1. In order to meet Shopify's requirements for mandatory webhooks (specifically the "customer/redact" topic), does shipping information for orders need to be deleted as well? We may require shipping information in order to process any returns received on orders.
To clarify/confirm, would shipping information fall under the branch of information that needs to be deleted through the customer/redact request?
---
In regards to the processing time of the redact request, at the earliest, would order details essentially be deleted between the 6th month and 7th month of order placement? For example, if a customer had requested their information be deleted to a Shopify store three months after order placement, the Shopify store would put in the redact request to all the apps the store uses. Would Shopify withhold this redact request until 6 months have passed since the order placement in case of chargebacks on the Shopify store? When the redact request is finally submitted to all the apps, would the apps have 30 days from that date to process the redact request?
The time periods noted in the example situation are from below:
On the Shopify store owners' side, it seems they can retain information for 6 months in case of a chargeback.
"By default, Shopify will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for erasure is submitted in that time frame, then it will sit pending, and Shopify will action it once the appropriate time has passed. You do not need to submit another request." (https://help.shopify.com/en/manual/your-account/privacy/GDPR/processing-gdpr-data-requests)
On Shopify dev, it seems that once a customer/redact request is received by the app, we must delete all information within 30 days.
"Complete the action within 30 days of receiving the request. An exception is cases where you're unable to comply with a redaction request because you're legally required to retain data." (https://shopify.dev/apps/webhooks/configuration/mandatory-webhooks#mandatory-webhooks)
-------
2. If we do not have anything to delete with webhooks, what should we do? Do we simply respond with a 200 series status code?