Privacy Policy

This Privacy Policy describes how NanoCart ("we," "our," or "us") collects, uses, processes, and protects your personal information when you use our platform available at nanocart.app ("Platform"). This policy applies to all users of our services and complies with the European General Data Protection Regulation (GDPR) and Estonian data protection laws.

1. Data Controller Information

Data Controller:
Email: [email protected]
Website: https://nanocart.app

For data protection inquiries, please contact us at [email protected].

2. Personal Data We Collect

2.1 Information You Provide Directly

Account Registration Data:

• Email address (required for account creation and communications)
• Account credentials (password, stored in encrypted format)
• Profile information you choose to provide
• Payment information for platform fees (processed by third-party payment processors)

Content and Communications:

• Product information, descriptions, and images you upload
• Communications with our support team
• Feedback and survey responses

2.2 Information We Collect Automatically

Technical Data:

• IP address and location data
• Device type, browser type, and operating system
• Pages visited and time spent on the Platform
• Referral sources and exit pages
• Platform usage patterns and feature interactions

Cookies and Tracking Technologies:

• Session cookies for platform functionality
• Analytics cookies for service improvement
• Performance cookies for optimization
• Preference cookies for user settings

2.3 Information from Third Parties

• Data from integrated payment processors (transaction confirmations, not payment details)
• Analytics data from third-party services you connect (Google Analytics, etc.)
• Information from social media platforms if you choose to connect them

3. How We Use Your Personal Data

3.1 Service Provision (Legal Basis: Contract Performance)

• Creating and maintaining your account
• Providing platform functionality and features
• Processing payments for our services
• Hosting and maintaining your product pages
• Providing customer support and technical assistance

3.2 Communication (Legal Basis: Contract Performance & Legitimate Interest)

• Sending service-related notifications and updates
• Responding to your inquiries and support requests
• Providing important account and security information
• Notifying you of Terms of Service or Privacy Policy changes

3.3 Platform Improvement (Legal Basis: Legitimate Interest)

• Analyzing platform usage to improve services
• Identifying and fixing technical issues
• Developing new features and functionality
• Conducting security monitoring and fraud prevention

3.4 Legal Compliance (Legal Basis: Legal Obligation)

• Maintaining records as required by tax and commercial laws
• Responding to legal requests and regulatory requirements
• Preventing illegal activities and policy violations
• Protecting our rights and the rights of other users

3.5 Marketing (Legal Basis: Consent)

• Sending promotional emails about new features (only with your consent)
• Conducting user surveys and research (optional participation)

4. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our services
• Legitimate Interest: Improving our platform, security, and user experience
• Legal Obligation: Compliance with applicable laws and regulations
• Consent: Marketing communications and optional features (you may withdraw consent anytime)

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We may share personal data with trusted service providers who assist in platform operations:

Essential Service Providers:

• Cloud hosting and infrastructure providers
• Payment processing services
• Email delivery services
• Analytics and monitoring tools

Data Processing Agreements:

All third-party processors are bound by data processing agreements ensuring GDPR compliance and appropriate data protection measures.

5.2 Legal Requirements

We may disclose personal data when required by law:

• Court orders or legal proceedings
• Regulatory investigations
• Law enforcement requests
• Protection of rights, property, or safety

5.3 Business Transfers

In case of merger, acquisition, or sale of assets, personal data may be transferred as part of the business assets, with appropriate notice and protection measures.

5.4 What We Do NOT Share

• We do not sell personal data to third parties
• We do not share data with advertisers for targeting purposes
• We do not provide user lists to marketing companies
• Customer transaction data remains between users and their payment processors

6. International Data Transfers

6.1 Data Storage Location

Your data is primarily stored within the European Economic Area (EEA). When data is transferred outside the EEA, we ensure appropriate safeguards:

• Adequacy Decisions: Transfers to countries with EU adequacy decisions
• Standard Contractual Clauses: EU-approved contracts for data protection
• Certification Schemes: Transfers under approved certification mechanisms

6.2 Third-Party Services

Some integrated services may involve data transfers outside the EEA. Users are responsible for reviewing the privacy policies of third-party services they choose to integrate.

7. Data Retention

7.1 Active Accounts

Personal data is retained while your account remains active and as necessary to provide services.

7.2 Account Deletion

Upon account deletion:

• Most personal data is deleted or anonymized within 30 days
• Tax-related information retained as required by Estonian tax law (typically 7 years)
• Some anonymized data may be retained for legitimate business purposes

7.3 Legal Requirements

Certain data must be retained longer when required by:

• Estonian tax law and EU fiscal regulations (typically 7 years for financial and transaction records)
• Legal obligations and other regulatory requirements
• Pending legal proceedings or disputes
• Fraud prevention and security purposes

Note: Data subject requests for erasure or deletion will be honored except for information that we are legally required to retain for tax reporting, regulatory compliance, or other mandatory legal purposes.

8. Data Security

8.1 Technical Measures

• Encryption of data in transit and at rest
• Secure authentication and access controls
• Regular security assessments and updates
• Intrusion detection and monitoring systems

8.2 Organizational Measures

• Staff training on data protection principles
• Access controls based on need-to-know basis
• Regular review of data processing activities
• Incident response and breach notification procedures

8.3 User Responsibilities

• Use strong, unique passwords
• Keep account credentials confidential
• Report suspected security incidents promptly
• Review account activity regularly

9. Your Rights Under GDPR

As a data subject, you have the following rights:

9.1 Right to Information

You have the right to know how your personal data is processed (addressed in this Privacy Policy).

9.2 Right of Access

You can request a copy of your personal data we hold about you.

9.3 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

9.4 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances.

9.5 Right to Restrict Processing

You can request limitation of processing in specific situations.

9.6 Right to Data Portability

You can request your data in a structured, machine-readable format.

9.7 Right to Object

You can object to processing based on legitimate interests or direct marketing.

9.8 Right to Withdraw Consent

You can withdraw consent for processing based on consent at any time.

9.9 Right to Lodge a Complaint

You can file a complaint with supervisory authorities if you believe your rights have been violated.

10. Exercising Your Rights

10.1 How to Submit Requests

To exercise your rights, contact us at [email protected] with:

• Clear identification of the right you wish to exercise
• Sufficient information to verify your identity
• Specific details about your request

10.2 Response Timeline

• We will acknowledge your request within 72 hours
• Most requests will be fulfilled within 30 days
• Complex requests may require up to 90 days with explanation
• Some requests may require additional verification for security

10.3 Data Export

Before account termination, you have 7 days to export your data using our provided tools.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

Strictly Necessary Cookies:

• Authentication and session management
• Security and fraud prevention
• Core platform functionality

Analytics Cookies:

• Platform usage statistics
• Performance monitoring
• Error tracking and debugging

Preference Cookies:

• User interface settings
• Language and region preferences
• Feature customization options

11.2 Cookie Management

You can control cookies through:

• Browser settings and preferences
• Platform cookie preferences (where available)
• Third-party opt-out mechanisms

11.3 Third-Party Tracking

Users may integrate third-party tracking tools (Google Analytics, advertising pixels). These integrations are:

• Controlled by the user, not by us
• Subject to the third party's privacy policies
• The user's responsibility regarding compliance and consent

12. Children's Privacy

Our Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that personal data from someone under 18 has been collected, we will delete such information promptly and may terminate the associated account.

13. Data Breach Notification

13.1 Our Obligations

In case of a personal data breach:

• We will notify relevant supervisory authorities within 72 hours when feasible
• Affected users will be notified without undue delay when the breach poses high risk
• We will document all breaches and remedial actions taken

13.2 User Notification

Breach notifications to users will include:

• Nature and scope of the breach
• Potential consequences and risks
• Measures taken to address the breach
• Recommended actions for affected users

14. Changes to This Privacy Policy

14.1 Update Process

We may update this Privacy Policy to reflect:

• Changes in our data processing practices
• Legal or regulatory requirements
• Platform feature updates or improvements

14.2 Notification

• Users will receive 7 days advance notice of material changes
• Notice will be provided via email and platform notification
• Continued use after the effective date constitutes acceptance
• Previous versions will be archived and available upon request

15. Supervisory Authority

The Estonian Data Protection Inspectorate is our lead supervisory authority:

Estonian Data Protection Inspectorate
Address: Väike-Ameerika 19, 10129 Tallinn, Estonia
Phone: +372 627 4135
Email: [email protected]
Website: https://www.aki.ee

16. Contact Information

For privacy-related questions, requests, or concerns:

Email: [email protected]
Website: https://nanocart.app

Response Time: We aim to respond to privacy inquiries within 48 hours during business days.

---

Document Version: September 9, 2025
Last Updated: September 9, 2025
Language: This Privacy Policy is provided in English. In case of translation, the English version governs.