Privacy Policy

Last updated: 30 May 2026

Carto is built for Indian small business owners. We keep your data minimal, never sell it, and explain everything in plain English below.

What we collect

  • Waitlist signups: Your name and email address when you join the waitlist.
  • Orders placed on seller shops: Customer name, phone number, email address (optional), and delivery address. This information is shared with the seller whose shop you ordered from.
  • Contact form submissions: Your name, email, and message when you reach out to us.
  • Seller accounts: Name, email, password (stored as a bcrypt hash — we never see it), shop name, shop description, Instagram handle, and logo URL.
  • Usage data: Standard server logs including IP address, browser type, and pages visited. We do not use third-party tracking cookies.

How we use it

  • To send you a confirmation email when you join the waitlist, and to notify you when Carto launches.
  • To process orders placed on seller storefronts and pass order details to the relevant seller.
  • To respond to contact form enquiries.
  • To operate and improve the Carto platform.
  • We do not sell your data to anyone. Ever.

Who we share it with

  • Resend (resend.com) — used to send transactional emails (waitlist confirmation, contact notifications). They process email addresses on our behalf.
  • Neon (neon.tech) — our database provider. Your data is stored on their PostgreSQL infrastructure hosted in Singapore.
  • Vercel (vercel.com) — our hosting provider. Web traffic passes through their servers.
  • Google Sheets — waitlist signups are optionally mirrored to a private Google Sheet accessible only to the Carto team.
  • We do not share data with advertisers, data brokers, or any other third party.

Cookies

  • We use a single authentication cookie (`carto_token`) for logged-in sellers. It is HttpOnly, SameSite=Lax, and Secure — it cannot be accessed by JavaScript and is not used for tracking.
  • We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

Data retention

  • Waitlist data is retained until Carto launches and you have been onboarded, or until you ask us to delete it.
  • Seller account data is retained for as long as your account is active. You can delete your account at any time by contacting us.
  • Order data is retained to give sellers access to their order history. Sellers can export and delete their data on request.
  • Contact form messages are retained for up to 12 months.

Your rights

  • You can request a copy of the personal data we hold about you.
  • You can ask us to correct inaccurate data.
  • You can ask us to delete your data (right to erasure).
  • You can withdraw consent to email communications at any time by contacting us.
  • To exercise any of these rights, email us at privacy@carto.co.in. We will respond within 7 business days.

Security

  • All data is transmitted over HTTPS. Passwords are hashed with bcrypt and never stored in plain text. Authentication tokens are short-lived JWTs stored in secure, HttpOnly cookies.
  • While we take reasonable precautions to protect your data, no system is 100% secure. If you discover a security issue, please report it to security@carto.co.in.

Changes to this policy

  • We may update this policy as Carto evolves. If we make material changes, we will notify waitlist members by email. The date at the top of this page always reflects the latest revision.

Questions?

If you have any questions about this policy or how we handle your data, reach out — we're a small team and we read everything.