Privacy Statement

• Business name and store domain
• Email address (for account access and notifications)
• Shopify store owner information (as provided by Shopify)

• Product names, SKUs, and descriptions
• Product variants and attributes
• Inventory quantities and locations
• Product costs and pricing information
• Supplier information
• Bill of Materials (BOM) data
• Purchase order information

• Order numbers and line item details
• Order dates and fulfillment status
• Sales quantities (for velocity calculations)
• Marketplace order identifiers (Shopify, Amazon, Walmart)

• IP addresses and browser information
• Device type and operating system
• Pages visited and features used
• Timestamps of actions
• Error logs and performance data

• Shopify OAuth access tokens
• Amazon SP-API credentials
• Walmart API credentials
• Session identifiers

• Customer personal information (names, addresses, phone numbers)
• Customer payment information (credit cards, bank accounts)
• Customer browsing history or shopping behavior
• Social Security numbers or tax IDs
• Health or biometric data

• Information you provide when creating an account
• Data entered into forms (SKUs, suppliers, purchase orders)
• Settings and preferences you configure

• Shopify: Product data, inventory levels, and order information via Shopify Admin API
• Amazon: Product listings, inventory, and order information via Amazon Seller Partner API
• Walmart: Product listings, inventory, and order information via Walmart Marketplace API

• Server logs generated during your use of the Service
• Session cookies for authentication (essential functionality only)
• No advertising or tracking cookies

• Provide inventory management functionality
• Sync inventory levels across Shopify, Amazon, and Walmart
• Generate purchase order recommendations
• Calculate product velocity and demand forecasting
• Manage Bill of Materials (BOM) and manufacturing workflows
• Track inventory movements and adjustments

• Create and maintain your account
• Authenticate users and maintain security
• Process payments and manage subscriptions

• Analyze usage patterns to improve features
• Diagnose and fix technical issues
• Develop new features based on user needs

• Respond to support requests
• Provide important updates about the Service
• Send security alerts

• Comply with legal obligations
• Enforce our Terms of Service
• Protect against fraud and abuse
• Respond to law enforcement requests

• Contractual Necessity: Processing is necessary to perform our contract with you
• Legitimate Interest: We have a legitimate interest in improving and securing our Service
• Consent: Where required, we obtain your explicit consent
• Legal Obligation: We process data to comply with applicable laws

Your data is stored in secure databases located in the United States, maintained in SOC 2-compliant data centers. To ensure fast, reliable access worldwide, the Service is delivered through a global content delivery network (CDN) that caches static assets and application code at edge locations closer to you. The CDN does not store your merchant business data — all persistent data, including inventory records, order data, and account information, resides in our US-based infrastructure.

A current list of subprocessors is available upon request at privacy@carpeinventory.com.

• Encryption in Transit: All data transmitted using TLS/HTTPS encryption
• Encryption at Rest: Database encryption for stored data
• Access Controls: Role-based access control (RBAC) and authentication
• API Security: HMAC signature verification for all marketplace webhooks
• Regular Security Updates: Continuous monitoring and patching
• Secure Token Storage: OAuth tokens encrypted and securely stored

• Multi-tenant architecture with strict data separation
• Each merchant’s data is isolated and accessible only to authorized users
• No data sharing between merchant accounts

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security. In the event of a data breach that affects your information:

• We will notify affected merchants by email within 72 hours of confirming the breach
• We will notify the relevant supervisory authorities where required by applicable law (e.g., GDPR, state breach notification statutes)
• Our notification will include the nature of the breach, the categories of data affected, and the steps we are taking in response

We retain your data for as long as your account is active and you continue using our Service.

When you uninstall our app or delete your account:

• Immediate Action: Your account is deactivated and API access tokens are revoked
• Grace Period: Your data is preserved for 30 days in case you reinstall
• Data Deletion: All merchant data is permanently deleted after 30 days
• What is Deleted: All SKUs, inventory records, BOMs, purchase orders, locations, suppliers, and associated data
• No Recovery: Once deleted, data cannot be recovered

We may retain certain data longer if required by law, including:

• Financial records (for tax compliance)
• Audit logs (for security and fraud prevention)
• Aggregated, anonymized analytics (no personal identification)

Data in automated backups is deleted within 30 days following account deletion.

We exchange data with e-commerce and marketplace platforms that you connect to the Service in order to perform requested functionality such as inventory synchronization, order processing, and system integrations. Information is transmitted only as necessary to provide the Service.

We use trusted third-party service providers to operate and support the Service, including providers of infrastructure, hosting, database storage, communications, security, and system monitoring. These providers:

• Process data solely on our instructions
• Are contractually bound to maintain confidentiality and security safeguards
• May not use your data for their own purposes

A current list of subprocessors is available upon request at privacy@carpeinventory.com.

We may disclose information when required by law or valid legal process, including:

• Court orders or subpoenas
• Lawful regulatory requests
• Protection of rights, property, or safety
• Investigation or prevention of fraud or illegal activity

If we undergo a merger, acquisition, financing, or sale of assets, your data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy, where required by law.

We treat all merchant business data — including inventory levels, product costs, supplier information, sales velocity, purchase orders, bills of materials, and pricing — as confidential and proprietary to the merchant.

• We will never voluntarily disclose, share, license, or otherwise make available any merchant’s business data to any third party, including other merchants, competitors, data brokers, researchers, or analytics providers.
• We will never use one merchant’s data to benefit another merchant, generate competitive intelligence, produce benchmarking insights, or train models on identifiable merchant data.
• Merchant data will only be disclosed to third parties when compelled by a valid legal obligation and only to the minimum extent required. Where legally permitted, we will provide prompt notice before such disclosure so that the merchant may seek protective relief.
• Internal access to merchant data is limited to authorized personnel who require it to operate, maintain, or support the Service, all of whom are subject to confidentiality obligations.

This confidentiality commitment survives termination of your account.

• We access data via official Shopify Admin API
• OAuth tokens are stored securely and never shared
• We comply with Shopify’s API Terms of Service and Partner Program Agreement
• Our app requests the read_orders scope to track which products sold and in what quantities for inventory calculations. We extract only SKU identifiers, quantities, and order reference numbers from order data. We do not read, store, or process any customer personal information (names, emails, addresses, phone numbers) contained in order records.
• Mandatory GDPR webhooks implemented:
  • customers/data_request
  • customers/redact
  • shop/redact

• We access data via Amazon SP-API under the Selling Partner Agreement
• We comply with Amazon’s Data Protection Policy (DPP)
• Data usage is limited to providing inventory management services as described in this statement
• We do not store Amazon customer personal information
• Credentials are encrypted and rotated per Amazon’s requirements

• We access data via Walmart Marketplace API
• We comply with Walmart’s Marketplace Developer Agreement and API Terms of Use
• Inventory and order synchronization (no customer personal data access)
• Secure credential storage and transmission

If you are located in the EEA, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (“right to be forgotten”)
• Right to Restriction: Limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interest
• Right to Withdraw Consent: Withdraw consent at any time where consent is the basis for processing

California residents have the following rights:

• Right to Know: Request information about data collected, used, and shared
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of sale of personal information (we do not sell data)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising rights

Canadian users have rights to:

• Access personal information
• Correct inaccuracies
• Withdraw consent
• File complaints with the Privacy Commissioner

To exercise any of these rights, contact us at:

• Email: privacy@carpeinventory.com
• Subject Line: “Privacy Rights Request”
• Required Information: Your name, email, and Shopify store domain

We will respond to requests within 30 days (or as required by applicable law).

• We comply with applicable data protection laws for international transfers
• We implement appropriate safeguards including encryption and security measures
• We rely on Standard Contractual Clauses (SCCs) where applicable

For transfers from the EEA to the US, we rely on:

• Standard Contractual Clauses approved by the European Commission
• Supplementary security measures to protect data

Essential Cookies (Required):

• Session Cookie (carpe_session): Maintains your logged-in session
• Duration: 30 days
• Purpose: Authentication and security
• Can be disabled: No (required for service functionality)

• No advertising cookies
• No third-party tracking cookies
• No analytics cookies
• No social media tracking pixels

• Privacy Policy: shopify.com/legal/privacy
• Purpose: E-commerce platform integration
• Data Shared: Product and inventory data

• Privacy Policy: amazon.com/privacy
• Purpose: Marketplace inventory and order synchronization
• Data Shared: Product listings, inventory levels, and order data

• Privacy Policy: corporate.walmart.com/privacy-security
• Purpose: Marketplace inventory and order synchronization
• Data Shared: Product listings, inventory levels, and order data

• Minor Changes: Updated “Last Updated” date at the top of this statement
• Material Changes: Email notification to registered users at least 30 days before changes take effect

Continued use of the Service after changes become effective constitutes acceptance of the revised statement.