We're building an app on the Shopify platform and as a part of app submission, we're required to provide mandatory endpoints for GDPR purposes (customer data request, customer data erasure, and shop data erasure). The app that we're building only serves US merchants and also only accesses shop data. I found out from another forum post that even in this case we need to submit all three endpoints as they are mandatory.
My question is: Can all these endpoints be the same? Ex: "https://myappname.com/redact". Since the request is made with specific JSON parameters, we can recognize the data received and act on the specific request appropriately. In each of the three cases (customer data request, customer data erasure, and shop data erasure), that endpoint will return 200s meeting Shopify platform's requirement on Webhooks.
This is an accepted solution.
Absolutely, you can have the same endpoint serving all three requests. Doing that for more than a year now, so no worries.
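The shared endpoint discussed in this thread, sketched as an added example that is not part of the original posts or Shopify's own code. It authenticates the request before acting on it, which matters when one URL can trigger data erasure. It assumes the request carries Shopify's `X-Shopify-Topic` and `X-Shopify-Hmac-Sha256` webhook headers; the handler names, the secret, and the 400 responses are hypothetical choices.

```python
import base64
import hashlib
import hmac
import json

# The three mandatory topics, mapped to hypothetical handler names.
TOPICS = {
    "customers/data_request": "export_customer_data",
    "customers/redact": "erase_customer_data",
    "shop/redact": "erase_shop_data",
}


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the form carried in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def handle_compliance_webhook(headers: dict, raw_body: bytes, secret: bytes):
    """Return (http_status, action) for one POST to the shared endpoint."""
    headers = {k.lower(): v for k, v in headers.items()}
    supplied = headers.get("x-shopify-hmac-sha256", "")
    # Verify over the raw bytes before parsing; compare in constant time.
    if not hmac.compare_digest(sign(secret, raw_body).encode(), supplied.encode()):
        return 401, None
    action = TOPICS.get(headers.get("x-shopify-topic", ""))
    if action is None:
        return 400, None  # authenticated, but not one of the three topics
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(payload, dict) or "shop_domain" not in payload:
        return 400, None
    # A real app would queue `action` with `payload` here and answer at once.
    return 200, action


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample values, not real data
    body = b'{"shop_id": 1, "shop_domain": "example.myshopify.com"}'
    hdrs = {"X-Shopify-Topic": "shop/redact",
            "X-Shopify-Hmac-Sha256": sign(secret, body)}
    print(handle_compliance_webhook(hdrs, body, secret))
```

Dispatching on the topic header rather than on payload shape keeps the routing unambiguous, since the three payloads share fields such as `shop_id` and `shop_domain`.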