← Back to CaratOS

Privacy Policy

Last updated: 1 July 2026

1. What this covers

This policy describes how CaratOS handles data for firms and staff using the Service — inventory, customer records, invoices, cash flow, and related business data.

2. Data we store

3. Data isolation

Each firm's data is isolated from every other firm's account. Staff accounts within a firm see only what their assigned role permits — for example, Sales Mode access without visibility into cash flow totals.

4. How we use data

Business data is used solely to operate the Service for your firm: displaying inventory, generating invoices, syncing across your devices, and powering features like the WhatsApp business assistant when enabled. We do not sell business data to third parties.

5. Third-party processors

Certain functionality relies on third-party services to operate — for example, cloud database hosting, and optionally Shopify or WhatsApp when a firm connects those integrations. Data shared with these services is limited to what's required for the feature to function.

6. Data retention

Business data is retained for as long as the firm account remains active. If a firm account is closed, associated data is handled according to applicable retention obligations.

7. Security

Access to firm data requires authentication, and staff permissions are scoped by role. Passwords are stored hashed, not in plain text.

8. Your choices

Firm administrators can manage staff access and permissions directly within CaratOS. For questions about data associated with your firm account, reach out through your CaratOS account.

9. Changes to this policy

We may update this policy as the Service evolves. Material changes will be reflected here with an updated date.

This is a general privacy policy for CaratOS. If your firm operates under specific data-protection regulations (e.g. requiring a Data Processing Agreement), have this reviewed by legal counsel before relying on it for compliance purposes.