Mandatory GDPR webhooks for all apps

Shopify Staff
Shopify Staff
257 1 63

Hi Shopify Devs,


In response to the General Data Protection Regulation (GDPR), we've introduced some important changes to our platform to help you properly handle the privacy and security of customers’ personal information.


New mandatory webhooks

Two new mandatory webhooks are available to every public app:

  1. customers/redact: When a buyer requests deletion of their personal information from a store owner, Shopify will send a HTTP POST request for the customers/redact topic to all apps installed on that shop that have been granted access to customers or orders data. Upon receipt of the webhook, the app should delete the customer’s personal information associated to that shop specifically.

  2. shop/redact: 48 hours after a shop uninstalls your app, Shopify will send an HTTP POST request for the shop/redact topic. Upon receipt of the webhook, the app must delete all customers’ personal information associated with that shop.

These webhook subscriptions can be managed from your partner dashboard, in the App Info tab of your apps settings. Going forward, all public apps must subscribe to the new mandatory webhooks and confirm the receipt of each redaction request by responding with a 200 series status code.


GDPR Resources

We’ve added a number of resources on Data and user privacy under GDPR.  This includes a sample Privacy Policy Template as well other guidance to help you better understand your privacy choices as a Shopify app developer.

Other resources we’ve released include a a new Partner’s Blog post What App Developers Need To Know About GDPR (4 minute read), and the Shopify GDPR Whitepaper.


If you have any questions or concerns, please don’t hesitate to comment in the thread below.

Shopify Apps Team

Developer Experience @ Shopify
1 Like
48 0 10

Hey Ryan,

Thanks for the update! I do have a few GDPR related questions :)

1. App store retargeting - today Shopify serves apps' AdRoll and Google remarketing pixels when visitors hit the app listing page. To my understanding, the GDPR requires explicit consent from a user to place a retargeting cookie. Will Shopify be adding such a consent-collection tool? You can find relevant posts from both AdRoll and Google here:




2. I just want to verify that the shop/redact webhook will not be sent if the store re-installed the app within 48 hours.



Yoni from Loox

58 0 5

@Yoni  That's an excellent question regarding the shop/redact webhook being cancelled if a shop reinstalls the app within 48 hours.




Developing Ecommerce Apps Since 2011
Shopify Staff
Shopify Staff
257 1 63

Hi Yoni, Joel,

The webhook will not be sent if the app is re-installed within 48 hours.  Checking into your other question!



Developer Experience @ Shopify
Shopify Expert
701 0 65

Ryan! Re:


When a buyer requests deletion of their personal information from a store owner, Shopify will send a HTTP POST request


How does a buyer or store owner actually initiate this request?



I'm a million different people
1 Like
Shopify Partner
26 0 7

Hey there,

Related and unrelated question at the same time: Are there any test tools to immediately call the GDPR redactions in a test shop, including to see how it looks on the admin side, app developer/webhook side, and how it looks to the individual requesting a deletion? In the latter, even if they get no notifications, what happens when they attempt to login, etc.

I want to see what the whole process looks like. :)

636 0 87

What will happen if we try to load an order for which the customer requested deletion.

Will order.customer be null? Or will it be non null with a customer id and all other fields null?

98 0 15

When will the mandatory webhooks really become mandatory?

It's not that everybody can implement it right away. But for many of us the procedure is to plan for it to be done in near future. Thinking of scheduling it in a sprint, plan, develop, test and release ... it can take up two to four weeks.

Will the webhooks send the same HTTP_X_SHOPIFY_SHOP_DOMAIN and HTTP_X_SHOPIFY_HMAC_SHA256 fields for authorization? (Asking because the payload contains the shop id and domain, according to the documentation)
33 0 2

How do we test these webhooks ?  

Reward yourself and your Customers.
1 Like
98 0 15

You could at least test it by using a development shop or a test app and send request to the webhook endpoints using POSTMAN or a similar tool.