Last updated: 1 July 2026
This policy describes how CaratOS handles data for firms and staff using the Service — inventory, customer records, invoices, cash flow, and related business data.
Each firm's data is isolated from every other firm's account. Staff accounts within a firm see only what their assigned role permits — for example, Sales Mode access without visibility into cash flow totals.
Business data is used solely to operate the Service for your firm: displaying inventory, generating invoices, syncing across your devices, and powering features like the WhatsApp business assistant when enabled. We do not sell business data to third parties.
Certain functionality relies on third-party services to operate — for example, cloud database hosting, and optionally Shopify or WhatsApp when a firm connects those integrations. Data shared with these services is limited to what's required for the feature to function.
Business data is retained for as long as the firm account remains active. If a firm account is closed, associated data is handled according to applicable retention obligations.
Access to firm data requires authentication, and staff permissions are scoped by role. Passwords are stored hashed, not in plain text.
Firm administrators can manage staff access and permissions directly within CaratOS. For questions about data associated with your firm account, reach out through your CaratOS account.
We may update this policy as the Service evolves. Material changes will be reflected here with an updated date.