Legal
Cruxtab Age Verification

Privacy Policy

How CruxTab collects, uses, processes, discloses, safeguards, and retains information when you install, access, or use the Cruxtab Age Verification app on Shopify.

Last updated: April 17, 2026

CruxTab ("we," "us," "our," or "CruxTab") operates the Cruxtab Age Verification application ("App," "Service," or "Age Verification App") for the Shopify platform. This Privacy Policy ("Policy") describes in detail how we collect, use, process, disclose, safeguard, and retain information when you install, access, or use our App, as well as the rights and choices available to you regarding that information.

This Policy applies to all users of the App, including Shopify merchants who install the App on their stores ("Merchants," "you," or "your") and the visitors or end users who interact with the age verification popup on merchant storefronts ("Visitors" or "End Users").

By installing, accessing, or using the App, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of information as described in this Privacy Policy. If you do not agree with any part of this Policy, please uninstall the App and discontinue use of the Service.

1. About the app

Cruxtab Age Verification is a Shopify app that helps merchants verify the age of visitors to their online store by displaying a customizable age verification popup. The App supports verification through:

  • Date of birth input: Visitors enter their date of birth, which is evaluated against the age threshold configured by the Merchant.
  • Question-based verification: Visitors answer a simple question (such as confirming they are above a certain age) configured by the Merchant.
  • Customization options: Merchants can configure the popup's appearance, messaging, logo image, and behavior through the App dashboard.

Visitors who do not meet the configured age criteria are prevented from accessing the storefront, helping Merchants comply with legal and regulatory requirements for age-restricted products and content.

2. Scope of this policy

This Privacy Policy governs:

  • Information collected from Merchants who install and configure the App on their Shopify stores.
  • Information collected from Visitors who interact with the age verification popup on Merchant storefronts.
  • Information exchanged between the App and the Shopify platform through authorized access.
  • Any additional information voluntarily provided to us through support requests, feedback, or other communications.

This Policy does not apply to:

  • The Shopify platform itself, which is governed by Shopify's own privacy policy.
  • The Merchant's storefront beyond the age verification popup, which is governed by the Merchant's own privacy practices.
  • Third-party websites, applications, or services that you may link to or integrate with, each of which has its own privacy practices.

3. Information we collect

We collect information in several ways, as described below.

3.1 Information received from Shopify

When you install and authorize the App on your Shopify store, we receive the following information through Shopify's authorized interfaces, consistent with the access scopes granted during installation:

  • Store owner personal data: Name, email address, phone number, and physical address of the store owner, as provided by Shopify.
  • Store information: Your Shopify store domain, store name, store identifier, primary currency, time zone, and general store configuration relevant to the App's functionality.
  • Products and collections: Product and collection information accessible to the App, used to enable features such as applying age verification to specific products or collections.
  • Online Store theme: Limited theme information necessary to inject and display the age verification popup on your storefront correctly.
  • Shopify admin files: Access to upload and manage files (such as your logo or background image) within your Shopify admin.
  • Session and authentication data: Access tokens, session identifiers, and credentials required to keep the App connected and authenticate your session.
  • Shop metadata: Store plan information, installation and uninstallation events, and other operational data necessary for support and compliance.

3.2 Information you provide directly

  • Popup configurations: Age threshold, verification method (date of birth or question-based), question and answer sets, popup placement, and visibility settings.
  • Appearance settings: Logo image, background image or color, headline and message text, button text and colors, font choices, and other styling preferences.
  • Behavior settings: What happens when a visitor passes or fails verification, redirect URLs, cookie or session duration, and retry rules.
  • Template selections: Pre-built templates you select or customize for the verification popup.
  • Support communications: Content of messages, attachments, and contact details you share when you reach out.
  • Feedback and survey responses: Optional information you choose to share to help us improve the App.

3.3 Information collected from Visitors (End Users)

  • Verification input: The date of birth the Visitor enters, or the answer the Visitor selects for a question-based verification. This is used solely to evaluate whether the Visitor meets the Merchant's configured age criteria.
  • Verification result: Whether the Visitor passed or failed the verification, and a timestamp of the attempt.
  • Session or local storage data: A small flag stored in the Visitor's browser (such as in a cookie or local storage) to remember that the Visitor has already completed verification, so the popup does not reappear on every page load during the Merchant's configured duration.
  • Aggregate interaction data: Counts of verification attempts, passes, and failures used to populate the Merchant's dashboard. Wherever possible, this data is aggregated and does not identify individual Visitors.
  • Technical metadata: Basic information necessary for the popup to function and for security purposes, such as the storefront page where the popup was displayed and a timestamp.

Important: Dates of birth entered by Visitors are used only to evaluate the age criterion. We do not use this information to build profiles of individual Visitors, and we do not share it with advertisers or other merchants.

3.4 Information collected automatically

  • Usage data: Pages and features accessed within the App, actions taken, errors encountered, and time spent on features.
  • Technical information: Browser type and version, operating system, and general device characteristics.
  • Log information: Access logs and diagnostic information used for security, troubleshooting, and improvement.

3.5 Information we do not collect

  • We do not collect payment card numbers or financial account information from you or your Visitors.
  • We do not collect government-issued identification numbers, scanned ID documents, or biometric data from Visitors. The App performs age attestation based on self-reported information only; it is not an identity verification service.
  • We do not track Visitors across other websites or build advertising profiles.
  • We do not sell Visitor data to third parties.

4. How we use your information

4.1 To provide and operate the App

  • Authenticating your session and maintaining a secure connection to your Shopify store.
  • Saving, loading, displaying, and editing your popup configurations.
  • Injecting the age verification popup into your storefront according to your settings.
  • Evaluating Visitor input against the age criteria you have configured.
  • Remembering a Visitor's successful verification for the duration you configure, so the popup does not reappear unnecessarily.
  • Displaying dashboard analytics summarizing verification activity on your store.
  • Uploading and serving logo or background images you add to the popup.

4.2 To communicate with you

  • Responding to your support requests, questions, and feedback.
  • Sending service-related notices, updates, and security alerts.
  • Notifying you of planned maintenance or service interruptions.
  • Informing you about new features (you can opt out of non-essential communications at any time).

4.3 To improve and develop the App

  • Analyzing aggregated usage patterns to identify improvement opportunities.
  • Diagnosing technical issues, debugging errors, and improving reliability.
  • Researching and developing new features, enhancements, and templates.
  • Conducting internal testing and quality assurance.

4.4 To protect the App and our users

  • Detecting, preventing, and responding to fraud, abuse, spam, and security incidents.
  • Monitoring for unusual or suspicious activity.
  • Enforcing our Terms of Service and other agreements.

4.5 To comply with legal obligations

  • Meeting our obligations under applicable laws and regulations.
  • Responding to lawful requests from public authorities.
  • Protecting our rights, property, and safety, and those of our users and the public.

4.6 What we do not do

We do not:

  • Sell, rent, or trade your personal information or Visitor data to third parties.
  • Use your data or Visitor data for advertising or marketing purposes unrelated to the App.
  • Share Visitor verification data with other merchants or unrelated third parties.
  • Retain individual Visitor date-of-birth entries longer than reasonably necessary to perform the verification and record the outcome.
  • Train artificial intelligence or machine learning models on Visitor verification data without your explicit consent.

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on:

  • Performance of a contract: To provide the App and fulfill our obligations under our Terms of Service.
  • Legitimate interests: To improve the App, ensure security, prevent fraud, and communicate with you.
  • Legal obligation: To help Merchants comply with age-restriction laws applicable to their products, and to comply with laws applicable to us.
  • Consent: Where you have given explicit consent for specific processing activities (you may withdraw consent at any time).

For Visitor data collected through the age verification popup, the Merchant is the data controller and is responsible for establishing the appropriate legal basis for processing and for providing any required notices to Visitors. CruxTab acts as a data processor on behalf of the Merchant for this data.

6. Data storage and security

6.1 Storage practices

Your data is stored securely using industry-standard cloud infrastructure with appropriate safeguards. We use separate, access-controlled systems for structured records (such as configurations and verification logs) and for file assets (such as logo images uploaded for the popup).

6.2 Security measures

  • Encryption in transit: All data transmitted between Visitor browsers, your browser, our servers, and Shopify is encrypted using industry-standard secure transport protocols.
  • Encryption at rest: Sensitive data is encrypted when stored.
  • Access controls: Access to production systems is restricted to authorized personnel under the principle of least privilege.
  • Authentication and authorization: Multi-factor authentication and strong password requirements for internal access.
  • Monitoring and logging: Continuous monitoring of systems for security events, with audit logs maintained for accountability.
  • Regular updates: Software and infrastructure components are kept current with security patches.
  • Secure development practices: Code is reviewed and tested for security issues as part of our development process.
  • Incident response: We maintain procedures to respond to security incidents and notify affected parties as required by law.

6.3 Your role in security

While we take data security seriously, no method of electronic transmission or storage is 100% secure. You play an important role by:

  • Using strong, unique passwords for your Shopify account.
  • Enabling two-factor authentication on your Shopify account.
  • Limiting access to your Shopify store to trusted staff members.
  • Promptly removing access for staff who no longer require it.
  • Notifying us immediately if you suspect unauthorized access to your account or the App.

7. Data sharing and disclosure

7.1 With Shopify

As an App built for the Shopify platform, the App exchanges information with Shopify as necessary to function, including authentication, reading store and product data, and displaying the popup on your storefront. This exchange is governed by Shopify's platform requirements and terms.

7.2 With service providers

We work with trusted third-party service providers (cloud hosting, data storage, email delivery, error monitoring, customer support tools) who:

  • Have access only to the information necessary to perform their services.
  • Are contractually obligated to protect your data and use it only for the purposes we specify.
  • Are bound by confidentiality obligations.
  • Are selected based on their commitment to data protection and security.

7.3 For legal and safety reasons

We may disclose information if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation, court order, subpoena, or other lawful governmental request.
  • Enforce our Terms of Service or other agreements.
  • Protect the rights, property, or safety of CruxTab, our users, or the public.
  • Detect, prevent, or address fraud, security, or technical issues.

7.4 In connection with a business transaction

If CruxTab is involved in a merger, acquisition, reorganization, sale of assets, financing, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and provide you with options regarding your data where required by law.

7.5 With your consent

We may share information in other ways if you give us specific consent to do so.

7.6 Aggregated or de-identified information

We may share aggregated or de-identified information (which cannot reasonably be used to identify you or a Visitor) with third parties for research, analytics, reporting, or business purposes.

8. Data retention

8.1 Retention periods

  • Merchant account data: Retained for as long as the App is installed on your store.
  • Popup configurations and uploaded assets: Retained for as long as the App is installed and the configurations or assets exist in your account.
  • Visitor verification inputs (such as date of birth): Processed at the time of verification and not retained in identifiable form beyond what is needed to record the outcome and prevent re-prompting during the configured duration.
  • Verification outcome logs: Aggregate or anonymized records of verification attempts (such as pass/fail counts and timestamps) may be retained to populate your dashboard and for abuse prevention, for a reasonable period.
  • Browser-side flags: The flag stored in the Visitor's browser to remember successful verification persists for the duration you configure, and is controlled by the Visitor's browser (they may clear it at any time through their browser settings).
  • Session and authentication data: Authentication sessions expire automatically and are cleaned up regularly.
  • Support communications: Retained for a reasonable period to enable ongoing support.
  • Log data: Retained for a limited period for security, troubleshooting, and compliance purposes.

8.2 Retention after uninstallation

  • Your data will be retained for up to 30 days to allow for reinstallation without loss of configuration.
  • After this grace period, your data will be permanently deleted from our active systems.
  • Residual copies may persist in backup systems for a limited additional period, after which they are also purged.
  • Certain information may be retained longer where required by law, for dispute resolution, or in aggregated or de-identified form.

8.3 Your deletion requests

You may request earlier deletion of your data at any time by contacting us at the email address provided below. We will honor such requests subject to any legal retention obligations.

9. Your rights and choices

9.1 Rights that may apply

  • Right to access: Request confirmation of whether we process your personal data and obtain a copy of that data.
  • Right to correction: Request correction of inaccurate or incomplete personal data.
  • Right to deletion: Request deletion of your personal data, subject to certain legal exceptions.
  • Right to restriction of processing: Request that we limit how we process your data in certain circumstances.
  • Right to data portability: Request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to object: Object to certain processing activities, including processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.
  • Right to lodge a complaint: File a complaint with a supervisory authority in your jurisdiction.

9.2 How to exercise your rights

To exercise any of these rights, please contact us at info@cruxtab.com. We may need to verify your identity before fulfilling your request, and we will respond within the time frames required by applicable law.

9.3 Rights of Visitors

If you are a Visitor who interacted with an age verification popup on a Merchant's storefront and you wish to exercise rights regarding your data, please contact the Merchant directly, as they are the controller of that data. We will assist Merchants in responding to such requests as a data processor.

9.4 Your choices

  • Email communications: You may opt out of non-essential email communications by following the unsubscribe instructions or contacting us directly. Essential service-related communications cannot be opted out of while you continue to use the App.
  • Uninstallation: You may uninstall the App at any time through your Shopify admin, which will stop our collection of new data from your store (subject to the retention periods described above).
  • Browser controls (Visitors): Visitors may clear the verification flag stored by their browser at any time through their browser settings; doing so will cause the popup to reappear on their next visit.

10. Merchant responsibilities

Because the age verification popup collects information from Visitors on your storefront, you have important responsibilities as a Merchant:

  • Legal compliance: You are responsible for determining what age threshold applies to your products and for ensuring that the verification method you configure meets the legal requirements in the jurisdictions where you operate.
  • Privacy notices: You should update your own storefront privacy policy to inform Visitors that an age verification popup is used and describe what information is collected.
  • Accuracy of configuration: You are responsible for configuring the popup accurately (including the age threshold, messaging, and behavior) and for keeping it up to date.
  • Responding to Visitor requests: As the controller of Visitor data, you are responsible for responding to any privacy requests Visitors make regarding data collected through your storefront.
  • Appropriate use: You must not use the App to collect information beyond what is necessary for age verification, or to mislead Visitors about the purpose of the popup.

Please note: the App provides an age attestation mechanism based on self-reported input. It is not a government-issued identity verification service and should not be relied upon where stronger identity assurance is legally required.

11. Third-party services and links

11.1 Shopify

The App operates within the Shopify platform and is subject to Shopify's Privacy Policy. We recommend reviewing Shopify's privacy practices to understand how Shopify handles your data.

11.2 External links

Our communications or the App interface may contain links to external websites that are not operated by us. We are not responsible for the privacy practices or content of these third-party sites.

12. Cookies and similar technologies

To make the age verification experience smooth, the App may use cookies or similar browser-side storage (such as local storage) in the Visitor's browser for the following purposes:

  • Remembering successful verification: A small flag is stored in the Visitor's browser so that the popup does not reappear on every page load during the duration configured by the Merchant.
  • Session cookies (admin): When you use the App's admin interface within your Shopify admin, session cookies are used to maintain your authenticated session.

The App does not use cookies for cross-site tracking, advertising, or profiling. Visitors can control cookies and similar storage through their browser settings, though disabling them may cause the popup to reappear on every page load.

Because the App operates within the Shopify ecosystem, Shopify may also place its own cookies, which are governed by Shopify's policies.

13. Children's privacy

The App is specifically designed to help Merchants prevent access by individuals below a chosen age. We do not knowingly collect personal information from children below the applicable age of consent in their jurisdiction (for example, under 16 in the European Economic Area, or under 13 in the United States under COPPA).

If a Visitor who is below the applicable age of consent provides personal information through the popup (such as a date of birth), that information is used solely to perform the age check and is not retained in identifiable form beyond what is necessary for that purpose and for preventing immediate circumvention.

If you believe a child has provided personal data through the App in a way that requires further action, please contact us at info@cruxtab.com, and we will take appropriate steps.

14. International data transfers

The App and its supporting infrastructure may be operated in, and your information may be transferred to, processed in, or stored in, countries other than the one in which you reside, including India (where CruxTab is based) and other countries where our service providers operate. These countries may have data protection laws that differ from those of your jurisdiction.

When we transfer personal data internationally, we take appropriate steps to ensure that your information receives an adequate level of protection, which may include:

  • Entering into standard contractual clauses approved by relevant authorities.
  • Ensuring that service providers and recipients adhere to recognized data protection frameworks.
  • Relying on other lawful transfer mechanisms as appropriate.

By using the App, you understand that your information may be transferred to and processed in such countries.

15. California privacy rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
  • The right to request deletion of your personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information (not applicable, as we do not sell or share personal information as defined by these laws).
  • The right to limit the use of sensitive personal information.
  • The right to non-discrimination for exercising your privacy rights.

To exercise these rights, please contact us at info@cruxtab.com.

16. Other regional privacy notices

We comply with applicable privacy laws in the regions where we operate. If you are located in a jurisdiction with specific privacy regulations (such as the GDPR in the EEA, the UK GDPR, the LGPD in Brazil, PIPEDA in Canada, the DPDP Act in India, or similar laws), you may have additional rights. Please contact us for more information about your specific rights and how to exercise them.

17. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last Updated" date at the top of this Policy.
  • For material changes, we will take reasonable steps to notify you, such as by email, an in-App notice, or a prominent notice on our website.
  • Your continued use of the App after the effective date of the updated Policy constitutes your acceptance of the changes.

We encourage you to review this Policy periodically to stay informed about our data practices.

18. Contact us

If you have any questions, concerns, requests, or complaints regarding this Privacy Policy, our data practices, or your personal information, please contact us at:

Cruxtab Technologies Private Limited
Email: info@cruxtab.com
Location: Surat, Gujarat, India

We take your privacy seriously and will respond to your inquiries promptly. If you are not satisfied with our response, you have the right to contact your local data protection authority.

This Privacy Policy is provided to comply with Shopify App Store requirements and applicable data protection regulations. It should be read in conjunction with our Terms of Service.

Questions about your data?

We're happy to help clarify anything in this policy.

Email info@cruxtab.com