Privacy Policy

PlatinumConsent ("we", "our", "the app") is a Shopify app that helps merchants display cookie consent banners on their storefronts. This policy explains what data we collect, how we use it, and how we protect it.

We are the data controller for the merchant data described below. You can contact us at [email protected].

Merchant store data. When you install the app we store your Shopify store domain, installation date, billing plan status, and your banner settings (region, colours, text, position). This is required to provide the service.

Merchant admin session data. We store the Shopify OAuth session required to authenticate you in the app admin. This session record may include your name, email address, locale, and account role as provided by Shopify during the OAuth flow. This data is used solely for authentication and is not used for any other purpose.

We do not collect any data from storefront visitors. Consent preferences chosen by visitors are stored locally in the visitor's browser (via localStorage) and are never sent to our servers. We do not collect visitor IP addresses, device identifiers, or any other personal information from shoppers.

We process merchant data on the basis of contract performance — the data is necessary to deliver the service you have subscribed to. If you are located in the EU or UK, this corresponds to Article 6(1)(b) of the UK/EU GDPR.

Data is used exclusively to operate the app: authenticating you in the admin, displaying the correct banner configuration on your storefront, and gating features by subscription plan.

We do not sell, rent, or share your data with third parties for marketing purposes.

Shopify. We access your store through the Shopify API as required to install and operate the app. Shopify's own privacy policy applies to data they hold.

Railway. Our application and database are hosted on Railway (railway.app), a US-based infrastructure provider. Data is stored on servers located in the United States. If you are based in Australia or New Zealand, this means your personal information is transferred to and processed in the United States. We have taken reasonable steps to ensure Railway maintains appropriate security standards. Railway's privacy policy is available at railway.app/legal/privacy.

Your store and session data is retained while the app is installed. When you uninstall the app, your authentication sessions are deleted immediately and all remaining store data is deleted within 48 hours via Shopify's mandatory shop redact webhook. You can also request full deletion by emailing [email protected] and we will remove all records within 30 days.

All data is transmitted over HTTPS. Session data is stored securely in our database and access tokens are never exposed to the browser. We do not retain access tokens beyond what Shopify session management requires.

If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the relevant authority without undue delay. In Australia this means notifying the Office of the Australian Information Commissioner under the Notifiable Data Breaches (NDB) scheme. In New Zealand this means notifying the Privacy Commissioner and affected individuals as required under the Privacy Act 2020. We will contact you at the email address associated with your Shopify account.

Depending on your location you may have the right to access, correct, or delete your data, or to object to or restrict its processing. This includes rights under the EU/UK GDPR, the Australian Privacy Act 1988, and the New Zealand Privacy Act 2020.

We do not store any data about storefront visitors — consent choices are handled entirely in the visitor's browser and are not transmitted to our servers.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Questions about this policy? Email us at [email protected] or visit our support page.