Privacy Policy
Last updated: April 29, 2026
1. Who we are
RecartIQ (“we”, “us”) is an abandoned-cart recovery service offered to ecommerce merchants (“merchants”). We help merchants identify visitors on their storefronts and run automated rules — popups, top bars, AI chat, email and WhatsApp follow-ups — that encourage those visitors to complete a purchase.
This policy explains what data we collect, how we use it, and the choices you have. For any question that isn't answered here, any time.
2. The two types of users
Merchants are the store owners who sign up at www.recartiq.com and install our tracker on their storefronts.
Visitors are the shoppers who browse a merchant's storefront. Our tracker observes those shoppers on the merchant's behalf so we can power recovery rules. Visitors do not have a direct contractual relationship with us — their merchant is the data controller; we are a data processor.
3. What we collect from merchants
- Account details: name, email, hashed password, OAuth provider identifier
- Sites you register: name, primary domain, currency, integration configuration
- Encrypted secrets you provide: email provider keys, WhatsApp credentials, AI provider API keys, coupon webhook signing secret. All are stored encrypted with AES-256-GCM at rest and are never returned to the dashboard in plaintext after entry.
- Subscription & billing data we receive from Polar.sh
- Audit metadata: login IPs, session timestamps
4. What our tracker collects from visitors
Our storefront script collects only the data required to operate recovery rules on the merchant's behalf:
- A pseudonymous visitor ID stored in the visitor's localStorage and a first-party cookie (ac_vid)
- Pageviews, product views, add-to-cart events, and order events (URL, product name, cart value, currency, timestamp)
- Email address and phone number, when the visitor submits them voluntarily through a form on the merchant's store
- The visitor's IP address (for rate limiting only)
We do not collect: passwords, payment card details, addresses, or browsing activity outside the merchant's storefront.
5. How we use the data
- Build a journey timeline so the merchant can see what a specific visitor did
- Evaluate the merchant's rules and trigger their configured actions (popup, email, WhatsApp, etc.)
- Compute uplift / recovery analytics for the merchant's dashboard
- Detect abusive traffic and rate-limit it to protect our service and the merchant's endpoints
We do not sell visitor data, share it with other merchants, or use it to build cross-site advertising profiles.
6. AI processing
When a merchant enables the AI chat action, the merchant supplies their own Gemini, OpenAI, or Anthropic API key. Visitor messages are sent to that provider on the merchant's key — we do not store the merchant's key in plaintext, and we do not train any model on visitor conversations.
AI rule generation (the “describe a rule in plain English” feature in the dashboard) uses an AI provider on our own key, and operates only on the merchant-supplied prompt.
7. Where data is stored
All operational data is stored in MongoDB Atlas in regions we select for performance and resilience (currently us-east). Encrypted secrets remain encrypted in transit and at rest. Backups are retained for 30 days and encrypted.
8. Retention
- Visitor events & analytics: kept while the merchant's site is active. Deleted within 30 days after the site is removed.
- Merchant account data: kept while the account is active. Deleted within 90 days of account closure.
- Order & conversion records (anonymized) may be kept for legal & reporting reasons up to 7 years.
9. Your rights (GDPR / CCPA)
You have the right to access, export, correct, or delete the data we hold about you. Merchants can self-serve account deletion from the dashboard. Visitors should contact the merchant whose storefront they used; the merchant is the data controller and we will honour their deletion instructions within 30 days.
For Shopify-installed stores, the mandatory customers/redact and shop/redact webhooks are wired and will hard-delete the matching visitor or shop data on receipt.
10. Sub-processors
- MongoDB Atlas (database)
- Vercel (hosting)
- Polar.sh (subscription billing)
- Resend / per-merchant SMTP (transactional email)
- Tawk.to (live support chat on this site)
- The AI provider chosen by each merchant (Gemini / OpenAI / Anthropic), only when their AI chat action fires
11. Cookies
Our application uses an authentication session cookie and a theme-preference cookie. Our tracker on merchant storefronts uses the ac_vid first-party cookie purely for visitor re-identification — no third-party tracking.
12. Changes
We'll update this policy as the product evolves. Material changes will be notified via email to the merchant account owner. Minor edits will be reflected in the “last updated” date above.
13. Contact
Questions, deletion requests, or data-portability asks? Open the chat using the bubble in the bottom-right of any page, or . We'll respond within two business days.