Protected Customer Data Compliance

Revised 1/12/2023

Cart Insights
Abstract

Onspruce solutions ("we") and Cart Insights ("the App") are dedicated to customer and user privacy and data protection. We only collect and use data that is needed to provide the App's functionality. We do not share or sell data to any third party. View the app Privacy Policy.

Customer Data Compliance Level 1 Compliance
Cart Insights processes only the minimum personal data required to provide app functionality to merchants

Processing personal data comes with legal and regulatory requirements to secure, monitor, manage, and communicate about the data. The app uses the minimum data required to help minimize the time and effort spent complying with these requirements. Using the minimum data required also limits the potential damage of a data breach or unauthorized access.

Personal data the app processes and the reasons for processing it

Processing of personal data by the app is limited to the following purposes:

Personal Data: Customer First Name, Customer Last Name
Reason for Processing: Provide App functionality to shop admin users - identify cart contents per-customer to help shop admin users provide customer service.

Personal Data: Customer Email, Checkout Email, Order Email
Reason for Processing: Provide App functionality to shop admin users - identify cart contents per-customer to help shop admin users provide customer service.

Personal Data: Order Shipping Address Province, State, Country
Reason for Processing: Provide App functionality to shop admin users - identify order geolocation to help shop admin users provide customer service and improve shop functionality, services, and geographic marketing.

Personal Data: Customer Cart Contents
Reason for Processing: Provide App functionality to shop admin users - identify cart contents per-customer to help shop admin users provide customer service.

Personal data processing is limited to the stated purposes

Processing of personal data is limited to the stated purposes to ensure that merchants and customers are correctly informed about how their data is used.

We respect and apply customer consent decisions

Customer consent is a critical mechanism for customers to participate in their data processing. The app processes GDPR data requests and GDPR erasure requests.

We respect and apply customer decisions to opt out of any data sharing such as a ‘data sale’ or similar concept

We comply with applicable laws and regulations around sharing of personal data.

We do not use personal data for automated decision-making

Automated decision-making can include personal data processing such as profiling, analyzing, predicting, or scoring algorithms. Automated decisions with legal or significant effects are those that have a material impact on people's lives.

We make privacy and data protection agreements with merchants that install the app

Data protection agreements or privacy policies represent an agreement about personal data processing and are an important tool for formal and safe data privacy practices.

We apply specific retention periods to make sure that personal data isn’t kept for longer than needed

Personal data is not kept longer than necessary for the stated processing purposes.

We encrypt data at rest and in transit

Encrypting data when stored and as it transits various networks helps to prevent bad actors from gaining access to it even if they have access to the application. Our database data is encrypted, our backups are encrypted, and our database connections require encryption.

Customer Data Compliance Level 2 Compliance
We encrypt data backups

Data backups contain personal data and are treated with the same level of concern and consideration as production data in order to prevent unauthorized access.

We keep test and production data separate

Strict separation of environments prevents personal data from production from leaking into less secure environments where it could become exposed.

We have a data loss prevention strategy

Our data loss prevention strategy is a combination of technical controls, policies, and standards.

We limit staff access to protected customer data

We limit staff access to protected customer data to prevent data from being improperly accessed, exfiltrated, or processed.

We require strong passwords and 2FA for staff accounts

Staff accounts are protected with both strong passwords and two-factor authentication (2FA).

We keep an access log to protected customer data

We keep and review access logs so that there is an audit trail of activity related to data access.

We have a security incident response policy

Our security incident response policy helps us to respond appropriately to security incidents and data breaches should either ever occur.