GateKeeper

Last updated: June 25, 2026

Privacy Policy

This Privacy Policy describes how GateKeeper ("we", "us", or "our") collects, uses, stores, and shares information when merchants install and use the GateKeeper Shopify app and when visitors interact with a merchant's Online Store where GateKeeper is enabled.

1. Who this policy applies to

GateKeeper is a Shopify app operated for merchants who use Shopify to run their online stores. This policy covers:

  • Merchants — store owners and staff who install and configure GateKeeper in the Shopify admin.
  • Store visitors — people who browse a merchant's storefront where GateKeeper lock actions are active, including customers who attempt to unlock restricted content or complete checkout.

2. Information we collect

2.1 Merchant and app data

When you install and use GateKeeper, we may process:

  • Your Shopify shop domain and app installation status.
  • OAuth access tokens and session data required to authenticate the app inside Shopify admin.
  • Lock actions you create, including rule names, priorities, lock targets, key conditions, and action settings.
  • Hashed passcodes and hashed magic-link tokens configured for unlock rules. We do not store passcodes or magic links in plain text.
  • Shop settings such as default blocked-content messaging and support preferences.
  • Operational logs and rule events, such as webhook receipts, simulation activity, and unlock outcomes. Logs are structured to avoid storing secrets in plain text where possible.
  • Checkout validation configuration synced to your shop metafields for identity-based checkout blocking.

2.2 Storefront visitor data

When GateKeeper runs on a merchant's Online Store, we may process:

  • Basic visitor context provided by the theme or Shopify, such as whether a customer is logged in, customer tags, and customer email when already available to the storefront.
  • Passcodes or magic-link tokens submitted through unlock forms on the storefront. Submitted values are verified against stored hashes and are not retained in plain text after verification.
  • Short-lived signed unlock grants stored in the visitor's browser session storage to remember successful unlocks during a browsing session.
  • Approximate country information derived from request headers (for example, CDN or platform geo headers) when geo-based keys are used. Geo lookup fails open when location cannot be determined.
  • IP address and request metadata used for rate limiting and abuse protection on storefront API endpoints.
  • Checkout buyer identity signals processed by Shopify's cart validation function when checkout lock actions are active.

2.3 Shopify API data

GateKeeper accesses Shopify data only as needed to provide app functionality, based on the permissions granted at install. This may include product, collection, content, customer, and validation-related data required to build lock actions, run previews, and enforce rules.

3. How we use information

We use collected information to:

  • Provide, operate, and maintain GateKeeper features.
  • Authenticate merchants and enforce lock actions on the storefront.
  • Validate passcodes, magic links, and identity-based access rules.
  • Block or allow checkout according to merchant-configured rules.
  • Detect abuse, protect endpoints, and improve reliability.
  • Respond to support requests and legal or compliance obligations.

We do not sell merchant or visitor personal information. We do not use storefront data for unrelated advertising.

4. How we share information

We may share information only in these circumstances:

  • Shopify — as required for app installation, admin embedding, webhooks, checkout validation, and theme app extension functionality.
  • Infrastructure providers — such as hosting and database providers that process data on our behalf to run the app.
  • Legal requirements — when required by law, regulation, court order, or to protect rights, safety, and security.

5. Data retention

We retain merchant app data while the app is installed and as needed to provide the service. When a merchant uninstalls GateKeeper, we mark the shop as uninstalled and remove active sessions. Shopify may also send mandatory compliance webhooks requesting deletion of shop or customer data; we process those requests according to Shopify's requirements.

Short-lived visitor unlock grants expire automatically. Rate-limit and operational logs are retained only as long as needed for security and troubleshooting.

6. Security

We use technical and organizational measures designed to protect data, including HTTPS in production, hashed storage for sensitive unlock credentials, signed expiring unlock grants, webhook HMAC verification, and access controls on admin routes. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

7. Your rights and Shopify compliance webhooks

GateKeeper supports Shopify's mandatory privacy compliance webhooks:

  • customers/data_request — we acknowledge requests to access customer data stored by the app.
  • customers/redact — we delete or redact customer-related data stored by the app when requested.
  • shop/redact — we delete shop data after app uninstallation in accordance with Shopify's timeline.

Merchants are responsible for their own privacy obligations to their customers. Store visitors with privacy questions should contact the merchant operating the store. Merchants may contact us using the details below.

8. International transfers

Information may be processed and stored in countries where we or our service providers operate. We take steps designed to ensure appropriate safeguards when data is transferred internationally.

9. Children's privacy

GateKeeper is not directed to children and is intended for use by merchants operating online stores. We do not knowingly collect personal information from children.

10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the latest revision. Continued use of the app after changes become effective constitutes acceptance of the updated policy.

11. Contact us

If you have questions about this Privacy Policy or GateKeeper's data practices, contact us at cognitiolab1@gmail.com.