Privacy Policy
Last Updated: 29th January 2026
1. Introduction
Welcome to Carrott (“we,” “our,” or “us”). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital loyalty card platform and related services.
Company Information:
- Company Name: Carrott LTD
- Registered Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE
- Country of Incorporation: United Kingdom
- Contact Email: admin@carrott.io
- Data Protection Officer: admin@carrott.io
This Privacy Policy applies to:
- Our website at https://carrott.io
- Our mobile applications
- Digital wallet passes (Apple Wallet and Google Wallet)
- All related services and features
2. Information We Collect
2.1 Information You Provide Directly
Account Information (Business Users):
- Email address
- Phone number
- Full name
- Password (stored securely hashed)
- Business/agency information
Customer Information (Loyalty Program Members):
- Email address
- Phone number
- First and last name
- Date of birth (optional, for age-restricted programs)
- Marketing preferences and consent
Custom Fields:
- Businesses may collect additional information through custom fields (e.g., preferences, membership numbers)
- This data is defined by each business operating on our platform
2.2 Information Collected Automatically
Device and Technical Information:
- IP address
- Browser type and version (user agent)
- Device type and operating system
- Unique device identifiers (for wallet pass functionality)
- Push notification tokens (Apple/Google Wallet)
Usage Information:
- Pages visited and features used
- Transaction history (stamps, rewards, redemptions)
- Card interactions and activity timestamps
- QR code scans and location check-ins
Location Information:
- Geolocation data (when you enable location services)
- Location-based notifications (via wallet pass geofencing)
- Business location data for check-ins
2.3 Information from Third Parties
- Payment information processed through Stripe
- Verification data from SMS providers
- Wallet pass installation and update events from Apple and Google
3. How We Use Your Information
3.1 To Provide Our Services
- Create and manage your account
- Process loyalty card enrollments and transactions
- Generate and deliver digital wallet passes
- Send transactional notifications (stamps earned, rewards available)
- Process payments and subscriptions
3.2 To Improve Our Services
- Analyze usage patterns and platform performance
- Develop new features and functionality
- Debug and fix technical issues
- Conduct internal research and analytics
3.3 To Communicate With You
- Send service-related notifications
- Respond to your inquiries and support requests
- Send marketing communications (with your consent)
- Deliver broadcast messages from businesses you’ve enrolled with
3.4 To Ensure Security and Compliance
- Verify your identity (OTP verification)
- Detect and prevent fraud
- Comply with legal obligations
- Enforce our terms of service
4. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Account creation and service delivery | Performance of contract |
| Payment processing | Performance of contract |
| Transactional communications | Performance of contract |
| Marketing communications | Consent |
| Analytics and improvement | Legitimate interests |
| Security and fraud prevention | Legitimate interests |
| Legal compliance | Legal obligation |
5. How We Share Your Information
5.1 With Service Providers
We share data with third-party service providers who assist in operating our platform. These providers are contractually obligated to protect your data and use it only for specified purposes.
See our Data Processors document for a complete list.
5.2 With Businesses (For Loyalty Program Members)
When you enroll in a loyalty program, the operating business receives:
- Your contact information (email, phone, name)
- Your loyalty card data and transaction history
- Custom field data you provide
- Marketing consent status
5.3 For Legal Reasons
We may disclose your information:
- To comply with legal obligations
- To respond to lawful requests from public authorities
- To protect our rights, privacy, safety, or property
- In connection with a merger, acquisition, or sale of assets
5.4 With Your Consent
We may share your information for other purposes with your explicit consent.
6. International Data Transfers
Your information may be transferred to and processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved contractual terms with our service providers
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by relevant authorities
- Data Processing Agreements: All processors are bound by contractual obligations
7. Data Retention
We retain your personal data for as long as necessary to:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 2 years |
| Transaction history | 7 years (legal/tax requirements) |
| Marketing consent records | Duration of consent + 3 years |
| Audit logs (form submissions) | 7 years |
| Phone verification codes | 10 minutes |
| Inactive customer accounts | Soft-deleted, retained for 2 years |
You may request deletion of your data at any time, subject to legal retention requirements.
8. Your Privacy Rights
8.1 Rights Under GDPR (EEA/UK Residents)
- Right of Access: Obtain a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (“right to be forgotten”)
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge a Complaint: File a complaint with your supervisory authority
8.2 Rights Under CCPA (California Residents)
- Right to Know: Know what personal information we collect and how it’s used
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of your personal information (Note: We do not sell personal information)
- Right to Non-Discrimination: Equal service and pricing regardless of privacy choices
8.3 Rights Under Other Jurisdictions
We respect privacy rights under applicable laws worldwide, including:
- Brazil’s LGPD
- Canada’s PIPEDA
- Australia’s Privacy Act
- Other applicable regional regulations
8.4 Exercising Your Rights
To exercise any of these rights, contact us at:
- Email: admin@carrott.io
- Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE
We will respond to your request within 30 days (or as required by applicable law).
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: Data encrypted in transit (TLS) and at rest
- Access Controls: Role-based access with authentication requirements
- Secure Infrastructure: Cloud hosting with industry-standard security
- Regular Audits: Security assessments and vulnerability testing
- Employee Training: Staff trained on data protection practices
- Incident Response: Procedures for detecting and responding to breaches
10. Children’s Privacy
Our services are not intended for children under 16 years of age (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
11. Marketing Communications
11.1 Opt-In Consent
We only send marketing communications with your explicit consent. When enrolling in a loyalty program, you may choose to:
- Receive email marketing from the business
- Receive SMS marketing from the business
11.2 Opting Out
You can opt out of marketing communications at any time:
- Click “unsubscribe” in any marketing email
- Reply “STOP” to SMS messages
- Contact the business directly
- Update your preferences in your account settings
12. Cookies and Tracking
Our website uses cookies and similar technologies. See our Cookie Policy for details on:
- Types of cookies we use
- How to manage cookie preferences
- Third-party cookies
13. Third-Party Links
Our platform may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the “Last Updated” date
- Sending email notification for significant changes
Your continued use of our services after changes constitutes acceptance of the updated policy.
15. Contact Us
For questions, concerns, or requests regarding this Privacy Policy:
Carrott LTD
- Email: admin@carrott.io
- Data Protection Officer: admin@carrott.io
- Address: Piccadilly Business Centre, Blackett Street, Manchester, M12 6AE
Supervisory Authority: If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority.
This Privacy Policy is effective as of 23rd January 2026.