Protected Customer Data Compliance
This page explains how Cart Insights handles protected customer data and the controls we use to keep it secure and compliant.
Revised January 12, 2023
Abstract
onspruce solutions ("we") and Cart Insights ("the App") are dedicated to customer and user privacy and data protection. We only collect and use data that is needed to provide the App's functionality. We do not share or sell data to any third party. For additional details, see the Cart Insights Privacy Policy.
Customer Data Compliance – Level 1
Processing personal data comes with legal and regulatory requirements to secure, monitor, manage, and communicate about that data. The App uses the minimum data required to provide its functionality, which helps reduce the effort involved in compliance and limits the potential impact of a data breach or unauthorized access.
Personal Data the App Processes
Processing of personal data by the App is limited to the following purposes:
- Customer first and last name – used to provide App functionality to shop admin users by identifying cart contents per customer and helping shop admins provide customer service.
- Customer email, checkout email, order email – used to associate carts and orders with a customer so that shop admins can follow up and provide customer service.
- Order shipping address province, state, and country – used to identify order geolocation to help shop admins provide customer service and improve shop functionality, services, and geographic marketing.
- Customer cart contents – used to identify which items are in a customer's cart so shop admins can provide customer service and better understand cart activity.
Personal Data Processing Practices
- Processing is limited to stated purposes. Processing of personal data is limited to clearly stated purposes so that merchants and customers are correctly informed about how their data is used.
- We respect customer consent decisions. Customer consent is a critical mechanism for customers to participate in their data processing. The App processes GDPR data request and GDPR erasure requests.
- We honor opt-out decisions. We respect customer decisions to opt out of any data sharing, such as a "data sale" or similar concept, and we comply with applicable laws and regulations around sharing of personal data.
- No automated decision-making. The App does not use personal data for automated decision-making, including profiling, analyzing, predicting, or scoring algorithms that would have legal or similarly significant effects on individuals.
- Data protection agreements with merchants. We make privacy and data protection agreements with merchants that install the App. These agreements formalize how personal data is processed and are an important tool for safe data privacy practices.
- Defined retention periods. We apply specific retention periods to make sure that personal data is not kept longer than necessary for the stated processing purposes.
- Encryption at rest and in transit. Data is encrypted when stored and when transmitted across networks. Our database data is encrypted, our backups are encrypted, and our database connections require encryption.
Customer Data Compliance – Level 2
- Encrypted data backups. Data backups contain personal data and are treated with the same level of concern and consideration as production data in order to prevent unauthorized access.
- Separate test and production data. We keep test and production data separate so that personal data from production does not leak into less secure environments.
- Data loss prevention strategy. Our data loss prevention strategy combines technical controls, policies, and standards.
- Limited staff access. We limit staff access to protected customer data to prevent data from being improperly accessed, exfiltrated, or processed.
- Strong authentication for staff. Staff accounts are protected with strong passwords and two-factor authentication (2FA).
- Access logging. We keep and review access logs so that there is an audit trail of activity related to data access.
- Security incident response policy. Our security incident response policy helps us respond appropriately to security incidents and data breaches should they ever occur.