CLEAN.IO CLEANCART PRIVACY POLICY

Last updated October 4, 2021

This privacy policy describes our privacy practices applicable to cleanCART.  If you are a company or business utilizing cleanCART (or the site visitors, customers, or end users of such companies or businesses), then this privacy policy applies to you. Please note that this privacy policy does not address our privacy practices with respect to our other websites, software solutions and service offerings (for instance, our cleanAD Platform that detects and blocks malicious advertisements on web pages and applications).  Please visit our Clean.io Website Privacy Policy for more information related to how we handle information collected from our general website visitors or individuals who have a direct relationship with us.  Please visit our cleanAD Platform Privacy Policy for more information related to how we handle information and data collected from our cleanAD Platform that detects and blocks malicious advertisements on web pages and applications.

1. INTRODUCTION

Clean.io, Inc. (“Clean.io”, “us” or “we”) provides an online shopping cart platform and related technology and services (as more fully defined below, “cleanCART”) for use by online shops and e-commerce stores (“Online Shops”). cleanCART is made available on a software-as-a-service (SaaS) basis and offers a full suite of online shopping cart protections that enable our Users and their Organizations to detect and protect their Online Shops and their Online shop visitors, customers and user base (“Visitors/Visitor”) against form jacking, journey jacking, personal data theft, and fraudulent or unauthorized discount, coupon, rebate, promotional and similar codes (the “Shopping Cart Threats”). This privacy policy (“Policy”) explains how information is collected, used, and disclosed when our clients (“Clients”) use and deploy cleanCART in connection with their Online Shops. For purposes of this Policy, “Visitor(s)” does not include Authorized Users that are the employees and agents of our Clients who are accessing the cleanCART Services on behalf of our Clients for purposes of deploying cleanCART on their applicable Online Shops.

2. OVERVIEW OF THE CLEANCART SERVICES

cleanCART consists of an application programming interface, scripts and related services, data, analytics, code, and technology that Clients may deploy on their Online Shops for purposes of detecting and blocking Shopping Cart Threats (collectively, “cleanCART Services” or the “cleanCART Platform”). Clean.io may make the cleanCART Services directly available to Clients and their Online Shops, and may also sometimes partner with Third Party E-Commerce Platforms for purposes of making the cleanCART Services available to Online Shops hosted or provided via or on those Third Party E-Commerce Platforms. Our Clients use cleanCART Services in order to attempt to protect their business from the harmful financial and reputational impact caused by such Shopping Cart Threats.

In order to use and receive the cleanCART Services, each Client must first agree to and accept our online cleanCART Terms of Service (the “Terms of Service”). Such Terms of Service may address aspects of our privacy obligations with our Clients and how Clean.io will retain, use, disclose and otherwise process personal information in connection with such cleanCART Services. However, unless the Terms of Service expressly states that this Policy shall not apply, this Policy shall apply to and supplement the Terms of Service and shall govern how we collect and use data that may be obtained through the provision of cleanCART Services to Clients.

3. INFORMATION COLLECTED VIA THE CLEANCART SERVICES

3.1 Threat Data and Services Related Data. When the cleanCART Services detect a Shopping Cart Threat, certain information is collected about the impacted Visitor, the Visitor’s device, pages within the Online Shop visited by the Visitor, and specific information related to the identified or suspect threat. The cleanCART Services also collect certain data when deployed on the Online Shop to monitor for threats. Collected information may consist of the following, which shall be considered Threat Data as defined in the Terms of Service, but Clean.io may collect other similar information or information that it needs to provide the cleanCART Services and such additional information shall be set forth in an update to this Policy. The following collected information relates to Visitors unless otherwise noted:

client datetime

client timezone

blocking mode

country code

postal code

state/city

script version

ISP

hostname

URL

script path

merchant/platform session ID (non-GDPR/CCPA areas)

clean-assigned pageview ID

clean-assigned session ID

parsed user agent data

present chrome extensions, with ID

state of present chrome extensions (enabled/disabled)

order ID

order items (product ID, variant ID)

order total price

order price of individual line items

shipping cost (inferred)

applied discount cost

name of the coupon code injected/manually entered

name and ID of the extension which injected the code

URL of checkout page at which the injection was made

one-way hashed IP address (non-GDPR/CCPA areas)

currency used

platform used by merchant (e.g. Shopify)

whether or not client is in GDPR territory

blocked affiliate cookie setting attempt

blocked affiliate pixel event with full pixel URL 

referrer

 

Please note that we may use a Visitor’s IP address for purposes of collecting information regarding a Visitor’s Internet Service Provider and general geographic location (e.g., country or zip code). However, we do not store the Visitor’s IP address into permanent memory and do not use it in any manner to identify any individual. Also, while we do collect the Visitor’s user agent string, we do not combine it with any other personal information or any browser extensions and do not use it to identify any individual.

Please note that the Services may collect order ID information (“Order ID”) and/or certain cookie session information related to Visitors or the Online Shops or Third Party E-Commerce Platforms they are interacting with (“Session ID”, and collectively with the OrderID, “Specific Visitor Information”). This Specific Visitor Information may be considered “Personal Data” or “Personal Information” (each as defined below) under GDPR or CCPA (each as defined below) as such information may be used to indirectly identify an individual Visitor when combined with other information or data from Clients, Online Shops, Third Party E-Commerce Platform or other third parties (“Order ID Data”). Clean.io itself is not able to identify an individual based on such Specific Visitor Information and does not itself use such Specific Visitor Information to identify any individuals or build user profiles. In countries that are subject to GDPR as well as California, we (i) do not collect the Session ID, and (ii) do not collect the full Order ID (and in such jurisdictions we truncate or shorten it) unless our Client requests the full Order ID. When the Client requests we collect the full Order ID in countries that are subject to GDPR as well as California, we collect, process and use the full (and non-truncated) Order ID in accordance with the terms of our DPA (defined below) and solely to provide our cleanCART Services to Clients (in such jurisdictions, the “Client Requested Order ID”). We collect the full Order ID and the Session ID in other jurisdictions.

3.2 Custom Data Points.  Clients may also elect to pass custom data points or special markers to Clean.io in connection with cleanCART Services, such as Google Analytics IDs, operation modes, data storage modes and configuration for testing. The type of custom information shared via our cleanCART Service is ultimately determined by our Clients with the exception of any client identifiers assigned by us.

3.3 Authorized User Data. In order for a Client’s employees and authorized agents (the “Authorized Users”) to access and use the cleanCART Services on the Client’s behalf, those Authorized Users will first need to be provisioned access credentials via Clean.io’s access and login procedures in effect from time to time. Clean.io currently uses Auth0 to facilitate access to the cleanCART Services. Additionally, we may require an Authorized User’s name and email address in order to communicate with Authorized Users with respect to Client’s and the Authorized User’s use of the cleanCART Services. Certain of the information that we collect from Authorized Users (e.g. name and email) is considered “Personal Data” or “Personal Information” (each as defined below) under the terms of applicable privacy laws and is therefore subject to the terms of our cleanCART Data Processing Addendum.

3.4 Personal Data. Except as set forth in Section 3.3 with respect to Authorized Users and as set forth in the last paragraph of Section 3.1 with respect to Specific Visitor Data, we do not knowingly collect, and the Services are not intended to collect, any “Personal Data” or “Personal Information” (each as defined below) and we ask our Clients not to provide any such Personal Data to us. For example, we do NOT collect identifiers such as contact information, government IDs, cookies, names, email addresses and other similar information from Visitors. However, in the event that a Visitor enters their address, credit card or any other sensitive info in such a way that the cleanCART Platform classifies this as the information to collect (for example, but not limited to, entering credit card info into coupon text field, etc.) we may inadvertently collect this information. The terms of our Data Processing Addendum shall apply in these limited circumstances described above when we collect “Personal Data” or “Personal Information” under GDPR and CCPA (including with respect to Authorized User Personal Data and Specific Visitor Information).

3.5 Third Party E-Commerce Platform Data; Customer Provided Data. We will collect certain information and data related to our Clients from Third Party E-Commerce Platforms if you are also a customer of such Third Party E-Commerce Platform. This data and information may be collected automatically via APIs that a Third Party E-Commerce Platform makes available to us and such information or data may include different types of information or data made available by such Third Party E-Commerce Platform related to a Client and their Online Shop and their use of the Third Party E-Commerce Platform (and such information may include data related to a Client’s Online Shop revenues and/or orders that we use to calculate fees owed by a Client related to their use of the Services). In certain situations, we may also ask that a Client provide this information or data directly to us if it is not available from a Third Party E-Commerce Platform.

4. COLLECTION METHODS

Clean.io generally collects information related to the Services via the deployment of a script on the Online Shop and other similar technological methods. As described in Section 3.3, we also collect information directly from Authorized Users in connection with their Platform registration process. Clients sometimes directly send detected Shopping Cart Threats to Clean.io for separate analysis or pre-scanning, and Clean.io may collect data and information from those Shopping Cart Threats. In addition, Clients may send us other types of information directly from time to time. Also, as noted above, we may collect information and data directly from Third Party E-Commerce Platforms related to a Client and their Online Shop and use of the Third Party E-Commerce Platform.

5. CLEAN.IO’S USE OF COLLECTED INFORMATION

We use the information we collect or receive as follows:

5.1 Providing Our Services. Clean.io primarily uses the information we collect to provide the Services. In providing the Service, the information collected helps us determine the types of Shopping Cart Threats impacting Online Shops and their Visitors. The information also helps improve the Services to better protect Online Shops from Shopping Cart Threats or other malicious online activities and the corresponding economic and reputational damage. Clean.io may also use the information collected to enable a Client to block specific Shopping Cart Threats. We use registration information collected from your Authorized Users in order to facilitate their access and use of the Services. We will also use certain information to determine pricing and charges related to your use of the Services.

5.2 Sharing With Our Clients. We may share certain of the information we collect with our Clients, and our Clients may use the information for a variety of purposes, including to block Shopping Cart Threats or make changes to their Online Shops to avoid Shopping Cart Threats.

5.3 Improving Our cleanCART Services.  We may use the information we collect to improve, analyze and monitor our Services.

5.4 Sharing With Third Parties. We may share information with our Subprocessors and other third parties that provide services to us in connection with the provision of our Services to Clients or the improvement of our Services, including, without limitation, related to the analysis of Threat Data or Visitor data that is not personal data or personal information.

5.5 Business Use of Aggregated or Anonymous Data. If and as permitted by applicable law and any applicable third party requirements, we may also use the information collected on an anonymized and/or aggregated basis (i) for the purposes of performing industry tracking and analysis and developing and sharing reports related thereto, and (ii) for our other business, commercial or research purposes. We may share (on any anonymized and/or aggregated basis) information we collect with Third Party E-commerce Platforms and with researchers, experts and third party service providers working in the e-commerce and digital security industries. However, this information shall never contain any personal data or personal information of Visitors.

5.6 Legal Actions. We may also share any information we store or collect in response to a legal process, or when necessary to protect our cleanCART Services or our Client’s Online Shop or related services and offerings, or if otherwise required or recommended by applicable law. We may also share the information with law enforcement on a proactive basis if the information relates to potential illegal or fraudulent activities.

5.7 Bankruptcy and Acquisitions. In the event that the ownership of Clean.io or an affiliate or their assets changes as a result of a merger, acquisition, sale of assets, change of control or in the unlikely event of a bankruptcy, the information we have collected may be transferred to another company. If we believe a transfer results in a material change in the use of the information we’ve collected or received about our Visits, we will provide notice and choices consistent with applicable law.

5.8 Marketing and Advertising Use.  We use Authorized User information (and not any Visitor information) to engage in advertising and marketing efforts (e.g. marketing emails) directed at Customers and provide Customers with offers and other information about us and our services.

6. OUR DATA RETENTION POLICY

Clean.io removes data within five years after our last encounter with a Visitor or Authorized User or as required by Third Party E-commerce Platforms. After data is removed, Clean.io reserves the right to store and use all anonymized and aggregated data indefinitely.

7. OUR POLICY REGARDING CHILDREN

We do not knowingly collect data from anyone under the age of 13. In the event that we learn that we have collected data from a child under age 13, we will take reasonable steps to delete that information as quickly as possible. If you believe that we might have any information from or about a child under the age of 13, please contact us at privacy@clean.io.

8. CALIFORNIA CONSUMER PRIVACY ACT – CCPA

California has adopted the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA relates to how businesses collect, use, and disclose “Personal Information” relating to California residents. The phrase “Personal Information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal Information of a Consumer (as defined by CCPA) includes things such as: identifiers (such as contact information, government IDs, cookies, etc.), information protected against security breaches (such as a Consumer’s name and financial account, driver’s license, social security number, user name and password, health/medical information), protected classification information (like race, gender, ethnicity, etc.), commercial information, Internet/electronic activity, precise geolocation, audio/video data, professional or employment related information, education information, biometrics, and inferences from the foregoing.

Except for the Client Requested Order ID described above in Section 3.1, we do not intentionally collect any “Personal Information” (as defined under the CCPA) about Visitors via the Services (although we do collect Personal Information from Authorized Users as set forth in Section 3.3 above). We ask our Clients not to provide any other Personal Information about Visitors to us. However, in the event that a Visitor enters their address, credit card or any other sensitive shopping cart-related info in such a way that the Platform classifies this as the information to collect (for example, but not limited to, entering credit card info into coupon text field, etc.) we may inadvertently collect this information.

If we actually receive or collect such Personal Information despite our intention not to collect or receive such information, and with regard to Client Requested Order ID that we collect upon a Client’s request, then the terms of the Clean.io Data Processing Addendum (“DPA”) shall apply to our collection, use and processing of such Personal Information. As noted in Section 3.3, the information we collect from Authorized Users during the course of their registration with the Services may be “Personal Information” under the CCPA. The terms of the DPA also apply to all such Authorized User Personal Information. For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Authorized Users and Visitors – our Client would be considered the owner and controller (a “Business” under CCPA) of the Personal Information received from its Authorized Users and Visitors and we will act as a “Service Provider” under CCPA. If you are an Authorized User or Visitor, you should also contact our Client with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

If we actually receive or collect such Personal Information despite our intention not to collect or receive such information, then the terms of the cleanCART Data Processing Addendum (“DPA”) shall apply to our collection, use and processing of such Personal Information. As noted in Section 3.3, the information we collect from Authorized Users during the course of their registration with the cleanCART Services may be “Personal Information” under the CCPA. The terms of the DPA also apply to all such Authorized Visit Personal Information. For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Authorized Users and Visitors – our Client would be considered the owner and controller (a “Business” under CCPA) of the Personal Information received from its Authorized Users and Visitors and we will act as a “Service Provider” under CCPA. If you are an Authorized User or Visitor, you should also contact our Client with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

9. GENERAL DATA PROTECTION REGULATION – GDPR

Visitors and Authorized Users that are residents of the European Economic Area have certain rights under the European Union’s General Data Protection Regulation (“GDPR”). Those Authorized Users and Visitors are referred to as “Data Subjects” by the GDPR and the GDPR applies to “Personal Data” of those Authorized Users and Visitors. “Personal Data” is defined as information relating to an identified or identifiable Data Subject (as defined by GDPR).

Except with regard to Authorized Users as set forth in Section 3.3 and Client Requested Order ID that we collect upon a Client’s request, we do not intentionally collect any “Personal Data” via the Services. We ask our Clients not to provide any other Personal Data to us.

However, in the event that a Visitor enters their address, credit card or any other sensitive info in such a way that the Platform classifies this as the information to collect (for example, but not limited to, entering credit card info into coupon text field, etc.) we may inadvertently collect this information.

If we have Personal Data in our possession despite our intention not to collect or receive such information, and with regard to Client Requested Order ID, then the terms of the Clean.io Data Processing Addendum shall apply. As noted in Section 3.3, the personal information we collect from Authorized Users during the course of their registration with the Services may be “Personal Data” under GDPR. The terms of the DPA also apply to all such Authorized User Personal Data. For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Authorized Users and Visitors – our Client would be considered the owner and controller of the Personal Information of its Visitors and Authorized Users (a “Data Controller” under GDPR) and we will act as a “Data Processor” under GDPR. If you are a Visitor or Authorized User, you should also contact our Clients with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

If we have Personal Data in our possession despite our intention not to collect or receive such information, then the terms of the cleanCART Data Processing Addendum shall apply. As noted in Section 3.3, the personal information we collect from Authorized Users during the course of their registration with the cleanCART Services may be “Personal Data” under GDPR. The terms of the DPA also apply to all such Authorized User Personal Data. For clarity, the DPA shall apply to our relationships with our Clients and sets forth certain rights and obligations between us and our Clients related to the information of their Authorized Users and Visitors – our Client would be considered the owner and controller of the Personal Information of its Visitors and Authorized Users (a “Data Controller” under GDPR) and we will act as a “Data Processor” under GDPR. If you are a Visitor or Authorized User, you should also contact our Clients with whom you shared your information to learn about their privacy policies and to exercise your privacy rights.

10. SUBPROCESSORS:

Clean.io may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the cleanCART Services (“Subprocessors”). See our Subprocessor List for more information regarding the specific Subprocessors we use. The cleanCART Data Processing Addendum also provides additional information regarding the Subprocessors we use.

11. DATA SECURITY MEASURES

Clean.io implements industry standard practices on information security management to safeguard information we collect via the cleanCART Services. Our information security systems apply to people, processes and information technology systems on a risk management basis.  Because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Clean.io cannot guarantee that unauthorized parties will not gain access to information or data processed by the cleanCART Services.  Clean.io will promptly notify a Client of any data breach or security incident impacting information or data collected from Client or its Visitors or Authorized Users in any material respect. To the extent permitted by applicable law, Clean.io expressly excludes any liability arising from any unauthorized access to personal or sensitive information.

12. INTERNATIONAL DATA TRANSFERS

All information we have is stored on servers located in the United States. In the process of providing our cleanCART Services, we may transfer information across borders from your country or jurisdiction into the United States. With the exception of data transfers from the EU and Switzerland, by providing Clean.io with your information, you hereby consent to the transfer of that information to the U.S. Transfers of “Personal Data” from the EU and Switzerland to the US will be subject to the cleanCART Terms of Service and/or the cleanCART Data Processing Addendum.

13. LIMITATION OF LIABILITY

Clean.io’s aggregate liability to its Clients arising from or related to this Privacy Policy is subject to the applicable terms and conditions of the cleanCART Terms of Service.

14. CLIENT PRIVACY POLICY & OTHER AGREEMENTS

Client shall obtain from its Visitors and Authorized Users the right for Clean.io to collect and use all of the information as contemplated by this Policy via Client’s terms of services, terms of use or other similar agreements and its applicable privacy policies. To the extent required by applicable law, Client shall also provide Visitors and Authorized Users with the ability to opt-out of or opt-in to any applicable data and information collection or usage practices described herein.

15. MODIFICATION OF PRIVACY POLICY; NOTICE OF CHANGES

Clean.io reserves the right to change this Policy at any time and for any reason, subject to any requirements of applicable law. Such changes, modifications, additions or deletions shall be effective immediately upon notice thereof, which may be given by means including, but not limited to posting the revised Policy on our website. By continuing to use our cleanCART Services after any changes or modifications are made to this Policy, you accept the updated Policy and agree to abide by and be bound by the updated Policy.

16. QUESTIONS & CHANGES TO THIS PRIVACY POLICY

We may change this Policy at any time. We will post all changes to this Policy on this page and will indicate at the top of the page the modified policy’s Last Updated date. If you have any questions or suggestions regarding this Policy, please contact us at: privacy@clean.io.

CONTACTS

General legal inquiries: privacy@clean.io
Privacy inquiries: privacy@clean.io
Security inquiries: security@clean.io