Legal

Privacy Notice

How CartLink handles account, checkout, payment, receipt, and analytics data.

Last updated: 2 June 2026

This Privacy Notice is a starter notice and should be reviewed before production use.

This Privacy Notice explains how CartLink may collect, use, disclose, retain, and protect personal data.

1.

Who this notice applies to

This notice applies to CartLink account users, workspace members, sellers, customers who open checkout links, and visitors to public CartLink pages.

2.

Personal data we collect

We may collect account details, workspace and store details, contact channels, checkout customer details, payment references, receipts, subscription records, audit records, and support messages.

3.

Checkout and analytics data

When a customer opens a CartLink checkout page, we may log checkout page views, selected payment method, QR download clicks, payment proof clicks, gateway payment clicks, receipt views, receipt downloads, referral clicks, IP address, user agent, referer URL, approximate device/browser information, and anonymous visitor identifiers.

4.

How we use personal data

We use personal data to provide checkout links, process or verify payments, issue receipts, manage subscriptions, secure accounts, maintain audit logs, provide analytics to sellers, improve the service, and communicate service updates.

5.

Seller responsibilities

Sellers are responsible for ensuring they have a lawful basis or valid permission to collect and use customer information entered through their checkout links.

6.

Payment providers and third parties

If a seller connects ToyyibPay or another payment provider, payment-related data may be sent to that provider to create payment pages, process payments, verify callbacks, and issue receipts.

7.

Disclosure

We may disclose data to payment providers, hosting providers, email providers, analytics or security providers if used, professional advisers, authorities where legally required, and authorised workspace users.

8.

Cookies and identifiers

We may use cookies or similar identifiers to keep users signed in, protect accounts, remember checkout visitors, support repeat-customer prefill where enabled, and measure checkout activity.

9.

Security and retention

We apply reasonable technical and organisational safeguards. Personal data is retained only as long as needed for service, legal, accounting, audit, and dispute purposes.

Some records, including payment records, receipts, audit logs, security logs, and subscription records, may be retained even after an account or workspace is closed where required for legal, accounting, audit, dispute, or fraud-prevention purposes.

10.

Your choices and access rights

You may request access, correction, or deletion where applicable. Some records may need to be retained for legal, audit, payment, accounting, dispute, security, or fraud-prevention reasons.

11.

International processing

Some providers may process data outside Malaysia. Where this happens, we rely on contractual, technical, and organisational safeguards appropriate to the service.

12.

Contact

For privacy requests, contact the CartLink administrator using the official support channel published by the business.