Data Processing Agreement

Last updated: 27 June 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between CartGain (“Processor,” “we,” “us”) and the merchant (“Controller,” “you”) using the CartGain platform. This DPA sets out the terms relating to the processing of personal data by CartGain on behalf of the merchant, in compliance with the General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act (DPDP Act, 2023), and other applicable data protection laws.

2. Definitions

  • Controller: The merchant who determines the purposes and means of processing personal data.
  • Processor: CartGain, which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person (customer).
  • Processing: Any operation performed on personal data, including collection, storage, use, and transmission.
  • Sub-processor: A third party engaged by CartGain to process personal data on behalf of the Controller.
  • Data Subject: The customer whose personal data is being processed.

3. Details of Data Processing

Categories of Data Subjects:

Customers of the Controller who abandon their shopping carts on the Controller's e-commerce store.

Categories of Personal Data:

  • Customer name, email address, and phone number
  • Shipping address and billing information
  • Cart contents, product details, and order values
  • Communication preferences and opt-in/opt-out status
  • Message delivery status and engagement metrics

Nature and Purpose of Processing:

Automated sending of cart recovery notifications via email, SMS, and WhatsApp to encourage customers to complete their purchases.

Duration of Processing:

For the duration of the Controller's active subscription, plus 90 days after termination for backup purposes, after which data is deleted or anonymized.

4. Processor Obligations

CartGain shall:

  • Process personal data only on documented instructions from the Controller, unless required by law to do otherwise.
  • Ensure that persons authorized to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Not disclose personal data to third parties except as instructed or as required by law.
  • Assist the Controller in fulfilling their obligations to respond to data subject rights requests.
  • Notify the Controller of any personal data breaches without undue delay.
  • Delete or return all personal data at the end of the service term, as directed by the Controller.
  • Maintain records of all processing activities.

5. Controller Obligations

The Controller shall:

  • Ensure they have a lawful basis for processing customer data (e.g., consent, legitimate interest).
  • Provide clear privacy notices to customers about how their data is used.
  • Obtain necessary consents for SMS and WhatsApp messaging as required by applicable laws.
  • Ensure the accuracy and relevance of personal data provided to CartGain.
  • Respond to data subject requests and notify CartGain of any such requests.
  • Cooperate with CartGain in the event of a data breach investigation.

6. Sub-processors

The Controller authorizes CartGain to engage the following sub-processors:

  Sub-processor                  Service                                      Data Location
  -----------------------------  -------------------------------------------  ------------------------
  Supabase (PostgreSQL)          Database hosting                             AWS Mumbai, India
  Vercel                         Application hosting & CDN                    Global (multi-region)
  MSG91                          SMS delivery                                 India
  Resend                         Email delivery                               US / EU
  Meta (WhatsApp Cloud API)      WhatsApp message delivery                    Global
  Razorpay                       Payment processing                           India
  OpenAI                         AI-powered message generation (GPT-4o-mini)  US / Global
  Redis (Upstash)                Job queue & caching                          AWS Mumbai, India

CartGain will notify the Controller of any changes to sub-processors and the Controller may object within 14 days.

7. Security Measures

CartGain implements the following technical and organizational security measures:

Encryption

Data encrypted in transit (TLS 1.3) and at rest (AES-256). API keys stored with encryption.

Access Control

Role-based access, least-privilege principle, and multi-factor authentication for admin access.

Monitoring

24/7 system monitoring, intrusion detection, and automated threat response.

Backups

Automated daily backups with 90-day retention. Point-in-time recovery capability.

Employee Training

Annual security and privacy training for all employees with access to personal data.

Incident Response

Documented incident response plan with 24-hour breach notification commitment.

8. Data Breach Notification

In the event of a personal data breach, CartGain will:

  • Notify the Controller within 24 hours of becoming aware of the breach.
  • Provide details of the nature, scope, and potential impact of the breach.
  • Identify affected categories of data and approximate number of data subjects.
  • Outline measures taken to address the breach and prevent recurrence.
  • Cooperate with the Controller in notifying regulatory authorities and data subjects as required by law.

9. Data Subject Rights

CartGain shall assist the Controller in responding to data subject requests, including:

  • Right of Access: Providing a copy of personal data held about a data subject.
  • Right to Rectification: Correcting inaccurate or incomplete data.
  • Right to Erasure: Deleting personal data upon request (“right to be forgotten”).
  • Right to Restriction: Limiting the processing of personal data.
  • Right to Data Portability: Exporting data in a structured, machine-readable format.
  • Right to Object: Objecting to certain types of processing, including direct marketing.

Controllers can exercise these rights by contacting support@cart-gain.com. We will respond within 30 days.

10. Data Retention & Deletion

  • Personal data is retained for the duration of the Controller's active subscription.
  • Upon termination, data is retained for 90 days for backup and recovery purposes.
  • After 90 days, all personal data is securely deleted or anonymized.
  • Controllers may request earlier deletion by contacting support.
  • Backup data is automatically purged within the backup retention window.

11. Audit & Compliance

  • CartGain maintains records of all processing activities as required by Article 30 of the GDPR.
  • Upon reasonable notice (minimum 30 days), CartGain will provide access to relevant records for audit purposes.
  • Audits shall be conducted in a manner that does not disrupt CartGain's operations.
  • Audit reports and findings shall be treated as confidential.

12. Governing Law

This DPA is governed by the laws of India. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

13. Contact Information

Data Protection / Privacy: support@cart-gain.com

Legal / DPA Inquiries: support@cart-gain.com

Grievance Officer: support@cart-gain.com

Address: Street No. 3, Line Par, Shanker Garden, Bahadurgarh, Haryana - 124507

© 2026 CartGain. All rights reserved.