§1 — Architecture
How the data flows.
The central choice in Gatekeeper’s design is that visitor personal data never travels to our infrastructure. The age-verification form is rendered in the visitor’s browser, the visitor’s input is processed in the visitor’s browser, and the result is recorded in your Shopify admin.
We chose this architecture not because it was convenient, but because the simplest way to protect data is not to collect it.
The Gatekeeper data flow: Visitor (enters DOB locally) → Gate (evaluates in browser) → Shopify (order tag applied)
The data path runs left to right and stops at Shopify. HoneyWired’s servers receive only anonymous pings, aggregated daily — never the visitor’s input, never their IP, never anything identifying.
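The pattern described above, sketched as an added example; it is not HoneyWired's or Gatekeeper's code, and every function and field name in it is hypothetical. It shows a gate that evaluates the date of birth locally and returns only a boolean, plus a ping builder whose field allowlist keeps identifying values from being serialized.

```javascript
// Added illustration only. Function and field names are hypothetical.
// Dates are plain {year, month, day} parts so no time zone is involved.

// Reject impossible dates (31 February) rather than letting Date roll them over.
function isRealDate({ year, month, day }) {
  if (![year, month, day].every(Number.isInteger) || year < 1900) return false;
  const d = new Date(Date.UTC(year, month - 1, day));
  return d.getUTCFullYear() === year &&
         d.getUTCMonth() === month - 1 &&
         d.getUTCDate() === day;
}

// Whole years completed on `today`. A 29 February birthday counts as reached
// on 1 March in non-leap years (an assumption; the legal rule varies by region).
function ageOn(dob, today) {
  const hadBirthday = today.month > dob.month ||
    (today.month === dob.month && today.day >= dob.day);
  return today.year - dob.year - (hadBirthday ? 0 : 1);
}

// The gate's only output is a boolean; the DOB never leaves this call.
function evaluateGate(dob, today, minimumAge) {
  if (!isRealDate(dob) || !isRealDate(today)) return false;
  return ageOn(dob, today) >= minimumAge;
}

// Allowlist of ping fields. JSON.stringify with an array replacer drops every
// other key, so a stray `dob` or `ip` cannot be serialized by accident.
const PING_FIELDS = ["event", "day"];

function buildPing(details, today) {
  const pad = (n) => String(n).padStart(2, "0");
  const day = `${today.year}-${pad(today.month)}-${pad(today.day)}`;
  return JSON.stringify({ ...details, day }, PING_FIELDS);
}

// Constructed sample input.
const today = { year: 2022, month: 2, day: 28 };
const dob = { year: 2004, month: 2, day: 29 };
const passed = evaluateGate(dob, today, 18);
console.log(passed, buildPing({ event: passed ? "gate_pass" : "gate_fail", dob }, today));
```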
§2 — Data inventory
What we store. What we don’t.
This list is a summary. The full authoritative version lives in our Privacy Policy §4.
✓ We store
- Your shop domain and Shopify ID
- Your store owner name and email (for support)
- Your subscription and billing state
- Your rule and design configurations
- A daily count of tags we’ve written to Shopify (the tags themselves live in Shopify)
- Anonymous event pings (90-day max retention)
- Daily aggregate counts for your dashboard
- One-way hashed identifiers for abuse prevention
✕ We do not store
- Visitor dates of birth
- Visitor IP addresses
- Visitor user agents or browser fingerprints
- Visitor session IDs or tracking cookies
- Visitor names, emails, or identifying data
- Raw payment card data (Shopify handles billing)
- Order contents beyond the tag we applied
- Anything we can sell, monetize, or trade
§3 — Safeguards
How we protect what we do store.
The measures below are our implementation of GDPR Article 32. They are also enumerated in the Data Processing Agreement Annex II for EU and UK merchants.
01
Data minimization
The Service is architected so visitor PII is never transmitted to our infrastructure. Minimization is structural, not procedural.
02
Encryption
All data is encrypted in transit using TLS 1.2 or higher, and encrypted at rest using managed database security standards.
03
Pseudonymization
Identifiers retained for abuse prevention are cryptographically one-way hashed before long-term storage, reducing linkability.
04
Access controls
Production access is restricted to authorized personnel under the principle of least privilege, protected by multi-factor authentication.
05
Backups & resilience
Databases are routinely backed up through managed cloud provider services to support rapid restoration in the event of an incident.
06
Incident response
We maintain an internal Incident Response Plan designed to detect, contain, and notify affected merchants within 72 hours of awareness.
07
Secure development
Code and infrastructure changes follow a documented release process.
08
Vendor management
Every sub-processor is evaluated for security and privacy practices before engagement, and reviewed regularly afterward.
§4 — Sub-processors
Who touches your data.
We use a small set of essential service providers to deliver Gatekeeper. We intentionally exclude advertising networks, third-party analytics services, session replay tools, and data brokers.
The full list and our change-notification commitments live on the dedicated sub-processors page.
§5 — What we are (and aren’t)
Honest about our scope.
We are careful about what we claim. Security theater and over-certification create as many risks as they solve. Here is where we stand:
✓ We do
- GDPR Article 28 compliance (our DPA satisfies its requirements)
- UK GDPR and Swiss FADP alignment
- Shopify Partner Program compliance (mandatory GDPR webhooks, secure OAuth)
- CCPA compliance for California merchants
- Industry-standard technical controls (encryption, MFA, pseudonymization)
✕ We do not claim
- SOC 2 Type II certification (not pursued)
- ISO 27001 certification (not pursued)
- HIPAA compliance (out of scope — we don’t touch health data)
- PCI DSS certification (out of scope — Shopify handles payments)
- FedRAMP, FISMA, or other federal standards
If your procurement process requires certifications we don’t hold, contact us before assuming it’s a blocker. Many merchants have found that our architecture addresses the underlying concern even without the certification.
§6 — Responsible disclosure
If you find a vulnerability, tell us.
We welcome reports from security researchers and we will engage with you in good faith. We do not currently run a paid bug bounty program, but serious reports receive public acknowledgement and our gratitude.
How to report
Email security@honeywired.com with a description of the issue, steps to reproduce, and any proof of concept. PGP encryption available on request.
We commit to:
• Acknowledging your report within 2 business days.
• Providing an initial assessment within 5 business days.
• Keeping you informed of our progress until resolution.
• Publicly crediting you, if you wish, once the issue is resolved.
In scope: Gatekeeper’s application, the Theme App Extension, and our APIs.
Out of scope: Issues in Shopify itself, hosting provider infrastructure, and the merchant’s own theme code.
We ask that you do not access data that isn’t yours, do not degrade service availability, and do not publicly disclose findings until we have had a reasonable opportunity to address them.