Data Handling
Last updated: 13 February 2026
What data Cartback receives from Klaviyo
- Abandoned cart flow event triggers (cart ID, timestamp, flow identifier).
- Customer email address (hashed for entry matching and de-duplication).
- Flow action status (whether the Cartback step was executed).
Cartback connects to Klaviyo via OAuth and only requests the permissions required to operate within abandoned cart flows. We do not access your full Klaviyo subscriber list or other flow data.
What data Cartback receives from Shopify
- Order confirmation events for carts where a Cartback incentive was delivered.
- Merchant account information (store name, store URL, billing email).
- We do not access your full product catalogue, customer list, or order history beyond what is required for entry verification.
What we store in order to run draws
- Entry records: hashed customer identifier, ticket ID, draw period, entry timestamp, purchase confirmation reference.
- Draw records: draw ID, date, prize amount, entry count, winner selection result.
- Winner records: winner identifier (masked for publication), ticket ID, prize amount, payment status.
- Audit logs: timestamped records of all draw operations, entry creations, and winner selections.
How merchants can request deletion
Merchants can request deletion of their account data and associated entry records by contacting support@cartback.com.au. We will process deletion requests within 30 days, subject to any regulatory retention requirements.
Note: Some records may need to be retained for the period required by trade promotion regulations (typically 7 years). In these cases, we will inform you which records must be retained and for how long.
Audit log retention for compliance
Audit logs for draw operations, entry creation, and winner selection are retained for a minimum of 7 years in accordance with Australian trade promotion record-keeping requirements. These logs are stored securely and access is restricted to authorised compliance personnel.
Data protection measures
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via managed database encryption).
- Customer email addresses are hashed with SHA-256 for entry matching and de-duplication.
- Our draw audit trail is hash-chained — each draw record cryptographically links to the previous, making the record tamper-evident.
- Winner selection uses provably fair randomness via drand (League of Entropy), which can be independently verified.
- Infrastructure runs on managed services (Vercel for compute, Neon PostgreSQL for data) — no self-hosted servers to patch or maintain.
Data loss prevention
- Database backups: automated point-in-time recovery via Neon PostgreSQL, retained per Neon's backup policy.
- No personal data is stored on staff devices or local machines.
- All data access occurs via authenticated web interfaces — no direct database access in production for day-to-day operations.
- The draw audit trail is hash-chained, providing an immutable, verifiable record even in the event of partial data loss.
- Automated daily data purge removes expired sessions and stale tracking data, reducing the volume of data at risk.
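The hash-chained audit trail mentioned under Data protection measures and Data loss prevention, as an added illustration that is not Cartback's own code: each draw record stores the SHA-256 hash of the record before it, so altering or dropping a historic record breaks the chain at a detectable position. The record fields and sample draw values below are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def record_hash(body, prev_hash):
    # Canonical JSON (sorted keys, fixed separators) so every verifier hashes identical bytes.
    payload = json.dumps({"body": body, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_draw(chain, draw_id, date, prize_amount, entry_count, winner_ticket):
    """Append a draw record whose hash covers both its content and its predecessor's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"draw_id": draw_id, "date": date, "prize_amount": prize_amount,
            "entry_count": entry_count, "winner_ticket": winner_ticket}
    record = {"body": body, "prev_hash": prev_hash, "hash": record_hash(body, prev_hash)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first record that fails)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != expected_prev:          # a record was removed or reordered
            return False, i
        if record_hash(rec["body"], rec["prev_hash"]) != rec["hash"]:  # content edited
            return False, i
        expected_prev = rec["hash"]
    return True, None


def build_sample_chain():
    # Constructed sample draws, not real Cartback data.
    chain = []
    append_draw(chain, "draw-001", "2026-01-05", 500, 1200, "T-000042")
    append_draw(chain, "draw-002", "2026-01-12", 500, 1350, "T-001337")
    append_draw(chain, "draw-003", "2026-01-19", 750, 1410, "T-000999")
    return chain


def tamper_demo():
    chain = build_sample_chain()
    chain[1]["body"]["prize_amount"] = 5000   # silently edit a historic prize amount
    return verify_chain(chain)                # -> (False, 1)


def missing_record_demo():
    chain = build_sample_chain()
    del chain[1]                              # partial data loss: one record gone
    return verify_chain(chain)                # -> (False, 1): draw-003 no longer links to draw-001
```

Because each record commits to its predecessor, a verifier holding only the most recent hash can detect any edit or gap in the earlier history without trusting the database that served it.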
Staff access controls
- Access to personal data follows the principle of least privilege.
- Admin panel is secured with magic-link authentication — no passwords to phish or reuse.
- No shared credentials. Each staff member has individual access.
- All service accounts (Shopify, Klaviyo, Tremendous, database) use strong, unique credentials stored in environment-level secrets management.
- Staff access is reviewed regularly and revoked promptly on role change or departure.
- Production database access is restricted to emergency break-glass procedures only.
Access logging
- All access to personal data through the admin panel is logged with timestamp, user identity, and action performed.
- Webhook processing (including GDPR data requests and deletions) is logged with full audit trail.
- Admin authentication events (magic link requests, session creation) are recorded.
- Logs are stored securely and retained for review, accessible only to authorised compliance personnel.
Security incident response
We maintain a documented security incident response policy covering:
- Detection and classification of potential incidents.
- Immediate containment and impact assessment.
- Root cause analysis and remediation.
- Notification of affected parties.
Under the Australian Privacy Act (Notifiable Data Breaches scheme), we will notify the OAIC and affected individuals of eligible data breaches as soon as practicable.
For merchants: we will notify you directly if a breach affects your data or your customers' data.
Post-incident reviews are conducted to identify improvements and prevent recurrence.
To report a security concern, contact security@cartback.com.au.