Privacy policy
Last updated 2026-06-03.
This page describes what Pelicart collects about you, who else processes that information, how long we keep it, and how to ask us to delete it. For a deeper, technical explanation of how the service is built and what could go wrong, read the security whitepaper.
What we collect
When you message Pelicart on WhatsApp, Meta tells us your phone number and the display name on your WhatsApp profile. We keep the text and images you send and the replies we send back. We learn your first name once you tell the assistant what it is.
When you link your Woolworths or Checkers account, we store an encrypted session token that proves you are logged in. We scramble the token with AES-256-GCM encryption before it reaches our database. We also remember any delivery addresses you ask the assistant to use, so it can pick the right one next time.
We assign you a user ID inside our database and keep track of whether you subscribe to Pelicart Pro. Stripe bills subscriptions (via Autumn), and we give Stripe your name and email so it can manage them. That is the full list.
What we never collect
We never store your Woolworths or Checkers password. We never touch your credit card or your bank. You pay inside the store’s app on your phone, on your card, after you review the cart we loaded. The security whitepaper explains why the architecture makes it impossible for us to see any of those things.
Who else processes this data
Pelicart is a small website talking to a short list of other services on your behalf. Each one sees only what it needs.
- Meta (WhatsApp Business API) delivers your messages to us and our replies back to you.
- Vercel AI Gateway routes your recent conversation to the language models that decide what to add to your cart.
- Convex is the database where your account, your encrypted store token, and your messages live.
- Vercel is our hosting platform. It serves this website and runs our server code.
- PostHog receives traces of the assistant while it runs so we can find and fix bugs.
- Google Maps only sees a new delivery address when you give us one to add.
- Mem0 receives traces of the assistant while it runs so we can remember your preferences.
- Woolworths and Checkers see the cart we load on your account, in the same way they see any logged-in shopper.
How long we keep it
We keep recent chat memory for seven days so the assistant remembers what you asked yesterday. After that, we delete it automatically.
A longer audit log of your messages stays in our database while the product is new. We use it to investigate problems and to improve the assistant. We plan to shorten it once the product is stable.
Your account, your encrypted store token, any saved addresses, and the preferences Pelicart remembers about you stay until you ask us to delete them.
Deleting your data
Message “delete me” on WhatsApp or email hello@pelicart.com. We remove your account, your encrypted store token, your saved addresses, your saved preferences, the audit log, and the chat memory.
Contact
For anything privacy or security related, email hello@pelicart.com. If you want to understand exactly how Pelicart is built before you trust it, the security whitepaper walks through the threat model and what each third party sees.