BoxCart
Legal

Privacy Policy

How we handle your data and protect your privacy.

Last updated: April 2026.

Who We Are

BoxCart is a click & collect ordering plugin for WordPress. This policy covers the website at boxcart.dev and the BoxCart plugin itself (both the free build on WordPress.org and the paid Pro build sold through our website).

What Data We Collect and Why

Website Forms

Our website uses Gravity Forms to collect contact, support, feature-suggestion, and custom-development enquiries. When you submit a form we collect the information you provide — typically your name, email address, website URL (if relevant), and message. This is used solely to respond to your enquiry.

Some of our forms include an optional checkbox to subscribe to our newsletter. If you tick it, your email address and name are sent to MailerLite (see below) so we can email you product updates. If you don’t tick it, nothing is sent to MailerLite.

Purchases & Licences

When you buy BoxCart Pro or start a free trial, checkout is handled by Freemius, our payment and licensing provider. Freemius collects the information needed to process your order (name, email, billing address, payment details) and issues you a licence key and invoices. We receive your name, email, and licence/plan information from Freemius so we can provide support and send product emails.

Payment card details are handled by Freemius’s payment processor (Stripe or PayPal, depending on your choice at checkout) and never touch our servers.

Plugin Diagnostics (Opt-In)

The BoxCart plugin uses the Freemius SDK to handle licensing and, if you opt in, to send anonymous usage diagnostics (WordPress version, PHP version, plugin version, site URL, admin email). You are offered a clear choice to skip this during activation, and you can disable it at any time from the plugin’s Account screen. We never collect your customers’ data or the contents of your store.

Cookies

Our website uses a minimal number of cookies:

  • Cookie consent cookie — remembers that you dismissed the cookie notice. No personal information, expires after 1 year.
  • Roadmap voting cookie — remembers which roadmap features you voted for so you can’t vote twice. Feature IDs only, expires after 30 days.
  • Gravity Forms cookies — Gravity Forms may set short-lived cookies to prevent duplicate submissions and to preserve partial form data. No personal information beyond what you’ve typed into the form.
  • WordPress session cookies — set when administrators log in. Essential for site functionality, expire when you close your browser or after 14 days with “Remember Me”.

We do not use third-party analytics, advertising, or tracking cookies.

Embedded Content

Pages on this site may include embedded content (e.g. videos, images). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content.

Who We Share Your Data With

We use the following trusted third-party processors. Each handles your data under its own privacy policy, which we’ve linked for your reference:

  • Freemius — payment processing, licence issuance, customer invoices, and subscription management for BoxCart Pro. See the Freemius privacy policy.
  • Stripe / PayPal — payment card processors used by Freemius at checkout. Card data goes directly to them and is never seen or stored by us.
  • MailerLite — email marketing for our newsletter, when you opt in. See the MailerLite privacy policy.
  • Our hosting provider — OnRocket (UK/EU) hosts our website. They process your data only to deliver the site to you.
  • WordPress.org — when you install or update the free BoxCart plugin from the WordPress.org repository, your WordPress site communicates with WordPress.org for update checks. Anonymous aggregate install stats are visible on the plugin’s wp.org page. See the WordPress.org privacy policy.

We do not sell your personal data, and we do not share it with anyone outside this list.

How Long We Retain Your Data

  • Website form submissions — kept in our email system for as long as needed to resolve your enquiry, typically no longer than 12 months.
  • Newsletter subscribers — kept in MailerLite until you unsubscribe (every email we send includes an unsubscribe link).
  • Customer & licence records — retained in Freemius for as long as you hold an active licence with us, plus the period we’re legally required to keep records of the transaction (typically 6 years under UK tax law).

Your Rights Over Your Data

Under UK GDPR you have the right to:

  • Ask what personal data we hold about you.
  • Ask us to correct inaccurate data.
  • Ask us to delete your data (subject to any legal retention obligations such as tax records).
  • Ask us to export your data in a portable format.
  • Withdraw consent for marketing emails at any time.

To exercise any of these rights, contact us through the support page. You can also lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) if you’re unhappy with how we’ve handled your data.

Where Your Data Is Sent

Our website is hosted in the United Kingdom / European Economic Area. Freemius is headquartered in Israel and operates globally. MailerLite operates globally with primary infrastructure in Europe and the United States. Transfers outside the UK/EEA are covered by each provider’s Standard Contractual Clauses or equivalent safeguards, as set out in their privacy policies linked above.

Security

We use HTTPS across our website and select processors that meet industry security standards. No internet transmission can be guaranteed 100% secure, but we take reasonable steps to protect your data.

Contact

For any privacy-related question or request, please use the contact form on our support page. We respond within 7 days.