Customer consent, GDPR, CCPA, opt-in
Every customer record carries a consent_state. Keepface only sends marketing outreach (referrals, UGC requests, NPS) when consent is granted; revocations are append-only and instant.
Consent states
| State | Meaning |
|---|---|
unknown | Default for imported customers; cannot send marketing yet |
granted | Customer explicitly opted in (via your post-purchase flow, magic link, etc.) |
revoked | Customer opted out, never sent again |
Where consent is recorded
The Consents page logs every state change with timestamp, channel, and source. This is your audit trail for GDPR/CCPA inspections.
How to capture consent
- Add a checkbox to your Shopify checkout that POSTs to Keepface’s consent endpoint
- Send a one-time consent request from Keepface, customer clicks a magic link to grant
- Import a CSV with a
consent_granted_atcolumn if you already have a legal opt-in record
Revocation
Customer-facing magic links include a one-click revoke. Revokes are append-only, we never delete the original grant, only add a revoke event on top.