1. Introduction
Cartivo ("we", "us", "our", or the "Service") is a social commerce application that helps Facebook Page owners convert customer comments on their posts into structured orders. This Privacy Policy explains what data we collect, why we collect it, how it is used and protected, and the choices available to you.
By using the Service, or by interacting with a Facebook Page that uses the Service, you acknowledge the practices described in this policy.
2. Data We Collect
2.1 Data from Facebook Page administrators (our users)
- Account credentials for the admin dashboard (username/email and a hashed password);
- Facebook Page identifiers and Page access tokens granted through the official Facebook Login (OAuth) flow;
- Product catalogue, inventory and order data entered by the administrator.
2.2 Data from Facebook users (Page customers)
When a customer comments on a post of a connected Facebook Page, we receive via Meta's Webhooks and Graph API:
- The public comment text (e.g. a product code such as "A12 size M");
- The commenter's Facebook name and Facebook user ID (as provided by the platform);
- The identifiers of the related post and comment, and the comment timestamp.
2.3 Technical data
- Standard server logs (IP address, request time, user agent) kept for security and troubleshooting;
- Session cookies strictly required for administrator authentication. We do not use advertising or third-party tracking cookies.
3. How We Use Data
We use the collected data exclusively to:
- Detect product codes in comments and create the corresponding orders;
- Associate an order with the customer who placed it so the seller can fulfil it;
- Manage inventory and prevent overselling;
- Maintain the security, integrity and reliability of the Service;
- Comply with legal obligations.
4. Meta Platform Data
The Service uses the Meta Graph API and Webhooks under Meta's official developer programme. Our use of data received from Meta Platforms, Inc. ("Platform Data") complies with the Meta Platform Terms and Developer Policies. In particular:
- We only request permissions that are necessary for the Service to function (e.g. reading comments on Pages the administrator has explicitly connected);
- Platform Data is used solely to provide the functionality described in this policy;
- Platform Data is never sold, licensed, or transferred to data brokers, advertising networks or other third parties;
- Page access tokens are stored encrypted and are used only to call the Graph API on behalf of the connected Page;
- Upon request by Meta or the Page administrator, or when access is revoked, related Platform Data is deleted.
5. Legal Basis for Processing (GDPR)
Where the EU General Data Protection Regulation applies, we process personal data on the following bases:
- Performance of a contract — processing a customer's comment to register and fulfil the order they requested;
- Legitimate interest — operating, securing and improving the Service;
- Legal obligation — retaining records where required by law (e.g. accounting).
6. Data Sharing
We share data only in these limited situations:
- With the Facebook Page owner whose post the customer commented on — they see the order details needed for fulfilment;
- With service providers that host our infrastructure, bound by confidentiality obligations;
- When required by law, court order or competent authority;
- With Meta Platforms, to the extent required by their audit and compliance processes.
7. Data Retention
- Order and comment data is retained for as long as needed to fulfil the order and meet legal record-keeping requirements;
- Server logs are retained for a limited period for security purposes and then deleted;
- When a Facebook Page is disconnected from the Service, its access tokens are invalidated and deleted;
- Data no longer needed is deleted or irreversibly anonymized.
8. Data Security
We apply technical and organizational measures appropriate to the risk, including:
- Encrypted storage of access tokens and sensitive settings;
- Password hashing for administrator accounts;
- HTTPS transport encryption, security headers and CSRF protection;
- Access to the admin dashboard restricted to authenticated administrators only.
9. Your Rights
Depending on your jurisdiction (including under the GDPR), you have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate data;
- Request deletion of your data ("right to be forgotten");
- Restrict or object to processing;
- Receive your data in a portable format;
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us using the details in Section 13.
10. Data Deletion Requests
You may request the deletion of your personal data at any time:
- Email us at griskusaugustinas@gmail.com with the subject "Data Deletion Request", including the name of the Facebook Page you interacted with; or
- Follow the instructions on our Data Deletion page.
We will confirm and complete verified deletion requests within 30 days.
11. Children's Privacy
The Service is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the Service where practicable. Continued use after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or how your data is handled, contact:
- Data controller: Augustinas Griškus, operating under individual activity as "Cartivo" (registered in the Republic of Lithuania)
- Address: Girios g. 15-14, Giraitės k., Užliedžių sen., Kauno r. sav. 54307, Lithuania
- Email: griskusaugustinas@gmail.com