Privacy Policy

Last updated: 11 June 2026

HoldCart ("we", "the app") reserves real inventory at add-to-cart for Shopify merchants. This policy explains the personal data we process on behalf of merchants who install HoldCart, why we process it, and how we protect it. For this data the merchant is the data controller and HoldCart is the data processor.

What we process — and what we don't

We process the minimum data needed to hold and release inventory:

• An opaque shopper session identifier generated in the browser.
• A reservation token hash (SHA-256). The raw token never leaves the shopper's browser and is never stored or transmitted to us.
• The product variant ID being reserved.
• Optionally, a Shopify customer ID reference when a shopper is logged in — used only to associate a reservation with a customer. It is scrubbed on a customer redaction request.
• On order/checkout events: the order's line items and the cart token note attribute, used to consume the correct reservation.

We do not collect or store buyer names, emails, addresses, phone numbers, or payment details.

Why we process it

Solely to provide the app's function: granting a reservation at add-to-cart, releasing it when it expires, and consuming it when the matching order is placed. We do not use this data for advertising, profiling, analytics, or any other purpose, and we never sell personal data.

Retention

Reservations are short-lived (typically minutes) and are released or consumed automatically. When a merchant uninstalls or requests shop redaction, all associated records are deleted. Customer ID references are removed on a customer redaction request. We honor Shopify's GDPR webhooks (data request, customer redact, shop redact).

Security

Data is encrypted in transit (TLS) and at rest (managed PostgreSQL). Access is limited to what the app requires to operate.

Subprocessors

• Railway — application hosting and database (EU region).
• Resend — transactional email to merchants (e.g. install notice).
• Shopify — the platform the app runs on.

Your rights & contact

Merchants and their customers may request access to, or deletion of, data we process. Most requests are handled automatically via Shopify's data tools; for anything else, contact support@holdcart.app. We respect customers' consent and opt-out decisions and apply data deletion requests promptly.