Last Updated: February 26, 2026 | Effective Date: February 26, 2026
1. Introduction
Welcome to CART. We are committed to protecting your privacy and safeguarding the personal information you share with us.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our mobile application ("CART").
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Services.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, phone number, date of birth, gender, and password when you create an account.
- Delivery Addresses: Street address, city, area, building/apartment details, and geographic coordinates (latitude/longitude) for delivery purposes.
- Payment Information: We do not directly store your credit/debit card numbers. Payment processing is handled by our third-party payment processor, Paymob. We store only tokenized card references (last 4 digits, card brand, expiry) for your convenience in managing saved payment methods.
- Order Information: Products ordered, quantities, delivery preferences, and special instructions.
- Communication Data: Messages, complaints, support tickets, reviews, and ratings you submit through the App.
- Preferences: Language preference, notification settings, and app preferences.
2.2 Information Collected Automatically
- Device Information: Device type, operating system version, unique device identifiers, and push notification tokens.
- Usage Data: App interactions, pages viewed, search queries, and feature usage patterns.
- Location Data: With your permission, we collect precise location data to provide delivery services, show nearby delivery zones, and enable address selection via map. For drivers, location is collected in the background to enable real-time delivery tracking.
- Log Data: IP address, browser type, access times, and referring URLs for security and analytics purposes.
- Network Information: Connection type (Wi-Fi, cellular) for optimizing app performance.
2.3 Information from Third Parties
- Social Login: If you sign in using Google or Apple, we receive your name and email address from those providers. We do not receive or store your social media passwords.
- Payment Provider: Paymob provides us with transaction status, tokenized card data, and payment confirmation details.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used |
| --- | --- |
| Account creation and authentication | Name, email, phone, password |
| Processing and delivering orders | Address, payment info, order details |
| Real-time delivery tracking | Driver location, order status |
| Customer support and complaint resolution | Communication data, order history |
| Push notifications (order updates, promotions) | Device tokens, notification preferences |
| Personalization and recommendations | Purchase history, search queries, preferences |
| Security and fraud prevention | IP address, device info, login history |
| Service improvement and analytics | Usage data, performance metrics |
| Legal compliance | All data as required by applicable laws |
4. Data Storage and Security
4.1 Data Encryption
All data transmitted between your device and our servers is encrypted using TLS/SSL (HTTPS). Sensitive data at rest is encrypted using industry-standard encryption. Passwords are hashed using bcrypt and are never stored in plain text.
4.2 Security Measures
- HTTPS/TLS encryption for all data in transit
- Bcrypt password hashing (never stored in plain text)
- Token-based authentication (Laravel Sanctum) with automatic expiry
- HMAC SHA-512 verification on all payment webhooks
- Rate limiting to prevent brute-force and abuse attacks
- IP-based security monitoring and blacklisting
- Security headers (CSP, HSTS, X-Frame-Options, X-XSS-Protection)
- Input validation and sanitization on all endpoints
- Admin activity audit logging for accountability
- Role-based access control (RBAC) for internal access
4.3 Data Retention
- Account data: Retained while your account is active. Deleted upon account deletion request (see Section 8).
- Order history: Retained for 3 years for legal and financial compliance, then anonymized.
- Payment tokens: Retained until you remove the saved card or delete your account.
- Support tickets: Retained for 2 years after resolution.
- Activity logs: Retained for 1 year for security purposes.
- Analytics data: Aggregated and anonymized after 1 year.
5. Data Sharing and Disclosure
We do not sell your personal information to third parties. We may share your data only in the following circumstances:
5.1 Service Providers
- Paymob — Payment processing (card transactions, refunds)
- Cloudinary — Image storage and delivery (product images, avatars)
- Expo / Google FCM — Push notification delivery
- Pusher — Real-time communication (order tracking, chat)
- Nominatim/OpenStreetMap — Geocoding and map services
5.2 Delivery Drivers
When you place an order, your delivery address and name are shared with the assigned driver to complete the delivery. Drivers cannot see your full account details.
5.3 Legal Requirements
We may disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Your Rights
You have the following rights regarding your personal data:
- Access: View your personal data through your App profile at any time.
- Correction: Update your name, phone number, email, date of birth, and avatar through the App.
- Deletion: Request complete deletion of your account and associated data (see Section 8).
- Data Portability: Request a copy of your data by contacting our support team.
- Notification Control: Manage notification preferences granularly within the App settings. You can opt out of marketing notifications at any time.
- Withdraw Consent: Revoke location permissions or other consents through your device settings at any time.
7. Cookies and Local Storage
As a mobile application, CART does not use browser cookies. However, we use the following local storage mechanisms:
- AsyncStorage: To persist your preferences, language settings, cached data, and session information locally on your device.
- SecureStore: To securely store authentication tokens and biometric credentials using your device's secure enclave.
- File System Cache: To cache product images locally for faster loading (automatically cleared after 7 days).
8. Account Deletion
You can request the deletion of your account and all associated personal data at any time by visiting our Account Deletion page or through the App under Profile → Settings.
Upon submitting a deletion request:
- Your account will be deactivated immediately.
- All personal data (profile, addresses, favorites, notification preferences, saved payment methods) will be permanently deleted within 7 days.
- Order history will be anonymized (personal identifiers removed) but retained for legal and financial compliance for up to 3 years.
- Active orders, if any, will be completed before the account is fully deleted.
- Wallet balance refunds, if applicable, will be processed before deletion.
This action is irreversible. Once your data is deleted, it cannot be recovered.
9. Biometric Data
If you enable biometric login (fingerprint), your biometric data is processed entirely on your device by the operating system. We never receive, transmit, or store your actual biometric data. We only store a flag indicating that biometric login is enabled, and encrypted credentials in your device's secure enclave.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the App or via email. The "Last Updated" date at the top of this page indicates when the policy was last revised.
Your continued use of the Services after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: