Order Directly From Multiple BrandsOne Checkout | Unlimited Free Deliveries
Caboodle Logo

Privacy Policy

Last Updated: March 2026

Effective Date: March 2026

1. Introduction

Caboodle Ireland ("we," "us," or "our") is committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our e-commerce marketplace platform.

This policy complies with the General Data Protection Regulation (GDPR) and Irish data protection laws. As we operate exclusively in Ireland, we are subject to the jurisdiction of the Data Protection Commission (DPC) of Ireland.

Data Controller: Caboodle Ireland
Contact: info@caboodle.ie

2. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing necessary to perform our contract with you, including account management, order processing, and membership services
  • Legitimate Interests (Article 6(1)(f)): For platform security, fraud prevention, business analytics, and service improvements
  • Consent (Article 6(1)(a)): For marketing communications, optional cookies, and certain data sharing activities
  • Legal Obligation (Article 6(1)(c)): For VAT compliance, financial reporting, and regulatory requirements

3. Personal Data We Collect

3.1 Account Information

  • Name and email address (via Google OAuth)
  • Profile picture (via Google OAuth, optional)
  • User role (Member, Partner, Admin)
  • Account creation date and login history
  • Terms of Service acceptance records

3.2 Membership and Payment Data

  • Billing address and Irish county information
  • Payment method details (processed by Stripe - we do not store card details)
  • Subscription status and billing history
  • Membership activation and cancellation records

3.3 Order and Transaction Data

  • Order details (products, quantities, prices)
  • Delivery addresses and contact information
  • Order status and fulfillment tracking
  • Refund and return requests
  • Communication history with vendors and support
  • Product reviews and ratings submitted by members
  • Review moderation and reporting data

3.4 Business Partner Data (Vendors)

  • Business contact information
  • Shopify store connection details and access tokens
  • Product listings, descriptions, and images
  • Sales reports and commission data
  • VAT preferences and tax information
  • Stripe Connect account information
  • Shopify order data and fulfillment information
  • Inventory levels and product variant details

3.5 Technical and Usage Data

  • Device information and browser type
  • IP address and location data (Ireland only)
  • Session data and authentication tokens
  • Platform usage analytics and preferences
  • Error logs and technical diagnostics

4. How We Use Your Personal Data

4.1 Service Provision

  • Creating and managing your account
  • Processing membership subscriptions and payments
  • Facilitating orders between members and vendors
  • Coordinating product delivery and fulfillment
  • Managing refunds and customer service requests
  • Processing and displaying product reviews and ratings
  • Moderating review content and handling disputes

4.2 Business Operations

  • Vendor commission calculations and invoicing
  • Product publishing and quality control
  • Fraud prevention and security monitoring
  • Compliance with Irish VAT and tax obligations
  • Platform performance monitoring and improvements
  • Shopify store integration and product synchronization
  • Order fulfillment tracking and customer support

4.3 Communication

  • Order confirmations and delivery notifications
  • Account and membership updates
  • Customer support and dispute resolution
  • Platform announcements and service updates
  • Marketing communications (with consent)

5. Data Sharing and Third-Party Services

We share your personal data with the following categories of recipients:

5.1 Essential Service Providers

  • Google (OAuth): Authentication services - subject to Google's Privacy Policy
  • Stripe: Payment processing and subscription management - subject to Stripe's Privacy Policy
  • Shopify: E-commerce integration for vendors - subject to Shopify's Privacy Policy
  • Resend: Transactional email delivery services (order confirmations, account notifications) - subject to Resend's Privacy Policy
  • Klaviyo: Marketing email, customer relationship management, and on-site behavioural analytics (with your marketing consent) - subject to Klaviyo's Privacy Policy
  • Meta Platforms Ireland Limited: Advertising measurement and optimisation - subject to Meta's Privacy Policy (see Section 9.3 for full details)

5.2 Shopify Data Processing

When vendors connect their Shopify stores to Caboodle, we process the following data from Shopify:

  • Product Data: Product titles, descriptions, images, variants, pricing, SKUs, and inventory levels for marketplace display and synchronization
  • Order Data: Order details, customer information, product selections, quantities, and fulfillment status for order processing and tracking
  • Fulfillment Data: Real-time fulfillment notifications, tracking information, and delivery status updates
  • Store Information: Basic store details and connection status for platform integration

Purpose: This data is used exclusively for operating our marketplace platform, facilitating transactions between customers and vendors, and providing order fulfillment services. We do not use Shopify data for any other commercial purposes.

Data Security: All Shopify access tokens and data are encrypted and stored securely. We implement industry-standard security measures and comply with Shopify's security requirements.

Data Retention: Shopify data is retained only for as long as the vendor's store remains connected to our platform. Upon disconnection, we securely delete all Shopify access tokens and associated data within 30 days.

Vendor Control: Vendors can revoke Caboodle's access to their Shopify store at any time through their Shopify admin panel or Caboodle Partner Dashboard.

5.3 Business Partners

  • Vendors: Order details necessary for fulfillment (name, delivery address, product requirements)
  • Other Members: Product reviews and ratings are publicly displayed to help inform purchasing decisions
  • Vendors: Review content and ratings for their products to help improve customer service and product quality

5.4 Legal and Regulatory

  • Irish Revenue Commissioners (for VAT compliance)
  • Law enforcement and regulatory authorities (when legally required)
  • Legal advisors and auditors (under confidentiality agreements)

5.5 Review Data Processing

When members submit product reviews and ratings, we process the following data:

  • Review Content: Text reviews, star ratings, and any additional feedback provided by members
  • Purchase Verification: Confirmation that the reviewer has purchased the product being reviewed
  • Reviewer Information: Member name and profile information (as displayed on the platform)
  • Product Association: Link between reviews and specific products/vendors
  • Moderation Data: Information about review moderation, reporting, and dispute resolution

Purpose: Review data is used to provide product feedback to other members, help vendors improve their products and services, and maintain platform quality standards.

Public Display: Reviews and ratings are publicly displayed on our platform to help inform purchasing decisions. Member names are displayed with reviews unless the member chooses to remain anonymous.

Data Retention: Review data is retained for the duration of the product's availability on our platform, plus 2 years for historical reference and analytics. Deleted reviews are retained for 30 days for moderation purposes.

Member Control: Members can edit or delete their reviews through their account dashboard, subject to moderation policies and legal requirements.

6. International Data Transfers

Some of our service providers (Google, Stripe, Shopify, Meta) may process your data outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Certification schemes and codes of conduct
  • Service provider adherence to GDPR principles

We regularly review these arrangements to ensure your data remains protected to European standards.

7. Data Retention

We retain your personal data for the following periods:

  • Account Data: Until account deletion + 30 days for system cleanup
  • Transaction Records: 7 years (Irish tax and accounting requirements)
  • Payment Data: As required by Stripe and banking regulations
  • Marketing Consents: Until withdrawn or 3 years of inactivity
  • Technical Logs: 12 months maximum
  • Support Communications: 3 years for service quality and training
  • Review Data: Duration of product availability + 2 years for historical reference
  • Review Moderation Data: 30 days after review deletion for moderation purposes

After these periods, data is securely deleted or anonymized. Some data may be retained longer if required by law or for legitimate business interests (e.g., fraud prevention).

8. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)

Request a copy of the personal data we hold about you

Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data

Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten")

Right to Restrict Processing (Article 18)

Limit how we use your personal data

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format

Right to Object (Article 21)

Object to processing based on legitimate interests

How to Exercise Your Rights

Contact us at info@caboodle.ie or through your dashboard. We will respond within one month of receiving your request. Some rights may be limited by legal obligations or legitimate business interests.

9. Cookies and Tracking Technologies

9.1 Essential Cookies

We use strictly necessary cookies for:

  • User authentication and session management
  • Shopping cart functionality
  • Security and fraud prevention
  • Load balancing and system stability

9.2 Analytics and Performance

With your consent, we may use cookies for:

  • Platform usage analytics and improvements
  • Error monitoring and debugging
  • Performance optimization

9.3 Advertising and Marketing Tracking

We use the following advertising tracking technologies to measure and optimise our marketing campaigns:

  • Meta (Facebook) Pixel: We use the Meta Pixel, provided by Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), to measure the effectiveness of our advertising on Facebook and Instagram. The Meta Pixel places cookies on your device and collects data about your interactions with our platform.

Data Collected by the Meta Pixel

The Meta Pixel may collect the following data when you use our platform:

  • Pages visited and content viewed
  • Products added to your cart (product IDs, names, values)
  • Checkout initiation (cart contents and total value)
  • Completed purchases (transaction value)
  • Membership activations
  • HTTP headers (IP address, browser information, page location, referrer)
  • Pixel-specific data (Pixel ID, Facebook cookie)
  • Button click data and form field names

Purpose and Legal Basis

This data is processed for the following purposes:

  • Measuring the effectiveness of our advertising campaigns
  • Creating custom audiences to show relevant ads to existing users
  • Building lookalike audiences to reach new potential customers
  • Optimising ad delivery and bidding strategies
  • Providing aggregated conversion analytics and reporting

The legal basis for this processing is Legitimate Interests (Article 6(1)(f) GDPR) — specifically our legitimate interest in measuring advertising effectiveness and reaching potential customers. You have the right to object to this processing at any time (see "Managing Your Preferences" below).

Data Sharing with Meta

Data collected by the Meta Pixel is transmitted to and processed by Meta Platforms Ireland Limited. Meta may combine this data with information it already holds about you (e.g. from your Facebook or Instagram account) to deliver personalised advertising across its services. Meta acts as a joint controller with Caboodle for the collection of data through the Pixel, and as an independent controller for its subsequent processing. For full details, see Meta's Privacy Policy.

Managing Your Preferences

You can control advertising tracking through the following methods:

  • Browser Settings: Configure your browser to block third-party cookies or use private/incognito browsing mode
  • Meta Ad Settings: Manage your ad preferences at facebook.com/adpreferences
  • European Digital Advertising Alliance: Opt out of interest-based advertising at youronlinechoices.eu
  • Mobile Device Settings: Use "Limit Ad Tracking" (iOS) or "Opt out of Ads Personalisation" (Android) in your device settings

Opting out of advertising tracking will not affect essential platform functionality or prevent you from using Caboodle. You will still see advertisements, but they may be less relevant to your interests.

9.4 Klaviyo Marketing and CRM Tracking

With your explicit marketing cookie consent, we use Klaviyo for customer relationship management and marketing email delivery. Klaviyo collects the following data:

Data Collected by Klaviyo

  • Products viewed on our marketplace
  • Items added to your shopping cart
  • Checkout initiation (cart contents and total value)
  • Completed purchases and order history
  • Email address and profile information (when logged in)

Purpose and Legal Basis

This data is used to:

  • Send marketing emails such as abandoned cart reminders, product recommendations, and promotional offers
  • Personalise your shopping experience based on browsing behaviour
  • Create customer segments for targeted marketing campaigns
  • Analyse purchase patterns to improve our marketplace

The legal basis for this processing is Consent (Article 6(1)(a) GDPR). Klaviyo tracking is only activated when you explicitly accept marketing cookies through our cookie consent banner or Cookie Settings page.

Transactional vs Marketing Emails

We use two separate email services: Resend handles transactional emails (order confirmations, shipping updates, account notifications) which are essential to our service and do not require marketing consent. Klaviyo handles marketing emails (promotional offers, product recommendations, abandoned cart reminders) which require your explicit marketing consent.

Managing Klaviyo Preferences

You can control Klaviyo tracking by:

  • Updating your marketing cookie preferences on our Cookie Settings page
  • Clicking "Unsubscribe" in any Klaviyo marketing email
  • Contacting us at info@caboodle.ie to withdraw marketing consent

Withdrawing marketing consent will immediately stop Klaviyo tracking and marketing emails. It will not affect transactional emails sent via Resend. For more details, see Klaviyo's Privacy Policy.

You can manage all cookie preferences at any time through our Cookie Settings page. Disabling marketing cookies will stop Klaviyo and Meta Pixel tracking. Disabling essential cookies may affect platform functionality.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: Data in transit (TLS/SSL) and at rest
  • Access Controls: Role-based access and authentication
  • Regular Updates: Security patches and system monitoring
  • Third-Party Security: Vetted service providers with security certifications
  • Incident Response: Procedures for detecting and responding to breaches

In the unlikely event of a data breach affecting your rights and freedoms, we will notify the Data Protection Commission within 72 hours and inform affected individuals as required by law.

11. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.

For users aged 16-18, we may require parental consent for certain activities as required by Irish law.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will:

  • Post the updated policy on our website
  • Update the "Last Updated" date
  • Notify users of material changes via email or platform notification
  • Obtain fresh consent where required by law

13. Contact Information and Complaints

Data Controller Contact

Caboodle Ireland

Email: info@caboodle.ie

Response Time: Within 30 days

Supervisory Authority

If you're not satisfied with our response to your privacy concerns, you can lodge a complaint with:

Data Protection Commission (Ireland)

Website: www.dataprotection.ie

Phone: +353 57 868 4757

Email: info@dataprotection.ie

This Privacy Policy is compliant with GDPR and Irish data protection laws. By using Caboodle, you acknowledge that you have read and understood this policy.