Privacy Policy

1. Introduction

Shopping Cart Holdings, Inc., doing business as Monotote ("Company," "we," "us," or "our"), respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Catchevo mobile application (the "App") and website (https://catchevo.ai, the "Website").

Please read this Privacy Policy carefully. By using the App or Website, you consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our services.

This Privacy Policy should be read together with our Terms and Conditions, which govern your use of the App and Website.

2. Who We Are

For the purposes of applicable data protection laws, the data controller of your personal data is:

3. Information We Collect

We collect information in several ways when you use our App and Website.

3.1 Information You Provide Directly

Account Information:

• Email address
• Phone number (if you choose SMS verification)
• Name and profile information (if you use social login via Google or Apple)
• Profile picture (optional)

User Preferences:

• Preferred clothing and shoe sizes
• Notification timing preferences
• Communication channel preferences (push, email)
• Country/region

3.2 Subscription and Payment Data

When you purchase a subscription or catch pack, we receive the following via Apple App Store, Google Play Store, and our subscription management provider RevenueCat:

• Subscription tier and plan type
• Purchase date, renewal status, and expiry date
• Transaction identifier and country of purchase

We do not receive your full payment card details or billing address. These are handled directly and exclusively by Apple App Store or Google Play Store.

3.3 Product Page Data Capture

What is Captured:

• A snapshot image of the product page content displayed within the WebView
• Page structure data
• The URL of the product page

What is NOT Captured:

• System-level elements (device time, battery status, signal strength)
• Checkout pages, payment pages, or login pages
• Any content outside the WebView
• Platform-protected content (automatically blocked by iOS/Android)

When Capture Occurs: Data capture only occurs when you explicitly take action (e.g., tapping "Set Catch"). No data is transmitted off device while you are simply browsing. You are in full control of when data capture occurs.

3.4 Image Search (Camera and Photo Library)

The App includes an Image Search feature. With your permission, we use your device camera to capture a photograph of a physical product, or access photos you select from your photo library, to identify a product and set a catch.

• Camera access: Used solely to capture product images when you initiate Image Search
• Photo library access: Used solely when you choose to select an existing photo for Image Search or to set a profile picture
• Images are uploaded to our servers only after you tap the confirmation button ("Set Catch")
• Uploaded images are processed by AI services to identify the product
• Images are not retained by us or our AI providers for model training purposes

3.5 Device and Technical Information

We automatically collect the following device and technical information:

• Device type, model, and manufacturer
• Operating system and version
• App version
• Unique device identifiers
• IP address
• General location (country/region level, derived from IP address)
• Push notification token and your unique OneSignal subscription ID (used to deliver catch result notifications to your device)
• Crash and error reports (via Firebase Crashlytics)

3.6 Usage and Behavioural Data

We collect data about how you use the App, including:

• Products searched, viewed, and caught
• Catch types set (price drop, restock, variant)
• Notification interactions (opens, click-through rates)
• Search queries and patterns
• Price sensitivity thresholds
• Retailer preferences
• Session duration and frequency
• Feature usage patterns and button taps
• Onboarding completion rates
• Subscription tier and retention data
• Referral source

3.7 Information from Third Parties

Social Login Providers: If you sign in using Google or Apple, we receive your name, email address, and profile picture from those services.

Analytics Providers: We may receive aggregated analytics data from our analytics partners.

4. How We Use Your Information

4.1 Providing Our Services

• Creating and managing your account
• Processing and running your catches
• Sending notifications when your caught products meet your criteria
• Identifying products from captured page data and images using AI processing
• Finding matching products across hundreds of online retailers
• Managing catch credit balances and subscription entitlements

4.2 AI Processing of Product Data

When you capture a product page or use Image Search, the captured data is sent to our servers and processed by artificial intelligence services to extract structured product information.

• Only product data is processed: The AI extracts product name, price, availability, variants, stock status, and product images
• No personal user data is sent to AI providers: Your name, email, phone number, and other personal information are never transmitted to third-party AI services for product extraction
• Active AI providers: We primarily use Google (Gemini) and Anthropic (Claude) for product extraction and analysis. We may add or change providers as needed to improve our services
• AI providers are contractually prohibited from using your product data to train their own models

4.3 Improving and Personalising Our Services

• Analysing usage patterns to improve app functionality
• Personalising your experience based on your preferences
• Recommending sizes based on your past selections
• Identifying and fixing bugs and errors

4.4 Communications

• Sending catch results and notifications you have requested
• Responding to your inquiries and support requests
• Sending important account and service updates

4.5 Analytics and Research

• Understanding shopping trends and product demand
• Conducting market research using aggregated, anonymised data
• Improving our product catching algorithms and source coverage

4.6 Legal and Safety

• Complying with legal obligations
• Enforcing our Terms and Conditions
• Protecting against fraud and unauthorised access
• Protecting the rights and safety of our users

5. Legal Bases for Processing (GDPR)

For users in the European Union, United Kingdom, and European Economic Area, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide you with the services you have requested (account creation, catch processing, notifications, subscription management)
• Consent: Where you have given us specific consent to process your data (e.g., camera access for Image Search, marketing communications, product page capture)
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, conducting analytics, and preventing fraud, where these interests are not overridden by your rights
• Legal Obligation: Processing necessary to comply with legal requirements

6. How We Share Your Information

We do not sell your personal data. We may share your information in the following circumstances:

6.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

AI Processing Providers:

• Google (Gemini) – primary product extraction and image analysis (product data only, no personal user data)
• Anthropic (Claude) – product relevancy and matching (product data only, no personal user data)

Subscription Management:

• RevenueCat – manages subscription state, entitlements, catch credit balances, and purchase attribution

Analytics and Crash Reporting:

• Mixpanel – product analytics and user behaviour tracking (usage data for app improvement)
• Firebase Crashlytics – automatic crash reporting and app stability monitoring
• Firebase Remote Config – feature flag management (no personal data collection)

Notifications:

• OneSignal – push notification delivery
• Mailgun – transactional email delivery

Authentication:

• Google Sign-In – optional third-party authentication
• Apple Sign in with Apple – optional third-party authentication (iOS)

Domain Reputation Checking:

• ScamAdviser – used to verify the trustworthiness of retailer domains before delivering catch results to users. Domain-level data only; no personal user data is shared

Payment Processing:

• Apple App Store – iOS in-app purchases and subscription billing
• Google Play Store – Android in-app purchases and subscription billing

6.2 Aggregated and Anonymised Data

We may share aggregated, anonymised data that cannot identify individual users. This includes market trends and product demand insights, shopping behaviour patterns, price sensitivity analysis by product category, regional shopping trends, and seasonal shopping patterns. This anonymised data may be shared with business partners, researchers, or other third parties for commercial purposes. Because this data is aggregated and anonymised, it cannot be used to identify you personally.

6.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect our rights, privacy, safety, or property.

6.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law.

• Account Data: Retained while your account is active and for up to 30 days after account deletion to allow for account recovery
• Product Page Captures and Images: Retained for up to 12 months or until the catch is resolved, whichever is shorter
• Usage and Analytics Data: Retained for up to 12 months in identifiable form; may be retained longer in anonymised form
• Subscription and Transaction Data: Retained for up to 7 years for legal and tax compliance purposes
• Anonymised Data: May be retained indefinitely as it cannot be used to identify you

8. Data Storage and Security

8.1 Where We Store Your Data

Your personal data is primarily processed and stored on servers within the United States and European Union. We utilise cloud infrastructure providers that maintain appropriate security standards. When data is stored or processed outside your home jurisdiction, we ensure appropriate safeguards are in place as described in Section 8.2.

8.2 International Transfers

Some of our service providers (including AI processing providers and analytics services) may be located outside the European Economic Area. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or reliance on adequacy decisions issued by the European Commission.

8.3 Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS) and at rest
• Access controls and multi-factor authentication
• Regular security assessments
• Secure storage of authentication tokens in device keychains

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights

Depending on your location, you may have certain rights regarding your personal data.

9.1 Rights for All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data (subject to certain exceptions)
• Opt-out: Opt out of marketing communications at any time

9.2 Additional Rights for EU/UK/EEA Users (GDPR)

• Restriction: Request restriction of processing of your personal data
• Portability: Receive your personal data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge a Complaint: Lodge a complaint with your local data protection authority

9.3 Additional Rights for California Residents (CCPA/CPRA)

• Right to Know: Request information about the categories and specific pieces of personal information we have collected
• Right to Delete: Request deletion of your personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Opt-Out of Sale: We do not sell personal information as defined by the CCPA

9.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@catchevo.ai or dpo@catchevo.ai. We will respond to your request within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

10. Account Deletion

You may delete your account at any time through the App settings or by contacting us at support@catchevo.ai. When you delete your account:

• Personal Data Deletion: Your personal data (email, phone number, name, preferences, subscription history) will be permanently deleted within 30 days
• Catch Credit Balances: Remaining catch credits are forfeited upon account deletion and are not refundable
• Anonymised Data Retention: Data that has been anonymised and cannot be linked back to you may be retained for analytical and research purposes
• Legal Retention: Certain data, including transaction records, may be retained if required by law or for legitimate business purposes such as fraud prevention or tax compliance

11. Cookies and Website Tracking

Our Website (https://catchevo.ai) uses cookies and similar tracking technologies.

11.1 Types of Cookies We Use

• Essential Cookies: Required for basic website functionality
• Analytics Cookies: Help us understand how visitors interact with our website
• Preference Cookies: Remember your settings and preferences

11.2 Managing Cookies

You can control cookies through your browser settings. Disabling cookies may affect some website functionality. For EU/UK users, we will request your consent before placing non-essential cookies.

12. Children's Privacy

Our App and Website are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information as quickly as possible.

For users aged 13–16 in the European Union, parental consent may be required for data processing. If you are a parent or guardian and believe your child has provided personal information without your consent, please contact us at privacy@catchevo.ai.

13. Third-Party SDKs

The following third-party software development kits (SDKs) are integrated into our App. Each SDK is governed by its own privacy policy. We have listed the data handling purpose of each below:

Data-collecting SDKs:

• Mixpanel – product analytics and user behaviour tracking. Privacy policy: mixpanel.com/legal/privacy-policy
• Firebase Crashlytics – automatic crash reporting. Privacy policy: firebase.google.com/support/privacy
• Firebase Remote Config – feature flag delivery (configuration data only, no personal data collected). Privacy policy: firebase.google.com/support/privacy
• OneSignal – push notification delivery. Privacy policy: onesignal.com/privacy_policy
• RevenueCat – subscription management and purchase attribution. Privacy policy: revenuecat.com/privacy
• Google Sign-In – optional authentication. Privacy policy: policies.google.com/privacy
• Apple Sign in with Apple – optional authentication (iOS). Privacy policy: apple.com/legal/privacy

UI and utility libraries (no data collection):

• Lottie – animation rendering (iOS/Android). No data collected.
• Kingfisher – image loading and caching (iOS). No data collected.
• PhoneNumberKit – phone number formatting (iOS). No data collected.
• Coil – image loading (Android). No data collected.

By default, none of the listed SDKs use your data to train AI models. Mixpanel has an opt-in AI training toggle which remains disabled in our implementation.

14. Third-Party Links

Our App and Website may contain links to third-party websites, including retailer websites. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party websites you visit.

15. California Privacy Notice

This section provides additional information for California residents as required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

15.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers (email address, phone number, device identifiers, push notification token)
• Internet or network activity (browsing history within our app, catch history, interactions with our services)
• Geolocation data (general location based on IP address)
• Commercial information (subscription history, catch credit purchase history)
• Inferences drawn from the above (shopping preferences, product interests, price sensitivity)

15.2 Sale of Personal Information

We do not sell your personal information as defined by the CCPA. We may share anonymised, aggregated data that cannot identify you, which does not constitute a "sale" under the CCPA.

15.3 Do Not Sell My Personal Information

Although we do not sell personal information, we respect your choice to opt out. If you wish to exercise your opt-out right or have questions, please contact us at privacy@catchevo.ai.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. We will notify you of any material changes by posting the updated Privacy Policy on our Website and in the App, updating the "Last Updated" date at the top of this policy, and sending you a notification through the App or by email for significant changes. We encourage you to review this Privacy Policy periodically.

17. Contact Us