Foilgrass · Kept · Privacy policy

Privacy policy

Kept is built to store no shopper personal information. The returns quiz collects only anonymous, predefined selections plus a random browser identifier used to avoid double-counting.

Effective date: July 2026

Kept (“Kept”, “we”, “us”, “our”) is a Shopify application, operated by Foilgrass, that lets merchants run a return-prevention quiz on their storefront and route eligible returns to exchange or store credit before a refund. This policy explains what information Kept processes, why, and your choices.

We do not ask for or store shoppers' names, email addresses, postal addresses, phone numbers, payment details, order numbers, or order contents.

1. Who this policy covers

For any shopper information processed through the quiz, the merchant is the data controller and Kept acts as a data processor on the merchant's behalf and under the merchant's instructions.

2. Information we process

2.1 From merchants (on install and use)

Access scope requested: read_themes. Kept does not request access to your customers' personal data, orders, or products.

2.2 From shoppers (the returns quiz)

Kept collects only anonymous, non-identifying data:

2.3 Technical and operational data

As with any web service, our hosting and infrastructure providers may transiently process standard technical information (such as IP address and request metadata) to deliver, secure, and debug the service. We do not use this to identify shoppers or build shopper profiles.

2.4 Analytics (where enabled)

Kept may aggregate the anonymous quiz data above into merchant-facing metrics (for example, return-reason mix and deflection counts). These aggregates contain no personal information. Separately, if a merchant has Google Analytics (GA4) installed on their store, quiz-completion events may be mirrored to that merchant's own GA4 property; that data is governed by the merchant's and Google's policies, not this one.

3. How we use information

We do not sell personal information, and we do not use shopper data for advertising or cross-site tracking.

4. Sharing and subprocessors

We share information only with the service providers needed to run Kept:

We may disclose information if required by law or to protect our rights, users, or the public.

5. Data retention and deletion

6. Your rights

Depending on where you live (for example, under the EU/UK GDPR or California's CCPA/CPRA), you may have rights to access, correct, delete, or restrict the processing of your personal information, and to object to certain processing.

We do not discriminate against anyone for exercising these rights.

7. International transfers

Information is processed in the United States, where the service is hosted. Where personal information is transferred across borders, we rely on appropriate safeguards as required by applicable law.

8. Security

We protect access tokens and stored data using industry-standard measures, including encrypted transport and restricted access. No method of transmission or storage is completely secure, but we work to safeguard the information we hold.

9. Children

Kept is not directed to children and does not knowingly collect personal information from children.

10. Changes to this policy

We may update this policy from time to time. We will revise the effective date above and, for material changes affecting merchants, provide reasonable notice.

11. Contact

Foilgrass
Email: hello@foilgrass.com

This page describes Kept's data practices as built. Questions? We answer privacy mail first.