Protected Customer Data Compliance
This page explains how Cart Insights handles protected customer data and the controls we use to keep it secure and compliant.
Revised April 22, 2026
Abstract
onspruce ("we") and Cart Insights ("the App") are dedicated to customer and user privacy and data protection. We only collect and use data that is needed to provide the App's functionality. We do not share or sell customer data to any third party for advertising or marketing purposes. We work with a limited set of infrastructure sub-processors required to operate the App, as described in the Sub-Processors section below. For additional details, see the Cart Insights Privacy Policy.
Customer Data Compliance – Level 1
Processing personal data comes with legal and regulatory requirements to secure, monitor, manage, and communicate about that data. The App uses the minimum data required to provide its functionality, which helps reduce the effort involved in compliance and limits the potential impact of a data breach or unauthorized access.
Personal Data the App Processes
Processing of personal data by the App is limited to the following purposes:
- Customer first and last name – used to provide App functionality to shop admin users by identifying cart contents per customer and helping shop admins provide customer service.
- Customer email, checkout email, order email – used to associate carts and orders with a customer so that shop admins can follow up and provide customer service.
- Order shipping address province, state, and country – used to identify order geolocation to help shop admins provide customer service and improve shop functionality, services, and geographic marketing.
- Customer cart contents – used to identify which items are in a customer's cart so shop admins can provide customer service and better understand cart activity.
- Shopify web pixel event data – used to measure store browsing, product discovery, cart activity, and checkout progression so shop admins can better understand customer behavior and improve the shop experience.
  - Standard events collected: cart_viewed, checkout_address_info_submitted, checkout_completed, checkout_contact_info_submitted, checkout_shipping_info_submitted, checkout_started, collection_viewed, page_viewed, payment_info_submitted, product_added_to_cart, product_removed_from_cart, product_viewed, and search_submitted.
- Browser and storefront context data – used to associate cart activity with a storefront session, understand how a visitor arrived at the store, support customer service, and improve reporting accuracy.
  - Data collected: cart token, customer ID when available in Shopify storefront context, shop domain, referrer URL, landing page URL, IP address, and browser user agent.
- Browser cookie and session storage – the App stores a persistent first-party cookie (cartinsights_data) on the storefront visitor's browser to associate cart activity across page navigation. The cookie expires after 60 days and contains the cart token, customer ID (when present), shop domain, referrer URL, landing page URL, and IP address. Session storage entries are also used to hold the same values for the duration of the browser session.
Personal Data Processing Practices
- Processing is limited to stated purposes. Processing of personal data is limited to clearly stated purposes so that merchants and customers are correctly informed about how their data is used.
- We respect customer consent decisions. Customer consent is a critical mechanism for customers to participate in their data processing. The App implements Shopify's mandatory GDPR webhooks (customers/redact, shop/redact, and customers/data_request). Web pixel event collection operates within Shopify's web pixel framework, which enforces the merchant storefront's customer consent preferences via the Shopify Customer Privacy API before delivering events to the App.
- We honor opt-out decisions. We respect customer decisions to opt out of any data sharing, such as a "data sale" or similar concept, and we comply with applicable laws and regulations around sharing of personal data, including the California Consumer Privacy Act (CCPA/CPRA). We do not sell personal information. California residents may submit requests to know, delete, or opt out by contacting us at info@onspruce.com.
- No automated decision-making. The App does not use personal data for automated decision-making, including profiling, analyzing, predicting, or scoring algorithms that would have legal or similarly significant effects on individuals.
- Data protection agreements with merchants. We make privacy and data protection agreements with merchants that install the App. These agreements formalize how personal data is processed and are an important tool for safe data privacy practices.
- Defined retention periods. Cart activity and associated personal data are automatically deleted from our database after 62 days of inactivity. Merchant-generated CSV export reports are automatically deleted from cloud storage after 92 days. Browser cookies set by the App expire after 60 days.
- Encryption at rest and in transit. Data is encrypted when stored and when transmitted across networks. Our database data is encrypted, our backups are encrypted, and our database connections require encryption.
Sub-Processors
The App relies on the following infrastructure sub-processors to deliver its functionality. No protected customer data is shared with any other third party.
- Amazon Web Services (AWS) – used for application hosting, encrypted data storage, and merchant-generated CSV export file hosting. Data is stored in the United States.
- ipify.org – used to resolve the public IP address of a storefront visitor at the time their cart activity is recorded. Only the visitor's public IP address is transmitted to this service; no other personal data is shared.
Customer Data Compliance – Level 2
- Encrypted data backups. Data backups contain personal data and are treated with the same level of concern and consideration as production data in order to prevent unauthorized access.
- Separate test and production data. We keep test and production data separate so that personal data from production does not leak into less secure environments.
- Data loss prevention strategy. Our data loss prevention strategy combines technical controls, policies, and standards.
- Limited staff access. We limit staff access to protected customer data to prevent data from being improperly accessed, exfiltrated, or processed.
- Strong authentication for staff. Staff accounts are protected with strong passwords and two-factor authentication (2FA).
- Access logging. We keep and review access logs so that there is an audit trail of activity related to data access.
- Security incident response policy. Our security incident response policy helps us respond appropriately to security incidents and data breaches should they ever occur.