Legal

Privacy Policy

Last updated on July 1, 2026. This page is maintained by Carto Catral SL to answer common questions about how we handle data.

Who we are

Carto Catral SL operates the Carto Catral customer platform. We are headquartered in Toronto, Canada, with team members distributed across Europe and North America.

What we collect

Account information you provide (name, email, workspace), billing details (order ID, amount, currency — full card data is handled by our payment providers and never touches our servers), product usage telemetry (feature interactions, error reports), and content you send through the platform (campaigns, contacts, conversations). We do not sell personal information.

How we use it

To operate and improve the product, provide support, prevent abuse, and comply with legal obligations. We never train external AI models on your customer data without your explicit opt‑in.

Legal bases (GDPR)

We rely on contract (to deliver the service you purchased), legitimate interest (to keep the platform safe and improve it), consent (for non‑essential cookies and marketing email), and legal obligation (tax, accounting, and lawful requests).

Data retention

Account data is kept for as long as your workspace is active and for up to 90 days after deletion so we can recover from accidental removal. Billing records are retained for 7 years to meet tax obligations. Aggregated, non‑identifiable analytics may be kept indefinitely.

Where it lives

Data is stored in the region you select at signup (EU, US, or APAC). Backups are encrypted at rest and in transit. Only a small number of trained engineers can access production systems, and every access is logged.

Your rights

You may access, correct, export, or delete your personal information at any time from your account settings, or by writing to [email protected]. We respond to verified requests within 30 days.

International transfers

When data moves between regions we rely on Standard Contractual Clauses and additional safeguards described in our Data Processing Addendum, available on request at [email protected].

Sub‑processors

We use a small set of infrastructure and security providers. A current list is available on request and in your workspace settings.

Cookies

We use a minimal set of first‑party cookies for authentication and product analytics. See our Cookie Policy for the full list and control non‑essential cookies from the banner shown on your first visit.

Children

Carto Catral is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact [email protected] and we will delete it.

Security incidents

In the event of a personal data breach that is likely to affect you, we notify the relevant supervisory authority within 72 hours where required, and affected customers without undue delay. Report suspected issues to [email protected].

Changes to this policy

We update this policy from time to time. Material changes are announced in‑product and by email at least 14 days before they take effect.

Contact us

Questions? Reach the privacy team at [email protected].

This page is app‑owner editable content, not a certification or legal advice.