Tessera EU Age Gate — Shopify App Last updated: April 27, 2026
1. Who we are
Tessera EU Age Gate ("the App") is operated by Tessera ("we", "us"). The App enables Shopify merchants to verify the age of their customers using the European Digital Identity Wallet, in compliance with EU regulations. For questions about this policy, contact us at hello@tsera.io.
2. What the App does
When a customer needs to verify their age, the App initiates a verification session using the OpenID4VP protocol. The customer presents a credential from their EU Digital Identity Wallet (such as an mDoc age attestation). The only claim requested and processed is age_over_18 — a simple yes/no confirmation. We do not request or receive the customer's name, date of birth, address, photograph, or any other personal data.
3. Data we collect
From merchants (Shopify store owners):
Shopify store domain and access token (required for app functionality)
Age verification result only — a boolean value indicating whether the customer is over 18. No other personal data is collected, stored, or processed.
Verification session metadata: session ID, status (pending / verified / expired), and timestamp.
What we do NOT collect:
Name, date of birth, or government ID numbers
Biometric data or photographs
Location data, IP addresses of end customers, or device fingerprints
Browsing history or tracking cookies
4. How we use the data
Merchant data is used solely to operate the App within the merchant's Shopify store.
Verification results are used only to determine whether a customer meets the age requirement set by the merchant. Results are returned to the storefront in real time and stored as session records for the merchant's analytics.
We do not sell, rent, or share data with third parties for marketing or advertising purposes.
5. Data processing and storage
Verification sessions are processed via the Tessera platform API, hosted on infrastructure located in the European Union.
Merchant configuration and session metadata are stored in an encrypted database associated with the App.
Wallet credential data is processed transiently during the verification flow and is not persisted beyond the boolean result.
6. Data retention
Verification session records are retained for as long as the merchant has the App installed, to support analytics and record-keeping.
Upon app uninstallation, all merchant data and associated session records are deleted within 30 days.
7. Legal basis (GDPR)
We process data under the following legal bases:
Legitimate interest (Art. 6(1)(f) GDPR) — operating the age verification service as requested by the merchant.
Contract performance (Art. 6(1)(b) GDPR) — fulfilling our service agreement with the merchant.
Customer consent for the age verification is obtained through the explicit action of presenting their wallet credential. No data is collected without the customer actively initiating the verification.
8. Your rights
Under the GDPR, you have the right to access, rectify, erase, or restrict processing of your data, as well as the right to data portability and the right to object. To exercise these rights, contact us at hello@tsera.io.
Merchants can delete their data at any time by uninstalling the App from their Shopify store.
Keycloak — handles merchant authentication (OAuth2). No customer data passes through Keycloak.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the App's admin interface. Continued use of the App after changes constitutes acceptance of the updated policy.