1. Introduction

Welcome to Eaglecart ("we," "us," or "our"). Eaglecart is a unified commerce platform enabling merchants ("you" or "Merchants") to manage online stores, Point of Sale (POS) systems, and Warehouse Management (WMS) operations.

We value your trust and are committed to protecting the privacy of you and your customers. This Privacy Policy explains how we collect, use, and safeguard personal information, in compliance with applicable data protection laws, including the UAE Personal Data Protection Law (PDPL), GDPR, and CCPA.

2. Roles & Definitions

Eaglecart operates in two distinct roles regarding data processing:

• Data Controller: We act as the controller for your direct account data (e.g., your Merchant registration details) to deliver our services to you.
• Data Processor: For your end-customers' information (e.g., shoppers on your store), you are the Controller. Eaglecart acts solely as the Data Processor, processing this data only on your instructions.

3. Information We Collect

A. Merchant Data

• Account Details: Name, email address, phone number, and password.
• Business Information: Store name, trade license documents, VAT/Tax IDs, and physical business address.
• Financial Data: Payment card or bank information (processed securely via tokenization).

B. Customer Data

• Transaction Data: Name, shipping/billing addresses, email, and phone number.
• Order Details: Products purchased, payment methods used, and transaction amounts.
• Device & Usage: IP address, browser type, device information, and timestamps used for security audits and analytics.

4. How We Use Your Information

We use the collected data for the following purposes:

• Service Delivery: To process orders, manage inventory, and enable payment and shipping integrations.
• Platform Enhancement: To analyze usage trends, improve features, and train AI-based analytics tools.
• Communication: To send invoices, system notifications, feature updates, and security alerts.
• Security & Fraud: To detect and mitigate unauthorized access, malicious activity, or fraudulent transactions.
• Legal Compliance: To report to authorities when required and fulfill tax/VAT obligations.

5. Data Storage & Security

We employ industry-standard measures to protect data:

• Hosting: Data is hosted primarily on Amazon Web Services (AWS) with redundancy across AP, ME, EU, and US regions.
• Encryption: We use TLS/SSL encryption for data in transit and AES-256 encryption for data at rest.
• Protection: Our infrastructure is protected by Cloudflare WAF and DDoS mitigation systems.
• Access Control: Access to personal data is restricted to authorized personnel and subject to periodic security audits.

6. Sharing Information

We do not sell or rent personal data. We share information only in the following circumstances:

• Sub-processors: Trusted infrastructure providers like AWS and Cloudflare.
• Payment & Logistics: Integrated partners such as Stripe, Telr, Tabby, and shipping carriers (data shared strictly for processing transactions).
• Legal Obligations: Compliance with court orders, government requests, or tax authorities.

7. Your Rights

Depending on your jurisdiction, you have the following rights regarding your data:

• Access & Export: You may request a copy of your personal data.
• Correction: You have the right to update inaccurate or incomplete information.
• Deletion: You may request account or data deletion (subject to legal retention requirements).
• Data Portability: Merchants can export orders, customers, and product data via the dashboard.

8. Cookies & Tracking

We use cookies to maintain session security, remember dashboard preferences, and analyze platform usage. Users can control cookie settings via their browser, though disabling them may affect platform functionality.

9. Retention & Deletion

• Account Data: Retained as long as your account is active or as legally required for tax and audit purposes.
• Customer Data: Retained based on your instructions as the Data Controller.
• Deletion: Upon account termination, data is securely erased following our standard backup retention cycles.

10. International Transfers

Eaglecart is a global platform. Data may be processed outside your country of residence. We ensure all cross-border transfers comply with applicable laws (such as GDPR adequacy decisions) and are protected by standard contractual clauses and strict security safeguards.

11. Data Breach Response

In the unlikely event of a data breach, Eaglecart has a dedicated incident response plan. We will notify affected Merchants within legal timelines (e.g., 72 hours under UAE PDPL/GDPR) and provide assistance to mitigate risks to your business and customers.

12. Children’s Privacy

Eaglecart does not knowingly collect personal data from children under the age of 18. If we become aware that we have inadvertently collected such data, we will take immediate steps to delete it from our servers.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or for other operational, legal, or regulatory reasons. Material updates will be communicated to you via dashboard notifications or email.