Data Processing Agreement

Effective Date: March 1, 2026 — Last Updated: March 24, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cartly Inc. ("Processor," "Cartly") and the merchant ("Controller," "you") using the Cartly platform.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws including GDPR and CCPA
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction
  • "Controller" means the merchant who determines the purposes and means of Processing Personal Data (you)
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (Cartly)
  • "Sub-processor" means any third party engaged by Cartly to process Personal Data on behalf of the Controller
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection laws
  • "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for international data transfers

2. Scope and Purpose

This DPA applies to all Processing of Personal Data by Cartly on behalf of the Controller in connection with the provision of the Cartly e-commerce platform. The categories of Personal Data processed include:

  • Customer data: Names, email addresses, shipping addresses, phone numbers, and order history of your store's customers
  • Payment data: Billing addresses and transaction identifiers (full payment card data is processed exclusively by Stripe)
  • Account data: Merchant account information, staff member details, and authentication credentials
  • Analytics data: Anonymized usage patterns, page views, and conversion metrics

The purpose of Processing is solely to provide and maintain the Cartly e-commerce platform services as described in our Terms of Service.

3. Processing Instructions

Cartly shall process Personal Data only in accordance with the Controller's documented instructions, which are defined by:

  • This DPA and the Terms of Service
  • Configuration choices made by the Controller in the Cartly admin panel
  • Specific written instructions provided by the Controller to Cartly support

Cartly shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection laws. Cartly shall not process Personal Data for any purpose other than providing the Service unless required by applicable law, in which case Cartly shall inform the Controller of the legal requirement before Processing (unless prohibited by law).

4. Controller Obligations

The Controller shall:

  • Ensure that there is a lawful basis for the Processing of Personal Data (e.g., consent, contract, legitimate interest)
  • Provide all required notices to Data Subjects about the Processing of their Personal Data
  • Obtain necessary consents from Data Subjects where required by applicable law
  • Ensure that the Processing instructions given to Cartly comply with applicable data protection laws
  • Respond to Data Subject requests (access, rectification, erasure, portability) in a timely manner, with Cartly's assistance as needed
  • Maintain a record of Processing activities as required by applicable law

5. Processor Obligations

Cartly shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under statutory obligation of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see our Security page)
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests
  • Assist the Controller in ensuring compliance with data protection impact assessments and prior consultation with supervisory authorities
  • Delete or return all Personal Data to the Controller upon termination of the Service, at the Controller's choice, and delete existing copies unless required by law to retain them
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

6. Sub-processors

The Controller provides general authorization for Cartly to engage sub-processors. Current sub-processors include:

  • Stripe, Inc. (San Francisco, USA) — Payment processing and subscription billing
  • Amazon Web Services, Inc. (Seattle, USA) — Cloud infrastructure, compute, and S3 storage
  • SMTP Provider — Transactional and marketing email delivery
  • Typesense — Product search indexing

Cartly shall inform the Controller of any intended changes to sub-processors at least 30 days before the change. The Controller may object to a new sub-processor by providing written notice within 15 days. If the objection cannot be resolved, the Controller may terminate the affected services.

Cartly shall ensure that all sub-processors are bound by data protection obligations no less protective than those in this DPA.

7. International Data Transfers

Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that does not provide an adequate level of data protection, Cartly ensures appropriate safeguards through:

  • Standard Contractual Clauses: EU Commission-approved SCCs (Module 2: Controller to Processor) are incorporated into this DPA by reference
  • Supplementary measures: Technical measures including encryption in transit and at rest, pseudonymization where feasible, and access controls
  • Transfer impact assessments: Cartly maintains and regularly reviews assessments of the legal framework in recipient countries

8. Data Breach Notification

In the event of a Personal Data breach, Cartly shall:

  • Notify the Controller without undue delay and no later than 24 hours after becoming aware of the breach
  • Provide the following information (to the extent available): the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating the breach and mitigating its effects
  • Assist the Controller in fulfilling its obligation to notify the relevant Supervisory Authority and affected Data Subjects
  • Document all breaches, including the facts, effects, and remedial actions taken, regardless of whether notification to the Supervisory Authority is required

9. Audit Rights

The Controller has the right to audit Cartly's compliance with this DPA, subject to the following conditions:

  • Audits may be conducted no more than once per year, unless a data breach has occurred or a Supervisory Authority requires additional audits
  • The Controller shall provide at least 30 days' written notice before an audit
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with Cartly's operations
  • The Controller may engage a qualified, independent third-party auditor (subject to confidentiality obligations)
  • Cartly shall provide reasonable cooperation and access to relevant documentation, systems, and personnel
  • Audit costs shall be borne by the Controller unless the audit reveals material non-compliance by Cartly

As an alternative to on-site audits, Cartly may provide the Controller with relevant audit reports, certifications, or summaries of security assessments conducted by independent third parties.

10. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Cartly platform. Upon termination of the Service:

  • Cartly shall, at the Controller's election, return or delete all Personal Data within 30 days of termination
  • Cartly shall provide the Controller with export tools to download Personal Data in standard formats (CSV, JSON) during the 30-day period
  • After the 30-day period, all Personal Data shall be permanently deleted from active systems
  • Backup copies shall be purged within 90 days of termination
  • Financial records required by law shall be retained for up to 7 years in accordance with applicable regulations
  • Cartly shall certify the deletion of Personal Data upon the Controller's request

Contact

For questions about this Data Processing Agreement or to exercise your rights:

  • Data Protection Officer: dpo@cartly.pro
  • Privacy Team: privacy@cartly.pro
  • Mailing Address: Cartly Inc., Attn: DPO, 251 Little Falls Drive, Wilmington, DE 19808, United States