Privacy Policy

CartPilot (“we”, “us”, “our”) is a price-comparison service operated from Malta. We help you find the best grocery prices across Maltese supermarkets. You can reach us at hello@cartpilot.mt.

When you create an account we collect:

• Email address — used to sign in and send you alerts you have explicitly requested.
• Display name and town — optional profile fields you provide.
• Basket and watchlist contents — the products you save so we can show you prices and send price-drop alerts.

We also collect standard server logs (IP address, browser type, pages visited) for security and performance monitoring. These are retained for 30 days.

• To provide the CartPilot service and personalise it to your preferences.
• To send transactional emails: account confirmation, password reset, and watchlist price-drop alerts you have enabled.
• To detect abuse, prevent fraud, and keep the service secure.
• To understand aggregate usage patterns and improve CartPilot.

We do not sell, rent, or share your personal data with third parties for marketing.

For users in the European Union and Malta, we process your data on the following legal bases:

• Contract performance — processing your account data is necessary to deliver the service you signed up for.
• Legitimate interests — server logs and security monitoring.
• Consent — optional marketing communications (if and when we introduce them, we will ask explicitly).

CartPilot uses a single first-party session cookie to keep you signed in. We use PostHog for product analytics. PostHog is configured to anonymise IP addresses and does not use cross-site tracking cookies. No data is shared with advertising networks.

We keep your account data for as long as your account is active. If you request account closure, we will disable your account and delete your personal data from active systems within 30 days. Anonymised, aggregated data (e.g. total basket counts) may be retained indefinitely.

Under GDPR you have the right to access, correct, export, or erase your personal data. You also have the right to object to processing and to lodge a complaint with the Information and Data Protection Commissioner (IDPC) of Malta.

To exercise any of these rights, email hello@cartpilot.mt. We will respond within 30 days.

CartPilot relies on the following sub-processors:

• Supabase — database and authentication (hosted within the EU).
• Hetzner — cloud hosting (EU data centres).
• PostHog — product analytics (EU hosting option enabled).

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The date at the top of this page always reflects the most recent revision.