Privacy Policy

Effective date: October 20, 2025

Last updated: October 20, 2025

This Privacy Policy explains how AgenticCart ("AgenticCart", "we", "our", "us") collects, uses, discloses, and protects personal data when you use our website, the AgenticCart plugin, and related cloud services (together the "Service"). It also explains your rights under the EU General Data Protection Regulation (GDPR) and Austrian law.

By using the Service you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Who we are and how to contact us

Controller for data described in this Policy:
AgenticCart
Austria
Email: legal@agenticcart.ai

If you are a Merchant using the Service on your WooCommerce store, AgenticCart also acts as processor for limited pass-through personal data when we relay ACP requests on your behalf. See Section 5.

Data Protection Officer: If we appoint a DPO we will publish the contact details here. You can always contact legal@agenticcart.ai.

Supervisory authority: Austrian Data Protection Authority (Datenschutzbehörde, "DSB"). Website: www.dsb.gv.at

2. Scope

This Policy applies to visitors of agenticcart.ai, Merchant account holders, and users who interact with the Service, including our APIs and cloud relay. It does not cover processing performed by Merchants on their own WooCommerce stores, which is governed by each Merchant's privacy notices.

3. Categories of personal data we process

We process the following categories of data, depending on your interaction with the Service:

Account and identity data

Name, company, role, email address, authentication identifiers, password hash (stored by Supabase Authentication), profile preferences.

Commercial and subscription data

Plan, billing status, license state, service usage entitlements, transaction history with us.

Technical and usage data

IP address, timestamps, user agent, device and browser metadata, API call identifiers, request and response logs, error codes, performance metrics, idempotency keys.

Transactional metadata for ACP routing

Order identifiers, payment initiation identifiers, delegated token references or non-sensitive token metadata, ACP endpoint URLs, status codes. We do not store full cardholder data.

Support and communications data

Support tickets, emails, chat transcripts, attachments, issue diagnostics, feedback.

Marketing and deliverability data

Mailing opt-in state, unsubscribe tokens, campaign opens and clicks, bounce information, and similar standard email deliverability metrics.

Cookies and similar technologies

Cookies, local storage, and similar technologies as described in Section 12.

We do not intentionally collect special categories of data within the meaning of Article 9 GDPR. We do not direct the Service to children and do not knowingly collect data from persons under 18.

4. Purposes and legal bases

We process personal data for the purposes and on the legal bases below. Where multiple bases apply we rely on each as appropriate.

Provide and operate the Service

Create accounts, authenticate users, provide ACP relay, payment initiation, and WooCommerce order synchronization, maintain core functionality.
Legal bases: performance of a contract Article 6(1)(b), legitimate interests Article 6(1)(f).

Security and abuse prevention

Detect, investigate, and prevent fraud, abuse, misuse, and security incidents, enforce rate limits, protect our infrastructure.
Legal bases: legitimate interests Article 6(1)(f), legal obligation Article 6(1)(c) where applicable.

Service improvement and diagnostics

Monitor performance, fix bugs, improve reliability, develop new features, and analyze aggregated usage patterns.
Legal basis: legitimate interests Article 6(1)(f).

Communications

Transactional messages about your account, service notices, security alerts, and changes to terms.
Legal bases: performance of a contract Article 6(1)(b), legal obligation Article 6(1)(c).

Marketing

Send product updates and marketing emails to business contacts where permitted by law. You can opt out at any time.
Legal bases: consent Article 6(1)(a) or legitimate interests Article 6(1)(f), depending on jurisdiction and context.

Legal compliance

Fulfill legal obligations, respond to lawful requests, maintain business records, tax and accounting.
Legal basis: legal obligation Article 6(1)(c).

5. Roles: controller and processor

AgenticCart as controller

We are controller for account, website, and platform data that we collect for our own purposes, including identity, contact, subscription, security, and marketing data.

AgenticCart as processor for Merchants

When we relay ACP payment initiation payloads through our servers and automatically create WooCommerce orders for a Merchant, we process any personal data contained in those payloads on behalf of the Merchant. In this context the Merchant is the controller. We process such data only to provide the Service, subject to our Data Processing Addendum (DPA). We do not decide the purposes or means of processing on the Merchant's store.

If you are an End User of a Merchant's store, please contact that Merchant to exercise your GDPR rights. We will assist the Merchant as required by law.

6. How payments and orders work

When an agent or customer initiates a transaction via ACP:

  • The payment initiation request is transmitted to our servers over TLS.
  • We validate and normalize the payload and call Stripe using a delegated payment token tied to the Merchant's Stripe account.
  • Stripe handles authorization, capture, settlement, refunds, disputes, and chargebacks directly with the Merchant.
  • After Stripe acknowledges initiation, we create a corresponding order in the Merchant's WooCommerce system.
  • We store minimal metadata for idempotency, reconciliation, security, and debugging. We do not store full cardholder data.

7. Sources of data

We collect data directly from you, from your use of the Service, from your configured integrations, and from our subprocessors including Supabase and our email service. We may also receive basic company and contact data from public sources or business networking tools where permitted by law.

8. Disclosures and recipients

We disclose personal data to the following categories of recipients, only as necessary and subject to appropriate safeguards.

Subprocessors that help us deliver the Service

  • Supabase: managed Postgres database, object storage, and authentication
  • Stripe: delegated payment token initiation for the Merchant's Stripe account
  • Cloud hosting and CDN providers
  • Email delivery and customer support tooling
  • Logging, monitoring, and security vendors

Merchants and integration partners

When acting as processor, we transmit payloads to the Merchant's WooCommerce instance and to Stripe for payment initiation.

Professional advisors and legal authorities

Auditors, accountants, lawyers, and government authorities where legally required.

Corporate transactions

If we engage in a merger, acquisition, reorganization, or asset sale, data may be transferred to the relevant parties subject to confidentiality.

We do not sell personal data.

9. International transfers

Our subprocessors may process data in countries outside the EEA. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with technical and organizational measures designed to protect the data. Details are available in our DPA and subprocessor list.

10. Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy.

  • Account and contract data: for the life of the account and a reasonable period thereafter to comply with legal, tax, and audit requirements.
  • Security and logs: for the time needed to ensure security, investigate incidents, and improve reliability, then deleted or anonymized.
  • Marketing data: until you opt out and for a short period to document your preference.
  • Processor data handled for Merchants: retained only as necessary for routing, idempotency, legal obligations, and diagnostics, then deleted or anonymized.

Specific retention periods may vary depending on legal requirements.

11. Security

We use technical and organizational measures appropriate to the risk, including access controls, encryption in transit, encryption at rest provided by Supabase, key and secret management, least-privilege access, environment hardening, monitoring and alerting, and routine vulnerability management. No system can be guaranteed 100 percent secure. You are responsible for securing your WordPress, WooCommerce, and server environments, as well as API keys and credentials.

12. Cookies and similar technologies

We use cookies and similar technologies to provide and secure the Service, remember preferences, and measure performance.

Types

  • Strictly necessary cookies: required for authentication and core functionality.
  • Functional cookies: remember settings and preferences.
  • Analytics cookies: help us understand usage and improve the Service.
  • Marketing cookies: used for permitted B2B communications and campaign measurement.

Consent

We obtain your consent for non-essential cookies in jurisdictions where consent is required under the ePrivacy rules. You can change your preferences at any time via the Cookie Settings link in the footer.

Browser controls

You may set your browser to block or delete cookies. Some features may not function if you disable certain cookies. We do not respond to Do Not Track signals.

Google Analytics (GA4)

We use Google Analytics 4 operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. GA4 helps us understand how our website and dashboard are used. GA4 may collect device identifiers, approximate location, and event data. We configured GA4 with Consent Mode v2. Analytics data is only collected after you give consent. Before consent, Consent Mode prevents analytics cookies from being set.

Legal basis: your consent under Article 6(1)(a) GDPR for analytics cookies. You can withdraw consent at any time via Cookie Settings. Where data is transferred to the United States, Google relies on the EU United States Data Privacy Framework and, where applicable, the Standard Contractual Clauses together with additional safeguards.

Settings we apply for privacy:

  • Google Signals disabled unless you consent to marketing.
  • Ads personalization disabled unless you consent to marketing.
  • Data retention set to a minimal period.
  • No transmission of personal data such as names, email addresses, exact postal addresses, or other identifiers.

Provider: Google Ireland Limited. Privacy information and terms are available in Google's documentation. You can opt out of analytics at any time via our Cookie Settings or by using browser level opt out tools.

13. Your rights under GDPR

Subject to conditions and exceptions under GDPR, you have the following rights:

  • Access: request confirmation whether we process your personal data and obtain a copy.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion where there is no overriding reason to continue processing.
  • Restriction: request limitation of processing in certain cases.
  • Portability: receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Objection: object to processing based on legitimate interests or to direct marketing.
  • Withdraw consent: withdraw consent at any time where processing is based on consent.
  • Complaint: lodge a complaint with a supervisory authority, especially in the EEA Member State of your habitual residence, place of work, or place of the alleged infringement. In Austria you may contact the DSB.

Exercising rights for Merchant-controlled data

If you are an End User of a Merchant's store, please contact that Merchant. We will assist the Merchant to respond to your request where we act as processor.

14. How to exercise your rights

You can submit requests by emailing legal@agenticcart.ai. We may need to verify your identity and your relationship to the account or Merchant. We aim to respond within one month as required by GDPR, or let you know if more time is needed due to complexity.

15. Children's privacy

The Service is intended for business users and is not directed to individuals under 18. If you believe a child has provided personal data to us, contact legal@agenticcart.ai so we can take appropriate action.

16. Changes to this Policy

We may update this Policy from time to time. The updated version will be posted at agenticcart.ai/privacy with a new Last updated date. If changes are material, we will provide additional notice where required by law. Continued use of the Service after changes means you accept the updated Policy.

17. Data Processing Addendum for Merchants

For Merchants established in the EEA, UK, or Switzerland, a GDPR compliant DPA including the applicable Standard Contractual Clauses is available on request. The DPA governs our processor processing on your behalf.

18. Contact

AgenticCart Privacy
Email: legal@agenticcart.ai
Postal: AgenticCart, Austria

Annex A: Subprocessors

We use carefully selected subprocessors to deliver the Service. Each subprocessor only processes data necessary for its function and is bound by written agreements that include confidentiality, security, and data protection obligations. The current list may include:

Supabase

Function: managed Postgres database, object storage, and authentication
Data: account data, authentication identifiers, application data, limited logs
Location: EEA region where available or other regions depending on configuration
Safeguards: encryption at rest and in transit, SCCs for any international transfers

Stripe

Function: delegated payment token initiation for Merchant's Stripe account
Data: payment initiation metadata and token references, no full card data stored by AgenticCart
Location: EU and other regions depending on Stripe's architecture
Safeguards: SCCs where applicable, PCI DSS certification by Stripe

Cloud hosting and CDN provider(s)

Function: application hosting, databases, networking, content delivery
Data: application data and logs as necessary
Location: as configured, including EEA and other regions
Safeguards: SCCs where applicable

Email delivery and customer communications

Function: transactional and permitted marketing emails, support tickets
Data: contact data, message content, deliverability metrics
Location: EEA and or other regions depending on vendor
Safeguards: SCCs where applicable

Logging, monitoring, and security tooling

Function: application logs, metrics, incident response
Data: technical and usage data, error details, pseudonymized identifiers
Location: EEA and or other regions
Safeguards: SCCs where applicable

We may update this list as our Service evolves. Merchants can request change notifications for subprocessors.

Annex B: Data flow summary

Account creation and login

Data flows from your browser to Supabase Authentication, which issues session tokens. Account profile data is stored in Supabase DB.

ACP payment initiation

Agent or customer initiates payment via ACP. Payload reaches our relay over TLS. We validate and normalize, then call Stripe using a delegated token tied to the Merchant's Stripe account. We store minimal metadata for idempotency and debugging. We do not store full cardholder data.

WooCommerce order creation

After Stripe acknowledges initiation, we call the Merchant's WooCommerce APIs to create the order and return statuses to the requesting agent. The Merchant is controller of End User data in WooCommerce.

Email and support

We send transactional emails and service notices. Marketing emails are sent only where permitted, with an unsubscribe link.