Privacy Policy

1. Who we are

Cartapacks is operated by Carta International Limited, registered in Hong Kong SAR with offices at Unit B, 11/F, 23 Thomson Road, Wan Chai, Hong Kong. We're the data controller for the information described here. Privacy questions: privacy@cartapacks.com. General contact: hello@cartapacks.com.

2. What we collect

When you create an account. Your email and password. Passwords are stored as a salted hash — we never see the plain text.

When you buy a pack. The items in your order, the amount paid, and the date. Card details go directly to our payment processor (Stripe); we receive a token, the last four digits, and the card brand — never the full number or CVC.

When you request a shipment. The destination address, courier choice, and the tracking number returned.

When you visit the site. IP address, browser type, language, pages visited, and timing. This is used for security and basic operations.

When you contact us. The email or message you send and any attachments.

3. How we use it

• ·to run your account — sign-in, vault, order history
• ·to process payments and arrange shipping
• ·to respond to your questions and support requests
• ·to detect and prevent fraud, abuse, or terms violations
• ·to comply with legal obligations (tax, customs declarations)
• ·to send you transactional emails (receipts, password resets, shipping notifications)

We don't use your data for behavioural advertising and we don't sell it. The only marketing email we send is the optional weekly drop list, which you opt into at signup and can unsubscribe from at any time.

4. Cookies and local storage

We use a small set of strictly necessary cookies and browser storage:

• ·an httpOnly session cookie (cp_session) so we know who you are after you sign in,
• ·a guest cart cookie (cp_cart) so your basket survives if you close the tab before signing in,
• ·browser localStorage to remember the last email you typed (cartapacks_last_email) so we can autofill the sign-in form.

We don't use third-party tracking cookies. No Facebook Pixel, no Google Ads remarketing, no cross-site advertising IDs.

5. Who we share it with

We share data only with the providers we need to run the service:

• ·Stripe — payment processing
• ·Shipping couriers — your choice at ship-time, to deliver your cards
• ·Email provider — transactional emails (receipts, password reset, shipping notifications)
• ·Hosting and cloud infrastructure — to run the site and store your data

Each of these is bound by data processing agreements appropriate to your jurisdiction.

We may also disclose data when we're legally required to (court order, tax authority, or law enforcement request that meets legal standards). We don't sell, rent, or trade your data.

6. Where we keep it

Our primary servers are in Hong Kong. Some processors (Stripe, our email provider) store data in their own regions globally. If you're in the EU, UK, or another jurisdiction with cross-border transfer rules, this means your data may be transferred outside that region. Where applicable, we rely on standard contractual clauses with our processors.

7. How long we keep it

• ·Account and vault data — while your account is active, plus 24 months after closure for tax and dispute reasons
• ·Order and payment records — 7 years (Hong Kong tax retention)
• ·Web access logs — 90 days, used for security and abuse detection
• ·Marketing email opt-in — until you unsubscribe

You can request deletion at any time (see Section 8). We honour those requests subject to the retention obligations above.

8. Your rights

If you're in the EU, UK, California, or any other jurisdiction with comparable data protection laws, you have the right to:

• ·ask what data we hold about you
• ·correct any errors
• ·delete your data, subject to retention obligations above
• ·export your data in a portable, machine-readable format
• ·object to certain uses, or restrict processing
• ·withdraw consent for marketing email at any time
• ·complain to your local data-protection authority

To exercise any of these, email privacy@cartapacks.com. We respond within 30 days, free of charge for ordinary requests.

9. How we protect it

• ·passwords are hashed with industry-standard algorithms
• ·card data goes directly to Stripe — we never receive or store it
• ·HTTPS everywhere, with HSTS
• ·access to your data is restricted to staff who need it for support or operations
• ·admin access is logged for audit

No security is perfect. If we discover a breach affecting your data, we'll notify you and the relevant authorities without undue delay, as required by applicable law.

10. Children

Cartapacks isn't directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe a child has given us their data, email privacy@cartapacks.com and we'll delete it.

11. Changes

We may update this policy as the service evolves. Material changes will be communicated by email and on the site at least 14 days before they take effect. The "Last updated" date at the top will always reflect the current version.

12. Contact

For privacy questions or rights requests: privacy@cartapacks.com.