Whitepaper
Is Pelicart secure?
By Caleb. Last updated 2026-06-10.
1. What Pelicart actually does
Pelicart works with Woolworths and Checkers. It is a small program that reads the WhatsApp messages you send it, asks a language model what you want, and uses your saved store login to add things to your cart. Once the cart is ready, it tells you to open that store’s app and pay there. That is the whole loop, and it is the same for either store.
The language model runs through Vercel’s AI Gateway, which lets us route to different model providers. We pick whichever one is best at understanding ordinary South African English and the kinds of casual lists people send friends. When the model decides what to do, it can only do one of a handful of things: search the store’s catalogue, add an item to your cart, remove an item, change the delivery address, or show you the cart so far. It cannot place an order. The system prompt that guides the model says so in writing, and there is no code in Pelicart that would let it do so anyway.
Everything below is a more careful look at each part of that loop.
2. Your store login
When you link your Woolworths or Checkers account, we send you a form on WhatsApp that opens a secure form right inside the chat. You type your store email and password into that form, and we use them once to sign you in. The store checks your password and sends back a session token. A session token is a long string of letters and numbers. It says “the holder of this string is logged in as so and so for about an hour.”
We keep the session token. We never keep your password.
Before the session token reaches our database, we scramble it using AES-256-GCM encryption. That is the same kind of encryption banks use to store sensitive data. Unscrambling the token again requires a separate secret key, which lives only on our hosting platform and not inside the database. When the token gets close to expiring, we silently swap it for a fresh one and re-encrypt it.
The linking form is single-use. Once you have logged in, we delete the token behind it, so no one can use it again. If you never use it, it expires on its own within a day.
3. Checkout, and why we never see your card
Pelicart has no code that finalises an order. The assistant can put things into your basket, and it can remove them, but when you say you are ready to check out, the only thing it can do is tell you to open the store’s app on your phone. You then review the cart we built, choose your delivery slot, and pay on the card you have already saved with the store.
Your card never reaches our servers. The store charges you on its own payment system. We do not see the card number, we do not see the transaction, and we do not move money anywhere. If the cart is wrong, you remove the wrong thing inside the store’s app before paying. The assistant is explicitly told, in its instructions, that it cannot claim to check out or pay for you.
4. Your messages, end to end
Here is the path a single WhatsApp message takes through Pelicart, in order.
- You type a message on WhatsApp and send it. WhatsApp belongs to Meta, so Meta receives it first.
- Meta forwards the message to our server at a special address called a webhook. Before we accept the message, we check a cryptographic signature Meta attaches to every request. The signature uses a secret only Meta and we know, so if anyone else tried to send a fake message pretending to be Meta, the signature would not match and we would throw it away.
- We save the message in our database, alongside your previous messages, so the assistant remembers context.
- We send the recent conversation to the language model through Vercel’s AI Gateway.
- The model reads the conversation and picks a single action to take: search the catalogue, add an item, remove an item, set the address, or open the cart. Pelicart runs that action against the store and feeds the result back to the model. The model can run a few of these actions in a row before it has something to say back to you.
- When the model is ready with a reply, Pelicart sends it back through Meta’s WhatsApp Business API to your phone.
We keep a rolling memory of about a hundred recent messages so the assistant feels continuous, and we expire it after seven days. A longer audit log of every message exists while we improve the product so we can debug failures. We plan to shorten how long we keep that audit log as we grow.
5. In theory, what Pelicart staff can do
Because I run Pelicart, I can see the messages you send the assistant and the cart it builds for you. I use that to help you when you ask and to fix problems during onboarding. I can also, in principle, act on your saved store session the way you can, until it expires. I have no reason to, and the next section covers the limits that hold even if I tried.
6. What Pelicart cannot do, even if it wanted to
The things in this section are not promises. They are architectural facts about how Pelicart and the store are built. Even if I went rogue tomorrow, none of the following are available to me.
- I cannot see your bank account. Pelicart never connects to a bank.
- I cannot see your card. Your card sits inside the store’s app on your phone. Pelicart talks to the store the way a logged-in browser does, and a logged-in browser cannot read a saved card.
- I cannot place an order. The Pelicart codebase has no checkout step. The agent is instructed to refuse to claim it can.
- I cannot pay anyone with your money. The only money Pelicart ever charges is your own Pelicart Pro subscription, and Stripe runs that on its own hosted checkout (through Autumn), so your card goes straight to Stripe and never reaches us. Pelicart has no way to send your money to anyone else.
- I cannot change your store password. The session token the store gives us cannot reset credentials. That requires your password, which we do not have.
- I cannot read other shoppers’ baskets. Your session token only authorises me to act on your account. The store isolates every account from every other.
7. Third parties, in detail
Pelicart sends some of your data to a small list of other services so that the product can actually work. Here is who, what they see, why they need it, and how long they keep it.
Meta, via the WhatsApp Business API
Meta receives every message you send Pelicart, and every reply we send back. They have to, because they are the company that runs WhatsApp. Meta’s own privacy policy governs that traffic. Pelicart does not have any extra agreement with Meta beyond signing up for their Business API.
Vercel AI Gateway
The language model that decides what to put in your cart runs through Vercel’s AI Gateway. Each time a message arrives, we send the recent conversation through the gateway to whichever model provider it routes to. Using a gateway lets us move between providers without changing how your data is handled. Your messages reach a provider only at the moment we need them to build a reply. A provider may keep API traffic briefly to investigate abuse.
PostHog
PostHog is our observability tool. It captures detailed traces of the assistant as it runs, including the text of your messages and the tool calls the model made. We use those traces to find and fix bugs. If you would rather we did not capture them for your account, email me and we will switch them off.
Mem0
Mem0 is the memory service that lets the assistant remember your preferences between conversations, like the brands you reach for or that you shop halaal. It receives traces of the assistant as it runs, including the text of your messages, and distils them into a short set of notes about you. Those memories are the point of the feature, so we keep them until you ask us to delete your data.
Convex
Convex is the database where your account, your messages, your saved addresses, and your encrypted store token live. Convex encrypts data at rest on its own infrastructure as a baseline. On top of that, we add a second layer of AES-256-GCM encryption to the store token specifically, using a key Convex does not hold.
Vercel
Vercel hosts the website you are reading right now and runs the Pelicart server code. It sees request metadata (which page was requested, when, from what country) the same way any web host does.
Google Maps
If you ask Pelicart to deliver to a new address that the store has not seen before, we ask Google Maps to convert your description into coordinates the store can understand. Google Maps sees only that address, and only when you give us a new one.
Woolworths and Checkers
Whichever store you link sees the cart Pelicart loads on your account, the same way it would see any cart you built yourself in their app. From the store’s point of view, Pelicart is indistinguishable from you logging in on a different device.
8. How to verify any of this
You do not have to take my word for any of this. Book a half hour with me and I will share my screen, open the source code, and walk you through the parts of this document you are most worried about. I am happy to do this on a Google Meet, or in person at Workshop 17, Kloof Street, Cape Town, most weekdays.
9. Changelog
- 2026-06-17 Pelicart now supports Checkers Sixty60 alongside Woolworths. Generalised this whitepaper to cover both stores; the security model is identical for each, so nothing about how we store your login or stay away from your card has changed.
- 2026-06-10 Linking your Woolworths account now happens in a secure form inside WhatsApp instead of on a page on our website. Rewrote section 2 to match. Nothing changed about what we store: we keep the encrypted session token and never your password.
- 2026-06-03 Added Pelicart Pro, a paid subscription billed through Stripe’s hosted checkout (via Autumn). Your grocery payment is unchanged: it still happens on your own card inside the Woolworths app, and Pelicart never sees it.
- 2026-05-11 Initial publication.