GDPR Compliance Policy

Last Updated: 29th January 2026

1. Introduction

This GDPR Compliance Policy outlines how Carrott (“we,” “us,” or “our”) complies with the General Data Protection Regulation (GDPR) and the UK GDPR. This document is intended for users in the European Economic Area (EEA), the United Kingdom, and Switzerland.

Data Controller:

• Company Name: Carrott LTD
• Registered Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE
• Data Protection Officer: admin@carrott.io

2. Data Controller and Processor Roles

2.1 When We Act as Data Controller

Carrott acts as the data controller for:

• Business User account data (agencies, subaccounts)
• Platform usage data
• Billing and subscription information
• Direct marketing to our business customers

2.2 When We Act as Data Processor

Carrott acts as a data processor on behalf of Business Users for:

• Customer loyalty program data
• Customer transaction records
• Custom field data collected by businesses
• Marketing communications sent by businesses to their customers

2.3 Business User Responsibilities

When using our platform to process customer data, Business Users act as data controllers and must:

• Determine the purposes and means of processing
• Ensure lawful basis for data collection
• Provide appropriate privacy notices to customers
• Respond to data subject requests
• Report data breaches to supervisory authorities (when applicable)

3. Legal Bases for Processing

We process personal data based on the following lawful bases under Article 6 GDPR:

3.1 Performance of Contract (Article 6(1)(b))

• Account creation and management
• Service delivery and functionality
• Payment processing
• Customer support
• Wallet pass generation and distribution

3.2 Consent (Article 6(1)(a))

• Marketing communications
• Email marketing opt-in
• SMS marketing opt-in
• Non-essential cookies and tracking

3.3 Legitimate Interests (Article 6(1)(f))

• Platform security and fraud prevention
• Service improvement and analytics
• Troubleshooting and debugging
• Business operations and administration

Legitimate Interest Assessment: We have conducted legitimate interest assessments for these purposes and determined that our interests do not override data subjects’ fundamental rights and freedoms.

3.4 Legal Obligation (Article 6(1)(c))

• Tax and accounting records
• Regulatory compliance
• Law enforcement requests
• Legal proceedings

4. Data Subject Rights

Under GDPR, data subjects have the following rights:

4.1 Right of Access (Article 15)

You have the right to:

• Confirm whether we process your personal data
• Obtain a copy of your personal data
• Receive information about our processing activities

Response time: Within 30 days of receiving your request.

4.2 Right to Rectification (Article 16)

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data

How to exercise: Contact us at admin@carrott.io or update information in your account settings.

4.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw consent (where consent was the legal basis)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required by law

Limitations: We may retain data required for legal compliance, legal claims, or legitimate archival purposes.

4.4 Right to Restrict Processing (Article 18)

You can request restriction of processing when:

• You contest the accuracy of the data (during verification)
• Processing is unlawful but you prefer restriction over erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification)

4.5 Right to Data Portability (Article 20)

You have the right to:

• Receive your personal data in a structured, commonly used format (JSON, CSV)
• Transmit that data to another controller

Applies to: Data you provided to us, processed by automated means, based on consent or contract.

4.6 Right to Object (Article 21)

You have the right to object to processing based on:

• Legitimate interests (we must demonstrate compelling grounds)
• Direct marketing (absolute right to opt out)
• Research or statistics (unless processing serves public interest)

4.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently engage in such automated decision-making.

4.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

4.9 Exercising Your Rights

To exercise any right:

• Email: admin@carrott.io
• Mail: Data Protection Officer, Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE

We will verify your identity before processing requests. Complex or numerous requests may take up to 90 days.

5. Data Protection Measures

5.1 Technical Measures

• Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
• Access Controls: Role-based access, multi-factor authentication
• Infrastructure: Secure cloud hosting with SOC 2 compliant providers
• Monitoring: Intrusion detection, security logging
• Pseudonymization: Where appropriate for analytics

5.2 Organizational Measures

• Data Protection Policies: Internal policies and procedures
• Staff Training: Regular privacy and security training
• Access Management: Need-to-know basis access
• Vendor Management: Due diligence on sub-processors
• Incident Response: Documented breach response procedures

5.3 Privacy by Design and Default

We implement privacy by design principles:

• Data minimization in product development
• Default privacy-protective settings
• Privacy impact assessments for new features
• Secure development practices

6. Data Breach Notification

6.1 Detection and Assessment

We maintain systems to detect potential data breaches and assess:

• Nature of the breach
• Categories of data affected
• Number of individuals affected
• Likely consequences
• Mitigation measures

6.2 Notification to Supervisory Authority

We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses risk to individuals’ rights and freedoms.

Notification includes:

• Nature of the breach
• Contact details of DPO
• Likely consequences
• Measures taken or proposed

6.3 Notification to Data Subjects

We will notify affected individuals without undue delay when the breach poses high risk to their rights and freedoms.

Notification includes:

• Clear description of the breach
• Contact details for further information
• Likely consequences
• Measures taken and recommended actions

6.4 Business User Notification

For data processed on behalf of Business Users, we will notify them without undue delay upon becoming aware of a breach, enabling them to fulfill their controller obligations.

7. International Data Transfers

7.1 Transfer Mechanisms

Personal data may be transferred outside the EEA/UK to countries without adequacy decisions. We rely on:

Standard Contractual Clauses (SCCs):

• EU Commission approved SCCs (2021 version)
• UK International Data Transfer Agreement (IDTA) where applicable

Supplementary Measures:

• Encryption of data in transit and at rest
• Access controls and authentication
• Assessment of recipient country laws
• Contractual commitments from recipients

7.2 Sub-Processors Outside EEA/UK

7.3 Transfer Impact Assessments

We conduct transfer impact assessments to evaluate:

• Laws and practices in recipient countries
• Effectiveness of transfer mechanisms
• Need for supplementary measures
• Risks to data subjects

8. Data Protection Impact Assessments (DPIAs)

8.1 When We Conduct DPIAs

We conduct DPIAs for processing likely to result in high risk, including:

• New technologies or processing methods
• Systematic evaluation of personal aspects (profiling)
• Large-scale processing of sensitive data
• Systematic monitoring of public areas
• Significant automated decision-making

8.2 DPIA Process

Our DPIA process includes:

1. Description of processing operations
2. Assessment of necessity and proportionality
3. Risk assessment to data subjects
4. Measures to address risks
5. Documentation and sign-off
6. Review with DPO

8.3 Consultation

We consult the supervisory authority before processing if the DPIA indicates high residual risk that cannot be mitigated.

9. Record of Processing Activities

9.1 Controller Records (Article 30(1))

We maintain records including:

• Controller/representative contact details
• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients
• International transfers and safeguards
• Retention periods
• Security measures description

9.2 Processor Records (Article 30(2))

For processing on behalf of Business Users:

• Processor/representative contact details
• Categories of processing performed
• International transfers and safeguards
• Security measures description

9.3 Availability

Records are available to supervisory authorities upon request.

10. Data Protection Officer

10.1 Contact Details

Data Protection Officer: admin@carrott.io Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE

10.2 DPO Responsibilities

Our DPO:

• Advises on GDPR compliance
• Monitors compliance with policies
• Provides guidance on DPIAs
• Cooperates with supervisory authorities
• Acts as contact point for data subjects

11. Sub-Processors

11.1 Authorized Sub-Processors

See our Data Processors document for a complete list.

11.2 Sub-Processor Requirements

All sub-processors must:

• Sign data processing agreements
• Implement appropriate security measures
• Process data only on documented instructions
• Notify us of any changes or breaches
• Delete or return data upon termination

11.3 Changes to Sub-Processors

We will notify Business Users of any intended changes to sub-processors, providing opportunity to object.

12. Data Retention

12.1 Retention Principles

We retain personal data only as long as necessary for:

• The purposes for which it was collected
• Legal and regulatory requirements
• Establishment or defense of legal claims
• Legitimate business needs

12.2 Retention Periods

12.3 Deletion Process

Upon reaching retention limits:

• Data is securely deleted or anonymized
• Deletion is logged for compliance records
• Backups follow defined retention and deletion cycles

13. Complaints

13.1 Internal Complaints

You may submit complaints about our data processing to:

• Email: admin@carrott.io
• Mail: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE

We will respond within 30 days.

13.2 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU/EEA member state of your residence, place of work, or place of alleged infringement.

UK: Information Commissioner’s Office (ICO) Ireland: Data Protection Commission (DPC) Germany: State Data Protection Authorities France: CNIL

14. Updates to This Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to Business Users.

15. Contact Information

Data Protection Officer:

• Email: admin@carrott.io
• Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE

General Inquiries:

• Email: admin@carrott.io
• Website: https://carrott.io

This GDPR Compliance Policy is effective as of 23rd January 2026.