Privacy Policy

Effective date: 12 June 2026
Last updated: 1 July 2026

This Privacy Policy explains how CartPilot (“CartPilot,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you visit our website, create an account, purchase a plan, or use the CartPilot AI sales agent on WooCommerce and Shopify storefronts.

CartPilot is a StorePulse product, built and operated by weDevs Pte. Ltd., a company incorporated in Singapore. This Policy is incorporated into our Terms of Service. If you do not agree with this Policy, please do not use CartPilot.

We serve two roles. For a merchant’s own account, billing, and usage data, we act as the data controller. When our AI sales agent handles the personal data of a merchant’s shoppers (for example, questions a shopper types or speaks, and any contact details they provide), we act as a processor, or “data intermediary” under Singapore law, on that merchant’s documented instructions. The merchant is the controller of its shoppers’ data and is responsible for its own shopper-facing privacy notice and for having a lawful basis to connect that data.

1. Information We Collect

a. Information you provide. Your name, email address, company name, billing address, account credentials, and purchase and license information, along with any support messages and attachments you send us. We collect this when you create an account, buy a plan, contact support, or subscribe to updates.

b. Information collected automatically. Device and usage information such as IP address, browser type and version, device identifiers, time zone, referring URLs, and pages viewed. We collect this through cookies and similar technologies, log files, and analytics tools (see Section 4).

c. Service data (conversations, voice, catalog, training). To provide the AI sales agent, we process: conversation transcripts and logs between shoppers and the agent; voice interactions, which we convert to text and then discard the audio recording; catalog data read from a connected store; and the training items a merchant adds to its knowledge base. Conversation and catalog data are processed on our hosted backend and sent to our model providers to generate responses (see Section 3). We ask merchants not to place special-category or unnecessary personal data into training items.

d. Payment information. Payments are handled by our payment provider and merchant of record, Stripe, Inc. We do not store full payment card numbers. Stripe, Inc. collects the information needed to process your purchase (such as name, email, billing address, tax identifiers, and card details) and handles it under its own privacy statement, where it acts as a controller or joint controller for that payment data.

2. How We Use Information

We use personal information to provide and operate the Service, generate AI responses, process purchases and licenses, provide support and security, send account and transactional messages, send product updates and marketing (which you can opt out of at any time), and meet legal and accounting obligations.

Where the GDPR or UK GDPR applies, our legal bases are: performance of a contract (to provide the Service you purchase); our legitimate interests (to operate, secure, and improve the Service, and for cart and product-discovery analytics), balanced against your rights; your consent (for marketing emails and non-essential cookies, which you can withdraw at any time); and compliance with a legal obligation.

3. AI Model Providers and Your Data

CartPilot does not use your data, conversations, or catalog content to train our own models.

To generate responses, product matches, and buying guidance, we send the data needed for the request to our third-party model providers. We currently use Google’s Gemini models, and may use OpenAI where enabled. These providers process that data under their own terms and privacy policies. You can review their terms here: Google Gemini API terms and OpenAI enterprise privacy.

On a Lifetime BYOK plan, you supply your own model provider key and contract directly with that provider, whose terms then govern your use of its models.

4. Cookies and Analytics

We use cookies and similar technologies for essential site functionality, to remember preferences, and to measure and improve performance. Where required by law, we ask for your consent to non-essential cookies, and you can manage cookies through your browser settings.

5. How We Share Information

We share personal information only as needed, with: our payment provider and merchant of record (Stripe, Inc); our AI model providers (Google, and OpenAI where enabled); hosting, analytics, error-monitoring, email, and support providers that act as our processors; and legal or regulatory authorities where required by law or to protect rights and safety. We may also share data in connection with a merger, acquisition, or sale of assets.

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

For merchants who need it, a Data Processing Agreement is available on request.

6. International Data Transfers

CartPilot operates globally, and we are based in Singapore. Your information may be transferred to and processed in Singapore, the United States, and other countries where we and our service providers operate. These countries may not provide the same level of data protection as your own.

Singapore does not currently have an EU or UK adequacy decision. Where we transfer personal data of individuals in the European Economic Area or the United Kingdom, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Agreement or Addendum, together with a transfer risk assessment. You may request a copy of the relevant safeguards using the contact details below.

7. Data Retention

We keep personal information only as long as necessary to provide the Service and to meet legal, accounting, security, and dispute-resolution needs. When a merchant closes their account, we delete or de-identify account data, conversation transcripts, voice-derived text, catalog data, and training items within a maximum of 90 days, unless a longer period is required by law. You may request deletion at any time, subject to our legal obligations.

8. Your Rights

Depending on where you live, you have rights over your personal information. We honor these rights regardless of location where we reasonably can.

EU / UK (GDPR, UK GDPR): access, rectification, erasure, restriction of processing, data portability, objection to processing, the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, the right to withdraw consent, and the right to lodge a complaint with your supervisory authority (in the UK, the Information Commissioner’s Office).

California (CCPA/CPRA): the right to know, access, delete, and correct your personal information, to opt out of the sale or sharing of personal information (we do not sell or share it), to limit the use of sensitive personal information, and not to be discriminated against for exercising these rights.

Singapore (PDPA): the right to access and correct your personal data and to withdraw consent.

To exercise any right, contact us at [email protected]. We will verify your request and respond within the time required by applicable law. If your request concerns shopper data that we process on a merchant’s behalf, we will refer it to the merchant, who is the controller.

9. Automated Processing

CartPilot uses AI to search catalogs, answer questions, and suggest products. This assists shoppers before checkout. It does not make decisions that produce legal or similarly significant effects about a person by automated means alone. AI output can be incomplete or inaccurate, and the merchant remains responsible for the content shown on its storefront.

10. Children

CartPilot is a business tool and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. A merchant is responsible for its own audience and for any age or consent requirements that apply to its shoppers.

11. Security

We use reasonable technical and organizational measures to protect personal information against unauthorized access, use, disclosure, loss, and misuse. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

12. Communications and Support

We may contact you with account and transactional messages, product updates, marketing (which you can opt out of at any time using the unsubscribe link or your account settings), and support notices. When you request support, any access to your site or logs is permission-based, limited to the issue, revoked once resolved, and not retained longer than necessary.

13. Changes to This Policy

We may update this Policy to reflect changes in our practices, technology, or legal requirements. We will post updates on this page and update the “Last updated” date. Material changes will be notified by email or in the dashboard where required.

14. Contact Us

For any privacy question or to exercise your rights, contact us at [email protected].

weDevs Pte. Ltd., 160 Robinson Road, #14-04 SBF Centre, Singapore 068914

CartPilot is a StorePulse product, operated by weDevs Pte. Ltd.