GDPR requirements

The General Data Protection Regulation (GDPR) goes into effect as of May 25, 2018. GDPR clarifies and imposes new obligations on any party that collects, stores, or processes personal data of individuals located in Europe. Shopify will, however, mandate these regulations for all user data.

This document outlines some of the endpoints that Shopify has built to help you maintain good data practices as an app developer. To learn more about app privacy policies, data rights, and marketing as it relates to GDPR, you can view our Data and user privacy documentation.

This document is not intended to provide you with legal advice. It is intended to provide you with information about changes that Shopify is making to the platform to help prepare for GDPR, and to help you start to think about your data practices in the way that GDPR requires.

Mandatory webhooks

Two mandatory webhooks are being added to every public app: shop/redact and customers/redact. These webhook subscriptions will be manageable from your partner dashboard, in the App Info tab of your app settings.

When you receive one of these webhooks, you must confirm your receipt of the redaction request by responding with a 200 series status code.

Webhook topics

customers/redact

When a buyer requests deletion of their data from a store owner, Shopify will send a payload on the customers/redact topic to installed apps. If your app has been granted access to customers or orders, then you will receive a redaction request webhook with the resource IDs that you need to redact or delete.

Webhook payload
{
  "shop_id": "<ID>",
  "shop_domain": "<domain>",
  "customer": {
    "id": "<ID>",
    "email": "<email>",
    "phone": "<phone>"
  },
  "orders_to_redact": ["<order ID>", "<order ID>", "<order ID>"]
}

shop/redact

48 hours after a shop uninstalls your app, we will attempt to send you a shop/redact webhook. This webhook will provide the shop_id and shop_domain so that you can redact their data from your database.

A sample shop/redact webhook payload can be found below:

Webhook payload
{
    "shop_id": "<ID>",
    "shop_domain": "<domain>"
}
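
One way to handle both redaction topics is sketched below. This is an added example, not Shopify's code. It assumes the request is authenticated with Shopify's general webhook signature (base64 HMAC-SHA256 of the raw body under the app's shared secret, sent in the X-Shopify-Hmac-SHA256 header, which this page does not describe). The store layout, function names and sample values are hypothetical.

```python
import base64, hashlib, hmac, json

def sample_store():
    # Constructed records standing in for the app's database (hypothetical schema).
    # Every key starts with the shop ID so a request can only touch its own shop.
    return {
        "shops": {"1001": "a.example", "2002": "b.example"},
        "customers": {("1001", "501"): "buyer@example.com", ("2002", "501"): "x@example.com"},
        "orders": {("1001", "9001"): "...", ("1001", "9002"): "...", ("2002", "9001"): "..."},
    }

def sign(secret: bytes, raw_body: bytes) -> str:
    """base64(HMAC-SHA256(secret, raw body)), the value expected in the HMAC header."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()

def handle_redact(secret, topic, raw_body, hmac_header, store):
    """Return the HTTP status code to answer a redaction webhook with."""
    expected = sign(secret, raw_body).encode()
    if not hmac.compare_digest(expected, (hmac_header or "").encode()):
        return 401  # unverified sender: delete nothing
    try:
        payload = json.loads(raw_body)
        shop = str(payload["shop_id"])
        if topic == "customers/redact":
            doomed = [("customers", (shop, str(payload["customer"]["id"])))]
            doomed += [("orders", (shop, str(o))) for o in payload["orders_to_redact"]]
        elif topic == "shop/redact":
            doomed = [("shops", shop)]
            doomed += [(t, k) for t in ("customers", "orders") for k in store[t] if k[0] == shop]
        else:
            return 404
    except (ValueError, KeyError, TypeError):
        return 400  # malformed payload: nothing was deleted
    for table, key in doomed:
        store[table].pop(key, None)  # pop(..., None) keeps redelivery idempotent
    return 200  # the 2xx that confirms receipt

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value, not a real secret
    body = b'{"shop_id": 1001, "shop_domain": "a.example", "customer": {"id": 501}, "orders_to_redact": [9001]}'
    store = sample_store()
    print(handle_redact(secret, "customers/redact", body, sign(secret, body), store), store["orders"])
```

The signature must be computed over the raw request bytes before any JSON parsing, because re-serialising the body changes the digest.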