Privacy Policy
Effective Date: May 27, 2026 · Last Updated: May 17, 2026
1. Introduction
CaratCloud ("CaratCloud," "we," "us," or "our") is a software-as-a-service platform that provides jewelry businesses with inventory management, point-of-sale, customer relationship management, catalog sharing, and reporting tools. CaratCloud is operated by Viraj International Inc., a New Jersey corporation, with its principal place of business at 62W 47th St, Suite 310, New York, NY 10036.
This Privacy Policy explains how we collect, use, share, and protect information when you (a) visit our website at caratcloud.net, (b) sign up for or use the CaratCloud platform, or (c) otherwise interact with us.
By using CaratCloud, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the service.
2. Who This Policy Applies To
This policy applies to two distinct groups, and we treat their data differently:
- CaratCloud Customers — jewelry businesses (retailers, wholesalers, manufacturers) who subscribe to our platform and the individual users at those businesses (owners, employees, staff).
- End Buyers — the retail customers of our CaratCloud Customers, whose information our Customers enter into CaratCloud as part of running their business.
For End Buyers: CaratCloud is a data processor, and the jewelry business using CaratCloud is the data controller. If you are an end buyer and want to access, correct, or delete your personal information, you should contact the jewelry business directly. We will assist them in fulfilling your request.
For CaratCloud Customers: CaratCloud is the data controller with respect to your account and usage data.
3. Information We Collect
3.1 Information You Provide Directly
Account information: name, business name, email address, phone number, billing address, role at the business.
Authentication information: password (stored as a salted hash, never in plain text), two-factor authentication settings.
Business operational data: jewelry inventory records, product catalogs, supplier information, internal pricing, customer (end buyer) contact details that you enter, transaction history, invoices, and other data you upload or input into the platform.
Payment information for your CaratCloud subscription: we use a third-party payment processor and do not directly store full payment card numbers. We retain only the last four digits, card brand, and expiry for reference.
Communications: support tickets, emails to us, feedback, and chat messages.
3.2 Information We Collect Automatically
Usage data: features used, pages visited, clicks, session duration, error logs.
Device and connection data: IP address, browser type and version, operating system, device type, time zone, referrer URL.
Session recordings and heatmaps: we use Microsoft Clarity to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay. This helps us improve and market our products and services. For more information, see Section 8 (Cookies and Tracking) below.
Cookies and similar technologies: see Section 8.
3.3 Information from Third Parties
If you sign in using a third-party login provider (e.g., Google), we receive your name, email, and profile picture from that provider, as authorized by you.
If you connect CaratCloud to a marketplace (Amazon, Etsy, Shopify) or other integration, we receive data from those platforms as you authorize.
4. How We Use Information
We use information to:
- Provide, maintain, and improve the CaratCloud platform
- Process subscription payments and manage billing
- Authenticate users and secure accounts
- Communicate with you about your account, service updates, security alerts, and (with your consent or as permitted by law) marketing
- Provide customer support
- Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Service
- Comply with legal obligations and respond to lawful requests
- Conduct analytics — including session recordings and heatmaps — to understand how the product is used and improve it. Where possible, we use aggregated or de-identified data for this purpose
- Develop new features and products
We do not sell personal information. We do not use End Buyer data (data entered into the platform by our Customers about their retail customers) for our own marketing.
5. Legal Bases for Processing (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract — to provide the service you signed up for.
- Legitimate interests — to secure our platform, prevent fraud, and improve our product, balanced against your rights.
- Consent — for marketing communications, non-essential cookies, and session-recording analytics (such as Microsoft Clarity), where required.
- Legal obligation — to comply with tax, accounting, and other laws.
You can withdraw consent at any time where we rely on consent. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
6. How We Share Information
We share information only as described below:
Service providers and sub-processors. We use third-party vendors to operate the platform. Each has a contract (or Data Processing Agreement) requiring them to handle data securely and only on our instructions, except where a vendor acts as an independent data controller (see the Microsoft Clarity entry below). Current sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | Singapore (HQ); data hosted on AWS US East (N. Virginia) |
| Cloudflare | CDN, DDoS protection, DNS, and security | San Francisco, CA (HQ); 300+ edge locations globally |
| Vercel | Application hosting and serverless compute | San Francisco, CA (HQ); primary compute in Washington, D.C. |
| Resend | Transactional and notification emails | San Francisco, CA (HQ); United States |
| Upstash (Redis) | Serverless caching and rate limiting | San Jose, CA (HQ); AWS-hosted, United States |
| Microsoft Clarity | Session recording, heatmaps, and behavioral analytics | Redmond, WA (HQ); United States |
Note on Microsoft Clarity: Microsoft acts as an independent data controller (not a processor) for data collected through Clarity. This means Microsoft may use Clarity data for its own purposes, including service improvement and advertising. We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products and services. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
Business transfers. If CaratCloud is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will notify you and require any successor to honor this policy or provide reasonable notice and choice.
Legal requirements. We may disclose information when required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect rights, safety, or property.
With your direction. If you connect a third-party integration (e.g., Shopify, Amazon, Etsy), we share data with that service as you authorize.
Affiliates. We may share information with Viraj International Inc. and its affiliated entities for the purposes described in this policy.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as defined under CCPA/CPRA.
7. International Data Transfers
CaratCloud is operated from the United States. If you access the service from outside the United States, your information will be transferred to, and stored and processed in, the United States. Where required by law (e.g., for EEA/UK users), we rely on the EU–US Data Privacy Framework, Standard Contractual Clauses, or other lawful transfer mechanisms.
8. Cookies and Tracking
We use cookies and similar technologies for the purposes described below. "Cookies" includes HTTP cookies, local storage, and similar browser-based storage mechanisms.
8.1 Essential Cookies
These cookies are necessary for the platform to function and cannot be switched off. They include session authentication cookies and CSRF protection tokens.
8.2 Functional Cookies
These cookies remember your preferences, such as language or display settings. They do not track you across other websites.
8.3 Analytics and Performance Cookies
We use Vercel Analytics and Supabase built-in analytics to understand how the product is used.
8.4 Microsoft Clarity Cookies
We use Microsoft Clarity for session recordings, heatmaps, and behavioral analytics. Clarity sets the following cookies:
- _clck — stores a unique user identifier and preferences (first-party, expires after 12 months)
- _clsk — groups pageviews into a single session recording (first-party, expires after 1 day)
- CLID — identifies the first time a user visits a site using Clarity (third-party, expires after 12 months)
- MUID — a Microsoft-wide browser identifier used across Microsoft properties for analytics and advertising (third-party, expires after 12 months)
- ANONCHK, MR, SM — supporting cookies used by Microsoft to maintain the MUID identifier (third-party, short duration)
Important: The MUID cookie is shared across Microsoft services and may be used by Microsoft for advertising purposes. Microsoft acts as an independent data controller for data collected through these cookies.
Clarity cookies are non-essential. Where required by law (e.g., for EEA/UK visitors), we obtain your consent before setting these cookies. You may decline them without affecting core platform functionality.
8.5 Managing Cookies
You can disable cookies in your browser settings at any time. Disabling essential cookies may prevent parts of the platform from functioning. You can also disable non-essential cookies (including Microsoft Clarity) through our cookie consent banner where displayed. We do not use cookies for third-party advertising or cross-site tracking beyond the Microsoft Clarity functionality described above.
9. Data Security
We implement appropriate technical and organizational measures to protect personal information, including:
- TLS/HTTPS encryption in transit
- Encryption at rest for databases and backups
- Access controls, role-based permissions, and the principle of least privilege
- Regular security reviews and dependency updates
- Logging and monitoring of access to production systems
- Salted password hashing (never plain text)
- Row-level security policies to isolate tenant data
No system is 100% secure. If we become aware of a security breach affecting your personal information, we will notify you and applicable regulators as required by law (within 72 hours of becoming aware of a breach, where required by the GDPR).
10. Your Rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to fix inaccurate information.
- Deletion — ask us to delete your personal information, subject to legal retention requirements (see our Data Retention Policy).
- Portability — receive a copy of your data in a structured, machine-readable format.
- Objection / Restriction — object to or restrict certain processing.
- Withdraw consent — where we rely on consent (including for Microsoft Clarity session recording).
- Non-discrimination — we will not discriminate against you for exercising these rights.
To exercise these rights, email us at privacy@caratcloud.net. We will respond within the time required by applicable law (generally 30 days, extendable in some cases).
If you are an End Buyer (a customer of a CaratCloud Customer), please contact the jewelry business directly. We will assist that business in fulfilling your request.
For California Residents (CCPA/CPRA)
You have the following rights under the CCPA/CPRA:
- Right to Know — request the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete — request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing — we do not sell personal information or share it for cross-context behavioral advertising as defined by the CCPA/CPRA.
- Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes beyond what is necessary to provide our services.
- Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.
Categories of personal information we collect: identifiers (name, email, phone, IP address); commercial information (transaction records, billing history); internet or electronic network activity (usage data, session recordings); professional or employment-related information (business name, role). We collect this information for the business purposes described in Section 4.
For EEA/UK Residents
You have the right to lodge a complaint with your local data protection authority. For session recording and heatmap analytics (Microsoft Clarity), we will obtain your consent before processing. You may withdraw that consent at any time without affecting the lawfulness of processing performed before withdrawal.
11. Children's Privacy
CaratCloud is a business-to-business service and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@caratcloud.net and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via the platform at least 30 days before the changes take effect. The "Last Updated" date at the top reflects the most recent revision. We review this policy at least annually.
13. Contact Us
CaratCloud (operated by Viraj International Inc.)
62W 47th St, Suite 310, New York, NY 10036
- Privacy inquiries: privacy@caratcloud.net
- General support: support@caratcloud.net