cartapacks
Sign in
Last updated · 19 May 2026

Privacy Policy

This describes what data cartapacks collects, why, and what you can do about it. We try to keep it short and honest.

1. Who we are

Cartapacks is operated by Carta International Limited, Unit B, 11/F, 23 Thomson Road, Wan Chai, Hong Kong SAR, the data controller for the personal data described in this policy.

Privacy questions: privacy@cartapacks.com. General contact: our contact form.

2. What we collect

When you create an account. Your email and password. Passwords are stored as a salted hash. We never see the plain text.

When you buy a pack. The items in your order, the amount paid, and the date. Card details go directly to our payment processor (Stripe); we receive a token, the last four digits, and the card brand. Never the full number or CVC.

When you request a shipment. The destination address, courier choice, and the tracking number returned.

When you visit the site. IP address, browser type, language, pages visited, and timing. This is used for security and basic operations.

When you contact us. The email or message you send and any attachments.

3. How we use it

  • ·to run your account: sign-in, vault, order history
  • ·to process payments and arrange shipping
  • ·to operate the vault storage policy and notify you before any auto-trade-in
  • ·to respond to your questions and support requests
  • ·to detect and prevent fraud, abuse, or terms violations
  • ·to comply with legal obligations (tax, customs declarations)
  • ·to send you transactional emails (receipts, password resets, shipping notifications)

We don't use your data for behavioural advertising and we don't sell it. Any marketing email we may send is opt-in only, with one-click unsubscribe.

4. Cookies and local storage

We use cookies and browser storage to keep you signed in, remember your cart, and measure how the site is used in aggregate.

For analytics we use Google Analytics 4 via Google Tag Manager. It receives technical browsing data only. No name, email, or order details. You can opt out by blocking third-party cookies in your browser.

5. Who we share with

We share data only with the providers we need to run the service:

  • ·Stripe: payment processing.
  • ·Email provider: transactional emails (receipts, password resets, shipping notifications).
  • ·Fulfilment partners: vault custody, parcel preparation, and customs paperwork for shipments.
  • ·Shipping couriers: parcel delivery.
  • ·Cloudflare: site hosting, account data storage, and pack video hosting (via Cloudflare Stream).
  • ·Google Analytics 4 + Tag Manager: anonymous traffic and usage data (see section 4).

Each of these is bound by data processing agreements appropriate to your jurisdiction.

We may also disclose data when we're legally required to (court order, tax authority, or law enforcement request that meets legal standards). We don't sell, rent, or trade your data.

6. Where we keep it

The site runs on Cloudflare's global infrastructure. Other processors (Stripe, our email provider) store data in their own regions. If your jurisdiction has cross-border transfer rules, this means your data may be transferred outside that region. Where applicable, we rely on standard contractual clauses with our processors.

7. How long we keep it

  • ·Account and vault data: while your account is active, plus the order and payment retention period below
  • ·Pack videos: while your account is active
  • ·Order and payment records: 7 years (Hong Kong tax retention)
  • ·Web access logs: 90 days, used for security and abuse detection
  • ·Marketing email opt-in: until you unsubscribe

You can request deletion at any time (see Section 8). We honour those requests subject to the retention obligations above.

8. Your rights

Depending on where you live, you may have the right to:

  • ·ask what data we hold about you
  • ·correct any errors
  • ·delete your data, subject to retention obligations above
  • ·export your data in a portable, machine-readable format
  • ·object to certain uses, or restrict processing
  • ·withdraw consent for marketing email at any time
  • ·complain to your local data-protection authority

To exercise any of these, email privacy@cartapacks.com. We respond within 30 days, free of charge for ordinary requests.

9. How we protect it

  • ·passwords are hashed with industry-standard algorithms
  • ·card data goes directly to Stripe. We never receive or store it
  • ·HTTPS everywhere, with HSTS
  • ·access to your data is restricted to staff who need it for support or operations
  • ·admin access is logged for audit

No security is perfect. If we discover a breach affecting your data, we'll notify you and the relevant authorities without undue delay, as required by applicable law.

10. Children

Cartapacks isn't directed at children. If you're under the age of digital consent in your country, a parent or legal guardian must consent before you create an account, and is responsible for it. If you believe a child has given us their data without that consent, email privacy@cartapacks.com and we'll delete it.

11. Changes

We may update this policy as the service evolves. Material changes will be communicated by email and on the site at least 14 days before they take effect. The "Last updated" date at the top will always reflect the current version.

12. Contact

For privacy questions or rights requests: privacy@cartapacks.com.