Back to Developer changelog

Apps now need to use GDPR webhooks

API

Effective May 25, 2018

Action required

In response to the General Data Protection Regulation (GDPR), we've introduced some important changes to our platform to help you properly handle the privacy and security of customers’ personal information.

Two new mandatory webhooks are available to every public app:

  • customers/redact: When a buyer requests deletion of their personal information from a store owner, Shopify will send a HTTP POST request for the customers/redact topic to all apps installed on that shop that have been granted access to customers or orders data. Upon receipt of the webhook, the app should delete the customer’s personal information associated to that shop specifically.
  • shop/redact: 48 hours after a shop uninstalls your app, Shopify will send an HTTP POST request for the shop/redact topic. Upon receipt of the webhook, the app must delete all customers’ personal information associated with that shop.

These webhook subscriptions can be managed from your Partner Dashboard, in the App Info tab of your apps settings. Going forward, all public apps must subscribe to the new mandatory webhooks and confirm the receipt of each redaction request by responding with a 200 series status code.

GDPR Resources

We’ve added a number of resources on Data and user privacy under GDPR. This includes a sample Privacy Policy Template as well other guidance to help you better understand your privacy choices as a Shopify app developer.

Other resources we’ve released include a new partner blog post What App Developers Need To Know About GDPR, and the Shopify GDPR Whitepaper.