shopify-data-handling
Handle Shopify customer PII, implement GDPR/CCPA compliance, and manage data retention with Shopify's mandatory privacy webhooks. Use when building apps that store customer data, preparing for App Store review, or implementing deletion workflows. Trigger with phrases like "shopify data", "shopify PII", "shopify GDPR", "shopify customer data", "shopify privacy", "shopify CCPA", "shopify data request".
What this skill does
# Shopify Data Handling
## Overview
Handle customer PII correctly when building Shopify apps. Covers the mandatory GDPR webhooks, data minimization, and the specific privacy requirements Shopify enforces for App Store submission.
## Prerequisites
- Understanding of GDPR/CCPA requirements
- Shopify app with webhook handling configured
- Database for storing and deleting customer data
## Instructions
### Step 1: Understand What Data Shopify Shares
When a merchant grants your app access, you may receive:
| Data Type | Source | Sensitivity | Retention Obligation |
|-----------|--------|-------------|---------------------|
| Customer email, name, phone | `read_customers` scope | PII — encrypt at rest | Delete on `customers/redact` |
| Shipping addresses | `read_orders` scope | PII — encrypt at rest | Delete on `customers/redact` |
| Order details (amounts, items) | `read_orders` scope | Business data | Delete on `shop/redact` |
| Product data | `read_products` scope | Public | Delete on `shop/redact` |
| Shop owner email | `read_shop` scope | PII | Delete on `shop/redact` |
### Step 2: Implement Mandatory Privacy Webhooks
Shopify **requires** three GDPR webhooks for App Store apps. Your app will be **rejected** without them: `customers/data_request` (customer wants their data), `customers/redact` (delete a customer's PII), and `shop/redact` (delete all shop data 48h after uninstall).
See [GDPR Privacy Webhooks](references/gdpr-privacy-webhooks.md) for the complete implementation of all three handlers.
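The three handlers as a single dispatcher, as an added example (not the referenced file and not Shopify's code). The in-memory `db`, its `shop:id` key scheme and the function names are assumptions; the signature check is included because these endpoints delete data on request, and Shopify signs each webhook body with the app's client secret in the `X-Shopify-Hmac-Sha256` header.

```javascript
const crypto = require("node:crypto");

// Constructed in-memory store standing in for the app database (hypothetical schema).
const db = {
  customers: new Map([["test.myshopify.com:123", { email: "customer@example.com" }]]),
  orders: new Map([["test.myshopify.com:1001", { customerId: 123, total: "19.99" }]]),
};

// Compare the base64 HMAC-SHA256 of the raw body against the header value in
// constant time. rawBody must be the unparsed request body.
function verifyHmac(rawBody, headerHmac, secret) {
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const given = Buffer.from(headerHmac || "", "base64");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

function handlePrivacyWebhook(topic, rawBody, headerHmac, secret) {
  if (!verifyHmac(rawBody, headerHmac, secret)) return { status: 401 };
  const p = JSON.parse(rawBody);
  const shop = p.shop_domain;
  switch (topic) {
    case "customers/data_request": {
      // Collect what is stored; the export goes to the merchant out of band,
      // not in the HTTP response. Nothing stored is an empty export, not an error.
      const customer = db.customers.get(`${shop}:${p.customer.id}`) || null;
      const orders = (p.orders_requested || [])
        .map((id) => db.orders.get(`${shop}:${id}`))
        .filter(Boolean);
      return { status: 200, export: { customer, orders } };
    }
    case "customers/redact": {
      // Deleting a record that is already gone still succeeds.
      db.customers.delete(`${shop}:${p.customer.id}`);
      for (const id of p.orders_to_redact || []) db.orders.delete(`${shop}:${id}`);
      return { status: 200 };
    }
    case "shop/redact": {
      // Remove every row keyed to this shop, in every table.
      for (const table of Object.values(db))
        for (const key of [...table.keys()])
          if (key.startsWith(`${shop}:`)) table.delete(key);
      return { status: 200 };
    }
    default:
      return { status: 400 };
  }
}
```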
### Step 3: Data Minimization and PII Detection
Only fetch the fields you actually use in GraphQL queries. Add PII redaction middleware to prevent customer data from leaking into logs — detect emails, phone numbers, and credit card patterns.
See [Data Minimization and PII Detection](references/data-minimization-and-pii-detection.md) for query examples and redaction middleware.
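One way to build the log redaction described in this step, as an added example rather than the contents of the referenced file. The patterns, the `PII_KEYS` field list and the function names are assumptions; the Luhn check keeps long numeric IDs and timestamps from being masked as card numbers.

```javascript
// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 13 to 19 digits, optionally grouped with spaces or dashes.
const CARD = /\b\d(?:[ -]?\d){12,18}\b/g;
// E.164 (+ and 8-15 digits) or a separated 3-3-4 national number.
const PHONE = /\+\d{8,15}\b|\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b/g;

function redactString(s) {
  return s
    .replace(EMAIL, "[EMAIL]")
    .replace(CARD, (m) => (luhnValid(m.replace(/\D/g, "")) ? "[CARD]" : m))
    .replace(PHONE, "[PHONE]");
}

// Fields treated as PII whatever their value looks like (assumed list).
const PII_KEYS = new Set(["email", "phone", "first_name", "last_name", "address1", "address2"]);

// Walk strings, arrays and plain objects; other values pass through unchanged.
function redact(value, key) {
  if (key && PII_KEYS.has(key)) return "[REDACTED]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value && typeof value === "object")
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redact(v, k)]));
  return value;
}

// Wrap a logger function so every argument is redacted before it is written.
function wrapLogger(write) {
  return (...args) => write(...args.map((a) => redact(a)));
}
```

Wrap each sink once at startup, for example `const log = wrapLogger(console.log)`, so redaction does not depend on individual call sites.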
### Step 4: Data Retention Policy
Automate cleanup with a daily cron job: delete API logs after 30 days, webhook logs after 90 days, and keep audit logs for 7 years (regulatory requirement).
See [Data Retention Policy](references/data-retention-policy.md) for the complete implementation.
## Output
- GDPR mandatory webhooks implemented and tested
- Data minimization in API queries
- PII redaction in all log output
- Retention policy with automatic cleanup
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| App Store rejection for GDPR | Missing webhook handlers | Implement all 3 mandatory webhooks |
| Customer data not found | Data already deleted | Return empty response (not an error) |
| shop/redact not received | App reinstalled before 48h | Shopify cancels redact if reinstalled |
| PII in logs | Missing redaction | Add redaction middleware to all loggers |
## Examples
### Test GDPR Webhooks
```bash
# Simulate a customers/data_request webhook locally.
# The request carries no X-Shopify-Hmac-Sha256 header, so a handler that
# verifies Shopify's signature should reject it with 401.
curl -X POST http://localhost:3000/webhooks/gdpr/data-request \
  -H "Content-Type: application/json" \
  -H "X-Shopify-Topic: customers/data_request" \
  -H "X-Shopify-Shop-Domain: test.myshopify.com" \
  -d '{
    "shop_domain": "test.myshopify.com",
    "customer": {"id": 123, "email": "customer@example.com", "phone": "+1234567890"},
    "orders_requested": [1001, 1002],
    "data_request": {"id": 999}
  }'
```
## Resources
- [Shopify Privacy Law Compliance](https://shopify.dev/docs/apps/build/compliance/privacy-law-compliance)
- [GDPR Webhook Requirements](https://shopify.dev/changelog/apps-now-need-to-use-gdpr-webhooks)
- Data Protection Best Practices