Menu
Support
Free Trial

Privacy Policy

CLEAN.IO CLEANCART PRIVACY POLICY

Last updated November 13, 2020

This privacy policy describes our privacy practices applicable to cleanCART.  If you are a company or business utilizing cleanCART (or the site visitors, customers, or end users of such companies or businesses), then this privacy policy applies to you. Please note that this privacy policy does not address our privacy practices with respect to our other websites, software solutions and service offerings (for instance, our cleanAD Platform that detects and blocks malicious advertisements on web pages and applications).  Please visit our Clean.io Website Privacy Policy for more information related to how we handle information collected from our general website visitors or individuals who have a direct relationship with us.  Please visit our cleanAD Platform Privacy Policy for more information related to how we handle information and data collected from our cleanAD Platform that detects and blocks malicious advertisements on web pages and applications.

1. INTRODUCTION

Clean.io, Inc. (“Clean.io”, “us” or “we”) provides an online shopping cart platform and related technology and services (as more fully defined below, “cleanCART”) for use by online shops and e-commerce stores (“Online Shops”). cleanCART is made available on a software-as-a-service (SaaS) basis and offers a full suite of online shopping cart protections that enable our Users and their Organizations to detect and protect their Online Shops and their Online shop visitors, customers and user base (“Visitors/Visitor”) against form jacking, journey jacking, personal data theft, and fraudulent or unauthorized discount, coupon, rebate, promotional and similar codes (the “Shopping Cart Threats”). This privacy policy (“Policy”) explains how information is collected, used, and disclosed when our clients (“Clients”) use and deploy cleanCART in connection with their Online Shops.  For purposes of this Policy, “Visitor(s)” does not include Authorized Users that are the employees and agents of our Clients who are accessing the cleanCART Services on behalf of our Clients for purposes of deploying cleanCART on their applicable Online Shops.

2. OVERVIEW OF THE CLEANCART SERVICES

cleanCART consists of an application programming interface, scripts and related services, data, analytics, code, and technology that Clients may deploy on their Online Shops for purposes of detecting and blocking Shopping Cart Threats (collectively, “cleanCART Services” or the “cleanCART Platform”). Clean.io may make the cleanCART Services directly available to Clients and their Online Shops, and may also sometimes partner with Third Party E-Commerce Platforms for purposes of making the cleanCART Services available to Online Shops hosted or provided via or on those Third Party E-Commerce Platforms. Our Clients use cleanCART Services in order to attempt to protect their business from the harmful financial and reputational impact caused by such Shopping Cart Threats.

In order to use and receive the cleanCART Services, each Client must first agree to and accept our online cleanCART Terms of Service (the “Terms of Service”). Such Terms of Service may address aspects of our privacy obligations with our Clients and how Clean.io will retain, use, disclose and otherwise process personal information in connection with such cleanCART Services.  However, unless the Terms of Service expressly states that this Policy shall not apply, this Policy shall apply to and supplement the Terms of Service and shall govern how we collect and use data that may be obtained through the provision of cleanCART Services to Clients.

3. INFORMATION COLLECTED VIA THE CLEANCART SERVICES

3.1 Threat Data and Services Related Data.  When the cleanCART Services detect a Shopping Cart Threat, certain information is collected about the the impacted Visitor, the Visitor’s device, pages within the Online Shop visited by the Visitor, and specific information related to the identified or suspect threat.  The cleanCART Services also collect certain data when deployed on the Online Shop to monitor for threats.    Collected information may consist of the following, which shall be considered Threat Data as defined in the Terms of Service, but Clean.io may collect other similar information or information that it needs to provide the cleanCART Services and such additional information shall be set forth in an update to this Policy.  The following collected information relates to Visitors unless otherwise noted:

  • Ad dimensions for the applicable ad (e.g. 300Ă—250)
  • The Visitor’s internet service provider
  • Technique used by the malicious code to inject into the page
  • Date/time of visit
  • Device Type
  • Time elapsed since the page load until malicious JavaScript execution attempt 
  • Device pixel ratio (as a number from 1 to 4, generally: e.g. 1 on old PCs, 4 on super retina screens)
  • Visitor endpoint network level information (DNS, etc.)
  • User Agent String
  • Duration of the entire page view and “session depth” 
  • JavaScript and certain HTML content of the impacted page (which in some cases may include site content written on the screen, including comments) 
  • URLs of pages viewed
  • General geographic location (e.g., country or zip code)
  • Number of ad impressions shown on the page 
  • Referrer URLs of pages viewed
  • Browser language
  • Price of a cart at discount
  • Browser Type
  • Visitor timezone
  • Individual items in the cart with their value
  • Full Browser with Version
  • Whether the Visitor has encountered malicious event
  • Screenshots of protected pages
  • Operating System
  • Coupon entered into forms (manually or automatically)
  • Potential Purchase Event
  • Fully qualified Operating System
  • Local Storage
  • Session Storage
  • User Interaction / UI Events

 

Please note that we may use a Visitor’s IP address for purposes of collecting information regarding a Visitor’s Internet Service Provider and general geographic location (e.g., country or zip code).  However, we do not store the Visitor’s IP address into permanent memory and do not use it any manner to identify any individual. Also, while we do collect the Visitor’s user agent string, we do not combine it with any other personal information or any browser extensions and do not use it to identify any individual.

3.2 Custom Data Points.  Clients may also elect to pass custom data points or special markers to Clean.io in connection with cleanCART Services, such as Google Analytics IDs, operation modes, data storage modes and configuration for testing. The type of custom information shared via our cleanCART Service is ultimately determined by our Clients with the exception of any client identifiers assigned by us.

3.3 Authorized User Data.  In order for a Client’s employees and  authorized agents (the “Authorized Users”) to access and use the cleanCART Services on the Client’s behalf, those Authorized Users will first need to be provisioned access credentials via Clean.io’s access and login procedures in effect from time to time.  Clean.io currently uses Auth0 to facilitate access to the cleanCART Services.  Additionally, we may require an Authorized User’s name and email address in order to communicate with Authorized Users with respect to Client’s and the Authorized User’s use of the cleanCART Services.  Certain of the information that we collect from Authorized Users (e.g. name and email) is considered “Personal Data” or “Personal Information” (each as defined below) under the terms of applicable privacy laws and is therefore subject to the terms of our cleanCART Data Processing Addendum.

3.4 Personal Data. Except as set forth in Section 3.3 with respect only to Authorized Users, we do not knowingly collect, and the cleanCART Services are not intended to collect, any “Personal Data” or “Personal Information” (each as defined below) and we ask our Clients not to provide any such Personal Data to us.  For example, we do NOT collect identifiers such as contact information, government IDs, cookies, names, email addresses and other similar information from Visitors. However, in the event that a Visitor enters their address, credit card or any other sensitive info in such a way that the cleanCART Platform classifies this as the information to collect (for example, but not limited to, entering credit card info into coupon text field, etc.) we may inadvertently collect this information.  The terms of our cleanCART Data Processing Addendum shall apply in those limited circumstances.

4. COLLECTION METHODS

Clean.io generally collects information related to the cleanCART Services via the deployment of a script on the Online Shop and other similar technological methods.  As described in Section 3.3, we also collect information directly from Authorized Users in connection with their cleanCART Platform registration process. Clients sometimes directly send detected Shopping Cart Threats  to Clean.io for separate analysis or pre-scanning, and Clean.io may collect data and information from those Shopping Cart Threats.  In addition, Clients may send us other types of information directly from time to time.

5. CLEAN.IO’S USE OF COLLECTED INFORMATION

We use the information we collect or receive as follows:

5.1 Providing Our cleanCART Services.  Clean.io primarily uses the information we collect to provide the cleanCART Services. In providing the cleanCART Service, the information collected helps us determine the types of Shopping Cart Threats impacting Online Shops and their Visitors. The information also helps improve the cleanCART Services to better protect Online Shops from Shopping Cart Threats or other malicious online activities and the corresponding economic and reputational damage. Clean.io may also use the information collected to enable a Client to block specific Shopping Cart Threats.  We use registration information collected from your Authorized Users in order to facilitate their access and use of the cleanCART Services.

5.2 Sharing With Our Clients.  We may share certain of the information we collect with our Clients, and our Clients may use the information for a variety of purposes, including to block Shopping Cart Threats or make changes to their Online Shops to avoid Shopping Cart Threats.

5.3 Improving Our cleanCART Services.   We may use the information we collect to improve our cleanCART Services.

5.4 Business Use of Aggregated or Anonymous Data.  If and as permitted by applicable law and any applicable third party requirements, we may also use the information collected on an anonymized and/or aggregated basis for the purpose of performing industry tracking and analysis and developing and sharing reports related thereto and for our other business purposes.  We may share (on any anonymized and/or aggregated basis) information we collect with Third Party E-commerce Platforms and with researchers and experts working in the e-commerce and digital security industries. However, this information shall never contain any personal data or personal information of Visitors.

5.5 Legal Actions.  We may also share any information we store or collect in response to a legal process, or when necessary to protect our cleanCART Services or our Client’s Online Shop or related services and offerings, or if otherwise required or recommended by applicable law.  We may also share the information with law enforcement on a proactive basis if the information relates to potential illegal or fraudulent activities.

5.6 Bankruptcy and Acquisitions.  In the event that the ownership of Clean.io or an affiliate or their assets changes as a result of a merger, acquisition, sale of assets, change of control or in the unlikely event of a bankruptcy, the information we have collected may be transferred to another company. If we believe a transfer results in a material change in the use of the information we’ve collected or received about our Visits, we will provide notice and choices consistent with applicable law.

6. OUR DATA RETENTION POLICY

Clean.io removes data within five years after our last encounter with a Visitor or Authorized User or as required by Third Party E-commerce Platforms. After data is removed, Clean.io reserves the right to store and use all anonymized and aggregated indefinitely

7. OUR POLICY REGARDING CHILDREN

We do not knowingly collect data from anyone under the age of 13. In the event that we learn that we have collected data from a child under age 13, we will take reasonable steps to delete that information as quickly as possible. If you believe that we might have any information from or about a child under the age of 13, please contact us at privacy@clean.io.

8. CALIFORNIA CONSUMER PRIVACY ACT – CCPA

California has adopted the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA relates to how businesses collect, use, and disclose “Personal Information” relating to California residents. The phrase “Personal Information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal Information of a Consumer (as defined by CCPA) includes things such as: identifiers (such as contact information, government IDs, cookies, etc.), information protected against security breaches (such as a Consumer’s name and financial account, driver’s license, social security number, user name and password, health/medical information), protected classification information (like race, gender, ethnicity, etc.), commercial information, Internet/electronic activity, precise geolocation, audio/video data, professional or employment related information, education information, biometrics, and inferences from the foregoing.

We do not intentionally collect any “Personal Information” (as defined under the CCPA) about Users via the cleanCART Services (although we do collect Personal Information from Authorized Users as set forth in Section 3.3 above).

We ask our Clients not to provide any such Personal Information about Visitors to us.  However, in the event that a Visitor enters their address, credit card or any other sensitive shopping cart-related info in such a way that the cleanCART Platform classifies this as the information to collect (for example, but not limited to, entering credit card info into coupon text field, etc.) we may inadvertently collect this information. 

If we actually receive or collect such Personal Information despite our intention not to collect or receive such information, then the terms of the cleanCART Data Processing Addendum (“DPA”) shall apply to our collection, use and processing of such Personal Information.  As noted in Section 3.3, the information we collect from Authorized Users during the course of their registration with the cleanCART Services may be “Personal Information” under the CCPA. The terms of the DPA also apply to all such Authorized Visit Personal Information.   For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Authorized Users and Visitors – our Client would be considered the owner and controller (a “Business” under CCPA) of the Personal Information received from its Authorized Users and Visitors and we will act as a “Service Provider” under CCPA.  If you are an Authorized User or Visitor, you should also contact our Client with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

9. GENERAL DATA PROTECTION REGULATION – GDPR

Visitors and Authorized Users that are residents of the European Economic Area have certain rights under the European Union’s General Data Protection Regulation (“GDPR”).  Those Authorized Users and Visitors are referred to as “Data Subjects” by the GDPR and the GDPR applies to “Personal Data” of those Authorized Users and Visitors .  “Personal Data” is defined as information relating to an identified or identifiable Data Subject (as defined by GDPR).  

Except with regard to Authorized Users as set forth in Section 3.3, we do not intentionally collect any “Personal Data” via the cleanCART Services.  We ask our Clients not to provide any such Personal Data to us. 

However, in the event that a Visitor enters their address, credit card or any other sensitive info in such a way that the cleanCART Platform classifies this as the information to collect (for example, but not limited to, entering credit card info into coupon text field, etc.) we may inadvertently collect this information. 

If we have Personal Data in our possession despite our intention not to collect or receive such information, then the terms of the cleanCART Data Processing Addendum shall apply.  As noted in Section 3.3, the personal information we collect from Authorized Users during the course of their registration with the cleanCART Services may be “Personal Data” under GDPR. The terms of the DPA also apply to all such Authorized User Personal Data.   For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Authorized Users and Visitors  – our Client would be considered the owner and controller of the Personal Information of its Visitors and Authorized Users (a “Data Controller” under GDPR)  and we will act as a “Data Processor” under GDPR.  If you are a Visitor or Authorized User, you should also contact our Clients with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

10. SUBPROCESSORS:

Clean.io may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the cleanCART Services (“Subprocessors”). See our Subprocessor List for more information regarding the specific Subprocessors we use. The cleanCART Data Processing Addendum also provides additional information regarding the Subprocessors we use.

11. DATA SECURITY MEASURES

Clean.io implements industry standard practices on information security management to safeguard information we collect via the cleanCART Services. Our information security systems apply to people, processes and information technology systems on a risk management basis.  Because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Clean.io cannot guarantee that unauthorized parties will not gain access to information or data processed by the cleanCART Services.  Clean.io will promptly notify a Client of any data breach or security incident impacting information or data collected from Client or its Visitors or Authorized Users in any material respect. To the extent permitted by applicable law, Clean.io expressly excludes any liability arising from any unauthorized access to personal or sensitive information.

12. INTERNATIONAL DATA TRANSFERS

All information we have is stored on servers located in the United States. In the process of providing our cleanCART Services, we may transfer information across borders from your country or jurisdiction into the United States. With the exception of data transfers from the EU and Switzerland, by providing Clean.io with your information, you hereby consent to the transfer of that information to the U.S.  Transfers of “Personal Data” from the EU and Switzerland to the US will be subject to the cleanCART Terms of Service and/or the cleanCART Data Processing Addendum.

13. LIMITATION OF LIABILITY

Clean.io’s aggregate liability to its Clients arising from or related to this Privacy Policy is subject to the applicable terms and conditions of the cleanCART Terms of Service.

14. CLIENT PRIVACY POLICY & OTHER AGREEMENTS

Client shall obtain from its Visitors and Authorized Users the right for Clean.io to collect and use all of the information as contemplated by this Policy via Client’s terms of services, terms of use or other similar agreements and its applicable privacy policies.  To the extent required by applicable law, Client shall also provide Visitors and Authorized Users with the ability to opt-out of or opt-in to any applicable data and information collection or usage practices described herein.

15. MODIFICATION OF PRIVACY POLICY; NOTICE OF CHANGES

Clean.io reserves the right to change this Policy at any time and for any reason, subject to any requirements of applicable law. Such changes, modifications, additions or deletions shall be effective immediately upon notice thereof, which may be given by means including, but not limited to posting the revised Policy on our website. By continuing to use our cleanCART Services after any changes or modifications are made to this Policy, you accept the updated Policy and agree to abide by and be bound by the updated Policy.

16. QUESTIONS & CHANGES TO THIS PRIVACY POLICY

We may change this Policy at any time. We will post all changes to this Policy on this page and will indicate at the top of the page the modified policy’s Last Updated date. If you have any questions or suggestions regarding this Policy, please contact us at: privacy@clean.io.

CONTACTS

General legal inquiries: privacy@clean.io
Privacy inquiries: privacy@clean.io
Security inquiries: security@clean.io