Solved! Go to the solution
This is an accepted solution.
1. OAuth is per shop. Your app is requesting permission to make requests to the API on that specific shop.
2. No only the shop: https://shopify.dev/docs/admin-api/rest/reference/store-properties
3. I cannot provide legal advice on the topic, however, we've put together some great resources: https://www.shopify.ca/partners/blog/gdpr-compliance