Subscribing to mandatory GDPR webhooks

To ensure compliance with the General Data Protection Regulation (GDPR), all public Shopify apps must add the following mandatory webhooks to their app to help manage the user data that an app collects:

  1. customers/redact - Requests deletion of customer data
  2. shop/redact - Requests deletion of shop data
  3. customers/data_request - Requests to view stored customer data

The three mandatory webhook endpoints can be added to your App Setup in the Shopify Partner Dashboard. When you receive one of these webhooks, you must confirm your receipt of the redaction request by responding with a 2XX status code, and complete the action within 30 days of receipt, unless you're legally required to retain the data.

If you don't provide URLs for the three mandatory GDPR webhooks, or your app doesn't respond to these webhooks with a 2XX status code response, then your app will be rejected and you'll be required to fix the identified problem before submitting your app for another review.
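The following added example (not code from Shopify or from the original page) sketches a receiver for the three topics that acknowledges with a 2XX immediately and queues the work with a 30-day due date. It assumes Shopify's general webhook signing, which this page does not describe: the `X-Shopify-Hmac-Sha256` header carries the base64 HMAC-SHA256 of the raw body keyed with the app's client secret, and the topic arrives in `X-Shopify-Topic`. The function names, the list-based `queue`, the 401/404/400 status choices and the sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MANDATORY_TOPICS = {"customers/redact", "shop/redact", "customers/data_request"}
DEADLINE = timedelta(days=30)  # "within 30 days of receipt"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body (assumed X-Shopify-Hmac-Sha256 format)."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def handle_webhook(secret, topic, hmac_header, raw_body, received_at, queue):
    """Return the HTTP status to send; enqueue a job for valid requests.

    queue is a hypothetical durable job store, modelled here as a list.
    """
    # Verify over the raw bytes, before any JSON parsing, in constant time.
    expected = sign(secret, raw_body).encode()
    if not hmac.compare_digest(expected, (hmac_header or "").encode()):
        return 401  # unsigned or forged requests must never trigger deletion
    if topic not in MANDATORY_TOPICS:
        return 404
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400
    if not isinstance(payload, dict):
        return 400
    # Acknowledge now; the redaction or export itself runs later from the queue.
    queue.append({
        "topic": topic,
        "shop_domain": payload.get("shop_domain"),
        "due_by": received_at + DEADLINE,
        "payload": payload,
    })
    return 200


if __name__ == "__main__":
    secret = b"constructed-client-secret"  # constructed sample value
    body = b'{"shop_id": 1, "shop_domain": "example.myshopify.com"}'  # constructed
    jobs = []
    now = datetime.now(timezone.utc)
    print(handle_webhook(secret, "shop/redact", sign(secret, body), body, now, jobs))
    print(jobs[0]["due_by"].isoformat())
```

Checking the signature before acting matters here because these endpoints delete or export personal data, so an unauthenticated caller must not be able to enqueue a job.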