Privacy Policy

Last updated: 24 May 2026  ·  Carto Site Ltd  ·  Company No. 15847263

1 Introduction & Who We Are

Carto Site Ltd ("Carto Site", "we", "us", or "our") is a company registered in England and Wales under company number 15847263, with its registered office at 20 Fenchurch Street, Floor 14, London, EC3M 3BY, United Kingdom. We operate the online marketplace accessible at www.carto.site (the "Platform").

We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our Platform, register an account, make a purchase, or otherwise interact with our services. Please read this policy carefully and in full before using our Platform.

By accessing or using www.carto.site, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this policy, you must not use our Platform. This policy applies to all users of the Platform worldwide, including visitors, registered users, buyers, and sellers.

For the purposes of UK data protection law (including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018), Carto Site Ltd is the data controller of personal data collected through this Platform. We are registered with the Information Commissioner's Office (ICO) and comply with all applicable data protection legislation.

2 Information We Collect

We collect various categories of personal information depending on how you interact with our Platform. This includes information you provide directly, information collected automatically, and information received from third parties.

2.1 Information You Provide

When you create an account, we collect your username, email address, and password (stored in encrypted form). When placing an order, we collect your full name, delivery address, billing address, phone number, and payment information. Payment card details are processed directly by our payment processors and are not stored on our servers.

When you contact our customer support team via email (support@carto.site) or telephone (+44 20 3987 6543), we collect the content of your communications, including any personal information you choose to share. We retain these records to assist with follow-up enquiries and to improve our support services.

2.2 Information Collected Automatically

When you visit our Platform, we automatically collect certain technical information, including your IP address, browser type and version, operating system, device identifiers, pages visited, time spent on pages, referring URLs, and clickstream data. This information is collected using cookies and similar tracking technologies.

We also collect log data, which includes information that your browser sends whenever you visit our Platform, such as server request times, error logs, and hardware settings. This data is used primarily for security monitoring and performance optimisation.

2.3 Payment Information

All payment transactions are processed by PCI DSS-compliant third-party payment processors. We do not store full credit or debit card numbers on our systems. We may retain the last four digits of a card number and expiry date for transaction reference purposes only.

3 How We Use Your Information

We use your personal information for a range of purposes related to the operation of our Platform and the provision of our services. We will only use your data for the purposes for which it was collected or for compatible purposes.

  • Account Management: To create and manage your account, verify your identity, and provide access to Platform features.
  • Order Processing: To process, fulfil, and deliver your orders; handle returns and refunds; and communicate order status.
  • Customer Support: To respond to enquiries, resolve disputes, troubleshoot problems, and provide technical assistance.
  • Platform Improvement: To analyse usage patterns, conduct research, test features, and improve performance and security.
  • Marketing Communications: With your consent, to send promotional emails and personalised offers. You may opt out at any time.
  • Legal Compliance: To comply with applicable laws, regulations, court orders, and requests from public authorities.
  • Fraud Prevention: To detect, investigate, and prevent fraudulent transactions and illegal activities.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes without your explicit consent.

5 Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements. Retention periods depend on the type of data and purpose of collection.

Account data is retained for the duration of your account and for seven (7) years after account closure, in accordance with UK tax law. Transaction data including order history and payment records is retained for a minimum of six (6) years as required by HMRC.

Customer support communications are retained for three (3) years after the date of communication. Marketing consent records are retained for the duration of our relationship plus three (3) years.

When personal data is no longer required, we will securely delete or anonymise it. Anonymised data may be retained indefinitely for statistical purposes as it can no longer identify you.

6 Data Sharing & Third Parties

We may share your personal information with trusted third-party service providers who assist us in operating our Platform. These parties are permitted to use your data only as instructed by us and are bound by appropriate data processing agreements.

Categories of third parties include: payment processors, logistics and delivery partners, cloud hosting providers, email service providers, and analytics providers.

We may also disclose your personal data to regulators, courts, or authorities where legally required, or to protect our legal rights or the safety of others.

In the event of a merger, acquisition, or business sale, your personal data may transfer to the acquiring entity with prior notice to you.

7 International Data Transfers

As a global marketplace, some service providers are located outside the United Kingdom. Where we transfer personal data to countries not covered by UK GDPR adequacy regulations, we ensure appropriate safeguards are in place including UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses approved by the ICO.

If you are located outside the UK, your information may be transferred to, stored, and processed in the United Kingdom and other countries in accordance with this Privacy Policy.

8 Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights. We will respond to all valid requests within one calendar month:

  • Right of Access: Request a copy of personal data we hold about you (Subject Access Request).
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion where there is no compelling reason to continue processing.
  • Right to Restriction: Request restricted processing in certain circumstances.
  • Right to Data Portability: Receive data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or direct marketing at any time.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.

To exercise any right, contact us at privacy@carto.site. We may verify your identity before processing requests.

9 Security

We implement appropriate technical and organisational measures including SSL/TLS encryption, encrypted password storage, firewalls, intrusion detection systems, regular security audits, and staff access controls to protect your personal data against unauthorised access, loss, or alteration.

All payment transactions are processed over encrypted connections using PCI DSS-compliant systems. We do not store sensitive payment card data on our servers.

No method of internet transmission is completely secure. In the event of a data breach likely to risk your rights, we will notify you and the ICO in accordance with our legal obligations.

10 Children's Privacy

Our Platform is not intended for use by children under 16. We do not knowingly collect personal data from children under 16. If you are under 16, please do not use our Platform or provide any personal information.

If we become aware of data inadvertently collected from a child under 16, we will immediately delete it. Contact privacy@carto.site if you believe we may have such data.

11 Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy on our Platform with a revised "Last updated" date and, where appropriate, by email notification.

Your continued use of our Platform after any changes constitutes acceptance of the updated policy.

12 Contact & Complaints

For questions, concerns, or complaints about this Privacy Policy or our data practices, contact our Data Protection team:

Carto Site Ltd — Data Protection

20 Fenchurch Street, Floor 14, London, EC3M 3BY, UK

Email: privacy@carto.site

Tel: +44 20 3987 6543

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113  ·  www.ico.org.uk