This Notice covers personal data that Cartanalytics, operating under the Cartlytics brand ("Cartlytics," "we," "us," "our"), collects, processes, and makes available to business clients through its data enrichment and licensing services.
Cartlytics operates as both a B2B and B2C data services provider. Our datasets include enriched consumer profiles sourced from real e-commerce transactions, representing individual consumers (B2C data subjects) as well as business professionals and organizational contacts (B2B data subjects). Both categories of personal data are collected, processed, and licensed under the terms described in this Notice.
Note on consumer data scope: Unlike data services providers that handle only business-to-business records, Cartlytics processes and licenses data relating to individual consumers (B2C), including purchase behavior, demographic attributes, and geographic signals derived from retail and DTC e-commerce activity. If you are an individual consumer whose data may be included in Cartlytics datasets and you wish to exercise your privacy rights, please see Section 8.
This Notice does not govern how our business clients use data they receive from us. Clients are independent data controllers and are solely responsible for their own use of data in compliance with applicable law. If you have received a communication from a business that obtained data from Cartlytics and have a question or request, you should contact that business directly.
Email addresses (hashed and raw) and associated identifiers.
Purchase history, product affinity, average order value, purchase frequency, and related transactional attributes sourced from e-commerce activity.
Inferred demographic and geographic attributes including income tier, homeowner status, geographic market type, and age bracket. These attributes are statistically inferred and are not guaranteed to reflect individual circumstances.
Inferred behavioral attributes derived from commercial activity, including category affinity, brand affinity, and purchase lifecycle signals.
Email deliverability classifications.
We do not intentionally process special categories of personal data as defined under applicable law, including health data, biometric data, racial or ethnic origin, religious beliefs, political opinions, or precise geolocation. To the extent any such data is inadvertently present in source datasets, Cartlytics applies reasonable technical measures to identify and suppress it.
Cartlytics collects personal data from the following categories of sources:
We do not purchase personal data from individual consumers, social media platforms, or data obtained without authorization.
Cartlytics processes personal data for commercial data services purposes, including:
We make data available to business clients who use it for their own commercial purposes. Each client is an independent data controller and is contractually required to use data only for permitted purposes and in compliance with applicable law.
We engage third-party service providers who process personal data on our behalf under written agreements and are restricted to processing data solely as directed by Cartlytics.
We may disclose personal data when required by applicable law, court order, or regulatory demand, or to protect the rights, safety, or property of Cartlytics or others.
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to a successor entity subject to equivalent data protection obligations.
Cartlytics operates as a data broker under applicable U.S. state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), and complies with state data broker registration requirements where applicable. Our processing of consumer personal data is conducted in accordance with applicable law, including honoring consumer opt-out rights as described in Section 8.
For personal data of individuals located in the EU/EEA, Cartlytics relies on legitimate interests (Article 6(1)(f) GDPR) as the legal basis for processing consumer data for commercial purposes, having conducted Legitimate Interest Assessments for applicable processing activities. Where the nature of the data or the intended use requires consent as the legal basis, Cartlytics processes only data for which documented consent has been established.
Upon expiration of applicable retention periods, personal data is deleted or irreversibly anonymized.
Depending on your jurisdiction, you may have rights regarding personal data Cartlytics holds about you. These may include the right to know, access, correct, delete, or opt out of the sale or sharing of your personal data.
How to Submit a Request:
Email: legal@cartlytics.ai
Subject line: "Privacy Rights Request"
We will acknowledge your request within ten (10) business days and fulfill verified requests within thirty (30) calendar days, with an extension of up to sixty (60) additional days for complex requests. We may require identity verification before fulfilling a request. We will not discriminate against you for exercising your privacy rights.
You may opt out of the distribution of your personal data at any time by contacting legal@cartlytics.ai with the subject line "Do Not License My Data." Opt-outs apply to future distributions and do not retroactively affect data already delivered under prior agreements. We maintain a permanent suppression list. Opted-out records will not be re-added to active datasets.
California residents may submit requests under the CCPA/CPRA to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information. You may also designate an authorized agent to submit requests on your behalf. For more information, see Section 10.
EU/EEA data subjects may exercise rights under GDPR Articles 15 through 22, including the right to object to processing based on legitimate interests. Submit requests to legal@cartlytics.ai with the subject line "GDPR Data Subject Request."
When Cartlytics transfers personal data of EU/EEA data subjects to recipients located outside the EEA, such transfers are governed by Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) incorporated into the applicable agreement. Cartlytics conducts Transfer Impact Assessments as required.
Under the CCPA/CPRA, Cartlytics is a "business" that sells and shares personal information with third parties.
Categories of personal information collected in the preceding 12 months:
Categories of sources: our own business operations, third-party data providers, publicly available commercial sources.
Business or commercial purpose: making consumer data available to business clients for commercial purposes including audience targeting, segmentation, and enrichment.
Categories of third parties to whom personal information was disclosed: business clients, service providers.
California residents may opt out of the sale and sharing of their personal information by contacting legal@cartlytics.ai with the subject line "California Do Not Sell/Share." We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.
Cartlytics complies with state data broker registration requirements where applicable, including California (California Delete Act, Cal. Civ. Code ยง 1798.99.80 et seq.) and other states with enacted data broker registration statutes. Consumers in applicable states may submit deletion requests through the California Data Broker Registry or directly to Cartlytics at legal@cartlytics.ai.
Cartanalytics (Cartlytics)
Email: legal@cartlytics.ai
Subject: "Privacy Rights Request" / "Do Not License My Data" / "GDPR Data Subject Request" / "California Do Not Sell/Share"
We may update this Notice from time to time. Material changes will be posted with a revised "Last Modified" date.