
Privacy Policy.

Last updated: May 13, 2026 · CartAI, LLC

CartAI, LLC ("CartAI," "we," or "us") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, and protect information in connection with our websites, dashboards, developer portals, APIs, SDKs, Hosted Cart component, and any other online services that link to this Privacy Policy (collectively, the "Services").

This Privacy Policy applies to Developers and businesses that integrate CartAI ("Customers" or "Developers"); End Users whose transaction workflows are processed through CartAI-powered flows; and visitors to our marketing sites and documentation.

By using the Services, you agree to the practices described in this Privacy Policy.

01 Key Definitions

Personal Data

Information that identifies, relates to, or can reasonably be linked to an identified or identifiable individual — including name, email address, shipping address, phone number, and similar data.

Services

CartAI's infrastructure and tools that enable applications, agents, and other interfaces to execute transactions — including checkout, subscription sign-up, invoice payment, and order submission — across web properties, including our APIs, SDKs, Hosted Cart component, and dashboards.

Checkout Data

The Personal Data submitted to or collected by CartAI in connection with executing a transaction workflow, including name, email, phone number, shipping address, and billing address.

Customer Data

Content, data, or information that a Customer submits to the Services or that is generated through a Customer's integration, including Personal Data about End Users.

Payment Credentials

Credit and debit card data submitted for use in transaction workflows. CartAI does not store raw Payment Credentials. Raw primary account numbers (PANs) are handled exclusively by PCI-compliant third-party vaulting partners and are never directly accessible by CartAI agents or CartAI infrastructure.

Vaulted Token

A tokenized reference to Payment Credentials, returned by our PCI-compliant vaulting partner and stored by CartAI for use in future transaction workflows on your behalf.

Agentic Payment Token

A single-use or limited-use payment token issued by an agentic payment protocol provider (such as Visa Intelligent Commerce or Mastercard AgentPay) at the time of a transaction, derived from a Vaulted Token. CartAI agents use Agentic Payment Tokens to complete purchases — CartAI never handles or transmits raw PANs during execution.

Merchants

Third-party brands, retailers, and other web properties through which CartAI executes transactions on behalf of End Users or Customers.

Service Provider

Under the CCPA, an entity that processes Personal Data on behalf of a business pursuant to a written contract for a business purpose. CartAI acts as a Service Provider with respect to End User Personal Data that Customers submit to or process through the Services. Customers are responsible for obtaining required End User consents.

Checkout Profile

The stored combination of Checkout Data and Vaulted Token associated with an End User, retained by CartAI to enable faster pre-filled transaction workflows on future visits to any CartAI-powered surface.

02 Information We Collect

2.1 Information You Provide Directly

We may collect Personal Data that you provide when you sign up for a CartAI account, use CartAI-powered checkout flows as an End User, integrate our APIs or SDKs, communicate with us, or subscribe to our communications. This may include:

  • Identifiers: Name, email address, phone number, company, job title, username, and password.
  • Checkout Data: Shipping address, billing address, phone number, email address, and other information required to complete a transaction. CartAI operates as a B2B2C service — End Users are the customers of our Customers. End User Checkout Data is submitted to CartAI by or on behalf of the Customer. CartAI stores this as part of an End User's Checkout Profile to enable faster, pre-filled transaction workflows on future visits. Customers are responsible for obtaining End User consent for this storage. Where CartAI's Hosted Cart is used, the Customer provides consent language; the component may display a "Powered by CartAI" attribution.
  • Payment Credentials: When you provide card data through CartAI or a CartAI-powered interface, that data is transmitted directly to our PCI-compliant vaulting partner, which returns a Vaulted Token to CartAI. CartAI stores only the Vaulted Token — never the raw PAN. At transaction time, CartAI requests an Agentic Payment Token from the relevant protocol provider; that token — not the PAN — is used to complete the purchase.
  • Account and Integration Information: API keys, integration settings, and configuration details.
  • Support and Communications: Content of messages you send us, including support tickets and feedback.

2.2 Information We Receive from Customers and Developers

Customers may submit Personal Data — including identifiers, Checkout Data, transaction history, and interaction data about End Users — through the Services. Customers are responsible for their own privacy practices. Where CartAI processes Personal Data on a Customer's behalf, the Customer's privacy policy may also apply.

2.3 Information We Automatically Collect

  • Device Information: IP address, operating system, browser type and version, device identifiers, and language settings.
  • Log Data: Access logs, timestamps, API endpoint calls, response times, error codes, and diagnostic information.
  • Product Usage Data: Which features you use, which endpoints you call, and performance metrics. We may aggregate or de-identify this information.

2.4 Information from Third Parties

We may obtain information from analytics providers, fraud prevention services, identity verification services, and payment processors, subject to their permitted sharing rights.

03 How We Use Personal Data

3.1 To Provide and Operate the Services

Executing CartAI-powered transaction workflows; pre-filling Checkout Profiles for repeat transactions; creating and managing accounts; operating APIs, SDKs, the Hosted Cart, and dashboards; and providing customer support.

3.2 Payment Processing and Card Vaulting

When you submit card data: (1) it is transmitted to our PCI-compliant vaulting partner, which stores it and returns a Vaulted Token; (2) CartAI stores only the Vaulted Token; (3) at transaction time, CartAI requests an Agentic Payment Token from the relevant protocol provider; (4) the Agentic Payment Token — not the PAN — is used to complete the purchase. CartAI agents and systems are never exposed to your raw card number.

3.3 To Secure and Maintain the Services

Monitoring, preventing, and detecting fraud, abuse, and security incidents; protecting infrastructure integrity; debugging and troubleshooting; and enforcing our Terms of Service.

3.4 To Analyze and Improve the Services

Understanding how the Services are used; developing new features and products; improving performance, reliability, and transaction success rates; and conducting research and analytics.

3.5 To Communicate with You

Sending service-related messages, responding to support requests, and sending marketing communications where permitted by law. You can opt out of marketing at any time.

3.6 To Comply with Legal Obligations

Complying with applicable laws, regulations, and legal processes; responding to lawful requests; and fulfilling tax, accounting, and auditing obligations.

04 How We Share Personal Data

4.1 Service Providers and Vaulting Partners

We share Personal Data with third-party service providers who help us operate the Services, including PCI-compliant vaulting partners (who store Payment Credentials and return Vaulted Tokens, subject to PCI DSS requirements); agentic payment protocol providers (Visa Intelligent Commerce, Mastercard AgentPay) who issue Agentic Payment Tokens at transaction time; hosting and infrastructure providers; analytics and performance monitoring; fraud prevention and identity verification; and customer support tools. All are authorized to use Personal Data only as necessary to provide services to CartAI.

4.2 Merchants

When CartAI executes a transaction, we share relevant Checkout Data with the applicable Merchant to process the order, arrange shipping, handle returns, and comply with legal obligations. Merchants are independent third parties with their own privacy policies.

4.3 Customers and Developers

If you interact with CartAI through a Customer integration, we may share transaction and order information, usage logs, and contact information relevant to that integration. Customers are expected to use such information in accordance with their own privacy policies.

4.4 De-Identified and Aggregate Data

We may share de-identified or aggregate data for analytics and research. This data cannot reasonably be used to identify an individual.

4.5 Legal and Safety Reasons

We may disclose Personal Data if reasonably necessary to comply with law or legal process; enforce our Terms of Service; protect the rights, property, or safety of CartAI, our users, or the public; or detect, prevent, or address fraud or security issues.

4.6 Business Transfers

In connection with a merger, acquisition, or sale of assets, Personal Data may be transferred to a successor or affiliate, who will be required to honor this Privacy Policy or provide appropriate notice.

05 Legal Bases for Processing (EEA / UK)

  • Performance of a Contract: To provide the Services, execute transaction workflows, and fulfill our agreements with you or the Customer you act for.
  • Legitimate Interests: To operate, secure, and improve the Services; prevent fraud; conduct analytics; and support business operations, provided our interests are not overridden by your rights.
  • Consent: Where required by law (e.g., certain marketing communications or non-essential cookies).
  • Legal Obligations: To comply with applicable laws and regulations.

06 California Privacy Disclosures (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Privacy Policy.

6.1 CartAI's Role Under CCPA

CartAI operates primarily as a Service Provider under the CCPA with respect to End User Personal Data. End Users are the customers of CartAI's Customers, not direct customers of CartAI. CartAI processes End User Personal Data on behalf of and at the direction of the Customer, pursuant to a written services agreement that restricts CartAI's use to providing the contracted services.

If you are an End User and want to exercise your California privacy rights regarding data processed through a CartAI-powered flow, contact the business (Customer) whose application or surface you used. That Customer is the "business" under CCPA responsible for your data. CartAI will cooperate with Customers in responding to verified consumer requests.

If you are a Customer or Developer with a direct account relationship with CartAI, the rights in Section 6.5 apply to Personal Data CartAI holds about you directly.

6.2 Categories of Personal Data Collected

From Customers and Developers in the preceding 12 months: Identifiers (name, email, phone, company, username, IP address); Commercial Information (transaction records, API usage, billing data); Internet or Network Activity (usage logs, API calls, diagnostic data); and Professional or Employment Information (job title, company affiliation).

As a Service Provider for End User data: identifiers, Checkout Data, commercial information (transaction and order data), and Payment Credentials (via PCI-compliant vaulting partners; CartAI stores only Vaulted Tokens).

6.3 Purposes for Collection

To provide and operate the Services, process billing for CartAI accounts, secure and maintain infrastructure, communicate about the Services, and comply with legal obligations. End User data is processed solely to fulfill transaction workflows and maintain Checkout Profiles for future efficiency, as directed by Customers.

6.4 No Sale or Sharing of Personal Data

CartAI does not sell Personal Data and does not share Personal Data with third parties for cross-context behavioral advertising as defined under the CCPA/CPRA. CartAI discloses Personal Data only to service providers under written contracts restricting use, and to Merchants as necessary to complete transactions.

6.5 California Consumer Rights (Direct Customers and Developers)

  • Know: Request the categories and specific pieces of Personal Data we have collected, sources, business purpose, and third-party categories.
  • Delete: Request deletion of your Personal Data, subject to exceptions (e.g., completing a transaction, legal obligations, security).
  • Correct: Request correction of inaccurate Personal Data.
  • Opt Out of Sale/Sharing: CartAI does not sell or share data for advertising. No opt-out required, but contact us to confirm.
  • Non-Discrimination: We will not discriminate against you for exercising these rights.

To submit a request, contact us at legal@cartai.ai.

6.6 California Consumer Rights (End Users)

End Users must direct CCPA rights requests to the Customer (business) whose application or surface they used. CartAI processes End User data as a Service Provider and is not responsible for responding to consumer rights requests under the CCPA for that data.

6.7 Shine the Light

CartAI does not disclose Personal Data to third parties for their direct marketing purposes.

07 Your Privacy Choices and Rights

7.1 Marketing Communications

You may opt out of marketing emails at any time by clicking "unsubscribe" in any email or by contacting legal@cartai.ai. We may still send service-related communications.

7.2 Rights Under Applicable Law

Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your Personal Data, and to not be discriminated against for exercising these rights. Contact legal@cartai.ai to submit a request. EEA/UK residents may also lodge a complaint with their local data protection authority.

7.3 Vaulted Payment Data

You may request deletion of your Vaulted Token and associated payment profile by contacting legal@cartai.ai. CartAI will instruct our vaulting partner to delete the underlying Payment Credentials. Note that deletion disables pre-filled checkout for future transactions.

7.4 Checkout Profile and Stored Data

You may request correction or deletion of your stored Checkout Profile by contacting legal@cartai.ai or through your account settings where available.

08 International Transfers

CartAI is based in the United States. We and our service providers may process Personal Data in the US and other countries with different data protection laws. Where required by law, we implement appropriate safeguards (such as standard contractual clauses) for transfers from the EEA/UK.

09 Children's Privacy

Our Services are not directed to children under 16, and we do not knowingly collect Personal Data from children under 16. If you believe a child has provided us Personal Data, contact legal@cartai.ai.

10 Do Not Track

We do not currently respond to Do Not Track browser signals, as the industry has not established a standard for doing so. You can manage cookie preferences through your browser settings.

11 Cookies and Similar Technologies

We use cookies, pixels, and similar technologies to help our Sites function properly, remember your preferences, understand how you use our Services, and measure marketing effectiveness. You can control cookies through your browser settings and, where available, through our cookie banner.

12 Data Retention

We retain Personal Data for as long as necessary to provide the Services; maintain Checkout Profiles and Vaulted Tokens for repeat transaction workflows (until you request deletion or close your account); comply with legal, tax, and accounting obligations; and resolve disputes and enforce our agreements.

When we no longer have a legitimate need to process Personal Data, we will delete or de-identify it. Data in backup archives will be securely isolated until deletion is possible.

13 Security

We implement reasonable technical and organizational measures to protect Personal Data, including encryption in transit, access controls, and regular security reviews. Payment Credentials are handled exclusively by PCI DSS-compliant vaulting infrastructure; raw PANs are never stored in CartAI systems or accessible to CartAI agents.

No method of transmission or storage is completely secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

14 Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date and may provide additional notice where required by law. Your continued use of the Services after an updated policy is posted constitutes acceptance of the changes.

15 Contact Information

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

CartAI, LLC

6009 W Parker Rd, #149-380
Plano, TX 75093

General: info@cartai.ai
Legal: legal@cartai.ai
Website: cartai.ai