Legal
Privacy Policy
Last updated: June 21, 2026
MyCarts (“we”, “us”, “our”) helps users create, manage, and share wishlists, reading lists, vision boards, and related collections. We respect your privacy and aim to be transparent about the personal information we collect, how we use it, how long we keep it, and the choices you have.
This Privacy Policy is intended to explain our practices under applicable privacy laws, including the EU General Data Protection Regulation (“EU GDPR”), UK GDPR, and, where applicable, California privacy laws such as the CCPA/CPRA.
1. Who is responsible for your data?
Data Controller: Luiza Asyamova, operator of MyCarts
Privacy contact: luiza.asyamova@gmail.com
We plan to migrate privacy requests to privacy@mycarts.app once that mailbox is set up.
2. What data we collect
We collect only the information needed to operate, secure, and improve MyCarts.
Account information
This may include your email address, display name, optional nickname, profile picture if you sign in with Google, preferred currency, and language settings.
Authentication information
If you create an account with a password, we store a securely hashed (bcrypt) version of your password — we never see or store your original password. If you sign in with Google, Google handles authentication; we receive and store only your basic profile (name, email, profile picture) and a session token that keeps you signed in. We do not store your Google password, Google account ID, or OAuth access/refresh tokens.
Wishlist and collection content
This includes content you create or add to MyCarts, such as wishlist titles, occasions, dates, item URLs, item names, prices, currencies, uploaded images, fetched preview images, comments, notes, hints, and collection types such as wishlists, reading lists, or vision boards.
Public and shared content
Wishlists or collections you mark as Public are intentionally shareable and may be visible to anyone who visits the page. Content on public pages may include item titles, product links, images, prices, comments, notes, and wishlist details. Your private account information, such as your email address, password, login history, and private settings, is never shown publicly.
You can change a wishlist or collection from Public to Link-only or Private at any time.
Reservations
When someone marks an item as reserved or says “I’ll get this,” we may store an anonymous reservation identifier so the gift can remain a surprise from the wishlist owner.
Technical and security logs
We may collect IP address, browser type, device information, timestamps, authentication events, admin actions, and security-related logs. These logs help us protect the service, investigate abuse, and maintain reliability.
Cookies and similar technologies
We use strictly necessary cookies or tokens to keep you logged in and operate the service. We do not load analytics, marketing cookies, or non-essential tracking unless you give consent. You can change your cookie preferences later through the Manage cookies link in the footer.
3. Why we use your data
We process personal data only when we have a lawful basis to do so.
To provide the service
We use your account information, authentication data, wishlist content, and settings to create and manage your account, save your wishlists, display your collections, and provide the features you request. This processing is necessary to perform our contract with you.
To protect the service
We use technical logs, audit logs, and security events to prevent abuse, investigate suspicious activity, protect users, and maintain platform reliability. This is based on our legitimate interest in keeping MyCarts safe and functional. You may object to this processing, and we will consider your request unless we have compelling legitimate grounds to continue.
To respect your choices
If we introduce analytics, marketing cookies, newsletters, or optional tracking, we will ask for your consent first where required. You can withdraw consent at any time through cookie preferences or account settings.
To comply with legal obligations
We may process or retain certain information where required by law, legal request, dispute, or compliance obligation.
4. How long we keep your data
Account and wishlist data
We keep your account and wishlist content while your account is active.
Account deletion
If you delete your account, your account is deactivated immediately and scheduled for permanent deletion after a 30-day grace period. This gives you time to recover your account if deletion was accidental. If you log back in during this period, deletion may be cancelled.
After the 30-day period, your account and personal data are permanently deleted or anonymized unless we are legally required to keep specific information.
Comments on other people’s wishlists
If you wrote comments, hints, or notes on someone else’s wishlist, we may anonymize those comments after your account is permanently deleted by replacing your name with something like “[removed user].” Where possible, you may request full removal of comments you wrote.
Audit logs
Security, authentication, and admin audit logs are kept for up to 24 months and then deleted or anonymized, unless a longer retention period is required for legal, security, or abuse-prevention reasons.
Backups
We may keep rolling encrypted backups for up to 30 days. Backups are used only for disaster recovery and are not accessed during normal use.
5. Who we share data with
We do not sell your personal information.
We use trusted service providers to operate MyCarts. These providers process data on our behalf and are expected to protect it under appropriate contractual terms, including Data Processing Agreements where required.
Current or expected service providers may include:
- MongoDB Atlas — database hosting
- Google LLC — optional Google Sign-In
- Emergent — application hosting and deployment infrastructure
- Transactional email provider, such as Resend — if email notifications or account emails are enabled
Some providers may process data outside the UK or European Economic Area. Where required, international transfers are protected using appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.
6. Your rights
Depending on where you live, you may have rights over your personal data. These may include:
Access
You can ask for a copy of the personal data we hold about you.
Portability
Where available, you can download a JSON copy of your account and wishlist data through Settings → Privacy.
Correction
You can edit your profile information in settings or contact us for help correcting inaccurate data.
Deletion
You can delete your account through Settings → Privacy. Your account is deactivated immediately and permanently deleted after the 30-day grace period unless you restore it.
Restriction or objection
You can ask us to stop or limit certain processing activities. We will consider your request and respond according to applicable law.
Withdraw consent
Where processing is based on consent, such as optional analytics or marketing cookies, you can withdraw consent at any time using the Manage cookies link in the footer.
Complaint
You can complain to your local data protection authority. In the UK, this is the Information Commissioner’s Office. In the EU, this may be your national supervisory authority. In the United States, you may also have rights under applicable state privacy laws.
To exercise your rights, contact us at: luiza.asyamova@gmail.com
We aim to respond to verified privacy requests within 30 days.
7. California privacy notice
Where California privacy laws apply, California residents may have additional rights, including the right to know what personal information we collect, the right to request deletion or correction, the right to access personal information, and the right to opt out of sale or sharing.
MyCarts does not sell personal information. We also do not knowingly share personal information for cross-context behavioral advertising unless we clearly disclose this and provide any required opt-out controls.
8. Children
MyCarts is not directed at children under 13, or under 16 in the EU/UK where applicable. We do not knowingly collect personal data from children. If you believe a child has created an account or provided personal data, please contact us and we will take appropriate steps to remove it.
9. Security
We use reasonable technical and organizational measures to protect your data. These include password hashing with bcrypt, encrypted database connections using TLS, environment variables for secrets and credentials, access controls, and audit logging for admin actions.
No online service can be guaranteed to be completely secure, but we work to protect your information and respond promptly to security issues.
10. User-uploaded content and images
MyCarts lets users add product links, images, notes, comments, and other content to wishlists and collections. Users are responsible for the content they upload or add.
Images, item titles, product links, comments, and notes on public or shared wishlists may be visible to others. If you upload or add an image, you should only do so if you have the right to use it.
Copyright and content rules are explained further in our Terms & Conditions. If you believe content on MyCarts infringes your rights, please see our Copyright & Takedown process or contact us so we can review and remove it where appropriate.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify users by email where appropriate and/or display a notice on the site.
The Last updated date at the top of this page shows when the current version took effect.