliance: Cartt undergoes SOC 2 Type II audits to verify security, availability, processing integrity, confidentiality, and privacy controls
  • GDPR Compliance: Although Cartt primarily serves Indian users, we comply with GDPR requirements for users in the European Union
  • DPDP Act Compliance: All security measures align with the Digital Personal Data Protection Act, 2023, and DPDP Rules requirements
  • Regular Audits: Cartt undergoes regular independent security audits and assessments by third-party security firms to verify the effectiveness of security controls
  • Compliance Verification: Security certifications and audit reports are maintained and available for regulatory scrutiny

Security Vulnerabilities and Responsible Disclosure

  • Vulnerability Reporting: If you discover a security vulnerability in Cartt's systems, you are encouraged to report it immediately to [email protected] with detailed information
  • Responsible Disclosure: Cartt follows responsible disclosure practices and does not publicly disclose vulnerabilities until patches have been developed and deployed
  • Non-Disclosure of Reporter: The identity of vulnerability reporters is kept confidential unless otherwise agreed
  • Timely Patching: Upon receipt of a vulnerability report, Cartt prioritizes development and deployment of patches or workarounds
  • Reporter Recognition: Security researchers who responsibly disclose vulnerabilities may be recognized in Cartt's security hall of fame

Limits of Security

  • No Absolute Security: While Cartt implements comprehensive security measures, no security system is completely immune to breaches or attacks. Perfect security is not achievable
  • User Responsibility: Users are responsible for protecting their login credentials, maintaining secure passwords, enabling two-factor authentication, and not sharing account access with unauthorized parties
  • Public Networks: Users should avoid accessing Cartt accounts over unsecured public Wi-Fi networks without a VPN, as such networks may be vulnerable to interception
  • Phishing Awareness: Users should be aware of phishing attempts targeting Cartt accounts and verify the authenticity of communications claiming to be from Cartt
  • Security Limitations: Cartt's security measures protect against common threats but cannot guarantee protection against sophisticated, targeted attacks or zero-day vulnerabilities

Security Incident Reporting

  • Report Security Issues: If you suspect a security breach or unauthorized access to your account, contact Cartt immediately at [email protected] or call +91-9990026008
  • Password Reset: Users who suspect account compromise should immediately reset their password and enable two-factor authentication
  • Investigation Support: Cartt will investigate reported incidents and provide users with updates on findings and remedial actions
  • Cooperation with Authorities: Cartt cooperates fully with law enforcement and regulatory authorities in investigating security incidents when required by law

Continuous Security Improvement

  • Security Strategy Review: Cartt regularly reviews and updates security strategies to address emerging threats and vulnerabilities
  • Threat Intelligence: Cartt monitors threat intelligence feeds to stay informed of new security threats and attack patterns relevant to our industry
  • Technology Upgrades: Security technologies and tools are regularly evaluated and upgraded to maintain state-of-the-art protection
  • Feedback Integration: User security feedback and incident reports are analyzed and incorporated into continuous security improvement initiatives

11. User Rights

Under the Digital Personal Data Protection Act, 2023, and other applicable Indian data protection laws, users have fundamental rights regarding their personal data. Cartt is committed to respecting and facilitating these rights.

Right to Access

  • Data Access Request: You have the right to request and obtain a copy of all personal data that Cartt holds about you in a structured, commonly
  • Request Process: To exercise your right to access, contact our Grievance Officer with a clear request. Cartt will respond within 30 days with your data
  • Information Included: Access requests will include all personal data, the purposes of processing, categories of recipients, and retention periods
  • Frequency: You may request access to your data once every 6 months free of charge. Subsequent requests may incur a reasonable administrative fee
  • Exemptions: Cartt may limit access to data if disclosure would compromise security, violate third-party privacy, or be contrary to law

Right to Correction and Rectification

  • Correcting Inaccurate Data: You have the right to request correction, amendment, or completion of personal data that is inaccurate, incomplete, or outdated
  • Correction Request Process: Submit a written request detailing the inaccurate information and the correct information. Cartt will verify and correct the data within 30 days
  • Notification to Third Parties: Where applicable, Cartt will notify third parties who have received your data of the correction, unless doing so is impractical or impossible
  • Self-Service Corrections: You can correct certain information (name, email, phone, business details) directly through your account dashboard
  • KYC Data Corrections: Corrections to KYC documents require resubmission of updated documents for re-verification

Right to Data Deletion (Right to be Forgotten)

  • Deletion Request: You have the right to request deletion of your personal data under certain circumstances, subject to applicable legal and regulatory exceptions
  • Grounds for Deletion: You may request deletion if:
    • Personal data is no longer necessary for the purpose it was collected
    • You withdraw consent and no other legal basis exists for processing
    • You object to processing and no legitimate business interests override your request
    • Personal data has been unlawfully processed
    • Deletion is required by applicable law or court order
  • Legal Exemptions: Cartt may refuse deletion if data must be retained for:
    • Compliance with legal obligations (tax, GST, income tax records)
    • Establishment, exercise, or defense of legal claims
    • Fraud prevention and security
    • Ongoing regulatory investigations or proceedings
    • Account recovery during the 90-day grace period
  • Deletion Process: Submit a deletion request to our Grievance Officer. Cartt will assess your request and respond within 30 days. If approved, data is securely deleted using industry-standard erasure methods
  • Backup Data: Data in backup systems may be retained for disaster recovery purposes and deleted according to backup retention schedules
  • Third-Party Notification: Where feasible, Cartt will request that third parties who received your data also delete it

Right to Data Portability

  • Data Portability Right: You have the right to request your personal data in a structured, commonly used, machine-readable format (such as CSV, JSON, or XML) and to transmit it to another service provider without hindrance
  • Eligibility: This right applies to data processed based on your consent or to fulfill a contract with you
  • Request Process: Contact our Grievance Officer with a data portability request. Cartt will provide your data within 30 days in a machine-readable format
  • Direct Transmission: Upon request, Cartt may transmit your data directly to another service provider if technically feasible
  • Data Included: Portability includes account information, business data, transaction history, usage logs, and store configuration, excluding data of other users or data that cannot be technically separated
  • Scope Limitations: Data portability does not include derived data, analytics, or data held solely for security or fraud prevention purposes

Right to Withdraw Consent

  • Consent Withdrawal: If processing is based on your consent, you have the right to withdraw consent at any time without penalty or adverse consequences
  • Withdrawal Process: You may withdraw consent through your account settings, by contacting our Grievance Officer, or by replying to marketing communications with an unsubscribe request
  • Effect of Withdrawal: Upon withdrawal, Cartt will cease processing data for the specific purpose for which consent was given. However, processing already conducted before withdrawal remains lawful
  • Continued Service Access: Withdrawing consent for non-essential processing (marketing, analytics) does not affect your ability to use essential services. Withdrawing consent for essential processing may limit service access
  • Granular Consent: You can withdraw consent selectively for specific purposes without withdrawing consent for all processing activities

Right to Object to Processing

  • Objection Right: You have the right to object to processing of your personal data for certain purposes, particularly for marketing, analytics, or legitimate business interests
  • Grounds for Objection: You may object if you believe processing violates your rights, is unnecessary, or if your interests override Cartt's legitimate interests
  • Marketing Objection: You have the absolute right to object to processing for direct marketing purposes. Cartt will immediately cease marketing communications upon objection
  • Objection Process: Submit an objection to our Grievance Officer with details of your objection. Cartt will cease processing for the objected purpose within 30 days unless compelling legitimate reasons exist
  • Legal Objection: If objection is based on legal grounds, Cartt will provide reasons for continued processing, if applicable

Right to Restrict Processing

  • Processing Restriction: You have the right to request restriction of processing of your personal data in certain circumstances, such as when the accuracy of data is contested
  • Restriction Grounds: Processing may be restricted if:
    • You contest the accuracy of your data while verification is underway
    • Processing is unlawful but you prefer restriction over deletion
    • Cartt no longer needs the data but you require it for legal claims
    • You have objected to processing and Cartt is determining whether its interests override yours
  • Request Process: Contact our Grievance Officer to request processing restriction. Cartt will mark your data as restricted and limit processing to storage and specific purposes
  • Notification: When processing is restricted, Cartt will notify you before lifting the restriction

Right to Lodge a Complaint

  • Regulatory Complaint: You have the right to lodge a complaint with the Data Protection Board of India or relevant regulatory authority if you believe Cartt has violated your data protection rights
  • Internal Grievance: Before escalating to regulatory authorities, you may lodge a formal grievance with Cartt's Grievance Officer for internal investigation and resolution
  • No Retaliation: Cartt will not retaliate against you for lodging a complaint or asserting your data protection rights

Right to Explanation and Transparency

  • Processing Explanation: You have the right to receive a clear explanation of:
    • What personal data Cartt collects about you
    • Why Cartt collects and processes your data
    • The legal basis for processing
    • Who receives your data and why
    • How long your data is retained
    • Your rights regarding your data
  • Automated Decision-Making: If Cartt makes decisions about you using automated means (such as fraud detection or account approval), you have the right to understand the decision logic and request human review
  • Privacy Policy Clarity: This Privacy Policy is written in clear, accessible language to ensure you understand how your data is handled

Right to Grievance Redressal

  • Grievance Officer: Cartt has appointed a Grievance Officer to handle data protection grievances, complaints, and requests from users
  • Contact Information: Grievance Officer details are provided in Section 17 (Contact)
  • Response Timeline: Cartt will acknowledge your grievance within 5 business days and provide a substantive response within 30 days
  • Escalation: If you are unsatisfied with Cartt's response, you may escalate to the Data Protection Board of India or relevant regulatory authority
  • Free of Charge: Filing a grievance with Cartt is free and incurs no cost to users

Right to Information About Processing

  • Processing Details: You have the right to request information about:
    • The categories of data processed
    • The purposes and legal basis of processing
    • The retention period for each category of data
    • The recipients of your data
    • Any automated decision-making that affects you
    • The source of data (if not collected directly from you)
  • Request Format: You may request this information in writing to our Grievance Officer. Cartt will respond within 30 days

Rights of Children and Minors

  • No Service to Minors: Cartt does not knowingly provide services to individuals under 18 years of age
  • Parental Rights: If we become aware that data of a minor has been collected without parental consent, parents or guardians have the right to request deletion of such data immediately
  • Verification of Age: Users must verify their age at account creation. False age declaration may result in account termination

Rights of Users in Specific Circumstances

  • Deceased Persons: Immediate family members may request access to or deletion of the data of a deceased user. Verification of relationship and death certificate will be required
  • Power of Attorney Holders: Legal representatives with power of attorney or guardianship may exercise rights on behalf of users who lack legal capacity
  • Authorized Representatives: You may designate authorized representatives to exercise your data protection rights on your behalf by providing written authorization

Exercise of Rights - General Provisions

  • No Fee for Rights Exercise: Cartt will not charge you for exercising your data protection rights, except in cases of manifestly unfounded or excessive requests, in which case a reasonable administrative fee may be charged
  • Response Timeline: Cartt will respond to rights requests within 30 days of receipt. In complex cases, the response period may be extended by 60 additional days with notification to you
  • Proof of Identity: Cartt may request verification of your identity to ensure data is released to authorized individuals
  • Multiple Requests: If you submit multiple redundant requests, Cartt may decline to respond or charge a reasonable administrative fee
  • Method of Exercise: You can exercise your rights by:
    • Submitting a written request to our Grievance Officer
    • Using self-service tools in your account dashboard
    • Emailing [email protected] with clear details of your request
    • Calling +91-9990026008 during business hours

Limitations on Rights

  • Legal Obligations: Some rights may be limited or modified if exercising them would conflict with legal obligations, court orders, or regulatory requirements
  • Security and Fraud Prevention: Rights to access or deletion may be restricted if exercising them would compromise security or fraud prevention measures
  • Third-Party Rights: Rights may be limited to protect the rights, privacy, or interests of other users or third parties
  • Intellectual Property: Cartt's intellectual property and trade secrets are not subject to disclosure under data access rights
  • Business Necessity: Certain data (such as aggregated analytics) cannot be separated from other data and may not be portable or deletable

Data Subject Rights Summary

  • ✓ Right to access your personal data
  • ✓ Right to correct inaccurate data
  • ✓ Right to request deletion of your data
  • ✓ Right to data portability in machine-readable format
  • ✓ Right to withdraw consent without penalty
  • ✓ Right to object to marketing communications
  • ✓ Right to restrict processing of your data
  • ✓ Right to lodge complaints with regulatory authorities
  • ✓ Right to explanation and transparency about processing
  • ✓ Right to grievance redressal and investigation

12. Cookies

Cartt uses cookies and similar tracking technologies to enhance functionality, personalize user experience, conduct analytics, and improve our services. This section explains what cookies are, how we use them, your choices regarding cookies, and how to manage cookie preferences.

What Are Cookies?

  • Definition: Cookies are small text files stored on your device (computer, smartphone, or tablet) when you visit a website. They contain information about your browsing activity, preferences, and interactions with the website
  • How Cookies Work: When you visit Cartt, our servers send a cookie to your browser, which stores it on your device. On subsequent visits, your browser sends the cookie back to our servers, allowing us to recognize you and retrieve stored information
  • Duration: Cookies may be session-based (deleted when you close your browser) or persistent (stored on your device for a specified period)
  • Similar Technologies: Besides cookies, we also use web beacons, pixels, local storage, and related tracking technologies that serve the same purposes as cookies

Types of Cookies We Use

  • Essential/Necessary Cookies: These cookies are critical for basic website functionality and security. They enable:
    • User authentication and login functionality
    • Session management and security tokens
    • Account access and data protection
    • CSRF (Cross-Site Request Forgery) protection
    • SSL/TLS encryption verification
    • Payment processing and transaction security
    Essential cookies are necessary for the service to function and cannot be disabled
  • Performance and Analytics Cookies: These cookies help us understand how users interact with Cartt. They collect data about:
    • Pages visited and time spent on each page
    • Features accessed and functionality used
    • User engagement patterns and click behavior
    • Error rates and page load performance
    • Device types and browser information
    • Geographic location (IP-based, not precise)
    This data helps us optimize performance, identify issues, and improve user experience
  • Functionality and Preference Cookies: These cookies remember your preferences and settings to enhance usability:
    • Language and localization preferences
    • Display settings and theme preferences (dark mode, light mode)
    • Customization settings and layout preferences
    • Recent searches and browsing history
    • Form data and auto-fill information
    • Dashboard customization and widget preferences
    Functionality cookies enhance convenience but are not strictly necessary
  • Marketing and Advertising Cookies: These cookies track your activity for marketing purposes:
    • Tracking clicks on marketing campaigns and advertisements
    • Identifying which marketing channels drive conversions
    • Building user segments for targeted advertising
    • Measuring advertisement effectiveness and ROI
    • Retargeting users with relevant content across the web
    • Understanding user interests and behavior patterns
    Marketing cookies require explicit consent before activation
  • Third-Party Cookies: Cookies set by external service providers integrated with Cartt:
    • Google Analytics for traffic analysis
    • Facebook Pixel for conversion tracking
    • Mixpanel or Amplitude for product analytics
    • Customer support chat platforms
    • Payment gateway providers (Razorpay)
    • Email marketing service providers
    Third-party cookies are governed by those providers' privacy policies

Purposes of Cookie Usage

  • Authentication and Security: Cookies authenticate your identity, maintain session security, prevent unauthorized access, and protect against fraud and security threats
  • User Experience Enhancement: Cookies remember your preferences, customize content, reduce login frequency, and provide a seamless browsing experience
  • Service Improvement: Analytics cookies help identify usability issues, measure feature adoption, understand user needs, and prioritize product improvements
  • Performance Monitoring: Cookies track page load times, error rates, and system performance to ensure optimal service delivery
  • Analytics and Insights: We analyze user behavior patterns, traffic sources, conversion funnels, and engagement metrics to improve Cartt
  • Marketing and Retargeting: Marketing cookies enable targeted advertising, campaign measurement, and audience segmentation for more relevant communications
  • Compliance and Legal Obligations: Cookies help us comply with applicable laws, maintain audit trails, and fulfill regulatory requirements

Cookie Consent and Management

  • Consent Requirement: Upon first visit to Cartt, you will see a cookie consent banner requesting your permission to use non-essential cookies (analytics, marketing, functionality)
  • Granular Control: The consent banner allows you to:
    • Accept all cookies
    • Reject non-essential cookies
    • Customize cookie preferences by category
    • View detailed cookie information
  • Consent Storage: Your cookie preferences are saved in a consent cookie that persists for 12 months. You can update preferences at any time
  • Essential Cookies Exemption: Essential security and functionality cookies are set regardless of consent, as they are necessary for service operation
  • Implied Consent: Continuing to use Cartt after the consent banner appears may be treated as acceptance of cookie usage, subject to applicable law

How to Manage Cookies

  • Browser Cookie Settings: Most browsers allow you to control cookie acceptance:
    • Chrome: Settings → Privacy and Security → Cookies and other site data
    • Firefox: Preferences → Privacy & Security → Cookies and Site Data
    • Safari: Preferences → Privacy → Cookies and website data
    • Edge: Settings → Privacy → Cookies and other site data
  • Block All Cookies: You can configure your browser to reject all cookies, but this may impair Cartt's functionality and prevent you from accessing certain features
  • Third-Party Cookie Rejection: Browsers allow you to reject third-party cookies while accepting first-party cookies
  • Clear Cookies: You can delete all cookies or specific cookies from your browser's settings. This will require re-authentication on your next visit
  • Cookie Consent Tool: You can adjust your cookie preferences directly through Cartt's cookie consent tool available in account settings or by clicking the cookie preferences link in the footer
  • Do Not Track (DNT): If your browser sends a DNT signal, Cartt will respect your preference and limit non-essential tracking (note: not all sites honor DNT)

Cookie List and Duration

  • Session Cookies:
    • PHPSESSID - PHP session identifier for user authentication (expires at session end)
    • cartt_session - Cartt-specific session token (24 hours)
    • csrf_token - CSRF protection token (session)
    • _ga_session - Google Analytics session cookie (session)
  • Persistent Cookies:
    • user_preferences - Stores UI preferences like language and theme (1 year)
    • remember_me - Enables "remember me" login feature (30 days)
    • analytics_id - Unique user identifier for analytics (2 years)
    • _ga - Google Analytics tracking cookie (2 years)
    • _gid - Google Analytics session-based tracking (24 hours)
    • fbp - Facebook Pixel identifier (3 months)
    • cookie_consent - Stores your cookie preferences (1 year)
    • marketing_opt_in - Tracks marketing communication opt-in status (2 years)

Third-Party Cookie Providers

  • Google Analytics: Analyzes traffic patterns, user behavior, and engagement. Privacy Policy: https://policies.google.com/privacy
  • Facebook Pixel: Tracks conversions and user actions for marketing. Privacy Policy: https://www.facebook.com/privacy/explanation
  • Razorpay: Payment gateway integration for transaction processing. Privacy Policy: https://razorpay.com/privacy
  • Zendesk: Customer support chat and ticketing system. Privacy Policy: https://www.zendesk.com/company/customers-partners/privacy-policy/
  • HubSpot: Email marketing and CRM platform. Privacy Policy: https://legal.hubspot.com/privacy-policy
  • Amplitude/Mixpanel: Product analytics and user insights. Privacy Policies available on respective websites

Data Shared Through Cookies

  • Essential Data Shared: User ID, session information, authentication status, and security tokens are shared with Cartt's servers for basic functionality
  • Analytics Data Shared: Page views, user interactions, browser information, and IP address (anonymized) are shared with Google Analytics and other analytics providers
  • Marketing Data Shared: User actions, conversion events, and audience interests are shared with Facebook, Google Ads, and other marketing platforms for targeted advertising
  • No Sensitive Data in Cookies: Cartt does not store passwords, credit card information, KYC documents, or other highly sensitive data in cookies
  • Encryption: Session cookies are transmitted over encrypted HTTPS connections to prevent interception

International Cookie Usage

  • Global Analytics: Some analytics cookies (Google Analytics) may transfer data to servers outside India for processing and analysis
  • Data Localization: Cartt ensures that personal data remains localized to India where required by applicable law, while analytics and marketing data may be processed globally
  • Standard Contractual Clauses: Where cookies involve international data transfer, appropriate safeguards (Standard Contractual Clauses) are implemented

Cookie Privacy and Security

  • Secure Flag: Security-sensitive cookies are marked with the "Secure" flag, ensuring they are transmitted only over encrypted HTTPS connections
  • HttpOnly Flag: Session and authentication cookies use the "HttpOnly" flag to prevent JavaScript access and protect against XSS attacks
  • SameSite Attribute: Cookies include SameSite attributes to prevent cross-site request forgery (CSRF) attacks and unauthorized cross-site cookie usage
  • Scope Limitation: Cookies are scoped to specific domains and paths to limit their accessibility to authorized services only
  • No Personal Data Storage: Cartt does not store personally identifiable information (names, email addresses, phone numbers) directly in cookies. User identifiers are encrypted or hashed
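The "Cookie List and Duration" and "Cookie Privacy and Security" passages above together define a checkable policy: each named cookie has a declared lifetime, and security-sensitive cookies carry Secure, HttpOnly and SameSite and are scoped to the issuing host. The script below is an added example, not Cartt's own code, that audits Set-Cookie headers against those stated rules. The cookie names and lifetimes are taken from the policy's cookie list; the sample headers and the host name shop.example.com are constructed for illustration.

```python
"""Audit Set-Cookie headers against the cookie rules stated in this policy.

Added example; not Cartt's own code. Cookie names and lifetimes are taken
from the policy's "Cookie List and Duration"; the sample headers and the
host shop.example.com are constructed for illustration.
"""

DAY = 24 * 3600

# Declared lifetime in seconds (None = session cookie) and whether the
# cookie carries authentication state, per the policy's cookie list.
DECLARED = {
    "cartt_session":    {"max_age": 24 * 3600, "auth": True},
    "csrf_token":       {"max_age": None,      "auth": True},
    "remember_me":      {"max_age": 30 * DAY,  "auth": True},
    "user_preferences": {"max_age": 365 * DAY, "auth": False},
    "cookie_consent":   {"max_age": 365 * DAY, "auth": False},
}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name/value plus lower-cased attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones to their string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie


def audit_cookie(header: str, site_domain: str) -> list[str]:
    """Return the policy deviations for one Set-Cookie header (empty = compliant)."""
    c = parse_set_cookie(header)
    name = c["name"]
    policy = DECLARED.get(name)
    if policy is None:
        return [f"{name}: not in the declared cookie list"]
    findings = []

    # Secure: every listed cookie must only travel over HTTPS.
    if "secure" not in c:
        findings.append(f"{name}: missing Secure flag")
    # HttpOnly: required for session/authentication cookies (XSS containment).
    if policy["auth"] and "httponly" not in c:
        findings.append(f"{name}: missing HttpOnly flag on authentication cookie")
    # SameSite: must be present and not None (CSRF containment).
    samesite = c.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() == "none":
        findings.append(f"{name}: SameSite missing or None")
    # Scope: a Domain attribute other than the issuing host shares the cookie
    # with sibling subdomains, contrary to the scope-limitation rule.
    domain = c.get("domain")
    if isinstance(domain, str) and domain.lstrip(".") != site_domain:
        findings.append(f"{name}: Domain={domain} is not the issuing host {site_domain}")
    # Lifetime: compare against the declared duration.
    raw = c.get("max-age")
    max_age = int(raw) if isinstance(raw, str) and raw.lstrip("-").isdigit() else None
    persistent = max_age is not None or "expires" in c
    if policy["max_age"] is None and persistent:
        findings.append(f"{name}: session cookie given a persistent lifetime")
    elif policy["max_age"] is not None and max_age != policy["max_age"]:
        findings.append(f"{name}: Max-Age {max_age} differs from declared {policy['max_age']}")
    return findings


def audit_all(headers: list[str], site_domain: str) -> dict[str, list[str]]:
    """Audit a batch of headers; keys are cookie names, values the findings."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h, site_domain) for h in headers}


# Constructed sample headers (not captured from Cartt).
SAMPLE_HEADERS = [
    "cartt_session=9f2c1a; Path=/; Domain=shop.example.com; Max-Age=86400; Secure; HttpOnly; SameSite=Lax",
    "remember_me=tok42; Path=/; Domain=example.com; Max-Age=2592000; SameSite=None",
    "csrf_token=xyz; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Strict",
    "user_preferences=lang%3Den; Path=/; Max-Age=31536000; Secure; SameSite=Lax",
    "tracker=1; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie_name, problems in audit_all(SAMPLE_HEADERS, "shop.example.com").items():
        print(cookie_name, "OK" if not problems else "; ".join(problems))
```

Run against the constructed headers, the first and fourth cookies pass, `remember_me` is reported for a missing Secure flag, a missing HttpOnly flag, `SameSite=None`, and an over-broad Domain, `csrf_token` is reported for being given a persistent lifetime although the policy lists it as a session cookie, and `tracker` is reported as undeclared. The same check can be run over real response headers (for example from a staging deployment) to confirm that what the policy promises is what the server actually sets.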

Cookie Retention and Deletion

  • Session Cookie Deletion: Session-based cookies are automatically deleted when you close your browser or log out of Cartt
  • Persistent Cookie Retention: Persistent cookies remain on your device for the specified duration (typically 30 days to 2 years) unless manually deleted
  • Manual Deletion: You can manually delete cookies through your browser settings or by clearing browsing data
  • Account Deletion Impact: When you delete your Cartt account, we invalidate authentication cookies, but analytics and advertising cookies may persist according to third-party retention policies
  • Automatic Expiration: All persistent cookies have expiration dates and are automatically deleted by your browser after the specified period

Cookies and User Rights

  • Consent Withdrawal: You can withdraw consent for non-essential cookies at any time through the cookie preferences tool, which takes effect immediately
  • Right to Refuse: You have the absolute right to refuse non-essential cookies. Essential cookies cannot be refused as they are necessary for service functionality
  • Cookie Audit Request: You can request a list of all cookies used on Cartt by contacting our Grievance Officer
  • Third-Party Cookie Limits: You can limit third-party cookies while still using Cartt's essential features by adjusting your preferences

Compliance with Regulations

  • Digital Personal Data Protection Act, 2023: Cartt's cookie usage complies with DPDPA 2023 requirements for consent, transparency, and data protection
  • GDPR Compliance: For EU users, cookie usage follows GDPR Article 7 requirements for explicit consent before non-essential cookie deployment
  • ePrivacy Regulations: Cartt complies with ePrivacy Directive requirements mandating prior consent for non-essential cookies
  • Industry Standards: Cookie practices align with industry best practices and recommendations from data protection authorities

Changes to Cookie Practices

  • Policy Updates: If Cartt adds new cookies or modifies cookie usage, this policy will be updated to reflect changes
  • Notification: Significant changes to cookie practices will be communicated through email notifications or prominent website announcements
  • Opt-Out Opportunities: Users will be given fresh consent opportunities for any new non-essential cookies

Cookie Troubleshooting

  • Can't Log In: If you cannot log in, try clearing your browser's cookies and cache, then log in again. Ensure cookies are enabled in browser settings
  • Lost Preferences: If your preferences are not saved, verify that functionality cookies are enabled and your browser is not blocking them
  • Third-Party Tracking Issues: If third-party cookies are blocked by your browser or extensions, analytics and marketing features may be limited
  • Cookie Conflicts: Browser extensions may interfere with cookie functionality. Try disabling extensions and retesting
  • Support: For cookie-related issues, contact our support team at [email protected] or +91-9990026008

Frequently Asked Questions

  • Q: Can I use Cartt without accepting cookies?
    A: You can use Cartt with essential cookies enabled (which are required). Non-essential cookies can be rejected, though some features may be limited
  • Q: Will disabling cookies affect my account?
    A: Disabling all cookies may prevent login and basic functionality. Essential cookies must remain enabled for Cartt to work properly
  • Q: How long do Cartt cookies stay on my device?
    A: Session cookies expire when you log out. Persistent cookies remain for their specified duration (typically 30 days to 2 years) unless manually deleted
  • Q: Are my cookies secure?
    A: Yes, Cartt uses security measures (encryption, HttpOnly flags, SameSite attributes) to protect cookies. You should also keep your browser and device secure
  • Q: Can third parties access my Cartt cookies?
    A: Cartt cookies are restricted to Cartt's domain. Third-party cookies set by external providers can only be accessed by those providers according to their privacy policies
  • Q: How do I opt out of marketing cookies?
    A: Use the cookie consent tool in your account settings to disable marketing and analytics cookies, or withdraw consent in your browser's privacy settings
  • Q: What happens if I clear my cookies?
    A: Clearing cookies will log you out of Cartt, reset your preferences, and require you to log in again. Non-essential cookies will be removed, but essential cookies will be recreated on next visit

13. Children's Privacy

Cartt is not intended for individuals under 18 years of age. We are committed to protecting the privacy of children and comply with applicable laws protecting minors in the digital environment. This section outlines our policies regarding children's data and our commitment to child safety.

No Service to Minors

  • Age Restriction: Cartt is exclusively designed for users who are 18 years of age or older. We do not intentionally collect, solicit, or maintain personal data from individuals under 18 years of age
  • Terms of Service: By accessing and using Cartt, you represent and warrant that you are at least 18 years old and have the legal capacity to enter into binding agreements
  • Age Verification: During account registration, users must confirm their age. False age declarations constitute breach of our Terms of Service and may result in immediate account termination
  • Enforcement: Cartt implements technical and procedural measures to prevent underage access and ensure compliance with age restrictions

Children's Data Protection Framework

  • Unintentional Collection: If we discover that personal data of a minor has been collected unknowingly, we will take immediate action to:
    • Cease further collection of data from the minor
    • Delete or anonymize the minor's personal data from our systems
    • Notify the child's parent or legal guardian of the data collection
    • Cooperate fully with parents/guardians in protecting the child's privacy
  • Immediate Deletion: Upon discovery of underage user data, Cartt will delete all associated information without delay, except where retention is mandated by law for safety reasons
  • Parental Notification: Parents or guardians of minors whose data was collected will be notified immediately with details about the data collected and actions taken for remediation
  • No Parental Consent Processing: Cartt does not knowingly process data of minors even with parental consent, as our services are not designed for minors

Parental Rights and Responsibilities

  • Right to Know: Parents or legal guardians have the right to request information about any personal data Cartt may have collected from their minor child
  • Right to Delete: Parents or guardians can request deletion of their child's personal data. Cartt will comply with deletion requests within 30 days, subject to legal retention requirements
  • Right to Restrict: Parents can request that Cartt cease collection and processing of their child's data. Cartt will immediately suspend processing upon receipt of a verified parental request
  • Verification of Guardianship: To exercise parental rights, Cartt requires verification of guardianship through official documents such as birth certificates or court orders
  • Contact Grievance Officer: Parents or guardians should contact our Grievance Officer with requests related to their minor child's data, providing proof of guardianship

Protection from Inappropriate Content

  • Content Filtering: Cartt is an e-commerce platform builder designed for business users. It does not contain age-restricted, adult, or inappropriate content that would harm minors
  • User-Generated Content Responsibility: Users are responsible for ensuring that content they create or publish on their e-commerce stores complies with applicable laws and does not expose minors to inappropriate material
  • Violation Reporting: Users who discover inappropriate content on Cartt or user-created stores can report violations to [email protected]
  • Content Removal: Cartt will promptly review and remove content that violates child protection laws or exposes minors to harm

Protection from Online Predation and Exploitation

  • No Communication with Minors: Cartt does not facilitate direct messaging, communication, or interaction between adult users and minors
  • Grooming Prevention: Our systems include safeguards to detect and prevent grooming, exploitation, or predatory behavior targeting minors
  • Monitoring and Reporting: Cartt monitors for suspicious activities that might indicate child exploitation and reports suspected cases to relevant authorities as required by law
  • Zero Tolerance Policy: Any user found engaging in exploitation, abuse, or illegal activities targeting minors will face permanent account termination and may be reported to law enforcement
  • Cooperation with Authorities: Cartt fully cooperates with law enforcement, NCMEC (National Center for Missing & Exploited Children), CyberTipline, and other agencies investigating child safety violations

Parental Controls and Monitoring

  • Parental Guidance Recommended: While Cartt is not designed for minors, parents should monitor their children's online activities and ensure they access age-appropriate services and content
  • Parental Control Software: Parents are encouraged to use parental control software, content filters, and monitoring tools to restrict their children's access to inappropriate websites and content
  • Education on Online Safety: We recommend that parents educate their children about online safety, privacy protection, and the risks of sharing personal information online
  • Digital Literacy: Parents should teach children critical thinking skills to evaluate online content, recognize phishing and scams, and interact safely online
  • Open Communication: We encourage parents to maintain open dialogue with their children about their online activities and any concerns they may have

Data Handling for Users Turning 18

  • Retention After Majority: If an account created by a minor continues after the user reaches 18 years of age, data retention follows adult user policies outlined in Section 9 (Data Retention)
  • Consent Update: Upon reaching 18, users should review and update their consent preferences for data processing activities
  • Privacy Policy Acknowledgment: Users should review and acknowledge their understanding of this Privacy Policy upon reaching adulthood

Compliance with Child Protection Laws

  • Digital Personal Data Protection Act, 2023: Cartt complies with DPDPA 2023 provisions protecting children's personal data, including stricter consent requirements and enhanced privacy protections
  • Protection of Children from Sexual Offences (POCSO) Act, 2012: We strictly comply with POCSO Act provisions and maintain zero tolerance for child exploitation
  • Information Technology Act, 2000: We comply with IT Act provisions, particularly Section 67 regarding protection from obscene materials and Section 67A regarding sexually explicit content
  • National Commission for Protection of Child Rights (NCPCR): Cartt works in coordination with NCPCR and follows government guidelines on child online safety
  • COPPA Compliance: For users in the United States, Cartt's policies align with COPPA (Children's Online Privacy Protection Act) principles of child protection
  • International Standards: We adhere to international best practices and standards for child online safety, including UN Sustainable Development Goals related to child protection

Data Security Specific to Minors

  • Enhanced Security: If a minor's data is encountered, it receives enhanced security protections beyond standard user data security measures
  • Separate Storage: Any minor's data is segregated and stored with heightened access controls to prevent unauthorized disclosure
  • Encryption Priority: Data of minors receives priority encryption and protection using the strongest available security standards
  • Limited Access: Only specifically authorized personnel involved in child safety and legal compliance have access to a minor's data
  • Immediate Purging: Upon identification and notification, a minor's data is immediately purged from all systems and backup locations

Reporting Child Safety Concerns

  • Report Suspected Violations: If you suspect Cartt is hosting content harmful to children or if you believe a minor's data has been inappropriately collected, report it immediately to:
    • 📧 [email protected] (with subject: "Child Safety Concern")
    • 📞 +91-9990026008
    • 📋 National Cybercrime Reporting Portal: www.cybercrime.gov.in
    • 🔗 CyberTipline: www.cybertipline.org
  • Investigation Priority: All child safety reports are investigated immediately with highest priority
  • Confidentiality: Reports of child safety concerns are handled confidentially to protect the child's privacy and facilitate investigation
  • Law Enforcement Cooperation: Cartt will cooperate fully with law enforcement agencies in investigating reports of child abuse or exploitation
  • No Retaliation: Users who report child safety concerns in good faith will not face retaliation or adverse action

Third-Party Content and Links

  • User-Generated Stores: Users create and manage their own e-commerce stores on Cartt. Parents should be aware that content on user-created stores may vary in appropriateness
  • External Links: Cartt may contain links to external websites. We are not responsible for the content, practices, or policies of external sites. Parents should monitor children's browsing of external sites
  • Third-Party Services: We integrate with third-party services (payment gateways, analytics, etc.). Parents should review third-party privacy policies to understand how children's data is handled
  • Disclaimer: Cartt is not responsible for the privacy practices of third-party services or user-created content. Parents bear responsibility for monitoring their children's online activities

Privacy Education for Minors

  • Age-Appropriate Resources: While Cartt is not designed for minors, we provide educational resources on digital privacy and safety available to parents
  • Resources Available: Parents can access guides on teaching children about:
    • Personal information and privacy importance
    • Online safety and cybersecurity basics
    • Recognizing phishing and scams
    • Respectful online behavior
    • Digital footprint and reputation management
  • Parental Resources: We recommend parents visit trusted organizations like Common Sense Media, Internet Watch Foundation, and government digital literacy programs for comprehensive child online safety guidance

Complaint and Redressal for Child Safety Issues

  • Grievance Mechanism: Parents or guardians can file formal grievances related to child safety through our Grievance Officer
  • Response Timeline: Child safety grievances receive an urgent response within 24 hours of receipt
  • Escalation Authority: Unresolved child safety complaints can be escalated to:
    • Data Protection Board of India
    • National Commission for Protection of Child Rights (NCPCR)
    • CyberCrime Reporting Portal
    • Local law enforcement and cybercrime authorities
  • No Dismissal: Cartt will not dismiss or minimize any child safety concerns. All reports are thoroughly investigated

Policy Review and Updates

  • Regular Review: This children's privacy policy is reviewed regularly to ensure alignment with evolving child protection laws and best practices
  • Legal Compliance: The policy is updated whenever new legislation, regulatory guidance, or court decisions affect child data protection
  • Notification of Changes: Significant changes to child protection policies are communicated to users and regulatory authorities
  • Stakeholder Feedback: We welcome feedback from child safety advocates, parents, and organizations focused on child protection

Frequently Asked Questions on Children's Privacy

  • Q: What should I do if my child created a Cartt account?
    A: Contact us immediately at [email protected] with proof of guardianship. We will delete the account and all associated data within 48 hours
  • Q: Can my child use Cartt with parental consent?
    A: No. Cartt is designed exclusively for users 18 and above. We do not process data of minors even with parental consent
  • Q: What happens if someone violates the age policy?
    A: The account will be permanently terminated, and the data will be deleted. Repeated violations may be reported to law enforcement
  • Q: How can I report suspicious activity involving minors?
    A: Report to [email protected], call +91-9990026008, or visit cybercrime.gov.in
  • Q: Are third-party services integrated with Cartt child-safe?
    A: Third parties follow their own privacy policies. Parents should review those policies. We ensure contractual obligations for data protection
  • Q: How long does Cartt investigate child safety reports?
    A: Initial investigation begins within 24 hours. Comprehensive investigation typically concludes within 7-10 business days

14. International Transfers

Cartt may transfer, store, and process personal data on servers and infrastructure located outside India. This section explains how international data transfers are conducted, the safeguards implemented, the legal basis for transfers, and your rights regarding cross-border data movement.

International Data Transfer Overview

  • Global Infrastructure: Cartt's infrastructure is hosted on cloud platforms that may have data centers in multiple countries including the United States, Europe, and other regions. Your personal data may be processed, stored, or transferred to these locations to provide services, ensure redundancy, and maintain business continuity
  • Necessity for Service Delivery: International data transfers are necessary to:
    • Ensure service availability and reliability across time zones
    • Implement disaster recovery and backup procedures
    • Conduct analytics and performance monitoring
    • Integrate with third-party service providers located globally
    • Comply with regulatory requirements in different jurisdictions
  • Data Localization Priority: Despite international transfers, Cartt prioritizes data localization to India where possible. Personal data and sensitive business information are primarily stored on Indian servers while backups and redundancy copies may be maintained internationally
  • Transparent Communication: Users are informed through this Privacy Policy that their data may be transferred internationally and that appropriate safeguards are in place

Countries and Regions for Data Transfer

  • Primary Hosting Locations:
    • India: Primary data center for personal and business data storage, hosting, and processing
    • United States: Cloud infrastructure (AWS, Google Cloud) may process and store backup copies, analytics, and non-sensitive data
    • Europe: EU-based servers may be used for EU users and GDPR compliance, as well as for disaster recovery
    • Singapore: APAC region servers may process data for redundancy and performance optimization
  • Third-Party Processing Locations: Third-party service providers may process data in their own locations:
    • Razorpay (Payment Gateway): May process data in India and internationally
    • Google Analytics: Processes data globally with US-based servers
    • Email Service Providers: May process emails globally
    • Customer Support Platforms: May maintain servers in multiple countries
    • Cloud Hosting Providers: AWS, Google Cloud operate globally
  • Country-Specific Data: Different categories of data are handled differently:
    • Personal account data (names, emails) primarily remain in India
    • Business data (store info, GST details) remain in India
    • Financial records remain in India for 7 years per tax law
    • Backup and analytics data may be transferred internationally
    • Technical logs may be processed globally for security

Legal Basis for International Transfers

  • User Consent: By agreeing to this Privacy Policy and using Cartt, you provide explicit consent for international data transfers. This consent is informed and voluntary, with clear notice of potential transfer locations
  • Contractual Necessity: International transfers are necessary to perform our contractual obligations to you:
    • Delivering the Cartt platform and services
    • Processing payments through international payment gateways
    • Maintaining platform uptime and service reliability
    • Providing customer support and technical assistance
  • Legal Obligations: In some cases, international transfers are required by:
    • Law enforcement requests from foreign authorities
    • International regulatory compliance
    • Court orders or legal proceedings in other jurisdictions
    • International treaties and agreements
  • Legitimate Business Interests: International transfers support Cartt's legitimate interests in:
    • Ensuring service reliability and disaster recovery
    • Optimizing performance and scalability
    • Conducting analytics and service improvement
    • Managing security and fraud prevention
  • Data Subject Protection: International transfers are conducted only when adequate safeguards are in place to protect your rights and freedoms

Adequacy Determinations

  • Adequate vs. Non-Adequate Countries: Under data protection laws, countries are classified as having "adequate" or "non-adequate" data protection:
    • Adequate Countries: EU member states, UK, Canada, Switzerland, Japan, South Korea (limited) have legislation deemed adequate by Indian authorities and the EU
    • Non-Adequate Countries: The United States and many other countries are not formally designated as having adequate data protection. Transfers to these countries require additional safeguards
  • Transfer to Non-Adequate Countries: When transferring data to countries without formal adequacy determinations (particularly the United States), Cartt implements legally recognized safeguards such as:
    • Standard Contractual Clauses (SCCs)
    • Binding Corporate Rules (BCRs)
    • Adequacy Decisions (where applicable)
    • Contractual safeguards and data processing agreements
  • Schrems II Compliance: For EU and international users, Cartt complies with the Schrems II decision requiring supplementary safeguards for data transfers to the United States

Transfer Safeguards and Mechanisms

  • Standard Contractual Clauses (SCCs): Cartt uses EU-approved Standard Contractual Clauses in contracts with:
    • Cloud infrastructure providers (AWS, Google Cloud)
    • Third-party service providers in non-adequate countries
    • Subsidiary companies and business partners
    SCCs impose binding contractual obligations to protect personal data equivalent to EU GDPR standards
  • Data Processing Agreements (DPA): All service providers receiving personal data are bound by comprehensive Data Processing Agreements that:
    • Impose data protection obligations
    • Require confidentiality and security measures
    • Restrict data use to contracted purposes
    • Mandate sub-processor notifications and audits
    • Include liability clauses for data breaches
  • Supplementary Measures: Beyond contractual clauses, Cartt implements supplementary technical and organizational safeguards:
    • Encryption of data in transit and at rest
    • Encryption keys stored separately in India
    • Access controls limiting processing to authorized personnel
    • Anonymization and pseudonymization where feasible
    • Data minimization reducing transfer volume
    • Regular security audits and certifications
  • Binding Corporate Rules (BCRs): If Cartt expands internationally with subsidiary companies, we may implement BCRs establishing binding internal standards for intra-group data transfers
  • Cloud Provider Security Certifications: Cloud providers used by Cartt maintain:
    • ISO 27001 information security certification
    • SOC 2 Type II compliance audit reports
    • GDPR Data Protection Impact Assessments (DPIAs)
    • Regular third-party security audits

Data Categories and Transfer Distinctions

  • Personal Account Data (Low International Transfer Risk):
    • Names, email addresses, phone numbers
    • Account creation dates and login history
    • Primarily stored in India
    • International transfer only for disaster recovery with encryption
  • Business and KYC Data (Restricted International Transfer):
    • GST registration numbers and tax identification
    • Business addresses and registration information
    • KYC documents and identity verification files
    • Bank account details (hashed/masked)
    • Stored exclusively in India with limited international access
    • Encrypted if backup copies exist internationally
  • Financial and Transaction Data (Controlled Transfer):
    • Transaction metadata and invoice records
    • Payment history and billing information
    • Primarily India-based with encrypted backup copies internationally
    • Payment processing may involve Razorpay servers globally
    • 7-year retention primarily in India per tax law
  • Technical and Usage Data (Common International Transfer):
    • IP addresses and device information
    • Usage logs and analytics data
    • Security logs and system monitoring data
    • Cookies and tracking data
    • Regularly transferred for analytics and performance optimization
    • Anonymized/aggregated for international processing
  • Backup and Redundancy Data:
    • Full account backups may be stored internationally
    • Disaster recovery copies maintained in multiple regions
    • Encrypted during storage and transmission
    • Automatic deletion per backup retention schedules

Third-Party International Transfers

  • Razorpay (Payment Gateway):
    • Payment data processed through Razorpay's global infrastructure
    • Cartt does not control Razorpay's data transfer practices
    • Razorpay maintains PCI-DSS compliance and security standards
    • Users are governed by Razorpay's Privacy Policy for payment data
    • See: https://razorpay.com/privacy
  • Google Analytics:
    • Analytics data transferred to Google's US-based servers
    • Google implements Privacy Shield and SCCs for EU data
    • Data processing governed by Google's Privacy Policy
    • Anonymized/pseudonymized data reduces privacy risks
  • Email Service Providers:
    • Email communications may be processed internationally
    • Providers bound by Data Processing Agreements
    • Standard encryption and security protocols applied
  • Cloud Infrastructure (AWS/Google Cloud):
    • Core infrastructure hosted on global cloud platforms
    • Providers maintain international data centers
    • Cartt implements region-specific configurations to limit transfers
    • Encryption and access controls protect data across regions

Restrictions on International Transfers

  • Prohibited Transfer Destinations: Cartt does not intentionally transfer data to countries with:
    • Active international sanctions or embargoes
    • Known inadequate data protection frameworks
    • Rampant corruption or high fraud rates
    • Unstable political or security environments
  • OFAC and Sanctions Compliance: Cartt complies with US Office of Foreign Assets Control (OFAC) sanctions and does not transfer data to sanctioned countries or entities
  • Sensitive Data Protection: KYC documents and government identification numbers are not transferred to high-risk jurisdictions
  • Verification and Audits: Cartt conducts due diligence on all transfer destinations and sub-processors

Impact Assessments for International Transfers

  • Data Protection Impact Assessment (DPIA): Cartt conducts DPIAs for international data transfers to evaluate:
    • Necessity and proportionality of transfer
    • Data protection laws in destination countries
    • Rights and freedoms risks in destination jurisdictions
    • Adequacy of safeguards and supplementary measures
    • Sub-processor risks and capabilities
  • Transfer Impact Assessment (TIA): For transfers to non-adequate countries, Cartt conducts Transfer Impact Assessments following Schrems II guidelines to identify and mitigate risks specific to those countries
  • Risk Mitigation: If risks are identified during assessments, Cartt implements additional safeguards such as:
    • Enhanced encryption
    • Additional contractual provisions
    • Additional access restrictions
    • Sub-processor vetting
  • Assessment Documentation: DPIAs and TIAs are documented and retained for regulatory inspection and user rights inquiries

Right to Challenge Transfers

  • User Challenge Right: You have the right to challenge international data transfers that you believe are unnecessary or inadequately safeguarded
  • Challenge Process: Submit a written challenge to our Grievance Officer detailing:
    • Specific concerns about the transfer
    • Grounds for the challenge (legal, practical, ethical)
    • Evidence supporting the concern
    • Requested remediation or alternative measures
  • Response Timeline: Cartt will respond to challenges within 30 days with:
    • Detailed explanation of why transfer is necessary
    • Description of safeguards implemented
    • Assessment of risks and protective measures
    • Any modifications made to address concerns
  • Escalation: If unsatisfied with Cartt's response, you may escalate to the Data Protection Board of India or relevant regulatory authority
  • Transfer Restrictions: Upon substantiated challenge, Cartt may restrict or modify specific transfers while maintaining essential service delivery

User Rights Regarding Transfers

  • Right to Information: You have the right to request:
    • Countries to which your data is transferred
    • Specific legal basis and safeguards for each transfer
    • Duration of international storage or processing
    • Recipients and sub-processors involved
    • Copy of Data Processing Agreements
  • Right to Object: You may object to transfers for non-essential purposes (analytics, marketing). Cartt will cease optional transfers upon objection while maintaining essential service operations
  • Right to Restrict: You can request restriction of transfers to specific countries. Cartt will comply where operationally feasible without compromising service quality
  • Right to Data Portability: Before transfer or upon request, you can access your data in portable format to migrate services if concerned about transfers
  • Right to Deletion: You retain your right to request deletion of international copies of your data, though backups may be retained per retention policies

Transparency and Notification

  • Privacy Policy Disclosure: This section provides comprehensive disclosure of international transfer practices, fulfilling transparency requirements
  • Sub-Processor Notification: If Cartt engages new international sub-processors, users will be notified in advance with an opportunity to object
  • Transfer Method Transparency: Cartt maintains transparency about which transfers use SCCs, DPAs, encryption, or other safeguards
  • Changes in Transfers: Material changes in international transfer practices (new countries, new sub-processors, new safeguards) will be communicated to users
  • Regulatory Notification: Changes may be reported to relevant regulatory authorities as required by law

Compliance with International Laws

  • GDPR Compliance (EU Users): For users in the European Union, international transfers comply with GDPR Chapter 5 requirements, including:
    • Adequacy decisions where applicable
    • Standard Contractual Clauses for non-adequate countries
    • Supplementary safeguards under Schrems II
    • DPIA and TIA assessments
  • DPDP Act Compliance: For Indian users, transfers comply with DPDP Act 2023 requirements for cross-border data transfers, including:
    • Explicit consent or contractual necessity
    • Adequacy assessment
    • Standard contractual clauses where required
    • Notification to Data Protection Authority
  • Country-Specific Laws: Transfers to specific countries comply with their respective data protection and privacy laws
  • International Standards: Transfers follow OECD Privacy Principles and international best practices for cross-border data flows

Dispute Resolution for Transfer Issues

  • Internal Grievance Mechanism: File grievances with our Grievance Officer for transfer-related concerns
  • Regulatory Complaint: Lodge complaints with:
    • Data Protection Board of India
    • National Commission for Protection of Child Rights (NCPCR) if applicable
    • EU Data Protection Authority (for EU users)
    • Relevant national data protection authorities
  • Judicial Remedies: You retain the right to pursue legal action in courts of competent jurisdiction if transfers violate your rights
  • Arbitration: Disputes may be resolved through arbitration if agreed by both parties

Frequently Asked Questions on International Transfers

  • Q: Where is my data stored?
    A: Personal data is primarily stored in India. Backup copies may be maintained internationally. You can request detailed storage location information from our Grievance Officer
  • Q: Can I prevent my data from being transferred internationally?
    A: Some transfers are necessary for service delivery (backups, disaster recovery). You can object to non-essential transfers (analytics, marketing) without losing service access
  • Q: Is my data safe when transferred internationally?
    A: Yes. International transfers use encryption, Standard Contractual Clauses, and other safeguards equivalent to Indian data protection standards
  • Q: How does Cartt ensure GDPR compliance for EU users?
    A: We implement Standard Contractual Clauses, supplementary safeguards, and conduct Transfer Impact Assessments for all transfers to non-adequate countries
  • Q: Can I access the Data Processing Agreements?
    A: Yes. Request copies of relevant DPAs from our Grievance Officer. We will provide documents not containing confidential third-party information
  • Q: What happens if a country enacts stricter data protection laws?
    A: Cartt continuously monitors regulatory changes and updates transfer mechanisms to comply with new requirements. You will be notified of significant changes

15. Policy Updates

Cartt reserves the right to update, modify, amend, or revise this Privacy Policy at any time to reflect changes in our data processing practices, technological advancements, legal requirements, regulatory compliance obligations, or business operations. This section explains how policy updates are communicated, when they take effect, and your rights regarding changes to privacy practices.

Reasons for Policy Updates

  • Legal and Regulatory Changes: Updates to applicable Indian laws including the Digital Personal Data Protection Act, 2023, Income Tax Act, GST legislation, Information Technology Act, 2000, or other statutory requirements may necessitate policy revisions to ensure continued compliance
  • Government Directives: Issuance of new guidelines, directives, or notifications from regulatory authorities such as the Data Protection Board of India, Reserve Bank of India, Ministry of Electronics and Information Technology, or other government agencies may require policy modifications
  • International Compliance: Changes in international data protection standards (GDPR updates, international treaties, cross-border data transfer regulations) may require corresponding policy updates
  • Technological Advancements: Adoption of new technologies, security measures, encryption standards, or infrastructure improvements may necessitate policy revisions to describe enhanced data protection practices
  • Service Expansion: Introduction of new services, features, functionality, or integrations with third-party platforms may require disclosure of new data processing activities and practices
  • Business Changes: Mergers, acquisitions, reorganizations, changes in data processing locations, or engagement of new sub-processors may require policy updates to reflect modified data handling practices
  • Security Incidents: Discovery of security vulnerabilities, data breaches, or incidents may require updates to security measures and incident response procedures described in the policy
  • User Feedback: Feedback from users, civil society organizations, data protection advocates, and regulatory authorities may prompt clarifications or enhancements to privacy protections
  • Best Practices Evolution: Changes in industry standards, data protection best practices, and recognized frameworks may lead to policy updates to incorporate improved practices
  • Clarifications and Corrections: Minor updates to clarify language, correct errors, reorganize sections, or improve readability may be made periodically

Types of Policy Changes

  • Material Changes: Substantial modifications that significantly affect user privacy rights or data processing practices, such as:
    • New data collection practices
    • Changes in data sharing with third parties
    • Extended data retention periods
    • New purposes for data processing
    • Reduction in user rights or protections
    • Changes in data transfer destinations
    • New automated decision-making processes
    Material changes require explicit user consent and advance notice
  • Non-Material Changes: Minor updates that do not substantively affect privacy protections, such as:
    • Grammatical corrections and language clarifications
    • Reorganization of sections for improved readability
    • Addition of contact information or links
    • Updates to section references or cross-references
    • Clarifications of existing practices without changing them
    • Updates to external links or third-party information
    • Technical corrections or formatting improvements
    Non-material changes may be implemented with minimal advance notice
  • Beneficial Changes: Updates that enhance user privacy protections or expand user rights, such as:
    • New user data rights
    • Reduced data retention periods
    • Enhanced security measures
    • Removal of data sharing practices
    • Improved consent mechanisms
    • Greater transparency measures
    Beneficial changes may be implemented immediately

Notification and Communication of Changes

  • Advance Notice Period: For material changes that reduce user privacy protections or expand data processing, Cartt provides advance notice of at least 30 days before the changes take effect. This allows users to review changes, raise concerns, and make informed decisions about continued use
  • Notice Methods: Policy updates are communicated through multiple channels:
    • Email Notification: Users receive email notifications at the email address registered with their account. Email is the primary notification method for material changes
    • In-Dashboard Alerts: Users are notified through alerts, banners, or notifications within the Cartt dashboard upon login
    • Website Banner: A prominent banner appears on the Cartt website and login page announcing the policy change and linking to the updated policy
    • Privacy Policy Page: The updated privacy policy is published on this page with highlighted changes and version history
    • Blog Post: Significant policy updates are announced through Cartt's official blog with explanation of changes and implications
    • Phone Notification: For critical changes affecting security,
    • Social Media: Policy updates may be announced on Cartt's official social media channels
  • Notification Content: Notifications include:
    • Clear summary of what changed
    • Why the change was made
    • Effective date of the change
    • How to access the full updated policy
    • How to contact support if you have questions
    • Your rights regarding the changes
    • Instructions for exercising rights (opt-out, objection, etc.)
  • Accessibility: Notifications are provided in plain language and accessible formats to ensure comprehension by all users, including those with disabilities
  • Multiple Languages: For non-English speaking users, notifications are provided in Indian languages or users' preferred languages where feasible

Effective Dates and Transition Periods

  • Standard Transition Period: Material changes requiring user consent typically become effective 30 days after notification. This transition period allows users time to review, understand, and respond to changes
  • Extended Transition for Major Changes: For comprehensive policy overhauls or changes significantly affecting user rights, Cartt may provide 60-90 days' advance notice to allow adequate time for user review and decision-making
  • Immediate Implementation: Beneficial changes that enhance privacy protections or expand user rights may be implemented immediately without advance notice
  • Emergency Changes: In rare emergency situations (discovery of security vulnerabilities, imminent regulatory violation, critical business needs), changes may be implemented immediately with retroactive notification and explanation. Users will have an opportunity to object and seek remedy
  • Effective Date Posting: Each policy version clearly states its effective date and the date of last update. Previous versions are archived for user reference
  • Regulatory Compliance Exception: If regulatory requirements mandate immediate policy changes, Cartt will implement changes as required while notifying

User Consent and Opt-Out for Policy Changes

  • Consent Requirement for Material Changes: For material changes that expand data collection, processing, or sharing, users must provide explicit, renewed consent before the changes take effect. Consent is not automatic or implied
  • Consent Mechanism: Users provide consent for policy changes through:
    • Online Consent Form: A clear checkbox or button explicitly stating "I agree to the updated Privacy Policy" with a link to the full policy
    • Email Confirmation: Users receive an email with an update summary and must click a confirmation link to consent. Failure to confirm may trigger additional reminders
    • Account Dashboard Consent: A prominent consent button in the user's account dashboard requiring active acknowledgment before using updated services
    • Rolling Consent: If a user takes any action after notification (login, feature use, data update), it may be considered as implicit consent subject to regulations. Users are always free to explicitly object
  • Right to Object: Users have the absolute right to object to material changes, particularly those reducing privacy protections:
    • Users can opt-out of specific new data processing activities without affecting existing account functionality where legally possible
    • Opting out of essential processing may limit service access, but users can make informed choices
    • Cartt cannot penalize users for objecting to new privacy-reducing changes
    • Objections are submitted to our Grievance Officer with details of specific concerns
  • Continued Use as Consent: Subject to applicable law, continued use of Cartt services after the effective date of policy changes may be considered as acceptance of the updated policy. However:
    • Users are always informed that they can object or discontinue use
    • Continued use is not automatic consent to material privacy-reducing changes
    • Users must have genuine choice to accept or object
    • Service discontinuation cannot be the only remedy offered
  • Withdrawal of Consent: If policy changes require consent for new processing, users can withdraw that consent at any time through account settings or by contacting the Grievance Officer
  • No Retaliation: Cartt will not penalize, disadvantage, or retaliate against users who object to policy changes or refuse to consent to new processing activities

Version Control and Archive

  • Version Numbering: Each privacy policy version is numbered (e.g., v1.0, v1.1, v2.0) to track changes over time. Major revisions increment the first number; minor updates increment the second number
  • Last Updated Date: The policy prominently displays "Last Updated: [Date]" at the top, allowing users to quickly identify if changes have occurred since their last review
  • Change Log: A detailed change log documents all modifications, including:
    • Version number and effective date
    • Summary of changes made
    • Reason for each change
    • Section(s) affected
    • Impact on user privacy (if any)
    • Link to previous version
  • Policy Archive: Previous versions of the Privacy Policy are maintained in a publicly accessible archive for at least 7 years, allowing users to review historical policies and understand how practices have evolved
  • Archive Access: Users can access archived policies through:
    • Dedicated "Policy History" or "Archive" link on the website
    • Direct URLs to dated versions (e.g., privacy-policy-2023-01-15.pdf)
    • Request from the Grievance Officer for a specific version
  • Version Comparison: Tools or side-by-side comparisons may be provided to help users understand specific changes between versions
  • Historical Data Practices: If policy changes affect data collected before the change, users can request information about which policy version applied when their data was collected and how it was processed

Impact Assessment of Policy Changes

  • Privacy Impact Assessment (PIA): Before implementing material changes, particularly those affecting data collection or processing, Cartt conducts a Privacy Impact Assessment to evaluate:
    • Necessity of the change
    • Impact on user rights and freedoms
    • Adequacy of safeguards
    • Alternative approaches that might be less privacy-invasive
    • Compliance with applicable laws
  • Fairness Analysis: Changes are assessed for fairness, considering whether affected users receive transparent disclosure and meaningful choice
  • Vulnerability Assessment: Cartt evaluates how policy changes affect vulnerable user groups (children, elderly, persons with disabilities, economically disadvantaged) and implements additional protections if needed
  • Stakeholder Consultation: For significant changes, Cartt may consult with:
    • User representatives and advisory groups
    • Data protection advocates and civil society organizations
    • Industry experts and peers
    • Regulatory authorities (where appropriate)
  • Assessment Documentation: PIA documentation is retained and made available to regulatory authorities upon request or user inquiry

User Rights Regarding Policy Updates

  • Right to Information: You have the right to:
    • Know when the policy was last updated and what changes were made
    • Access all current and previous versions of the policy
    • Understand the reasons for policy changes
    • Review the effective date and transition period
    • Know how changes affect your data and rights
  • Right to Request Explanation: You can request a detailed explanation of specific policy changes by contacting our Grievance Officer. We will respond within 30 days with clarification and additional information
  • Right to Object: You can object to material policy changes that reduce your privacy protections or expand data processing. Cartt will consider your objection and may modify its approach or offer alternative solutions
  • Right to Discontinue Use: If you disagree with material policy changes and Cartt does not accommodate your concerns, you have the right to discontinue use of Cartt without penalty. You can request data deletion or export before discontinuing
  • Right to Data Export: Before policy changes take effect that you disagree with, you can request export of your data in portable format to transfer to another service
  • Right to Complaint: You can lodge formal complaints about policy changes with:
    • Cartt's Grievance Officer (internal process)
    • Data Protection Board of India
    • Relevant regulatory authorities
    • Consumer protection authorities

Specific Scenarios and Policy Update Procedures

  • New Data Collection: If Cartt begins collecting new categories of personal data:
    • 30-day advance notice provided
    • Clear explanation of new data category
    • Purpose and legal basis for collection
    • Retention period and recipients
    • User rights regarding the new data
    • Explicit user consent obtained for non-essential collection
  • New Data Sharing Partners: If Cartt begins sharing data with new third parties:
    • 30-day advance notice before sharing begins
    • Identity and description of new recipient
    • Purpose of data sharing
    • Safeguards and contractual protections in place
    • User opt-out mechanism for optional sharing
  • Extended Retention: If Cartt extends data retention periods:
    • 30-day notice with explanation of extension
    • New retention period clearly stated
    • Legal or business justification provided
    • Security measures for extended retention
    • Impact on user rights during extended retention
  • New Processing Purposes: If Cartt begins processing existing data for new purposes:
    • 30-day advance notice
    • New purpose clearly described
    • Connection to original collection purpose (if any)
    • User consent obtained for non-essential new uses
    • Right to object without service penalty
  • Automated Decision-Making: If Cartt implements new automated decision-making affecting users:
    • Advance notice and detailed explanation required
    • Description of the automated decision process
    • Significance and consequences of automated decisions
    • Right to human review and objection
    • Opt-out option for automated processing

Grandfathering of Data Processing

  • Existing Data Practices: Data processing practices in effect when this policy was adopted continue under their original terms unless policy changes provide enhanced protections
  • New Restrictions Apply: If policy updates introduce new privacy protections or user rights, they apply retroactively to all data, including data collected under previous policies
  • No Retroactive Adverse Changes: Cartt does not retroactively apply policy changes that would reduce privacy protections for data already collected. Users retain protections that existed when their data was collected
  • Choice for Existing Data: If policy changes affect how existing data will be used going forward, users can choose whether to allow new uses or request deletion of their data
  • Legacy Data Policy: Data collected under previous, superseded policies continues to be protected according to the policy in effect at collection, unless newer protections are more favorable to users

Special Circumstances for Policy Changes

  • Legal Requirement Exception: If a new law or regulation requires immediate policy changes, Cartt will:
    • Implement changes as legally required
    • Notify users of the legal requirement and timeline
    • Explain how changes comply with new requirements
    • Provide notice and opportunity to object where legally possible
    • Document the legal mandate requiring the change
  • Security Incident Response: If a security breach or vulnerability requires immediate policy or practice changes:
    • Affected users are notified immediately
    • Changes are implemented to prevent recurrence
    • Policy is updated to reflect new security measures
    • Details of incident and remediation are disclosed
  • Business Continuity: If business-critical changes are necessary for service survival or continuity:
    • Cartt provides as much advance notice as operationally feasible
    • Changes are explained with business justification
    • User impact is minimized through safeguards
    • Alternative solutions are explored

Communication with Regulatory Authorities

  • Regulatory Notification: Material policy changes are communicated to relevant regulatory authorities, including:
    • Data Protection Board of India (if applicable)
    • Ministry of Electronics and Information Technology
    • Reserve Bank of India (for payment-related changes)
    • Other relevant regulators (for industry-specific changes)
  • Notification Timing: Regulatory notification occurs simultaneously with or before user notification, ensuring transparent communication
  • Change Documentation: Cartt maintains detailed documentation of all policy changes, including:
    • Reason for change
    • Effective date
    • User notification method and date
    • Regulatory notification details
    • User feedback or complaints received
    • Implementation details

Feedback on Policy Changes

  • Solicitation of Feedback: During transition periods, Cartt actively solicits user feedback on policy changes through:
    • Email surveys to affected users
    • Online feedback forms and comment mechanisms
    • Public consultation periods for major changes
    • Grievance Officer requests
    • Social media engagement and discussion
  • Feedback Review: User feedback is carefully reviewed and considered for modifications to proposed changes
  • Impact Adjustment: If substantial user concern or feedback indicates problematic impacts, Cartt may:
    • Delay effective date to allow additional review
    • Modify the change to address concerns
    • Provide additional safeguards or opt-out options
    • Extend the transition period
  • Feedback Response: Users providing feedback are notified of how their input was considered and whether changes were made as a result

Dispute Resolution for Policy Change Disputes

  • Grievance Filing: If you dispute a policy change or believe it violates your rights, file a formal grievance with our Grievance Officer including:
    • Specific policy change in question
    • How the change affects your rights
    • Legal or ethical basis for your concern
    • Remedies you seek
    • Supporting documentation
  • Investigation Process: Cartt will investigate your grievance, considering:
    • Legal compliance of the policy change
    • Procedural fairness in implementing the change
    • Impact on user rights
    • Validity of user's objections
  • Resolution Options: Possible resolutions include:
    • Reverting the policy change
    • Modifying the policy to address concerns
    • Providing alternative opt-out or safeguards
    • Compensating affected users (if applicable)
    • Providing detailed explanation of why change was necessary
  • Regulatory Escalation: Unresolved disputes can be escalated to the Data Protection Board of India or relevant regulatory authorities

Frequently Asked Questions on Policy Updates

  • Q: How often does Cartt update its Privacy Policy?
    A: Policy updates occur as needed, prompted by legal changes, service modifications, or the need to correct inaccuracies
  • Q: Where can I find previous versions of the Privacy Policy?
    A: Previous versions are available in our Policy Archive section. You can also request specific dated versions from our Grievance Officer
  • Q: Do I need to agree to policy updates?
    A: For material changes that affect your privacy, explicit consent is required. You will be notified and asked to confirm acceptance before changes take effect
  • Q: What happens if I don't agree with a policy change?
    A: You can object to the change, request clarification, or discontinue your account. You can also export your data before opting out
  • Q: How much notice is given before policy changes take effect?
    A: Material changes receive at least 30 days' notice. More significant changes may have 60-90 days' notice
  • Q: Can Cartt change the policy without notice?
    A: No. Cartt always provides advance notice for material changes. Emergency changes are implemented immediately with retroactive notification and explanation
  • Q: How do I stay informed about policy updates?
    A: Subscribe to email notifications, check the website regularly, or follow Cartt's official channels for announcements

Policy Update Summary

  • ✓ Policy reviewed and updated regularly to ensure accuracy and compliance
  • ✓ Material changes receive 30+ days' advance notice
  • ✓ Multiple notification methods used for maximum visibility
  • ✓ User consent required for privacy-reducing material changes
  • ✓ Previous policy versions archived and accessible
  • ✓ Change logs document all modifications
  • ✓ Users have right to object and request explanations
  • ✓ Regulatory authorities notified of significant changes
  • ✓ User feedback solicited and considered
  • ✓ Dispute resolution mechanisms available for policy disputes

16. Grievance Officer

Cartt has appointed a dedicated Grievance Officer to handle data protection grievances, privacy complaints, and requests from users in accordance with the Digital Personal Data Protection Act, 2023, and other applicable Indian laws. This section provides comprehensive information about how to lodge grievances, the grievance resolution process, timelines, and your rights during grievance handling.

Grievance Officer Details

  • Name: Data Protection & Grievance Officer
  • Organization: Blumox Technologies
  • Email: [email protected]
  • Phone: +91-9990026008
  • Physical Address: Blumox Technologies, [Address], India
  • Business Hours: Monday to Friday, 9:00 AM to 6:00 PM IST (excluding public holidays)
  • Response Availability: Grievances can be filed 24/7. Initial acknowledgment provided within 5 business days

Types of Grievances We Handle

  • Data Protection and Privacy Grievances:
    • Unauthorized data collection or processing
    • Violation of user rights (access, correction, deletion, etc.)
    • Unauthorized data sharing or disclosure
    • Failure to honor consent withdrawal or opt-out requests
    • Excessive or extended data retention
    • Data breach or security incident concerns
    • Inadequate data protection or security measures
    • Unfair or deceptive data practices
  • User Rights Requests:
    • Right to access personal data
    • Right to correct or rectify inaccurate data
    • Right to deletion (right to be forgotten)
    • Right to data portability
    • Right to withdraw consent
    • Right to object to processing
    • Right to restrict processing
    • Right to explanation and transparency
  • Complaint and Feedback:
    • Concerns about Cartt's data handling practices
    • Questions about this Privacy Policy
    • Complaints about Cartt's customer service regarding privacy
    • Suggestions for improving data protection practices
    • Reports of privacy policy violations by Cartt employees
  • Policy and Procedure Disputes:
    • Disputes about policy changes or updates
    • Disagreements with Cartt's interpretation of user rights
    • Concerns about fairness of data processing procedures
    • Objections to legal basis claimed for processing
  • Third-Party Data Processing Issues:
    • Concerns about third-party service providers' data handling
    • Complaints about data sharing practices
    • Issues with sub-processors or data recipients

What We Do NOT Handle

  • Out of Scope Matters: The Grievance Officer handles only data protection and privacy-related grievances. The following are outside our scope:
    • General service quality complaints (billing, feature requests, bugs)
    • Account access issues unrelated to privacy
    • Disputes about service terms and conditions
    • Complaints about other users' conduct (refer to Community Guidelines)
    • Product feedback and feature requests
    • Billing and payment disputes (contact billing support)
    • Technical support issues (contact technical support)
    For non-privacy matters, please contact the appropriate support team

How to File a Grievance

  • Method 1: Email
    • Send a detailed email to [email protected]
    • Subject line: "Privacy Grievance: [Brief Description]"
    • Include all relevant information (see "Required Information" below)
    • Attach supporting documents or evidence
    • Receive confirmation email with grievance reference number
  • Method 2: Phone
    • Call +91-9990026008 during business hours
    • Speak to a grievance officer or representative
    • Provide details of your grievance
    • Receive grievance reference number and next steps
    • Receive follow-up email confirmation
  • Method 3: Account Dashboard
    • Log into your Cartt account
    • Navigate to Settings → Privacy & Data
    • Click "File a Grievance"
    • Complete the grievance form with details
    • Attach documents if needed
    • Submit and receive immediate confirmation
  • Method 4: Postal Mail
    • Send written grievance to: Blumox Technologies, [Address], India
    • Mark envelope: "Attention: Grievance Officer - Privacy"
    • Include contact information and grievance reference (if resubmitting)
    • Send via registered mail for tracking
  • Method 5: Authorized Representatives
    • You can authorize another person to file a grievance on your behalf
    • Submit a signed power of attorney or authorization letter
    • Representative must provide their identity verification
    • Cartt will communicate with the representative as directed

Required Information for Grievance Filing

  • Your Information:
    • Full name
    • Email address associated with Cartt account
    • Phone number
    • Cartt account username or user ID (if applicable)
    • Preferred contact method
  • Grievance Details:
    • Clear, detailed description of the grievance
    • Specific Cartt privacy practices or policies involved
    • Dates when the issue occurred (if applicable)
    • What you believe Cartt did wrong or failed to do
    • How the issue affected you
    • Any previous attempts to resolve the issue
  • Supporting Documentation:
    • Screenshots or copies of relevant communications
    • Emails from Cartt regarding the issue
    • Account data or records demonstrating the issue
    • Privacy Policy versions referenced in the complaint
    • Any written correspondence with Cartt support
  • Remedies Sought:
    • What resolution or remedy do you request?
    • Do you want data deletion, correction, or access?
    • Do you want an explanation or clarification?
    • Do you seek compensation or damages?
  • Optional Information:
    • Whether you've filed a complaint with other authorities
    • Whether this is related to a security breach or incident
    • Any special circumstances or urgency (if applicable)

Grievance Processing Timeline

  • Receipt and Acknowledgment (5 business days):
    • Grievance is received and logged in Cartt's system
    • Unique grievance reference number is generated
    • Acknowledgment email sent to your registered email address
    • Reference number and next steps provided
    • Expected resolution timeline communicated
  • Initial Assessment (5-10 business days):
    • Grievance is reviewed for completeness
    • Missing information requested (if needed)
    • Grievance categorized by type and severity
    • Assigned to appropriate department or officer
    • Preliminary assessment of merit and next steps
  • Investigation (10-30 business days):
    • Detailed investigation of the grievance
    • Relevant Cartt records and systems reviewed
    • Internal processes examined for compliance
    • Supporting documentation gathered
    • You may be contacted for additional information
  • Resolution (5-30 business days):
    • Resolution is prepared based on investigation
    • Appropriate remedies determined and implemented
    • Data corrections or deletions processed
    • Compensation (if applicable) calculated
    • All corrective actions completed
  • Final Response (Cumulative total: 30-60 business days):
    • Detailed resolution letter sent to you
    • Full explanation of findings provided
    • Remedies implemented and confirmed
    • Your rights regarding further escalation explained
    • Copy of investigation report (if applicable)
  • Expedited Processing (5-10 business days):
    • For urgent grievances (security incidents, data breaches, critical privacy violations), expedited processing is available
    • Request expedited processing in your grievance submission
    • Provide clear justification for urgency
    • Initial response provided within 5 business days

Grievance Investigation Process

  • Investigation Scope:
    • All relevant facts and circumstances examined
    • Cartt's compliance with Privacy Policy and laws assessed
    • Applicable laws and regulations reviewed
    • Standard industry practices considered
    • User's rights and legitimate interests evaluated
  • Evidence Collection:
    • Cartt's system logs and database records reviewed
    • Email and communication records examined
    • Employee statements and interviews (if needed)
    • Third-party involvement assessed (if applicable)
    • Documentary evidence gathered and preserved
  • Impartiality and Independence:
    • Investigation conducted by neutral officer without conflicts of interest
    • Investigator not involved in original decision or conduct in question
    • Investigation conducted fairly and objectively
    • Both Cartt's and user's perspectives considered
    • Presumption of fairness unless evidence proves otherwise
  • Confidentiality During Investigation:
    • Investigation details kept confidential
    • Third-party information protected unless disclosure required
    • Investigation findings shared only with authorized personnel
    • Final report summary provided to user
  • User Participation:
    • You have the right to provide additional information during the investigation
    • You may request updates on investigation progress
    • You may request disclosure of evidence against you (if applicable)
    • You may provide response or rebuttal to findings

Resolution and Remedies

  • Possible Outcomes:
    • Upheld: Grievance is found to be valid. Cartt violated Privacy Policy or law. Remedies provided
    • Partially Upheld: Some aspects of grievance are valid. Partial remedies provided
    • Not Upheld: Grievance is found to be without merit. Detailed explanation provided
    • Unable to Determine: Insufficient evidence to reach conclusion. Investigation continues or further information requested
  • Types of Remedies:
    • Data Correction: Inaccurate data corrected or updated in Cartt's systems
    • Data Deletion: Personal data permanently deleted as requested
    • Data Access: Copy of personal data provided in accessible format
    • Data Portability: Data exported in machine-readable format for transfer
    • Consent Withdrawal: Processing of data ceased for consented purposes
    • Policy Compliance: Data handling modified to comply with Privacy Policy and law
    • Explanation: Detailed written explanation of Cartt's practices and legal basis
    • Apology: Formal acknowledgment of error and apology (if appropriate)
    • Compensation: Monetary compensation for damages (if applicable and substantiated)
    • Process Improvement: Changes to Cartt's procedures to prevent recurrence
    • Training: Employee training on data protection compliance
  • Implementation of Remedies:
    • Remedies implemented promptly once approved
    • You are notified when remedies are complete
    • Verification provided that actions were taken
    • Timeline for implementation communicated upfront

Appeal and Escalation Process

  • Right to Appeal:
    • If dissatisfied with Cartt's grievance resolution, you have the right to appeal
    • Appeal must be filed within 30 days of receiving resolution letter
    • Appeal reviewed by senior officer not involved in original investigation
    • Appeal can request full re-investigation or review specific aspects
  • Appeal Filing:
    • Submit written appeal to [email protected] with subject "APPEAL: [Reference Number]"
    • Clearly state reasons for appealing original decision
    • Provide any new evidence or information not previously considered
    • Specify what outcome you seek on appeal
    • Include original grievance reference number
  • Appeal Timeline:
    • Appeal acknowledgment within 5 business days
    • Appeal review and decision within 30 business days
    • Decision is final unless escalated to regulatory authority
  • Regulatory Escalation:
    • If unsatisfied after internal appeal, escalate to regulatory authorities:
    • Data Protection Board of India: For data protection violations under DPDP Act, 2023
    • National Commission for Protection of Child Rights (NCPCR): For children's privacy violations
    • Consumer Protection Authority: For consumer-related privacy issues
    • Cybercrime Reporting Portal: For illegal data practices (cybercrime.gov.in)
    • Local Police/Cybercrime Cell: For criminal violations
  • Right to Legal Action:
    • You retain your right to pursue legal remedies in competent courts
    • Filing internal grievance does not waive legal rights
    • You can pursue regulatory complaints and legal action simultaneously

Your Rights During Grievance Process

  • Right to Information:
    • Access to all information relevant to your grievance
    • Right to know investigation findings and basis for decision
    • Right to receive clear written explanation of outcomes
    • Right to request copies of investigation reports (non-confidential parts)
  • Right to be Heard:
    • Opportunity to provide information and evidence
    • Right to submit written statement or response
    • Right to request meeting with Grievance Officer (if appropriate)
    • Right to present your perspective before final decision
  • Right to Privacy:
    • Your grievance details kept confidential
    • Grievance file information not shared with unauthorized parties
    • Your identity protected unless disclosure required by law
    • Investigation conducted discreetly
  • Right to Timeliness:
    • Grievances processed within stated timelines
    • Delays explained and expected completion date provided
    • Expedited processing available for urgent matters
    • Right to request updates on progress
  • Right to Fair Treatment:
    • Grievance assessed objectively and fairly
    • No retaliation or adverse action for filing grievance
    • Impartial investigation free from bias
    • Clear and transparent decision-making process
  • Right to Non-Retaliation:
    • Cartt will not penalize you for filing a grievance
    • No adverse action against your account or services
    • No discrimination or prejudicial treatment
    • You can file multiple grievances without penalty
  • Right to Free Grievance Filing:
    • No fees charged for filing or processing grievances
    • No cost for investigation or resolution
    • Free access to Grievance Officer services
    • No payment required to exercise rights

Grievance Officer Accountability

  • Impartiality Requirements:
    • Grievance Officer must be independent from operational departments
    • Reporting structure ensures autonomy and impartiality
    • Conflicts of interest disclosed and managed
    • No interference from senior management in specific cases
  • Training and Qualifications:
    • Grievance Officer trained on data protection laws and Privacy Policy
    • Regular training on investigation techniques and fairness
    • Knowledge of user rights and legal obligations
    • Customer service and communication skills development
  • Performance Metrics:
    • Timeliness of grievance resolution monitored
    • Quality of investigation and decisions reviewed
    • User satisfaction with grievance process measured
    • Adherence to procedural fairness assessed
  • Transparency and Reporting:
    • Grievance Officer reports to senior management
    • Regular reports on grievances received and resolved
    • Trends and patterns identified and addressed
    • Public transparency reports on grievance handling (if required by law)

Frequently Asked Questions - Grievance Officer

  • Q: How long does it take to get a response to my grievance?
    A: Initial acknowledgment within 5 business days. Full resolution typically within 30-60 business days depending on complexity
  • Q: What if I'm not satisfied with the response?
    A: You can file an appeal within 30 days or escalate to regulatory authorities like the Data Protection Board of India
  • Q: Do I need to be a lawyer to file a grievance?
    A: No. Grievances can be filed in simple language. Complex matters can be handled by representatives or lawyers if you choose
  • Q: Is my grievance information kept confidential?
    A: Yes. Grievance details are kept confidential except where disclosure is required by law or necessary for investigation
  • Q: Can I file a grievance if I'm no longer a Cartt user?
    A: Yes. You can file grievances about Cartt's data handling even after closing your account
  • Q: What if Cartt doesn't resolve my grievance?
    A: You can appeal internally, lodge a complaint with the Data Protection Board of India or consumer protection authorities, or pursue legal action
  • Q: Can I file a grievance on behalf of someone else?
    A: Yes, with proper authorization. Parents/guardians can file for minors or legally incapacitated persons
  • Q: Is there a deadline to file a grievance?
    A: There is no strict deadline, but timely filing helps with investigation. File as soon as you become aware of the issue

Regulatory Contacts for Escalation

  • Data Protection Board of India:
    • For violations of Digital Personal Data Protection Act, 2023
    • Contact: [DPB website and contact details when established]
  • National Cybercrime Reporting Portal:
    • Website: cybercrime.gov.in
    • For reporting illegal data practices and cybercrimes
  • Ministry of Electronics and Information Technology:
    • Contact: meity.gov.in
    • For data protection concerns and policy matters
  • National Commission for Protection of Child Rights (NCPCR):
    • Contact: ncpcr.gov.in
    • For children's privacy and safety concerns
  • Consumer Protection Authority:
    • State/National consumer protection commissions
    • For consumer privacy violations

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, the collection or use of your personal information, or our data protection practices, you may contact us using the details below. We are committed to addressing your inquiries in a timely and transparent manner.

📧 Email: [email protected]
📞 Phone: +91-9990026008

When contacting us, please include sufficient information to help us understand and respond to your request, such as your name, contact details, and the nature of your inquiry.