1. Introduction

Cartinel ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our browser extension and web application.

By using Cartinel, you agree to the collection and use of information in accordance with this policy.
2. Information we collect
2.1 Information you provide

Account information (email address, name)
Financial goals you create (target amounts, categories, deadlines)
Savings capacity settings
Notification preferences


2.2 Browser extension monitoring

Our browser extension uses AI-powered detection to identify purchase opportunities. Here's exactly how it works:

What we monitor: Only e-commerce checkout pages and product pages where purchase buttons are detected
What we collect: Merchant names, product names, prices, and your decision (cancelled or proceeded)
What we DON'T track: Your browsing on non-commerce pages, personal content sites, banking sites, or any pages without purchase buttons
Technical mechanism: DOM pattern matching and AI analysis of page content to identify purchase buttons and extract prices
Browser permissions required:
Active tab access: To detect purchase buttons on the current page
Storage: To save your settings and sync with the dashboard
No permission to: Read passwords, access banking data, or track your full browsing history


Important: The extension only activates on e-commerce sites. It does not monitor or record your activity on news sites, social media, email, banking, or any other non-shopping websites.
2.3 Automatically collected information

Usage statistics and analytics
Device and browser information
Time to decision (how long before you cancel or proceed)


2.4 Information we do NOT collect

Payment card numbers or banking credentials
Full browsing history
Passwords or authentication tokens from other sites
Personal identification documents
Social security numbers or tax IDs


1. How we use your information

We use the collected information for:

Providing and maintaining the Cartinel service
Detecting purchase attempts and calculating goal impact
Tracking your progress toward financial goals
Sending notifications about goals, budgets, and achievements
Analyzing spending patterns and providing insights
Improving our AI categorization algorithms
Processing payments for Pro subscriptions
Communicating with you about service updates
Preventing fraud and abuse


3.5 Legal basis for processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

Contract (performance of our agreement with you):
Providing the Cartinel service and features
Processing subscription payments
Sending service-related notifications
Maintaining your account and goals
Legitimate Interest (our business interests, balanced against your rights):
Analytics and service improvement
Fraud prevention and security
Technical troubleshooting
AI model training (anonymized data only)
Consent (you have explicitly agreed):
Marketing communications and newsletters
Non-essential analytics cookies
Optional features that process additional data
Legal Obligation:
Tax and accounting records
Responding to lawful government requests


Withdrawing consent: Where we rely on your consent, you can withdraw it at any time by contacting hello@cartinel.app or adjusting your account settings. This will not affect the lawfulness of processing before withdrawal.
4. Data storage and security

We implement comprehensive security measures following industry best practices:

Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
Access controls: Row-level security ensures users can only access their own data
Authentication: Secure authentication via Clerk with support for multi-factor authentication (MFA)
Security audits: Regular security assessments and vulnerability testing
Access logging: All system access is logged and monitored for suspicious activity
Regular updates: Security patches and updates are applied promptly
Data backups: Encrypted backups stored in geographically distributed locations


Your data is stored on Supabase servers in secure, SOC 2 Type II compliant data centers.
4.5 Data breach notification

In the unlikely event of a data breach that affects your personal information:

We will notify affected users within 72 hours of discovering the breach
Notification will include:
Nature of the breach and data affected
Potential consequences and risks
Measures taken to address the breach
Recommended actions you should take
Notifications will be sent via email to your registered address
We will also notify relevant supervisory authorities as required by law


To report a security concern, email hello@cartinel.app with subject line "Security Concern"
5. Data sharing and disclosure

We do not sell, trade, or rent your personal information. We may share data with:

Service Providers: Supabase (database), Clerk (authentication), Paddle (payments), Google AI (categorization)
Legal Requirements: If required by law, court order, or government request
Business Transfers: In case of merger, acquisition, or asset sale (with notice to you)


5.1 Google AI data processing

We use Google AI (Gemini) to automatically categorize merchants and purchases. Here's what you need to know:

Data sent to Google AI:
Merchant names and URLs (e.g., "amazon.com")
Product names and categories
Purchase amounts (for categorization purposes)
Data NOT sent: Payment information, passwords, full browsing history, or personal identifiers
Google's use of data: According to Google's Enterprise Agreement, your data is not used to train Google's AI models and is not retained beyond the processing session
Data Processing Agreement: We have a Data Processing Agreement (DPA) with Google Cloud that ensures GDPR compliance
Opt-out: Currently, AI categorization is essential to the service. If you prefer not to use AI categorization, you can manually categorize purchases in your dashboard


1. Your privacy rights

You have the right to:

Access: Request a copy of your data
Correction: Update or correct inaccurate data
Deletion: Request deletion of your account and data
Export: Download your data in a portable format (JSON)
Opt-Out: Unsubscribe from marketing communications
Object: Object to processing of your data
Restrict: Request restriction of processing


To exercise these rights, contact us at hello@cartinel.app. We will respond within 30 days.
6.5 California residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

We Do Not Sell Personal Information

Cartinel does not sell, rent, or share your personal information for monetary or other valuable consideration. We do not have any such practices and have not engaged in any such practices in the past 12 months.

Your CCPA rights include:

Right to Know: Request disclosure of personal information we collect, use, and share
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt out of the sale of personal information (not applicable as we don't sell data)
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights


How to submit a request:

Email: hello@cartinel.app with subject "CCPA Request"
Include: Your full name, email address, and specific request
Verification: We may ask for verification to protect your privacy
Response time: We will respond within 45 days (may extend by 45 additional days if necessary)
Authorized agent: You may designate an authorized agent to make requests on your behalf


1. Cookies and tracking

We use essential cookies for:

Authentication and session management
Remembering your preferences
Analytics (anonymized usage data)


You can control cookies through your browser settings, but some features may not work properly if cookies are disabled.
8. Data retention

We retain your data according to the following schedule:

Account data: Retained while your account is active and for 30 days after deletion (for recovery purposes)
Financial goals and interceptions: Retained while your account is active; deleted within 30 days of account deletion
Transaction records: Retained for 7 years to comply with tax and financial regulations
Analytics data: Anonymized after 90 days; aggregate anonymous data retained indefinitely for service improvement
Support communications: Retained for 3 years for customer service and legal purposes
Deleted account data: Permanently removed from production systems within 30 days (may persist in encrypted backups for up to 90 days)


We may retain data longer where required by law or for legitimate business purposes (e.g., fraud prevention, resolving disputes). Anonymized data that cannot identify you may be retained indefinitely.
9. Children's privacy

Cartinel is not intended for users under 18 years old. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately and we will delete it promptly.
10. International data transfers

Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place:

EU-US transfers: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA to the United States
Service provider agreements: All third-party service providers handling EU data have committed to GDPR-compliant data processing
Data Processing Agreements: We have DPAs in place with Supabase, Clerk, and Google Cloud that include SCCs
Security measures: Technical and organizational measures ensure your data receives equivalent protection regardless of location


For more information about our data transfer safeguards, contact hello@cartinel.app
11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice in our app at least 30 days before changes take effect. Continued use after changes constitutes acceptance of the updated policy. You can review previous versions by contacting us.