
QARTA Privacy Policy

Last Updated: October 7, 2025

Introduction

QARTA (შპს მფრინავი სპილო / LLC Flying Elephant) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website qarta.ge and our photobook creation services.

Data Controller:
შპს მფრინავი სპილო (LLC Flying Elephant)
Trading as: QARTA
Identification Number: 405681178
Address: 14 Merab Kostava St, Tbilisi, 0108, Georgia
Email: hi@qarta.ge

This Privacy Policy complies with Georgian data protection laws, including the Law of Georgia on Personal Data Protection, and follows GDPR principles.


1. Personal Information We Collect

1.1 Information You Provide Directly

When you register, place an order, or use our services, we collect:

Account Information:

  • Full name
  • Email address
  • Phone number
  • Delivery address
  • Password (stored in encrypted form)

Order Information:

  • Billing address
  • Delivery preferences
  • Order history
  • Product preferences

Photos and Content:

  • Photos you upload to create photobooks
  • Any text, captions, or designs you add to your photobooks
  • Metadata embedded in your photos (which may include dates, locations, and camera information)

Communications:

  • Messages you send us via email or contact forms
  • Customer service correspondence via Crisp chat
  • Feedback and reviews

1.2 Information Collected Automatically

When you visit our Website, we automatically collect:

Technical Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device information
  • Pages visited and time spent
  • Referring website
  • Click patterns and navigation

Cookies and Similar Technologies:

  • Session cookies (essential for service function)
  • Preference cookies (remember your settings)
  • Analytics cookies (understand site usage)

1.3 Information from Third Parties

Payment Providers:

  • Payment confirmation and transaction status
  • We do NOT receive or store your full card details

2. How We Use Your Personal Information

2.1 To Provide Our Services

✓ Order Processing:

  • Create and print your photobooks
  • Process payments
  • Arrange delivery
  • Manage your account

✓ Customer Support:

  • Respond to your inquiries via email and Crisp chat
  • Resolve technical issues
  • Handle returns and refunds
  • Provide product support

✓ Communication:

  • Send order confirmations
  • Provide delivery updates via email and SMS
  • Notify you of order status changes
  • Send service-related announcements

2.2 To Improve Our Services

  • Analyze how customers use our Website (via PostHog)
  • Understand user behavior and session recordings (via PostHog)
  • Improve our photobook builder tools
  • Develop new features and products
  • Optimize user experience
  • Conduct internal research and analytics

2.3 Legal and Security

  • Comply with Georgian legal obligations
  • Prevent fraud and unauthorized access
  • Enforce our Terms and Conditions
  • Protect our rights and property
  • Respond to legal requests from authorities

2.4 Marketing (With Your Consent)

  • Send promotional emails about new products and offers
  • Provide personalized recommendations
  • Inform you about special discounts

You can opt out of marketing communications at any time.


3. Legal Basis for Processing

We process your personal data based on:

3.1 Contract Performance

Processing is necessary to fulfill our contract with you (creating and delivering your photobooks).

3.2 Consent

You have given explicit consent for specific processing activities (e.g., marketing emails, analytics cookies).

3.3 Legitimate Interests

Processing is necessary for our legitimate business interests (e.g., fraud prevention, service improvement), provided your rights are not overridden.

3.4 Legal Obligation

Processing is required to comply with Georgian laws and regulations.


4. How We Share Your Information

4.1 Service Providers

We share information with trusted third-party service providers who help us operate our business:

Cloud Storage:

  • Cloudflare R2 - stores your uploaded photos securely
  • Photos are encrypted and access is restricted

Payment Processors:

  • Payment gateway providers process your transactions
  • We do not store your card details; processors handle this securely

Delivery Services:

  • Courier companies receive your name, phone number, and delivery address
  • This information is used solely for delivering your order

Technical Services:

  • Website hosting providers
  • IT security and maintenance services
  • PostHog - analytics and session recording platform for understanding user behavior
  • Crisp - customer support chat platform

All service providers are contractually obligated to protect your data and use it only for specified purposes.

4.2 Legal Requirements

We may disclose your information if required to:

  • Comply with Georgian laws and regulations
  • Respond to legal processes (court orders, subpoenas)
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of others
  • Prevent fraud or security threats

4.3 Business Transfers

If QARTA is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. You will be notified of any such change.

4.4 With Your Consent

We may share your information with third parties if you give us explicit consent to do so.

We do NOT:

  • Sell your personal data to third parties
  • Share your data for third-party marketing without your consent
  • Transfer data outside Georgia except to service providers with adequate protection

5. Photo Storage and Retention

5.1 Photo Storage Duration

Important: Your uploaded photos are stored for 90 days from the date of upload.

  • After 90 days, photos are automatically and permanently deleted
  • Once deleted, photos cannot be recovered
  • We recommend downloading or backing up your photos before expiration

5.2 Why We Store Photos

  • To allow you to edit and reorder photobooks
  • To create your printed photobooks
  • To fulfill reprint requests within the 90-day period

5.3 How Photos Are Stored

  • Stored on Cloudflare R2 secure cloud storage
  • Encrypted in transit and at rest
  • Access restricted to authorized personnel only
  • Regular security audits conducted

5.4 Manual Deletion

You can delete your photos at any time by:

  • Logging into your account
  • Selecting photos to delete
  • Confirming deletion

Deleted photos are permanently removed within 24 hours.

5.5 Completed Orders

Photos used in completed orders are deleted after 90 days from upload, regardless of order completion date.

5.6 Account Closure

When you close your account, all stored photos are deleted immediately.


6. Other Data Retention Periods

6.1 Account Information

  • Retained while your account is active
  • Deleted within 30 days of account closure (unless legal retention required)

6.2 Order Information

  • Retained for 3 years for accounting and tax compliance purposes
  • Retained longer if required for legal disputes or investigations

6.3 Marketing Communications

  • Retained until you unsubscribe
  • Unsubscribed contacts kept on suppression list to honor opt-out

6.4 Technical Logs

  • Website access logs retained for 12 months
  • Security logs retained for 24 months
  • PostHog analytics data retained for 12 months
  • Crisp chat logs retained for 24 months

7. Your Rights

Under Georgian data protection law, you have the following rights:

7.1 Right of Access

Request confirmation of what personal data we hold about you and receive a copy.

7.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

7.3 Right to Erasure (Right to be Forgotten)

Request deletion of your personal data in certain circumstances:

  • Data no longer necessary for the purpose collected
  • You withdraw consent and no other legal basis exists
  • You object to processing and no overriding legitimate grounds exist
  • Data processed unlawfully

Note: We may refuse if we need the data for legal obligations or legitimate interests.

7.4 Right to Restriction

Request limitation of processing in certain situations:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want deletion
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification

7.5 Right to Data Portability

Receive your personal data in a structured, machine-readable format and transmit it to another controller.

7.6 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

For direct marketing: We will stop immediately upon your request.

7.7 Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent (this doesn't affect past processing).

7.8 How to Exercise Your Rights

Email us at: hi@qarta.ge

Include:

  • Your full name
  • Email address associated with your account
  • Specific request
  • Proof of identity (copy of ID document)

Response Time: We will respond within 10 business days of receiving your request.


8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our Website.

8.2 Types of Cookies We Use

Essential Cookies (Required)

  • Enable core Website functionality
  • Manage your login session
  • Remember items in your cart
  • Cannot be disabled without breaking the site

Functional Cookies (Optional)

  • Remember your preferences (language, region)
  • Personalize your experience
  • Can be disabled in browser settings

Analytics Cookies (Optional)

  • PostHog - Help us understand how visitors use our Website
  • Record session replays to improve user experience
  • Measure effectiveness of our services
  • Aggregate and anonymous data
  • Can be disabled in browser settings

Marketing Cookies (Optional, with consent)

  • Deliver relevant advertisements
  • Track campaign effectiveness
  • Used only with your explicit consent

8.3 Managing Cookies

Browser Settings: You can control cookies through your browser settings:

  • Block all cookies
  • Delete existing cookies
  • Accept/reject cookies on a case-by-case basis

Note: Disabling essential cookies may prevent you from using certain features of our Website.

8.4 Third-Party Cookies

Some cookies are placed by third-party services that operate on our Website:

Crisp (Website Chat)

  • Privacy Policy: https://crisp.chat/en/privacy/
  • Purpose: Provide customer support chat functionality
  • Data Collected: Chat messages, name, email, browsing context
  • Retention: 24 months

PostHog (Analytics & Session Recording)

  • Privacy Policy: https://posthog.com/privacy
  • Purpose: Understand user behavior, improve user experience
  • Data Collected: Page views, clicks, session recordings, device info
  • Retention: 12 months
  • Session Recording: PostHog may record your interactions with our Website (mouse movements, clicks, scrolling) to help us identify and fix issues and improve user experience
  • You can opt out of session recording in your browser settings or by contacting us

Payment Providers

  • Secure transaction processing
  • Payment confirmation status

These third-party cookies are governed by the respective third parties' privacy policies.

8.5 Do Not Track

Our Website does not currently respond to "Do Not Track" signals. You can opt out of analytics tracking by:

  • Disabling cookies in your browser
  • Contacting us at hi@qarta.ge to opt out of PostHog tracking
  • Using browser extensions that block tracking

9. Security Measures

9.1 How We Protect Your Data

Technical Measures:

  • SSL/TLS encryption for all data transmission
  • Encrypted storage of photos and sensitive data
  • Secure password hashing
  • Regular security audits and vulnerability assessments
  • Firewall and intrusion detection systems
  • Secure backup systems

Organizational Measures:

  • Access controls and authentication
  • Staff training on data protection
  • Confidentiality agreements with employees and contractors
  • Regular policy reviews and updates

9.2 Your Responsibilities

  • Use a strong, unique password
  • Do not share your account credentials
  • Log out after using shared devices
  • Keep your email account secure
  • Notify us immediately of suspected unauthorized access

9.3 No Guarantee

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security but will notify you promptly of any data breach that affects your personal data.


10. Third-Party Links

Our Website may contain links to third-party websites, social media platforms, or services.

We are NOT responsible for:

  • Privacy practices of third-party sites
  • Content on external websites
  • Data collection by third parties

We recommend: Review the privacy policies of any third-party sites you visit.


11. Children's Privacy

Our services are not intended for individuals under 18 years of age.

  • We do not knowingly collect personal data from minors
  • If we discover we have collected data from someone under 18, we will delete it promptly
  • If you believe we have inadvertently collected data from a minor, please contact us at hi@qarta.ge

12. International Data Transfers

12.1 Data Location

Your personal data is primarily stored and processed in Georgia.

12.2 Service Providers

Some of our service providers (e.g., Cloudflare, PostHog, Crisp) may process data outside Georgia. In such cases:

  • We ensure adequate protection through contractual safeguards
  • We comply with Georgian data protection requirements
  • Data is transferred only to countries with adequate protection or under appropriate safeguards
  • All service providers are GDPR-compliant

13. Marketing Communications

13.1 Consent

We will only send you marketing communications if:

  • You have opted in during registration, OR
  • You have made a purchase and have not opted out

13.2 What We Send

  • New product announcements
  • Special offers and promotions
  • Seasonal campaigns
  • Personalized recommendations

13.3 Opt-Out

You can unsubscribe at any time:

  • Click the "Unsubscribe" link in any marketing email
  • Log into your account and update preferences
  • Email hi@qarta.ge with an "Unsubscribe" request

We will process your opt-out within 5 business days.

13.4 Service Communications

You cannot opt out of essential service communications (order confirmations, delivery updates, account notifications).


14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our services
  • Changes in data protection laws
  • Improvements to our practices
  • Addition or removal of third-party services

14.2 Notification

Material Changes: We will notify you by:

  • Email to your registered address
  • Prominent notice on our Website
  • At least 30 days before changes take effect

Minor Changes: Posted on this page with updated "Last Updated" date.

14.3 Your Acceptance

Continued use of our services after changes take effect constitutes acceptance of the updated Privacy Policy.


15. Contact Us and Complaints

15.1 Data Protection Officer

For privacy-related questions or concerns:

Email: hi@qarta.ge
Subject Line: "Privacy Inquiry" or "Data Protection Request"

Postal Address:
QARTA Data Protection
14 Merab Kostava St, Tbilisi, 0108, Georgia

15.2 Response Time

We will respond to your inquiry within 10 business days.

15.3 Complaints

If you believe we have mishandled your personal data:

Step 1: Contact us at hi@qarta.ge
Step 2: If unsatisfied, you may lodge a complaint with:

Personal Data Protection Service of Georgia
Website: https://www.personaldata.ge
Email: info@pdp.ge

Step 3: You also have the right to seek judicial remedy through Georgian courts.


16. Third-Party Service Providers

16.1 Complete List

Cloudflare R2

  • Purpose: Photo storage
  • Data: Photos uploaded by users
  • Privacy Policy: https://www.cloudflare.com/privacypolicy/

Payment Gateway Providers

  • Purpose: Process payments
  • Data: Payment transaction data (card details handled by provider, not QARTA)
  • PCI-DSS compliant

Courier Services

  • Purpose: Deliver photobooks
  • Data: Name, phone number, delivery address
  • Used solely for delivery purposes

PostHog

  • Purpose: Analytics and session recording
  • Data: Usage patterns, session recordings, device info
  • Privacy Policy: https://posthog.com/privacy
  • Opt-out: Contact hi@qarta.ge

Crisp

  • Purpose: Customer support chat
  • Data: Chat messages, name, email
  • Privacy Policy: https://crisp.chat/en/privacy/

17. Consent and Acknowledgment

By using QARTA's services, you acknowledge that:

✓ You have read and understood this Privacy Policy
✓ You consent to the collection, use, and disclosure of your personal information as described
✓ You understand your rights regarding your personal data
✓ You accept our photo storage and retention policies
✓ You understand that PostHog may record your sessions on our Website
✓ You accept the use of Crisp chat for customer support

You can withdraw consent for optional processing (analytics, marketing) at any time by contacting hi@qarta.ge


18. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).

Data Controller: The entity that determines the purposes and means of processing personal data (QARTA).

Data Processor: A third party that processes personal data on behalf of the data controller.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.

Data Subject: The individual whose personal data is being processed (you).

Session Recording: Recording of user interactions on a website, including mouse movements, clicks, and scrolling, for analysis purposes.


For the Georgian version of this Privacy Policy, please contact hi@qarta.ge

Version: 1.0
