Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Cartful is a US-based AI shopping assistant for e-commerce stores. It loads as an on-site, chat-style widget, asks visitors guided questions, ingests the merchant product catalogue and builds a shopper profile to deliver personalised product recommendations. Cartful tracks browsing behaviour, clicks, cart events and chat responses across sessions and stores them on US cloud infrastructure. For European deployments this combines non-essential analytics, behavioural profiling and a Schrems II transfer, all of which require GDPR consent and a transfer assessment.
Cartful is an AI-driven shopping assistant for e-commerce stores, operated by Cartful Solutions Inc. from the United States. It is delivered as a JavaScript widget that loads on category, product and cart pages and engages visitors in a chat-style conversation: a few targeted questions about preferences, then ranked product suggestions drawn from the merchant catalogue. Cartful is sold to mid-market and enterprise retailers as a conversion-lift and personalisation tool, and is typically integrated through Shopify, BigCommerce or custom platforms via a tag, a Storefront API key and a catalogue feed.
From a data protection perspective Cartful sits at the intersection of analytics, behavioural profiling and decision support. Its core value depends on building and reusing a shopper profile across sessions and pages, which makes it unambiguously a non-essential, consent-based service under European law.
Cartful sets persistent first-party cookies and local storage entries to identify the same shopper across sessions, store the recommendation profile and remember chat history. It collects IP address, device and browser fingerprint, page URL, referrer, UTM parameters, click and scroll events, products viewed, time on page, add-to-cart and checkout events, the merchant catalogue (product IDs, attributes, prices), and the answers the visitor gives to the assistant. When the merchant enables it, Cartful can also receive logged-in customer identifiers or an email address captured through a sign-up flow.
That stream is sent to Cartful APIs hosted on AWS in the United States. Cartful then builds a derived preference profile (style, size, occasion, budget, brand affinity) and stores it under a persistent identifier to feed future recommendations. Profiles and event histories are retained for the contractual lifetime of the merchant account.
Two layers of European law apply. Article 5(3) of the ePrivacy Directive (and its national transpositions: CNIL guidelines, paragraph 25 TDDDG, AEPD Guía Cookies) requires prior consent to read or write the Cartful cookie and local storage. Article 6 GDPR requires a separate legal basis for the underlying processing of personal data; given the profiling component, the EDPB Guidelines 03/2022 on dark patterns and Guidelines 8/2020 on targeting recommend explicit, granular consent. Article 22 GDPR may also come into play if recommendations are presented in a way that produces significant effects without meaningful human review.
The script must not load and the widget must not render before a positive consent is recorded by the consent management platform. Consent should be explicit, informed and granular, presented with the same prominence as the accept button, and as easy to refuse as to accept. The legal basis under Article 6 GDPR is consent (Art. 6(1)(a)). Legitimate interest is unlikely to survive a balancing test, because the processing involves persistent profiling for marketing influence and a transfer to a country without a full adequacy decision, unless the importer is DPF certified.
Cartful Solutions Inc. is established in the United States and hosts production data in AWS US regions. Transfers from the EEA rely on the EU-US Data Privacy Framework where Cartful or its sub-processors are certified, with EU Standard Contractual Clauses (2021/914) as fallback for any uncovered transfer, plus a transfer impact assessment that addresses FISA 702 and Executive Order 12333 in line with Schrems II (CJEU C-311/18). Even with DPF coverage the CNIL, the BfDI and the AEPD expect merchants to document the data flows, the categories transferred, the retention at the importer, and the supplementary technical measures (encryption, pseudonymisation, access controls).
Sign the Cartful DPA and verify DPF certification of the importing entity. Conduct a DPIA covering profiling and the US transfer. Gate the Cartful widget behind explicit consent in the CMP (TCF v2.2 vendor entry where possible). Block the script in the head of the document until the consent state is read. Disable optional features (email capture, cross device matching) when consent is withdrawn. Document retention of profile and event history, and request deletion through the Cartful admin API. Update the privacy notice and the cookie notice. Add Cartful to the vendor list and to the record of processing activities.
Websites using Cartful must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under Article 35 GDPR is recommended because Cartful conducts systematic behavioural profiling of online shoppers, builds an inferred preference profile and uses it to influence purchasing decisions, while also transferring data to the United States. The DPIA must describe categories of data (IP, browsing path, click and scroll events, cart events, chat answers, derived preferences, optional email if captured), purposes (personalisation, recommendations, analytics), retention (chat history and profile), the legal basis (consent), the transfer mechanism (DPF and/or SCCs), the supplementary measures, the risk of decisional influence on the data subject, the redress mechanism and the right not to be subject to solely automated decisions when relevant.
Sample consent text
We use Cartful, an AI shopping assistant operated by Cartful Solutions Inc. in the United States, to ask you a few questions and recommend products. With your consent Cartful sets persistent cookies and local storage, records your answers, clicks and cart activity, builds a shopper profile and stores it on US cloud servers. The transfer to the United States relies on the EU-US Data Privacy Framework and EU Standard Contractual Clauses. You can decline; the store remains fully usable without personalised recommendations.
Third-party domains contacted
cartful.com, app.cartful.com, api.cartful.com, cdn.cartful.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cartful_visitor | Persistent | 12 months | Persistent first-party identifier that recognises the same shopper across sessions on the merchant site. Used to associate browsing events, chat answers and the inferred preference profile maintained by Cartful in the United States. |
| cartful_session | Session | Session | First-party session cookie that groups page views, click events and chat interactions within a single Cartful conversation, used to deduplicate events and to serve the next recommendation step. |
| cartful_profile | Local Storage | Until cleared | Local storage entry holding the derived preference profile (style, size, occasion, brand affinity, budget) so the assistant can resume the conversation and pre-rank product suggestions without a round trip on every page. |
| cartful_consent | Persistent | 6 months | Records the consent state read from the merchant CMP so the Cartful widget knows whether it is allowed to load, send events and persist the visitor identifier on subsequent visits. |
Cartful uses cookies for user preferences — inform visitors with a consent banner.
Cartful sets persistent first-party cookies and local storage entries to identify a shopper across sessions, remember chat history and store the inferred preference profile. It records IP address, device and browser fingerprint, page URL, referrer, UTM parameters, click and scroll events, products viewed, time on page, add-to-cart and checkout events, the merchant catalogue (product IDs, attributes, prices) and the answers the visitor gives to the assistant. With optional features enabled it can also receive a logged-in customer identifier or an email address collected through a sign-up flow. All data flows to Cartful APIs on AWS US.
Yes. Cartful is a non-essential service that sets persistent cookies and local storage for analytics and profiling, so Article 5(3) of the ePrivacy Directive and its national transpositions require prior, freely given, specific and informed consent. The processing also involves systematic profiling within the meaning of Article 4(4) GDPR, which makes explicit and granular consent the right approach under EDPB Guidelines 03/2022. The widget must therefore not load, and no event may be sent to Cartful APIs, before a positive consent is registered by the consent management platform. Refusal must be as easy as acceptance.
Consent under Article 6(1)(a) GDPR is the only realistic legal basis for Cartful on a European site. Legitimate interest is hard to defend because the processing combines persistent cross-session profiling, recommendation influence on purchase decisions and a transfer to the United States. Contract performance does not fit either, because shoppers can complete the order without the recommender. Consent must be paired with the ePrivacy consent for cookies and local storage, must be specific to the purpose (personalised recommendations), must be informed (controller, processor, transfer, retention) and must be withdrawable at any time.
Yes. Cartful Solutions Inc. is established in the United States and processes events on AWS US infrastructure. Transfers from the EEA rely on the EU-US Data Privacy Framework where the importing entity is certified, with EU Standard Contractual Clauses (2021/914) as fallback and a transfer impact assessment that addresses FISA 702 and Executive Order 12333 in line with the Schrems II ruling. The merchant must verify the importer's DPF status, document supplementary measures (encryption in transit and at rest, pseudonymised identifiers, access controls, government access procedure) and refresh the assessment when sub-processors change.
A DPIA under Article 35 GDPR is recommended and often mandatory because Cartful conducts systematic, large-scale behavioural profiling of online shoppers, builds an inferred preference profile, uses it to influence purchase decisions and transfers data to a third country. The DPIA should describe the categories of data, the profiling logic, the legal basis, the retention period for the profile and event history, the supplementary measures, the residual risk after measures, the right of the data subject under Article 22 GDPR if recommendations have significant effects, and the channels to exercise the rights of access, rectification, erasure and objection.
Sign the Cartful DPA, verify DPF certification of the importing entity, conduct a DPIA covering profiling and the US transfer, and configure the consent management platform so that the Cartful tag is blocked until a positive consent is recorded. Disable optional features (email capture, cross-device matching, logged-in user enrichment) until consent is granted, and disable them again as soon as it is withdrawn. Document profile and event retention, and request deletion of inactive profiles through the Cartful admin API. Update the privacy notice with the legal basis, transfer mechanism and retention, and the cookie notice with the named Cartful cookies.
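The gating steps above (block the tag until the CMP records consent, tear the widget and its stored state down on withdrawal) as an added example, not Cartful's or FlowConsent's own code. It assumes the CMP reports a boolean "personalisation" purpose and fires a "cmp:consent" event; the widget URL on cdn.cartful.com is a placeholder path.

```javascript
// Added example (not Cartful's or FlowConsent's code): a consent gate that keeps
// the Cartful tag out of the page until the CMP reports consent and removes the
// widget and its state when consent is withdrawn. Assumed: the CMP reports a
// boolean "personalisation" purpose and fires a "cmp:consent" event.
const WIDGET_SRC = "https://cdn.cartful.com/widget.js"; // assumed path on a listed domain
const CARTFUL_COOKIES = ["cartful_visitor", "cartful_session", "cartful_consent"];
const CARTFUL_STORAGE_KEYS = ["cartful_profile"];
// Pure decision so the gating logic can be tested without a browser.
function decideAction(consent, widgetLoaded) {
  const granted = Boolean(consent && consent.personalisation === true);
  if (granted && !widgetLoaded) return "load";
  if (!granted && widgetLoaded) return "teardown";
  return "noop";
}
// Value that, assigned to document.cookie, expires a first-party cookie.
function expireCookie(name) {
  return `${name}=; Max-Age=0; Path=/; SameSite=Lax`;
}
// env abstracts the browser: { injectScript(src), removeScript(), writeCookie(str), storage.removeItem(key) }
function createGate(env) {
  let widgetLoaded = false;
  return {
    onConsentChange(consent) {
      const action = decideAction(consent, widgetLoaded);
      if (action === "load") {
        env.injectScript(WIDGET_SRC); // the tag reaches the page only here
        widgetLoaded = true;
      } else if (action === "teardown") {
        env.removeScript();
        CARTFUL_COOKIES.forEach((name) => env.writeCookie(expireCookie(name)));
        CARTFUL_STORAGE_KEYS.forEach((key) => env.storage.removeItem(key));
        widgetLoaded = false;
      }
      return action;
    },
    isLoaded: () => widgetLoaded,
  };
}
// Browser wiring; skipped when there is no document (e.g. under Node).
if (typeof document !== "undefined") {
  const gate = createGate({
    injectScript(src) { const s = document.createElement("script"); s.src = src; s.async = true; s.id = "cartful-tag"; document.head.appendChild(s); },
    removeScript() { const s = document.getElementById("cartful-tag"); if (s) s.remove(); },
    writeCookie(value) { document.cookie = value; },
    storage: window.localStorage,
  });
  window.addEventListener("cmp:consent", (e) => gate.onConsentChange(e.detail));
}
```

Cookies the widget set with a different Path or Domain attribute are not expired by a plain `Max-Age=0` write; match the attributes in the cookie table when adapting this.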
Several EU-hosted product recommendation and on-site assistant tools can be evaluated: Nosto (EU regions), Algolia Recommend (EU residency), Klevu, Crobox, Findologic, Recombee (EU servers), Dynamic Yield (with EU residency), and open-source approaches such as Recommendations API on a self-managed stack. For chat-style assistants, Hubspot ChatSpot or self-hosted Rasa or Botpress instances on EU infrastructure reduce both consent friction and transfer risk. The right choice depends on catalogue size, latency, conversion lift, contractual terms (DPA, sub-processors, transfer mechanisms) and the level of profiling that you can justify under your CMP.
In the cookie notice, list the Cartful cookies by name (cartful_session, cartful_visitor, cartful_profile) with their stated duration and category, and tie them to the Cartful purpose in the CMP. In the privacy notice, name Cartful Solutions Inc. as a processor (or joint controller, depending on the contract), list the data categories (IP, device data, behavioural events, chat answers, derived profile, optional email), name the country of destination (United States), reference the EU-US Data Privacy Framework and the EU Standard Contractual Clauses, and give the retention period and the rights mechanism. Re-audit after every Cartful configuration change.