Privacy Policy

Last Updated: January 20, 2026

1. Introduction

Welcome to CartCure NZ ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.

This policy applies to all information collected through our website (cartcure.co.nz) and any related services, sales, marketing, or events (collectively, the "Services").

2. Information We Collect

2.1 Information You Provide to Us

We collect personal information that you voluntarily provide when you submit our contact form. This includes:

• Name: Your full name (maximum 100 characters)
• Email Address: Your email address for communication (maximum 254 characters)
• Store URL: Your Shopify® store URL (optional, maximum 2048 characters)
• Message: Your inquiry or description of services needed (maximum 5000 characters)
• Voice Notes: Optional audio recordings (maximum 3 minutes, 10MB)

2.2 Information Automatically Collected

When you visit our website, we automatically collect certain information, including:

• IP Address: Your Internet Protocol address for security and abuse prevention
• Timestamp: Date and time of form submission (New Zealand timezone)
• Browser Information: Browser type and version for technical support

2.3 Voice Recording Data

If you choose to record a voice note:

• Voice recordings are captured using your browser's MediaRecorder API
• Audio is stored in WebM or similar format
• Maximum duration is 3 minutes
• Maximum file size is 10MB
• Voice data may be used for speaker identification purposes to prevent fraud
• You must explicitly consent before recording

3. Account Access and Passwords

To effectively deliver our Shopify troubleshooting and repair services, we may require access to your Shopify account or other related platforms. This section explains how we handle sensitive access credentials.

3.1 Why We Need Account Access

Many Shopify issues require direct access to your store's admin panel, theme files, or third-party app settings. To diagnose and fix these issues, we may need:

• Shopify Admin Access: Login credentials or staff account access to your Shopify store
• Theme Editor Access: To modify theme code, CSS, or Liquid templates
• Third-Party App Access: Credentials for apps integrated with your store
• Payment Gateway Settings: Access to configure checkout or payment issues

3.2 How We Handle Your Passwords

We take password security extremely seriously:

• Temporary Use Only: Passwords are used solely for the duration of the service engagement
• No Storage: We do not permanently store your passwords in any database or file system
• Secure Transmission: Credentials shared via our contact form are transmitted over encrypted HTTPS connections
• Immediate Deletion: All password information is deleted within 24 hours of project completion
• Staff Accounts Recommended: Where possible, we recommend creating a temporary staff account with limited permissions rather than sharing your main admin credentials

3.3 Your Responsibility

We strongly recommend:

• Changing your password immediately after we complete our work
• Using unique passwords that are not used elsewhere
• Revoking any staff account access we were granted after project completion
• Enabling two-factor authentication on your accounts

4. Remote Computer Access

In some cases, resolving complex Shopify issues may require remote access to your computer. This section outlines our remote access practices and your rights.

4.1 When Remote Access May Be Required

Remote access may be necessary for:

• Local Development Issues: Troubleshooting theme development environments on your computer
• Browser-Specific Problems: Diagnosing issues that only occur on your specific setup
• Software Configuration: Helping configure Shopify CLI, Git, or other development tools
• Real-Time Collaboration: Walking you through complex fixes that require your input
• File Transfer Assistance: Helping upload or download theme files from your system

4.2 Remote Access Tools

We may use the following remote access software:

• AnyDesk: For secure remote desktop connections
• TeamViewer: For remote support sessions
• Zoom Screen Share: For collaborative troubleshooting
• Other Tools: As mutually agreed upon with the client

4.3 Remote Access Safeguards

To protect your privacy and security during remote sessions:

• Explicit Consent Required: We will never initiate remote access without your express permission
• Session Visibility: You can observe all actions taken on your computer in real-time
• Termination Rights: You may end the remote session at any time for any reason
• Scope Limitation: We only access files and applications directly related to your Shopify issue
• No Recording: We do not record remote sessions unless explicitly agreed upon
• Session Logs: You will receive a summary of actions taken during the remote session upon request

4.4 Your Rights During Remote Access

5. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To respond to your inquiries and provide requested Shopify fixes and services
• Communication: To contact you regarding your request and provide quotes
• Security: To prevent spam, abuse, and fraud on our platform
• Analytics: To understand how our services are used and improve user experience
• Legal Compliance: To comply with applicable laws and regulations

6. How We Store and Protect Your Information

4.1 Data Storage

Your information is stored using the following services:

• Google Sheets: Form submissions are stored in a private Google Sheet
• Google Drive: Voice recordings are stored in Google Drive
• Google Apps Script: Form data is processed through Google Apps Script

4.2 Security Measures

We implement industry-standard security measures to protect your data:

• Encryption in Transit: All data is transmitted over HTTPS (SSL/TLS)
• CSRF Protection: Cross-Site Request Forgery tokens prevent unauthorized submissions
• Input Sanitization: All inputs are sanitized using DOMPurify to prevent XSS attacks
• Rate Limiting: Maximum 5 submissions per hour per IP address to prevent abuse
• HTML Entity Escaping: All outputs are escaped to prevent code injection
• Access Control: Only authorized personnel can access submission data

4.3 Data Retention

We retain your personal information for the following periods:

• Active Inquiries: Until your request is fulfilled or 90 days, whichever is shorter
• Completed Projects: Up to 2 years for record-keeping and customer support
• Voice Recordings: Deleted within 30 days after inquiry resolution
• IP Address Logs: Retained for 90 days for security purposes

7. Third-Party Data Processors

We use the following third-party services to process your data:

7.1 Google LLC

• Services Used: Google Apps Script, Google Sheets, Google Drive, Gmail
• Purpose: Form processing, data storage, email notifications
• Location: United States (with global data centers)
• Privacy Policy: https://policies.google.com/privacy

7.2 DOMPurify (via CDN)

• Service Used: jsDelivr CDN for DOMPurify library
• Purpose: Client-side input sanitization
• Privacy Policy: jsDelivr Privacy Policy

8. Cookies and Tracking Technologies

We use local browser storage (localStorage) for the following purposes:

• CSRF Tokens: Security tokens stored for 1 hour to prevent unauthorized submissions
• Rate Limiting: Submission timestamps stored to enforce hourly limits

We do not use third-party tracking cookies, analytics cookies, or advertising cookies.

9. Your Privacy Rights

Depending on your location, you may have the following rights:

9.1 General Data Protection Regulation (GDPR) - EU/UK Residents

• Right to Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of data processing
• Right to Data Portability: Receive your data in a machine-readable format
• Right to Object: Object to processing of your data
• Right to Withdraw Consent: Withdraw consent at any time

9.2 California Consumer Privacy Act (CCPA) - California Residents

• Right to Know: Request disclosure of collected personal information
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt-out of the sale of personal information (we don't sell data)
• Right to Non-Discrimination: Not be discriminated against for exercising rights

9.3 New Zealand Privacy Act 2020

• Right to Access: Request access to your personal information
• Right to Correction: Request correction of inaccurate information
• Right to Complain: Lodge a complaint with the Privacy Commissioner

9.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

We will respond to your request within 30 days.

10. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal information to third parties.

We may disclose your information in the following circumstances:

• With Your Consent: When you explicitly authorize us to share information
• Service Providers: With Google (as described in Section 5) to operate our services
• Legal Requirements: If required by law, court order, or government regulation
• Protection of Rights: To protect our rights, safety, or property
• Business Transfers: In connection with a merger, sale, or asset transfer

11. International Data Transfers

Your information may be transferred to and processed in countries other than New Zealand, including:

• United States: Google's data centers and infrastructure
• Other Locations: Where Google maintains infrastructure

We ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Privacy Shield framework compliance (where applicable)
• Adequate level of data protection as determined by relevant authorities

12. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Significant changes will be communicated via:

• Email notification (if we have your email address)
• Prominent notice on our website

Your continued use of our services after changes constitutes acceptance of the updated policy.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

15. Supervisory Authority

If you are located in New Zealand and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with:

16. Do Not Track Signals

We do not track users across third-party websites. We honor Do Not Track (DNT) browser signals. Our website does not respond to DNT signals as we do not engage in tracking.

17. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify you within 72 hours of discovering the breach
• Provide details of the breach and data affected
• Explain steps we are taking to mitigate harm
• Notify relevant supervisory authorities as required by law

18. Consent

By submitting our contact form, you explicitly consent to:

• Collection and processing of your personal information as described in this policy
• Storage of your data with Google services
• International transfer of data to countries where Google operates
• Use of voice recordings for service delivery and fraud prevention (if you record a voice note)

You may withdraw your consent at any time by contacting us.

---

Thank you for trusting CartCure with your personal information.
We are committed to protecting your privacy and providing transparent data practices.

← Back to Home