Who we are
CARTT.AI is an Australian-built multi-portal B2B2C e-commerce platform operated from Byron Bay, New South Wales, Australia by Timothy Worley. References to "we", "us" and "CARTT.AI" in this Privacy Policy refer to the operator of the platform at cartt.ai.
This Privacy Policy is written to meet our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Personal information we collect
We collect personal information in three different contexts:
Marketing and sales enquiries
When you submit a contact form, request a demo, or otherwise enquire about CARTT.AI, we collect your name, email address, company name, and the platform or context you describe in your message. We use this to respond to your enquiry and to follow up with related sales information you are likely to want.
Tenant administrator accounts
When you create or are invited to administer a CARTT.AI tenant, we collect your name, email address, role, and authentication credentials (hashed, never stored in plaintext). We collect billing information (business name, ABN, billing address) for tenants on paid plans.
End-customer data (held on behalf of tenants)
CARTT.AI tenants operate online stores. The personal information of their end-customers (shoppers) is held by us on the tenant's behalf — we are the data processor and the tenant is the data controller. See Tenant data vs. platform data below.
How we use your information
- To provide the service — authentication, billing, support, transactional notifications, and the day-to-day operation of your tenant.
- To respond to enquiries — replying to contact form submissions, sales conversations, onboarding scoping.
- To improve the platform — diagnosing bugs, analysing aggregate usage patterns, prioritising features.
- To meet our legal obligations — taxation, fraud prevention, lawful requests from Australian authorities.
We do not sell personal information to third parties.
Tenant data vs. platform data
CARTT.AI is a multi-tenant platform. We make a clear distinction between two categories of personal information:
Platform data — information about tenant administrators, billing contacts, and people who interact directly with cartt.ai (e.g. via the marketing site contact form). We are the data controller for this information; this Privacy Policy governs it.
Tenant data — information about end-customers (shoppers) of stores running on CARTT.AI. This includes customer accounts, orders, addresses, support conversations, marketing list memberships and behavioural analytics. The tenant is the data controller for this information; CARTT.AI is the data processor. Tenants publish their own privacy policies on their own storefronts. If you are a shopper and want a copy of your personal information or want it deleted, contact the store you purchased from in the first instance.
When we share information
We share personal information only in these circumstances:
- Sub-processors who run parts of the platform — hosting (Australian-based providers); email delivery (Amazon SES); SMS gateways the tenant selects (MessageMedia, Twilio, Vonage, Kudosity); AI providers the tenant has wallet-funded usage with (Anthropic, OpenAI, ElevenLabs, HeyGen, Black Forest Labs, Google Gemini); payment processors the tenant has connected (eWAY, PayPal, Afterpay, Zip, Stripe).
- Accounting and inventory integrations — only with the tenant's explicit connection (MYOB, Xero, QuickBooks Online, Datapel WMS, Cin7 Core, Unleashed, Retail Express, Lightspeed Retail, Starshipit, Shippit).
- Where required by law — lawful Australian government requests, court orders, or fraud-prevention obligations.
- In a business transaction — if CARTT.AI is sold, merged or acquired, customer data may transfer as part of that transaction, subject to the acquirer's continuation of this Privacy Policy.
Storage and security
CARTT.AI is hosted in Australia. We use industry-standard technical and organisational measures to protect personal information: encryption in transit (TLS), hashed passwords (bcrypt / Argon2), tenant-isolated databases, encrypted credentials for third-party integrations, network-level firewalls, and CageFS-based per-tenant process isolation on shared hosts.
No system is impenetrable. If we become aware of a personal information breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in line with the Notifiable Data Breaches scheme.
Retention
We keep platform data while your CARTT.AI account is active and for a reasonable period afterwards (typically up to 7 years for billing records to meet Australian taxation requirements). Marketing-enquiry data is retained for 24 months unless you request earlier deletion.
Tenant data retention is governed by the tenant's own data retention policy. When a tenant closes their CARTT.AI account, tenant data is purged in line with our offboarding procedure (typically within 30 days), except where retention is legally required.
Your rights under the Australian Privacy Principles
Under the Australian Privacy Principles, you have the right to:
- Request access to the personal information we hold about you (APP 12).
- Request that we correct inaccurate personal information (APP 13).
- Make a complaint about how we have handled your personal information.
- Lodge a complaint with the Office of the Australian Information Commissioner: oaic.gov.au.
To exercise any of these rights, see Contact us.
Cookies and tracking
See our Cookies Policy for full details on the cookies we set, why we set them, and how to control them.
AI processing
Tenants can use AI features in CARTT.AI (content generation, page audits, image generation, video studio, chatbot, AI Business Advisor). These features process tenant data through third-party AI providers (Anthropic Claude, OpenAI, ElevenLabs, HeyGen, Black Forest Labs Flux, Google Gemini). The tenant chooses which features to enable; usage is metered through a prepaid wallet.
For tenant administrators: we contractually require AI providers not to train their general-purpose models on your content. The AI Business Advisor (Network tier) is grounded in your tenant's signals and never auto-acts — it only suggests work with deep-links for you to approve.
Changes to this policy
We may update this Privacy Policy. Material changes will be notified by email to tenant administrators or by a banner on the marketing site. The "Last updated" date at the top of this page reflects the most recent revision.
Contact us
For privacy enquiries, access requests, correction requests or complaints, contact us at privacy@cartt.ai or via the contact form on our marketing site. We will acknowledge receipt within 5 business days and respond substantively within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.