Last updated: 1 July 2025
Celxius Ltd. (“Celxius”, “we”, “our”, “us”) operates the GrenCart marketplace located at grencart.com and its sub-domains (collectively, the “Platform”). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, store and protect the information of:
- Consumers who browse, shop or create a customer account
- Vendors / business users who create and manage an online store
- Visitors who interact with public GrenCart pages
Because GrenCart is headquartered in Grenada and targets users in the Caribbean, the Data Protection Act 2023 (Grenada) is our primary legal framework. We also follow the Grenada Constitution's privacy protections and recognised international best-practice standards. The EU/UK GDPR does not directly apply to our processing activities.
If you have questions, contact us at [email protected] or by mail at Celxius Ltd., Grenada.
1. Who We Are (Updated)
| Item | Detail |
|---|---|
| Data-controller | Celxius Ltd. |
| Company-registration no. | 2024/B1144 |
| Registered office | La Tante, St David, Grenada |
| [email protected] | |
| Phone | +1 (473) 422-5041 |
2. Personal Data We Collect
| Category | Examples | Collected from |
|---|---|---|
| Identification | Name, email, phone, sex, profile image | Registration forms • Social log-in |
| Credentials | Password (hashed) • Social-login tokens | Registration forms • Google / Facebook |
| Contact & Delivery | Shipping and billing address • GPS pin for delivery | Checkout • Maps picker |
| Business details (vendors) | Store name, logo, business address, banking details | Vendor on-boarding |
| Payment | Encrypted / tokenized card info via Stripe | Checkout (Stripe Elements) |
| Device & usage | Browser type, OS, IP address, referring URLs, pages viewed, session timestamps | Cookies • Log files • Google Analytics |
| Location | IP-based geolocation • GPS (when you enable it) | Device permissions |
We do not knowingly collect special-category data (e.g., health, religion) except where a user chooses to include it in a profile photo or free-text field.
3. How We Collect Data
- Forms on registration, checkout and vendor dashboards
- File or image uploads (e.g., profile photo, product images)
- Third-party sign-in with Google or Facebook (only after you grant permission)
- Cookies and similar technologies (see section 8)
- Automatic logs from servers, security tools and analytics scripts
4. Why We Process Your Data
| Purpose | Typical legal ground under Grenada law |
|---|---|
| Create and manage your account; authenticate log-in | Contract necessity |
| Process and deliver orders; facilitate vendor payouts | Contract necessity |
| Detect and prevent fraud, spam or security threats | Legitimate interests; legal obligation |
| Send transactional messages (order updates, invoices) | Contract necessity |
| Send marketing emails or newsletters you opt into | Consent (you may withdraw at any time) |
| Provide customer support | Legitimate interests |
| Analyse usage to improve features & UX | Legitimate interests |
| Comply with accounting, tax or law-enforcement requests | Legal obligation |
| Run automated fraud screening on payments | Legitimate interests; public interest in preventing crime |
5. Sharing & Disclosure
We never sell your personal information. We share it only with:
- Stripe - secure payment processing and fraud screening
- DigitalOcean - ISO-certified US data centres hosting our servers
- Google Workspace - transactional and support email
- Google Analytics - usage statistics (IP-masked where possible)
- Identity providers - Google & Facebook for social log-in
- Delivery agents / couriers - address, contact number and order contents needed to fulfil delivery
- Competent authorities, courts or regulators where legally required
All service providers sign data-processing agreements and receive only the minimum information necessary.
6. International Transfers
Our primary infrastructure is located in the United States in ISO-27001-certified data centres operated by DigitalOcean. By using the Platform, you acknowledge that your information may be transferred to and stored in the United States, which offers strong commercial-grade security safeguards. We rely on contract clauses and rigorous vendor due-diligence to ensure an adequate level of protection.
7. Retention
| Data set | Retention rule |
|---|---|
| Customer & vendor accounts | Stored indefinitely while the account is active. You may delete your account at any time (section 9). |
| Orders, invoices & payout records | Retained indefinitely for bookkeeping, anti-fraud and analytics. |
| Logs & security events | Minimum 12 months; may be kept longer if needed for investigations. |
| Marketing opt-in records | Kept until you unsubscribe plus 2 years for audit purposes. |
When you delete an account, personal or brand-identifiable information becomes invisible to the public and is queued for secure deletion or anonymisation unless legal retention rules require otherwise.
8. Security Measures
- TLS/SSL encryption for all traffic
- PCI-DSS Level 1 payment processing via Stripe; we never store full card numbers
- Strong password hashing (bcrypt)
- Rate-limiting and access-control lists to mitigate brute-force attacks
- Continuous log analysis for suspicious behaviour
- Mandatory email + password or SMS OTP for authentication
- Staff access restricted by role and logged
- Automatic account or store suspension for policy breaches
9. Cookies & Tracking
GrenCart uses first-party cookies to:
- keep you logged in
- remember cart contents
- protect against CSRF
We also set Google Analytics cookies to understand site performance and page popularity. No advertising or cross-site tracking cookies are used. Your browser settings allow you to delete or block cookies; essential site features may not work without them. Because cookies are strictly limited, we do not display a banner at first visit.
10. Your Rights
Under the Grenada Data Protection Act 2023 you can:
- Access — request a copy of personal data we hold
- Rectify — correct inaccurate or incomplete data
- Erase / delete — close your account and request deletion (subject to statutory retention)
- Object / restrict certain processing such as marketing emails
- Portability — request an export of your store catalogue or purchase history in CSV/JSON
You can exercise most rights via your account settings. Alternatively email [email protected]. We may ask for proof of identity before processing a request and will respond within 30 days.
11. Children
GrenCart is not intended for persons under 16. We do not knowingly collect data from children. If we learn that a minor has provided personal data, we will delete it promptly.
12. Automated Decision-Making
We employ automated transaction-scanning (including AI models) to detect fraud or high-risk orders. Decisions that result in order rejection or account suspension are reviewed by a human upon request.
13. Changes to This Policy
We may update this Privacy Policy to reflect operational, legal or regulatory changes. Material changes will be emailed to registered users at least seven (7) days before they take effect, and the “Last updated” date will change accordingly.
14. Contact Us
Celxius Ltd. Grenada [email protected]
If you believe we have not adequately resolved a privacy concern, you may lodge a complaint with Grenada's Information Commission once established under the Data Protection Act 2023.