Privacy Policy

1. Introduction

Cart Birds B.V., trading as 8ox (“we”, “us”, or “our”), registered in Amsterdam, the Netherlands, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you use the 8ox platform.

This policy applies to all users of the 8ox platform, including data obtained through integrations with third-party services such as advertising platforms, payment providers, and fulfillment partners.

2. Data Controller

The data controller responsible for the processing of your data is:

Cart Birds B.V. (trading as 8ox)
Warmoesstraat 155, 1012JC Amsterdam, the Netherlands
Chamber of Commerce (KVK): 70238642
VAT: NL858207801B01
Phone: +31 (0)20 3086 060
Email: hi@8ox.io

3. What Data We Collect

3.1 Account Information

When you register for an account, we collect:

• Name and email address
• Company or business name
• Account credentials (stored securely using industry-standard encryption)

3.2 Advertising Platform Data

When you connect advertising accounts (such as TikTok Ads, Meta Ads, Google Ads, or Microsoft Advertising), we access and process:

• Campaign, ad group, and ad-level performance data (impressions, clicks, conversions, spend)
• Advertising account identifiers and account structure
• Cost and budget metrics
• Conversion event data and attribution metrics
• Audience segment performance data (aggregated, non-personally identifiable)

We do not collect, store, or process:

• Personal data of individual end users who view or interact with your ads
• User-level behavioral data or browsing history of ad viewers
• Personally identifiable information (PII) of ad viewers such as names, emails, or phone numbers
• Content of private messages or user-generated content on third-party platforms

3.3 E-commerce and Transaction Data

When you use 8ox for e-commerce operations, we process:

• Order information (products, quantities, pricing, shipping details)
• Customer data necessary for order fulfillment (name, shipping address, email)
• Payment transaction references (we do not store full payment card details)
• Returns and refund records

3.4 Technical and Usage Data

We automatically collect limited technical data to maintain and improve the service:

• IP address and approximate location (country level)
• Browser type and device information
• Pages visited within the platform and feature usage
• Timestamps of access and interactions

4. How We Use Your Data

5. Third-Party Platform Data Handling

We access data from third-party advertising platforms through their official APIs in compliance with each platform's developer terms and data use policies. For all connected platforms:

• We only access data that you explicitly authorize through the platform's authentication flow (OAuth or equivalent)
• Data is used exclusively for providing reporting and analytics within the 8ox platform
• We do not share advertising data from one platform with another platform or with any third parties
• We do not use third-party platform data for purposes other than those described in this policy
• We do not sell or license any data obtained from third-party platforms
• Access tokens are stored securely and managed according to each platform's requirements
• You may revoke access at any time through the respective platform's settings or by contacting us

6. Data Sharing and Disclosure

We do not sell, rent, or trade your data. We may share data only in the following limited circumstances:

• Service providers: We use trusted third-party infrastructure providers (hosting, database, payment processing, fulfillment) that process data on our behalf under strict data processing agreements compliant with GDPR Article 28
• Payment processors: Transaction data is shared with our payment service provider (Mollie) to process payments securely
• Fulfillment partners: Order and shipping data is shared with fulfillment partners solely for the purpose of delivering orders
• Legal requirements: We may disclose data if required by law, court order, or governmental request
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction, subject to this Privacy Policy

7. Data Storage and Security

Your data is stored on servers located within the European Economic Area (EEA). We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication mechanisms
• Role-based access control (RBAC) to limit data access to authorized personnel
• Regular security assessments and monitoring
• Secure storage of API access tokens and credentials

8. International Data Transfers

We primarily store and process data within the EEA. Where data is transferred outside the EEA (for example, when connecting to US-based advertising platform APIs), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions.

9. Data Retention

• Account data: Retained for the duration of your account, deleted within 30 days of account termination
• Advertising performance data: Retained for the duration of your account to enable historical reporting, deleted within 30 days of account termination
• Order and transaction data: Retained as required by Dutch tax law (7 years for financial records)
• Technical logs: Retained for up to 90 days for security and debugging purposes

10. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate personal data
• Right to erasure: Request deletion of your personal data, subject to legal retention obligations
• Right to restriction: Request that we limit processing of your data in certain circumstances
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interest
• Right to withdraw consent: Where processing is based on consent, withdraw consent at any time

To exercise any of these rights, contact us at hi@8ox.io. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

11. Cookies

The 8ox platform uses strictly necessary cookies to maintain your session and authenticate your account. We do not use advertising or marketing cookies on the platform itself. For details, see our cookie settings within the platform.

12. Children's Privacy

The 8ox platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a revised “Last updated” date and, where appropriate, by email. Your continued use of the service after changes are posted constitutes acceptance of the revised policy.

14. Contact and Privacy Point of Contact

Cart Birds B.V. is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. However, for all privacy-related inquiries, requests, or complaints, you can reach our designated privacy point of contact at:

Cart Birds B.V. (trading as 8ox)
Attn: Privacy
Warmoesstraat 155, 1012JC Amsterdam, the Netherlands
Phone: +31 (0)20 3086 060
Email: hi@8ox.io