Mandatory webhooks help you manage the user data that an app collects.
The General Data Protection Regulation (GDPR) sets requirements for any party that collects, stores, or processes the personal data of individuals in Europe. However, Shopify mandates GDPR regulations for all user data, regardless of whether an individual is located in Europe.
You need to ensure that any app that you distribute through the Shopify App Store is GDPR-compliant, regardless of whether your app currently collects personal data. Shopify provides mandatory webhooks to help.
If you don't provide URLs for the mandatory webhooks, or your app doesn't respond to these webhooks as required, then your app will be rejected and you'll need to fix the identified problem before submitting your app for another review.
Mandatory webhooks
Every app that's distributed through the Shopify App Store must subscribe to the following webhook topics in the Partner Dashboard:
| Webhook topic | Purpose |
| --- | --- |
| customers/data_request | Requests to view stored customer data |
| customers/redact | Requests to delete customer data |
| shop/redact | Requests to delete shop data |
Subscribe to mandatory webhooks
You must subscribe to mandatory webhooks before publishing your app. To subscribe to mandatory webhooks, you need to register endpoints and then configure them in the Partner Dashboard.
Register an endpoint for each mandatory webhook. The endpoint must be an HTTPS webhook address with a valid SSL certificate, and it must correctly process webhook event notifications. For more information, refer to Register an endpoint.
1. From your Partner Dashboard, go to Apps.
2. Click the app that you want to subscribe to mandatory webhooks.
3. Click App setup.
4. In the GDPR mandatory webhooks section, enter your endpoints.
Respond to mandatory webhooks
When you receive one of the mandatory webhooks, you need to take the following actions:
1. Confirm that you've received the request by responding with a 200-series status code.
2. Complete the action within 30 days of receiving the request. However, if you're unable to comply with a redaction request because you're legally required to retain data, then you shouldn't complete the action.
customers/data_request
Customers can request their data from a store owner. When this happens, Shopify sends a payload on the customers/data_request topic to the apps that are installed on that store.
If your app has been granted access to customer or order data, then it will receive a data request webhook. The webhook contains the resource IDs of the customer data that you need to provide to the store owner. It's your responsibility to provide this data to the store owner directly. In some cases, a customer record contains only the customer's email address.
customers/data_request payload
customers/redact
Store owners can request that data is deleted on behalf of a customer. When this happens, Shopify sends a payload on the customers/redact topic to the apps installed on that store.
If your app has been granted access to the store's customer or order data, then it will receive a redaction request webhook with the resource IDs that you need to redact or delete. In some cases, a customer record contains only the customer's email address.
If a customer hasn't placed an order in the past six months, then Shopify sends the payload 10 days after the deletion request. Otherwise, the request is withheld until six months have passed.
customers/redact payload
shop/redact
48 hours after a store owner uninstalls your app, Shopify sends a payload on the shop/redact topic. This webhook provides the store's shop_domain so that you can erase data for that store from your database.
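The following is an added example of a handler for the three mandatory topics described in the customers/data_request, customers/redact and shop/redact sections above; it is not Shopify's code or part of this page. It assumes the standard Shopify webhook headers X-Shopify-Topic and X-Shopify-Hmac-Sha256 (an HMAC-SHA256 of the raw body keyed with the app's client secret, base64-encoded; this page does not describe signing), a payload carrying shop_domain and, for the customer topics, a customer object with id and email (the payload sections of this page are not reproduced here, so that shape is an assumption), a hypothetical APP_SECRET, and an in-memory queue standing in for durable storage. A request that fails signature verification is rejected with 401 rather than acknowledged, and a redaction that is under legal hold is recorded as withheld instead of being performed, as the 30-day rule above requires.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical client secret; a real app loads it from configuration, never from source.
APP_SECRET = "hypothetical-client-secret"

# The three topics every App Store app must subscribe to.
MANDATORY_TOPICS = ("customers/data_request", "customers/redact", "shop/redact")

# Each request must be completed within 30 days of receipt.
COMPLIANCE_WINDOW = timedelta(days=30)


def compute_hmac(secret, raw_body):
    """Base64 HMAC-SHA256 of the raw request body, keyed with the app secret."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_hmac(secret, raw_body, header_value):
    """Constant-time comparison of the X-Shopify-Hmac-Sha256 header against our own digest."""
    return hmac.compare_digest(compute_hmac(secret, raw_body), header_value or "")


def build_signed_request(topic, payload, secret=APP_SECRET):
    """Constructed sample request: the headers and body Shopify would send for `topic`."""
    body = json.dumps(payload).encode()
    headers = {"X-Shopify-Topic": topic, "X-Shopify-Hmac-Sha256": compute_hmac(secret, body)}
    return headers, body


class ComplianceQueue:
    """Constructed stand-in for durable storage of pending GDPR actions."""

    def __init__(self):
        self.tasks = []

    def add(self, action, shop_domain, subject, received, note=None):
        self.tasks.append({
            "action": action, "shop_domain": shop_domain, "subject": subject,
            "received": received, "due": received + COMPLIANCE_WINDOW, "note": note,
        })


def handle_mandatory_webhook(headers, raw_body, queue, received_at=None, legal_hold=frozenset()):
    """Verify, acknowledge and enqueue a mandatory webhook. Returns the HTTP status to send."""
    received_at = received_at or datetime.now(timezone.utc)
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in MANDATORY_TOPICS:
        return 404
    # Reject anything not signed with our secret before trusting the body.
    if not verify_hmac(APP_SECRET, raw_body, headers.get("X-Shopify-Hmac-Sha256")):
        return 401
    try:
        payload = json.loads(raw_body)
        shop_domain = payload["shop_domain"]
    except (ValueError, KeyError, TypeError):
        return 400

    if topic == "shop/redact":
        # Store uninstalled 48 hours ago: erase everything held for that shop_domain.
        queue.add("erase_shop_data", shop_domain, shop_domain, received_at)
        return 200

    # Assumed payload shape: a "customer" object with the resource ID and/or email.
    customer = payload.get("customer") or {}
    subject = customer.get("id") or customer.get("email")
    if subject is None:
        return 400
    if topic == "customers/data_request":
        queue.add("export_customer_data", shop_domain, subject, received_at)
    elif (shop_domain, subject) in legal_hold:
        # Legally required retention: record the withheld deletion instead of performing it.
        queue.add("redaction_withheld", shop_domain, subject, received_at, note="legal retention")
    else:
        queue.add("delete_customer_data", shop_domain, subject, received_at)
    return 200
```

The handler only acknowledges and queues; the export or deletion itself runs from the queue, so the 200 response goes back promptly while the 30-day deadline is tracked per task. Keeping the legal-hold decision inside the handler means a withheld redaction is still recorded, which is what an auditor will ask for.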
shop/redact payload
Test your configuration by manually triggering a webhook delivery using the Shopify CLI webhook trigger command. Manually triggering webhooks doesn't test your webhook subscriptions.
Learn how to manage webhooks for different API versions.
Learn about the available topics for REST Admin API webhooks.
Learn about the available topics for GraphQL Admin API webhooks.
Familiarize yourself with app privacy policies, data rights, and marketing as they relate to GDPR.