Hi,
Context - we have an app that collects order information and send it to our SaaS. The ultimate purpose - independent ad tracking and conversion attribution.
Our app reads customer data data from order details.
- We hash is to SHA256 before processing and it is not associated with personal record. The only connection is non-human readable id, ex. 615b05403eb8670001e65675
- That is part of the order details in Shopify and can be used to find hashed value in our database (that is just part of the record about the event and is not tied to any personal profile)
- In our data base it is a part of information about the click - that can be associated with ad campaign click, but not with personal record or any PII information
Since we do not store or process PII data, but we do read it before hashing - what is the correct way to ensure compliance with Mandatory GDPR webhooks - that was a request from App review team.
I was advised by support team to ask the question here.
Thank you
Shopify Discussion
Partners and Developers