Kōkua — Privacy Policy
Last updated: July 12, 2026
Kōkua is an accessibility scanner for Shopify stores, made by Kahakai (kahak.ai). This policy explains what data the app handles and why. Kōkua is read-only — it reads your public storefront to scan it and never changes your theme.
What we collect
- Your store domain and an access token. When you install the app, we store your store’s
myshopify.comdomain and an OAuth access token so the embedded app can authenticate with Shopify. - Accessibility scan results. When you run a scan, we load your public storefront pages, analyze them with the axe-core engine, and store the resulting report (the issues found, their severity, and the page URLs scanned).
- We do not collect your customers’ personal information. Kōkua does not read or store customer, order, or other personally identifiable data. Its only Shopify permission is
read_products, used to discover representative pages to scan. - Development-store password. If you enter a development store’s storefront password so the scan can reach the store, it is used in memory for that scan only and is never stored or logged.
How we use it
To run scans, show you reports, keep your scan history so you can track progress, and — on the Monitor plan — run scheduled re-scans and alert you when a previously-clean check regresses. We do not use your data for advertising, and we do not sell or rent it.
AI-generated fix suggestions
To help you fix issues, Kōkua may send the specific snippet of your storefront’s public HTML that failed a check — along with the technical description of the failure and your theme name — to our AI provider (Anthropic) to generate a suggested fix. This is public storefront markup only; it never includes customer data, and Kōkua’s access to your store remains read-only. Suggestions are guidance for you to review, not a guarantee of compliance.
Who we share it with
We don’t share your data except with the infrastructure providers needed to run the service:
- Shopify — the platform the app runs on and authenticates through.
- DigitalOcean — hosts the application and its database (United States region).
- Anthropic — generates the AI fix suggestions described above, from the public storefront markup that failed a check. No customer data is sent.
If you contact our team to remediate issues, you share your report with us by choice when you email us — that’s the only time a report leaves your admin.
Retention
- Scan results are retained for up to 24 months, or until you delete them.
- Your session and access token are deleted when you uninstall the app.
- When you uninstall, Shopify sends us a shop-redaction request about 48 hours later; at that point we delete your store’s remaining data (sessions and scans).
Your choices and rights
- Uninstall the app at any time to revoke its access and delete your session.
- Request deletion of your data at any time by emailing [email protected].
- We honor the data-request and deletion webhooks Shopify requires (GDPR/CCPA). Because we store no customer personal data, customer data requests have nothing to return; shop-deletion requests remove your store’s data.
Security
Data is transmitted over TLS. Access tokens are stored in an access-restricted database (reachable only by the application). The scanner is read-only and never modifies your store, and Kōkua never injects an accessibility overlay or widget.
Changes
We may update this policy; we’ll revise the “last updated” date above.
Contact
Kahakai — [email protected]