Consent & Privacy

Converlay integrates natively with Shopify's Customer Privacy API. There is no custom consent banner to install or maintain — consent is handled entirely by Shopify's native cookie banner (or any third-party banner that uses the Customer Privacy API).

How it works

1. The pixel's [customer_privacy] configuration declares it requires analytics and marketing consent
2. In consent-required regions (EU/EEA/UK), Shopify's Pixel Manager delays loading the pixel until the visitor grants consent
3. Shopify replays buffered events once consent is granted, so no data is lost
4. Inside the pixel, init.customerPrivacy provides initial consent state and customerPrivacy.subscribe() tracks live changes
5. Consent flags are mapped to Google Consent Mode v2 format and included in every event payload

Consent mapping

Shopify consent flags are mapped to Google Consent Mode v2 signals:

Consent in event payloads

Every event forwarded to destinations includes a consent_data object:

• analytics: true/false — whether analytics tracking is allowed
• marketing: true/false — whether marketing tracking is allowed
• ad_user_data: true/false — whether user data can be sent to ad platforms
• ad_personalization: true/false — whether personalized ads are allowed

Per-destination routing

Converlay uses consent signals to decide which destinations receive each event. For example, if a visitor has granted analytics consent but denied marketing consent, events will be sent to GA4 but not to Meta or TikTok.

GDPR & CCPA compliance

• GDPR — Events are only processed when consent is granted. In consent-required regions, the pixel doesn't load until the visitor accepts
• CCPA — Converlay respects do-not-sell signals. All PII is hashed before forwarding
• Data retention — Event data is retained for 90 days for dashboard display, then automatically deleted
• Data deletion — Uninstalling the app triggers deletion of all stored data for that shop