YourCart Privacy Policy

Last Updated: 17 May 2026 · Version 1.0.0

This Privacy Policy explains how YourCart Ltd (registered as YOURCART.STORE LTD, Companies House No. 15316188, registered office 15 Timperley Lane, Leigh, Greater Manchester, WN7 3DZ, United Kingdom; "YourCart", "we", "us") collects and uses Personal Data when you interact with us. It covers our website at yourcart.store, the YourCart vendor admin app, the customer-facing apps and storefronts we publish on behalf of our merchants, and any other channel through which we communicate with you.


1. Who this policy covers

This policy describes the Personal Data we hold as Controller — that is, where we determine the purposes and means of processing. The principal categories of person it applies to are:

It does not cover:

2. Personal Data we collect

2.1 Merchant account data

When you sign up as a merchant, we collect:

| Data | Source | Purpose |
| --- | --- | --- |
| Name, email, business name, business address, telephone number | You, at sign-up or in account settings | Operating your account, contacting you, complying with our legal obligations |
| Authentication credentials (email + hashed password, or third-party auth identifiers from Apple / Google) | You, or your chosen identity provider | Authenticating you and securing your account |
| Billing and payment-method tokens (we do not store full card numbers — Stripe does) | You, via Stripe Checkout / Stripe Elements | Processing your subscription payments |
| Companies House number, VAT number where supplied | You | Verifying business status; tax reporting where required |
| Support correspondence, BugReport submissions, and any other content you send to us | You | Handling your enquiry; investigating issues; product improvement |
| App and admin-tool usage telemetry (sign-in events, admin actions, IP address, device and browser information) | Automatically captured | Security, fraud prevention, abuse detection, debugging, regulatory audit logging |

2.2 Marketing-site visitor data

When you visit yourcart.store or other YourCart marketing or documentation pages, we may collect:

We use only strictly necessary cookies prior to your consent. Non-essential analytics, marketing, or product cookies (where used at all) are loaded only after you provide informed consent through our cookie banner — see section 5.

2.3 End-customer data — note for clarity

If you are an end customer using a merchant's YourCart-built shop or app, the merchant is the Controller of your data and you should consult that merchant's privacy policy. YourCart processes that data only on the merchant's instructions, under the Data Processing Agreement between us and the merchant. This Privacy Policy does not extend any rights to end customers against YourCart that the merchant's policy does not also provide.

3. How we use Personal Data and our lawful basis

| Purpose | Lawful basis under UK GDPR |
| --- | --- |
| Operating your merchant account, providing the contracted YourCart service, processing your subscription | Contract — performance of our agreement with you (Article 6(1)(b)) |
| Authenticating you, securing your account, detecting and preventing fraud or abuse, rate-limiting | Legitimate interest — securing the platform for all merchants (Article 6(1)(f)) |
| Sending transactional emails (welcome, billing, password reset, system notifications, support replies) | Contract (where the email relates directly to the service); legitimate interest (where operational) |
| Sending product updates, founding-cohort communications, or other commercial messages to active merchants | Legitimate interest (Article 6(1)(f)) — soft opt-in under PECR Regulation 22(3) for existing customers, with an unsubscribe link in every message; consent for any new commercial channel where required |
| Complying with our legal obligations (tax reporting, ICO information notices, court orders, regulatory enquiries) | Legal obligation (Article 6(1)(c)) |
| Maintaining audit logs, business records, and accounting books | Legal obligation (Companies Act 2006, HMRC retention rules); legitimate interest (Article 6(1)(f)) |
| Defending or pursuing legal claims | Legitimate interest (Article 6(1)(f)) |

We do not use Personal Data for automated decision-making with legal or similarly significant effects, do not carry out behavioural profiling for advertising purposes, and do not sell or rent Personal Data to third parties.

4. Sharing Personal Data

4.1 Sub-processors

We engage the following sub-processors to deliver the YourCart service. Where a sub-processor processes Personal Data of a merchant's end customers, this is governed by the Data Processing Agreement; the table below lists the same set as it applies to merchant-account-holder data we hold as Controller.

| Sub-processor | Purpose | Data location | Transfer mechanism |
| --- | --- | --- | --- |
| Stripe Payments Europe Ltd | Subscription billing, payment-method tokenisation, Connect-account payouts | Ireland (primary), United States (failover) | Stripe is its own Controller for payment data; UK adequacy (EEA→UK) for the Irish leg |
| Google LLC (Firebase) | Authentication, push-notification delivery (FCM), Firestore for ephemeral state | United States | UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses |
| Microsoft Ireland Operations Limited (Azure) | Application hosting, SQL Server, Blob Storage, Key Vault, Application Insights | UK South region (primary) | Data residency UK; Microsoft Online Services DPA. EMEA contracting entity: Microsoft Ireland Operations Limited, 70 Sir John Rogerson's Quay, Dublin, D02 R296, Ireland |
| Mailgun Technologies Inc. | Transactional email delivery | United States | UK IDTA to the EU Standard Contractual Clauses |

A current sub-processor list is maintained at https://yourcart-api-prod.azurewebsites.net/SubProcessors. We will notify active merchants by email at least 14 days before any material change (addition or replacement of a sub-processor) takes effect.

4.2 Other recipients

In addition to the sub-processors above, we may disclose Personal Data:

We do not sell Personal Data to third parties for their own marketing purposes.

5. Cookies and similar technologies

We use only strictly necessary cookies before your consent — these are required for the site or admin tool to function and cannot be disabled (session, authentication, CSRF protection, basic security).

Where we use any non-essential cookies or similar technologies (analytics, product telemetry, marketing pixels), we will load them only after you have given informed consent through our cookie banner. The banner offers an "Accept" and a "Reject" of equivalent prominence; choosing "Reject" causes only strictly-necessary cookies to load. You can change your preference at any time from the cookie-preferences link in the website footer.

A list of cookies and their purposes is maintained on the cookie-preferences page itself.

6. International data transfers

Where we transfer Personal Data outside the United Kingdom, we rely on:

A current list of transfer destinations is given in section 4.1.

7. How long we keep Personal Data

| Data category | Retention period |
| --- | --- |
| Active merchant-account data | For as long as your account is open, plus a wind-down period of up to 30 days after termination |
| Billing, invoicing, and accounting records | 6 years from the end of the relevant accounting period (HMRC requirement under the Finance Act 2008 and Companies Act 2006) |
| Audit and security logs (admin actions, sign-in events, abuse-detection records) | Up to 24 months for operational purposes; longer where required for legal claims or regulatory obligations |
| Support correspondence and BugReport submissions | Up to 24 months from last interaction |
| Marketing-site analytics (where collected with consent) | Up to 14 months at the analytics provider, or such shorter period as the provider's defaults dictate |
| Backups | Daily SQL backups with 30-day point-in-time recovery; deletion requests flow through to backups on the next backup-cycle expiry, not immediately |

Where a longer retention period is required by applicable law, regulatory request, or to defend or pursue a legal claim, we retain the data for that longer period and segregate it from operational use where reasonably practicable.

8. Security

We apply technical and organisational measures appropriate to the risk, including:

No information system is completely secure. We do not represent or warrant that our security measures will prevent every unauthorised access, and we accept no liability for breaches not directly attributable to a failure on our part to apply the measures described in this section. Our liability where it does apply is governed by our Terms of Service and the Data Processing Agreement, including the liability cap set out there.

9. Your rights

Subject to UK GDPR and the Data Protection Act 2018, you have the right to:

To exercise any of these rights, contact us using the details in section 12. We will respond within 30 days of receiving a verifiable request, subject to UK GDPR Article 12(3) which permits an extension where the request is complex or numerous. Where we cannot accommodate a request (for example, where retention is required by law), we will explain why.

We may need to verify your identity before acting on a request, particularly where the request relates to data we hold about a third party. We will not charge a fee for processing requests except where they are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act, in accordance with UK GDPR Article 12(5)).

10. Children

YourCart is a B2B service intended for use by merchants and their staff. The vendor admin tool, marketing site, and merchant-facing surfaces are not directed at children under 16 and we do not knowingly collect Personal Data from children under 16 in those contexts.

End-customer-facing storefronts and apps published on behalf of merchants may be used by individuals of any age permitted by the merchant's own products, content, and policies. The merchant is the Controller in that context and is responsible for any age-related compliance (for example, age-gating where required). Section 1 of the AUP and section 2.6 of the DPA limit the categories of data the merchant may collect through the platform, and high-risk Processing is excluded under DPA section 14.

11. Lodging a complaint

If you are dissatisfied with how we handle your Personal Data, please first contact us at admin@yourcart.store so that we can attempt to resolve the matter directly.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ico.org.uk · 0303 123 1113

Our ICO registration number will be published here once registration is complete (registration trigger: first merchant taking real customer orders).

12. Contact us

For privacy questions, Data Subject requests, or to raise concerns:

YourCart Ltd
Privacy: admin@yourcart.store
General support: admin@yourcart.store
Postal: 15 Timperley Lane, Leigh, Greater Manchester, WN7 3DZ, United Kingdom

We aim to acknowledge privacy emails within 2 UK business days and substantively respond within the 30-day UK GDPR window.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the service, sub-processor list, applicable law, or our practices. The version and last-updated date at the top of this document are the canonical record.

Continued use of the YourCart service after the effective date of a change constitutes acceptance of the updated policy, save where the change requires fresh consent.

14. Governing law

This Privacy Policy is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising under or in connection with it, without prejudice to your statutory right to lodge a complaint with the ICO under section 11.