Privacy Policy
Last updated: July 2, 2026
Feather (“Feather,” “we,” “us”) is a Shopify app built and operated by Heaps Good Studio. This policy describes what data Feather collects when a merchant installs it, and what data it observes on that merchant’s storefront — not what any individual merchant does with their own store or customers, which remains the merchant’s own responsibility.
What we don’t collect
Feather requests a single, read-only Shopify Admin API scope: read_privacy_settings, used only to check whether Shopify’s own native cookie banner is turned on, so we can warn you if it might double up with Feather’s banner. Feather cannot read your products, customers, orders, or any other store data through Shopify’s Admin API. Feather also does not use per-staff-member (“online”) access tokens, so it never learns the name or email of anyone on your team who installs or manages the app.
Data we collect from your store (the merchant)
- Your shop’s domain and a Shopify-issued app access token, so we can operate the app and call Shopify’s APIs on your store’s behalf.
- Your plan/settings (e.g., which features are enabled).
Data we collect from your storefront visitors
Feather’s consent banner and Tracker Monitor observe activity on your storefront to do their job. Specifically:
- Consent choices: when a visitor interacts with the consent banner, we log the choice made (analytics/marketing/preferences, yes or no), a coarse region code, and a timestamp. This is never tied to an individual visitor — there’s no visitor ID, cookie value, or IP address in this record, so we cannot look up or identify which specific visitor made a given choice.
- Tracker fingerprints: the Tracker Monitor records the hostnames of scripts/requests it observes, cookie names (never cookie values), global JavaScript variable names, and a coarse page type (e.g. “product,” “cart”). It never records full URLs, query strings, cookie contents, or anything that identifies a visitor.
- Feather does not set any cookies of its own. The banner relies on Shopify’s own built-in consent-storage mechanism (the Shopify Customer Privacy API). The Tracker Monitor uses a single browser session-storage flag (cleared when the tab closes) to sample once per session; it only runs — and only sets that flag — after Shopify’s Customer Privacy API confirms consent isn’t required in the visitor’s region or has been granted, so it never accesses the device before consent where consent is required.
What we do with this data
We use it solely to operate the features you’ve installed: showing/hiding the consent banner correctly, recording consent for your compliance records, and building your Tracker inventory. We do not sell it, and we do not share it with advertisers, analytics vendors, or any other third party. Feather does not send any storefront data to Google, Meta, or similar platforms — it only observes what’s already present on the page.
Our role
For the storefront-visitor data described above (consent choices and tracker fingerprints), Feather acts as a data processor on your behalf — you, the merchant, are the controller. For your own account data (shop domain, settings, and access token) we act as the controller. A data-processing agreement (DPA) is available on request to support your GDPR Article 28 obligations — email the address below.
Where data is stored
All data is stored in Google Cloud (PostgreSQL, hosted in the United States). As with any web service, our hosting provider may retain standard server access logs (which can include IP addresses) for operational and security purposes; this is separate from, and not linked to, the consent/tracker records described above.
Sub-processors
Currently, Google Cloud Platform (hosting only). Feather does not currently use any AI or third-party data-processing service. If that changes, this policy will be updated first.
Retention and deletion
Your store’s data is retained while the app is installed. If you uninstall Feather, Shopify notifies us automatically and we permanently delete all data associated with your shop — consent logs, tracker records, settings, and access tokens — within 48 hours.
Your rights
Since we don’t store data tied to individual visitors, there’s no per-visitor data to access or delete on request — there’s simply nothing to look up. As the merchant, you can request full deletion of your store’s data at any time by uninstalling the app, or by emailing us at the address below.
Changes to this policy
If we materially change what we collect or how we use it, we’ll update this page and change the “last updated” date above.
Contact
Heaps Good Studio — support@heapsgood.studio