Privacy Policy

Last updated: 11.06.26

This Privacy Policy explains how TheCart ("TheCart", "we", "us" or "our") collects, uses, shares and protects your personal data when you use the TheCart mobile application, our website at the-cart.co.uk, and any related services (together, the "Service").

We are committed to protecting your privacy and handling your personal data responsibly and transparently, in compliance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 ("PECR"), each as amended (including by the Data (Use and Access) Act 2025), and all other applicable data protection laws of the United Kingdom.

Please read this policy carefully. If you do not agree with it, please do not use the Service.

1. Who we are (Data Controller)

TheCart is the "data controller" responsible for your personal data. This means we decide how and why your personal data is processed.

  • Company: The Cart Technology Ltd
  • Registered in England & Wales, company number: 14471716
  • Registered/correspondence address: 56 Ayers Street, London, SE1 1EU
  • Privacy contact: alexcavadias@thecart.online

If you have any questions about this policy or how we handle your data, you can reach us using the details in Section 14.

2. The personal data we collect

We collect the following categories of personal data:

a. Information you give us

  • Account information — your name, email address, and password (stored in encrypted/hashed form) when you create an account.
  • Profile and preference information — your style preferences, gender (where you provide it, used to tailor recommendations), sizes, favourite brands, and any other details you choose to add.
  • Saved items and shopping activity — the products you save, compare, tag or interact with inside the app.
  • Communications — messages, feedback, survey responses and support requests you send us.

b. Information we collect automatically

  • Device and technical data — device type and model, operating system and version, unique device identifiers, IP address, language settings, app version, and diagnostic/crash data.
  • Usage data — how you interact with the Service: features used, screens viewed, items saved or compared, session length, taps and navigation paths.
  • Advertising and analytics identifiers — where you consent, identifiers used to measure and attribute advertising (for example via Apple's SKAdNetwork and the Meta SDK) and to understand app performance.

c. Information we generate

  • Personalisation and profiling data — style "archetype" scores and product recommendations our systems generate from your saved items and activity (see Section 6).

d. Information from third parties

  • Affiliate and retail partners — when you click through to a brand or make a purchase via an affiliate link, our affiliate network partners (see Section 5) may tell us that a click or transaction occurred and provide limited, often anonymised or pseudonymised, transaction data for commission tracking.
  • Sign-in providers — if you register or log in using a third-party account (e.g. Apple), we receive basic profile information permitted by that provider and your settings.

We do not intentionally collect special category data (such as health, race, religion or sexual orientation). Please do not submit such data to us.

3. How and why we use your data (purposes and lawful bases)

Under UK data protection law we must have a "lawful basis" for each use of your data. The table below sets out what we do and the lawful basis we rely on.

What we use your data for

Lawful basis

Creating and managing your account; providing the core app features (saving, comparing, syncing items across devices)

Performance of a contract with you

Generating personalised product recommendations and style profiling

Consent (where required) and/or our legitimate interests in providing a personalised service

Improving, securing and troubleshooting the Service; analytics and aggregate reporting

Our legitimate interests in operating and improving a reliable, secure product

Sending you marketing emails, push notifications and offers

Consent (which you can withdraw at any time)

Advertising measurement, attribution and similar tracking technologies

Consent

Responding to your enquiries and providing customer support

Performance of a contract and/or our legitimate interests

Complying with legal, tax and regulatory obligations; handling disputes

Legal obligation and/or legitimate interests in establishing or defending legal claims

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You can ask us for more information about this balancing exercise, and you have the right to object (see Section 9).

Where we rely on consent, you are free to refuse or withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Marketing communications

If you have opted in, we may send you emails, push notifications and in-app messages about new features, product recommendations, brand offers and updates.

You can opt out at any time by:

  • using the "unsubscribe" link in any marketing email;
  • turning off push notifications in your device settings; or
  • contacting us at alexcavadias@thecart.online.

We will still send you essential service messages (for example, account, security or transactional notices) where necessary, as these are not marketing.

5. Who we share your data with

We do not sell or rent your personal data. We share it only as described below.

a. Service providers (processors) who process data on our behalf under contract, including:

  • Google Firebase / Google Cloud — app hosting, authentication, database and crash reporting. Our primary database is hosted in the UK (London / europe-west2 region).
  • Klaviyo — email and marketing communications and related analytics.
  • OneSignal — push notifications and in-app messaging.
  • Apple — App Store distribution and, where you consent, advertising attribution (SKAdNetwork).
  • Meta Platforms — advertising delivery and measurement, where you consent (Meta Pixel / SDK).
  • TikTok — website advertising and measurement, where you consent.
  • Webflow — hosting of our website.

b. AI / personalisation providers — we use Google's Gemini models to help classify style preferences and generate recommendations. Data sent for this purpose is limited to what is needed and is not used by the provider to train its models where we can prevent it. See Section 6.

c. Affiliate network partners — to track click-throughs and qualifying purchases so brands can pay us commission. These include AWIN, CJ (Commission Junction), Rakuten and BonusArrive. These partners are typically independent controllers of the data they collect through their own tracking; we encourage you to review their privacy policies.

d. Professional advisers and authorities — our accountants, lawyers, insurers and auditors, and regulators, courts or law enforcement where we are legally required or permitted to disclose.

e. Business transfers — if we are involved in a merger, acquisition, financing or sale of assets, your data may be transferred to the party involved, subject to this policy.

We require all our processors to keep your data secure and to use it only for the purposes we specify.

(Please confirm this list is complete and accurate, and that a data-processing agreement is in place with each provider before publishing.)

6. Automated processing and personalisation

A core feature of TheCart is personalisation. To recommend products, we use automated systems — including deterministic scoring across a set of style "archetypes" and AI-assisted classification (Google Gemini) — that analyse the items you save, your stated preferences and your activity to build a style profile and surface relevant products and offers. This is a form of profiling under the UK GDPR.

This profiling does not produce legal effects or similarly significant effects on you — it affects only what products and content you are shown. It does not determine pricing for you individually, eligibility, or access to any service.

You have the right to object to this profiling for personalisation (see Section 9). If you object, you can continue to use the core features of the app, but your experience will be less tailored.

7. International data transfers

Some of our service providers (for example Klaviyo, OneSignal, Meta and TikTok) are based in, or process data in, countries outside the UK, including the United States.

Where we transfer your personal data outside the UK, we ensure an appropriate safeguard is in place, such as:

  • transfer to a country the UK Government has decided provides adequate protection (including, where applicable, the UK Extension to the EU–US Data Privacy Framework); or
  • the UK International Data Transfer Agreement (IDTA), or the International Data Transfer Addendum to the EU Standard Contractual Clauses, together with any additional measures required.

You can contact us for more information about the safeguards we use for a specific transfer.

8. How long we keep your data

We keep your personal data only for as long as necessary for the purposes set out in this policy.

  • Account and profile data — for as long as your account is active. If you delete your account or are inactive for an extended period, we will delete or anonymise your data within a reasonable period (we suggest specifying, e.g. 24 months of inactivity / 30–90 days after deletion request).
  • Marketing data — until you withdraw consent or we determine you are no longer engaged, after which we suppress or delete it.
  • Transaction and commission records — for as long as required to meet tax and accounting obligations (generally 6 years).
  • Support communications — typically for up to 2 years after your query is resolved.

We may keep data for longer where necessary to comply with a legal obligation, or to establish, exercise or defend legal claims.

9. Your rights

Under UK data protection law you have the right to:

  • Be informed about how we use your data (this policy);
  • Access a copy of the personal data we hold about you;
  • Rectification of inaccurate or incomplete data;
  • Erasure of your data ("right to be forgotten"), in certain circumstances;
  • Restrict our processing of your data, in certain circumstances;
  • Data portability — to receive your data in a structured, commonly used, machine-readable format;
  • Object to processing based on our legitimate interests, and to object at any time to processing for direct marketing and to profiling for personalisation;
  • Withdraw consent at any time where we rely on consent.

To exercise any of these rights, contact us at alexcavadias@thecart.online. We will respond within one month (this may be extended for complex requests, and we will tell you if so). We do not charge a fee in most cases. We may need to verify your identity before acting.

10. Cookies and similar technologies

Our website and app use cookies, SDKs and similar technologies to keep you logged in, remember your preferences, measure performance, and — where you consent — to support advertising and measurement (including the Meta Pixel, TikTok Pixel and the Meta/Apple advertising tools described above).

Strictly necessary technologies do not require your consent. For all others, we ask for your consent and you can withdraw it at any time through our cookie settings (website) or your device and in-app privacy settings (app), including Apple's App Tracking Transparency prompt on iOS.

(If you publish a separate Cookie Policy, link it here.)

11. Data security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure or destruction — including encryption in transit, access controls, hosting with reputable providers, and restricting staff access to a need-to-know basis. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to respond promptly to any incident, including notifying you and the Information Commissioner's Office where the law requires.

12. Children's privacy

The Service is not directed at, or intended for use by, children under the age of 16. (Decision point: for a shopping app that runs personalisation and ad measurement, consider 16 or 18 rather than 13 — see note at end.) We do not knowingly collect personal data from children below this age.

In designing and operating the Service we take into account children's higher data protection needs, including that younger users may be less aware of the risks involved. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.

13. Third-party links

The Service contains links to third-party websites, brands and services we do not control (including retailer and brand sites you reach through affiliate links). This policy does not apply to those third parties, and we are not responsible for their content or privacy practices. We encourage you to review their privacy policies before providing them with personal data.

14. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you through the app or by email and update the "Last updated" date above. We encourage you to review this page periodically.

15. Contact us and complaints

If you have any questions, requests or concerns about this policy or how we handle your data:

TheCart Email: alexcavadias@thecart.online Address: 56 Ayers Street, London, SE1 1EU

You also have the right to complain directly to us about how we handle your data, and we will do our best to resolve your concern.

If you remain dissatisfied, you have the right to lodge a complaint with the UK's data protection regulator:

Information Commissioner's Office (ICO) Website: ico.org.uk Helpline: 0303 123 1113

We would, however, appreciate the chance to address your concerns before you contact the ICO.