Privacy Policy

1. Overview

      Short version: Cart Manager by dp reads cart and order data from your BigCommerce store on demand. We do not store customer personal data. The only information we retain is cart identifiers and status flags needed to operate the dashboard.
    

This Privacy Policy describes how Cart Manager by dp ("the App", "we", "our") collects, uses, and protects information when you install and use the Cart Manager application on your BigCommerce store.

By installing the App, you agree to the practices described in this policy. If you do not agree, please uninstall the App from your BigCommerce control panel.

2. Who We Are

Cart Manager by dp is an independent BigCommerce application developed and operated by an individual developer.

Developer: dp (Doru Popescu)
Contact email: dorupopescu@hotmail.com
Application URL: hosted on Cloudflare Workers infrastructure

3. Data We Collect

We collect and store the minimum data required to operate the App:

Data	Where stored	Purpose	TTL
BigCommerce store hash (store identifier)	Cloudflare KV	Identify which store's data to show; scope all API calls	1 year
BigCommerce OAuth access token	Cloudflare KV	Authenticate API requests to BigCommerce on behalf of the store	1 year
Cart IDs (UUID strings)	Cloudflare D1 (SQLite)	Track which carts exist so they can be displayed in the dashboard	45 days after last update
Cart status flag ("live" or "abandoned")	Cloudflare D1	Display the correct status badge in the dashboard	45 days after last update
App settings (QB enabled toggle, install date)	Cloudflare KV	Store merchant preferences per store	10 years
QuickBooks OAuth tokens (access + refresh) and Realm ID	Cloudflare KV	Authenticate API requests to QuickBooks on behalf of the store	Standard QB TTLs: 1 hour access / 100 days refresh
Session JWT (in browser cookie)	Browser cookie only — not persisted server-side	Maintain the merchant's session within the BigCommerce iframe	24 hours

4. Data We Do NOT Collect or Store

      We never store customer personal data. Cart content, customer names, email addresses, shipping addresses, phone numbers, and payment information are read from BigCommerce on demand and displayed only within the merchant's active session. They are never written to our database or logs.
    

Specifically, the following data is never stored by this App:

Customer names, email addresses, or phone numbers
Customer shipping or billing addresses
Product names, SKUs, or pricing data
Cart line item details or subtotals
Order details or order totals
Payment method information of any kind
Storefront visitor data or browsing behaviour
Any data from customers who have not interacted with the BigCommerce store directly

5. How We Use Your Data

Data collected by the App is used solely to provide the App's features:

Store hash and access token — used to make authenticated API calls to BigCommerce to fetch cart and order data for display in the dashboard.
Cart IDs and status flags — used to populate the Carts tab and show Live / Abandoned status. Automatically cleaned up after 45 days of inactivity.
App settings — used to remember whether QuickBooks integration is enabled for the store.
QuickBooks tokens — used to create estimates in the merchant's QuickBooks Online account. Never shared with third parties other than Intuit.
Session token — used to keep the merchant logged in during a single browser session within the BigCommerce control panel.

We do not use any collected data for advertising, profiling, analytics, or any purpose other than operating the App.

6. Third-Party Services

The App communicates with the following third-party services in order to function:

Service	Purpose	Data shared	Privacy policy
BigCommerce	Fetch cart, order, and product data; register webhooks	Store hash, OAuth access token	bigcommerce.com/privacy
Intuit / QuickBooks Online	Create estimates and look up or create customers in QB	QB OAuth tokens, Realm ID; customer billing data passed only when creating estimates at merchant request	intuit.com/privacy
Cloudflare	Hosting infrastructure (Workers, D1, KV)	All server-side data transits Cloudflare's network per their data processing terms	cloudflare.com/privacypolicy

We do not sell, rent, or share any data with any other third party.

7. Data Retention

Cart IDs and status flags are automatically deleted from our database 45 days after their last update. They are also deleted immediately when a merchant explicitly deletes a cart via the dashboard.
BigCommerce access tokens are retained for 1 year and refreshed on re-installation. They can be removed at any time by uninstalling the App from BigCommerce.
QuickBooks tokens expire according to Intuit's standard schedule (access token: 1 hour; refresh token: 100 days). They can be removed at any time by disconnecting QuickBooks in the App's Settings.
App settings are retained as long as the App is installed. They are not automatically deleted but contain no personal data.
Upon uninstallation of the App from BigCommerce, you may contact us at the email below to request deletion of all remaining data associated with your store.

8. Security

We implement industry-standard security measures appropriate to the data we handle:

HTTPS only — all data in transit is encrypted using TLS.
HttpOnly cookies — session tokens cannot be accessed by JavaScript, reducing XSS exposure.
Secure + SameSite=None cookies — required for the BigCommerce iframe context; transmitted only over HTTPS.
HS256 signed JWTs — session tokens are signed with a secret key; tampering is detectable.
Per-store isolation — all stored data is scoped to an individual store hash; one merchant cannot access another's data.
Cloudflare infrastructure — all data is stored within Cloudflare's encrypted KV and D1 services.

No security measure is 100% guaranteed. In the event of a data breach affecting personal information, affected merchants will be notified by email as promptly as possible.

9. Your Rights

As a merchant using this App, you have the following rights:

Access — you may request a summary of what data we hold associated with your store.
Deletion — you may request deletion of all data associated with your store at any time by contacting us or by uninstalling the App.
Correction — if any stored data is incorrect (e.g., a misconfigured setting), you may request correction.
Portability — since no personal data is stored by the App, there is no personal data to export. Your cart and order data remains entirely within your BigCommerce account.

Because we do not store customer personal data, GDPR and CCPA data subject requests from your customers regarding their personal information should be directed to BigCommerce and Intuit, who hold that data.

To exercise any of the rights above, contact us at dorupopescu@hotmail.com.

10. Cookies & Session Tokens

The App sets a single cookie named session when a merchant opens the App. This cookie:

Contains a signed JWT with only the store's hash identifier — no personal data.
Is set with HttpOnly, Secure, and SameSite=None flags.
Expires after 24 hours.
Is used solely to authenticate subsequent API requests within the same session.

No tracking cookies, analytics cookies, or advertising cookies are used by this App.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the App's functionality or legal requirements. The "Last updated" date at the top of this page will always reflect the most recent revision.

Continued use of the App after a policy update constitutes acceptance of the revised policy. For significant changes, we will make reasonable efforts to notify merchants by email.

12. Contact

For any questions, concerns, or requests related to this Privacy Policy or the data we hold:

Email: dorupopescu@hotmail.com
Response time: within 24 hours

Contents