I've scoured the documentation and boards for the shop/redact hook, but I can't get a straight answer. Here's my starting place:
> 48 hours after a store owner uninstalls your app, Shopify sends you a shop/redact webhook. This webhook provides the store's shop_id and shop_domain so that you can erase the customer information for that store from your database.
This makes it sound like we only need to delete information surrounding any customers of a merchant's shop (e.g. people that buy from the merchant), but we don't need to delete any data around the merchant -- e.g. we can keep their Shopify url (xxxx-scott.myshopify.com), their Shopify owner email (email@example.com), and basically anything we'd get from the Shop API endpoint.
This also seems to be reiterated down the page:
> Are shop name and (xxx.myshopify.com) and email considered personal data?
> No, this is customer data, not that of a Shopify Merchant.
Which again, makes it sound like we don't need to redact / delete the Merchant information, only the customer information.
On the flipside, because a merchant/store owner can be a customer of a Shopify app (e.g. they use our App), and many times documentation refers to "customers", "customer information for that store from your database" could be read to mean the data we (the app developers) store about our customer, the merchant / shop owner / Shopify site.
The quote above could also be interpreted to mean both "the shop name and shop email is customer data as well", and "the shop name and shop email is merchant data, not customer data", adding to the confusion.
We also have resources like:
> ...This means that not only do you need to have a process for retrieving and deleting merchant data upon request, you also need to be able to easily delete your merchant's customer's data from your app as well.
This makes me think the shop/redact webhook is not only about deleting a shop's customer data, but information about the merchant as well, but up until this point at least we could argue it was only talking about the merchant's customers.
Then we have Github issues like the below:
In this one the App user is deleting the entire Shop, meaning deleting the merchant data
This is not an official Shopify repo, but you can see this repo handles it again by deleting all the merchant data
Just trying to get clarity here. When we get a shop/redact request, should we be redacting:
1) The merchant's store data (Shopify store info, e.g. a Shopify store's website url / owner email / etc)
2) The merchant's customer data (any data related to customers who have purchased from the Shopify store in question)
I'm leaning towards just 2, but want to make sure we're doing this right.
This is an accepted solution.
You're only required to redact the customer data, not the merchant. It would be good practice to also redact the PII of the merchant though, you can keep things like their settings mapped to a shop ID or myshopify URL without keeping their email (in case of re-install) but this is not a requirement.
As always, I'm not a lawyer and you should check data privacy laws for your country and any country you are operating in!
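To make the accepted answer concrete, here is an added example handler for the shop/redact webhook. It is not code from this thread or from Shopify; it assumes a constructed SQLite schema (a `shops` table holding the merchant record and app settings, and a `customers` table holding the merchant's customers' data) and a hypothetical app secret. It does the three things a practitioner should care about: verifies the `X-Shopify-Hmac-Sha256` signature over the raw body before deleting anything (a spoofed redact request is otherwise a free data-wipe), deletes every customer row for the given `shop_id` (the required part), and nulls out the merchant's email while keeping the settings keyed by `shop_id`/`shop_domain` (the good-practice part the answer describes, so a re-install does not lose configuration). Running it twice for the same shop is harmless, which matters because Shopify retries webhooks that are not acknowledged.

```python
import base64
import hashlib
import hmac
import json
import sqlite3


def sign_body(raw_body: bytes, api_secret: str) -> str:
    """Value Shopify sends in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(app secret, raw body))."""
    digest = hmac.new(api_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, hmac_header: str, api_secret: str) -> bool:
    """Constant-time check against the raw request bytes (never a re-serialised JSON copy)."""
    return hmac.compare_digest(sign_body(raw_body, api_secret), hmac_header or "")


def open_db() -> sqlite3.Connection:
    """Constructed schema for this example: one merchant row per shop, many customer rows per shop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE shops (
            shop_id       INTEGER PRIMARY KEY,
            shop_domain   TEXT NOT NULL,
            owner_email   TEXT,      -- merchant PII: redacted as good practice, not required
            settings_json TEXT       -- app settings keyed by shop_id: kept for a re-install
        );
        CREATE TABLE customers (
            id                  INTEGER PRIMARY KEY,
            shop_id             INTEGER NOT NULL,
            shopify_customer_id INTEGER,
            email               TEXT,   -- the merchant's customers' data: must go
            full_name           TEXT
        );
        """
    )
    return conn


def seed_demo_data(conn: sqlite3.Connection) -> None:
    """Constructed sample rows: two shops, three customers (two belong to shop 1001)."""
    conn.executemany(
        "INSERT INTO shops VALUES (?, ?, ?, ?)",
        [
            (1001, "alpha.myshopify.com", "owner@alpha.example", '{"theme": "dark"}'),
            (1002, "beta.myshopify.com", "owner@beta.example", '{"theme": "light"}'),
        ],
    )
    conn.executemany(
        "INSERT INTO customers (shop_id, shopify_customer_id, email, full_name) VALUES (?, ?, ?, ?)",
        [
            (1001, 501, "ann@example.com", "Ann Buyer"),
            (1001, 502, "bob@example.com", "Bob Buyer"),
            (1002, 503, "cat@example.com", "Cat Buyer"),
        ],
    )
    conn.commit()


def build_request(shop_id: int, shop_domain: str, api_secret: str) -> tuple:
    """Simulate the delivery: the shop/redact body and the header Shopify would attach to it."""
    raw_body = json.dumps({"shop_id": shop_id, "shop_domain": shop_domain}).encode("utf-8")
    return raw_body, sign_body(raw_body, api_secret)


def handle_shop_redact(conn: sqlite3.Connection, raw_body: bytes, hmac_header: str, api_secret: str) -> dict:
    """Process one shop/redact delivery. Raises PermissionError on a bad signature."""
    if not verify_webhook(raw_body, hmac_header, api_secret):
        raise PermissionError("invalid X-Shopify-Hmac-Sha256; refusing to redact")
    payload = json.loads(raw_body)
    shop_id = int(payload["shop_id"])
    shop_domain = payload["shop_domain"]
    with conn:  # one transaction: either both steps land or neither does
        customers_deleted = conn.execute(
            "DELETE FROM customers WHERE shop_id = ?", (shop_id,)
        ).rowcount
        merchant_rows_redacted = conn.execute(
            "UPDATE shops SET owner_email = NULL WHERE shop_id = ? AND shop_domain = ?",
            (shop_id, shop_domain),
        ).rowcount
    # Return counts so the caller can log them and reply 200 (a retry then deletes 0 rows).
    return {
        "shop_id": shop_id,
        "customers_deleted": customers_deleted,
        "merchant_rows_redacted": merchant_rows_redacted,
    }


if __name__ == "__main__":
    secret = "hypothetical-app-secret"  # assumption: replace with the app's real API secret
    db = open_db()
    seed_demo_data(db)
    body, header = build_request(1001, "alpha.myshopify.com", secret)
    print(handle_shop_redact(db, body, header, secret))
```

Two caveats worth keeping in mind when adapting this: do the verification against the exact bytes the framework hands you (reading the body through a JSON middleware first will silently break the HMAC), and if customer data is also held in backups or a third-party service, the webhook handler is only the first step of the deletion process, not the whole of it.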