
Privacy Policy

Last updated: 26 January 2026

1. Introduction

Carthy ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital loyalty card platform (the "Service").

This policy complies with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

For the purposes of GDPR, Carthy acts as:

  • Data Controller: For business owner accounts and platform operations
  • Data Processor: For customer loyalty data collected by businesses using our platform

Individual businesses using our platform are Data Controllers for their customer data.

3. Information We Collect

3.1 Business Owner Information

When you register as a business owner, we collect:

  • Account Information: Email address, password (encrypted)
  • Business Information: Business name, legal entity name, business address, city, postal code, country
  • Usage Data: Login times, features used, actions performed
  • Technical Data: IP address, browser type, device information, operating system

3.2 Customer Information (Loyalty Program Members)

When you join a business's loyalty program, we collect:

  • Personal Information: First name, last name, email address, date of birth
  • Loyalty Data: Visit records, services used, promotions redeemed
  • QR Code: Unique identifier for your digital loyalty card
  • Consent Records: Your acceptance of terms and privacy policy

3.3 Automatically Collected Information

We automatically collect certain information when you use the Service:

  • Log data (timestamps, actions, errors)
  • Device information (type, operating system, browser)
  • Usage patterns and analytics
  • Cookies and similar tracking technologies

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Consent: You have given clear consent for us to process your personal data for specific purposes
  • Contract: Processing is necessary to fulfill our contract with you
  • Legal Obligation: Processing is necessary to comply with legal requirements
  • Legitimate Interests: Processing is necessary for our legitimate business interests, provided these do not override your rights

5. How We Use Your Information

5.1 Business Owner Data

We use business owner information to:

  • Create and manage your account
  • Provide the Service's features and functionality
  • Process your requests and communications
  • Send service-related notifications
  • Improve and optimize the Service
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

5.2 Customer Data

We use customer information to:

  • Generate and deliver digital loyalty cards
  • Track visits and loyalty progress
  • Process promotion redemptions
  • Send loyalty cards and updates via email
  • Enable businesses to manage their loyalty programs

6. Data Sharing and Disclosure

6.1 We Share Your Data With:

  • Service Providers: Email service providers, hosting providers, analytics services (only as necessary to provide the Service)
  • Business Owners: Customer data is shared with the business whose loyalty program you joined
  • Legal Requirements: Law enforcement or regulatory authorities when required by law

6.2 We Do NOT:

  • Sell your personal data to third parties
  • Share your data for marketing purposes without consent
  • Transfer data outside the EEA without appropriate safeguards

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure:

  • Adequate level of data protection (adequacy decisions)
  • Standard Contractual Clauses approved by the EU Commission
  • Other appropriate safeguards under GDPR

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS/SSL) and at rest
  • Secure password hashing (bcrypt)
  • Regular security assessments
  • Access controls and authentication
  • Regular backups and disaster recovery
  • Employee training on data protection

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your personal data only as long as necessary:

  • Business Accounts: For the duration of your account plus 1 year for legal compliance
  • Customer Data: As determined by the business owner's retention policy, or until you request deletion
  • Technical Logs: Up to 12 months for security and debugging
  • Legal Requirements: Longer if required by law

10. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights:

10.1 Right to Access

You can request a copy of your personal data we hold.

10.2 Right to Rectification

You can request correction of inaccurate or incomplete data.

10.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

  • Data is no longer necessary for its original purpose
  • You withdraw consent
  • You object to processing
  • Data was unlawfully processed

10.4 Right to Restrict Processing

You can request limitation of processing when:

  • You contest the accuracy of data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims

10.5 Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format.

10.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing.

10.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time.

10.8 Right to Lodge a Complaint

You can lodge a complaint with your national data protection authority.

11. Exercising Your Rights

To exercise any of these rights, contact us at:

Email: privacy@carthy.online

Data Protection Officer: dpo@carthy.online

We will respond to your request within 30 days. We may request verification of your identity.

12. Cookies and Tracking Technologies

12.1 Cookies We Use:

  • Essential Cookies: Required for authentication and security (cannot be disabled)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how users interact with the Service (with your consent)

12.2 Managing Cookies:

You can control cookies through your browser settings. Note that disabling essential cookies may prevent use of the Service.

13. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, contact us immediately.

For loyalty program members aged 13-18, we require parental consent.

14. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay
  • Provide information about the breach and our response

15. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

16. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to read their privacy policies.

17. Business Transfers

If Carthy is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

18. Updates to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via:

  • Email notification
  • Prominent notice on the Service
  • In-app notification

Continued use after changes constitutes acceptance of the updated policy.

19. Data Protection Officer

For questions about this Privacy Policy or our data practices, contact our Data Protection Officer:

Email: dpo@carthy.online

Address: [Your Business Address]

20. Supervisory Authority

If you are in the EEA and have concerns about our data processing, you have the right to lodge a complaint with your local data protection authority:

Find your local authority: https://edpb.europa.eu/about-edpb/board/members_en

21. Contact Us

For any questions or concerns about this Privacy Policy, please contact us:

Email: privacy@carthy.online

Support Email: support@carthy.online

Data Protection Officer: dpo@carthy.online

Address: Estonska 14, 82106, Bratislava, Slovakia

Your Privacy Matters: We are committed to protecting your personal data and respecting your privacy rights. If you have any questions or concerns, please don't hesitate to contact us.