Mandatory webhooks

Every public app must subscribe to the following webhook topics:

When you receive one of the mandatory webhooks, you need to take the following actions:

• Confirm that you've received the request by responding with a 200 series status code.

• Complete the action within 30 days of receiving the request. An exception is cases where you're unable to comply with a redaction request because you're legally required to retain data.

Learn more about how to receive and respond to webhooks.

You can configure mandatory webhooks in the Partner Dashboard before publishing your app.

Your endpoint must be an HTTPS webhook address. It requires a valid SSL certificate that can correctly process webhook event notifications. For more information, refer to Register an endpoint.

1. From your Partner Dashboard, go to Apps.

2. Click the app that you want to update.

3. Click App setup.

4. In the GDPR mandatory webhooks section, update your endpoints.

5. Click Save.

Customers can request their data from a store owner. When this happens, Shopify sends a payload on the customers/data_request topic to the apps that are installed on that store.

If your app has been granted access to customer or order data, then it will receive a data request webhook. The webhook contains the resource IDs of the customer data that you need to provide to the store owner. It's your responsibility to provide this data to the store owner directly. In some cases, a customer record contains only the customer's email address.

Store owners can request that data is deleted on behalf of a customer. When this happens, Shopify sends a payload on the customers/redact topic to the apps installed on that store.

If your app has been granted access to the store's customer or order data, then it will receive a redaction request webhook with the resource IDs that you need to redact or delete. In some cases, a customer record contains only the customer's email address.

If a customer hasn't placed an order in the past six months, then Shopify sends the payload 10 days after the deletion request. Otherwise, the request is withheld until six months have passed.

48 hours after a store owner uninstalls your app, Shopify sends a payload on the shop/redact topic. This webhook provides the store's shop_id and shop_domain so that you can erase data for that store from your database.

• Learn how to manage webhooks for different API versions.

• Learn more about how GDPR affects developers and Shopify.

• Familiarize yourself with app privacy policies, data rights, and marketing as they relate to GDPR.