# SegOps Shopify App — GDPR / Privacy Compliance

This document describes how the SegOps app fulfills Shopify's three mandatory privacy webhooks. All three are served over HTTPS, HMAC-verified against the app secret, acknowledged within 5 seconds, and completed within the 30-day SLA.
## Endpoints

| Webhook | URL | Handler |
|---|---|---|
| customers/data_request | POST /shopify/gdpr/data_request | export_customer_data |
| customers/redact | POST /shopify/gdpr/customer_redact | redact_customer_data |
| shop/redact | POST /shopify/gdpr/shop_redact | redact_shop_data |

Declared in `shopify.app.toml` under `[webhooks.privacy_compliance]`.
## Flow

- The webhook view verifies `X-Shopify-Hmac-SHA256` against the app secret (constant-time). A bad or missing signature → `401`.
- A `DataRequest` row is created with `due_at = now + 30 days`, then the matching Celery task is enqueued. The view returns `200` immediately.
- The task fulfills the request and stamps `completed_at`.
- An hourly beat task (`check_gdpr_sla`) logs `shopify.gdpr.sla_at_risk` for any request within 5 days of its SLA that is still incomplete (paging hook).
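The verify-then-enqueue flow above, as an added example that is not SegOps code: it shows the constant-time HMAC check that fails closed on a missing header, the `due_at` computation, and the 5-day at-risk test the beat task applies. The secret, sample body and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed sample secret; a real deployment reads the app secret from config.
APP_SECRET = b"hypothetical-app-secret"


def compute_hmac(secret: bytes, body: bytes) -> str:
    """Shopify signs the raw request body with HMAC-SHA256 and base64-encodes the digest."""
    return base64.b64encode(hmac.new(secret, body, hashlib.sha256).digest()).decode()


def verify_shopify_hmac(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison of X-Shopify-Hmac-SHA256; a missing header fails closed."""
    if not header_value:
        return False
    return hmac.compare_digest(compute_hmac(secret, body), header_value)


def due_at(received_at: datetime) -> datetime:
    """30-day SLA clock starts when the webhook is received."""
    return received_at + timedelta(days=30)


def sla_at_risk(due: datetime, completed_at: Optional[datetime], now: datetime) -> bool:
    """Mirror the hourly beat: still incomplete and within 5 days of due_at."""
    return completed_at is None and now >= due - timedelta(days=5)


def handle_privacy_webhook(secret: bytes, body: bytes, header_value: Optional[str],
                           received_at: datetime) -> Tuple[int, Optional[datetime]]:
    """Return (HTTP status, due_at) as the view would: 401 on a bad signature,
    otherwise 200 with the deadline that the DataRequest row would carry.
    Creating the row and enqueueing the Celery task are omitted here."""
    if not verify_shopify_hmac(secret, body, header_value):
        return 401, None
    return 200, due_at(received_at)
```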
## What each request does

- customers/data_request — collects the customer's events (ClickHouse), segment memberships, and identifications; packages them and makes them available to the shop owner. Marks the `DataRequest` complete.
- customers/redact — deletes all of the customer's events from ClickHouse (`ALTER TABLE … DELETE WHERE tenant_id AND user_id`) and clears per-customer Postgres references.
- shop/redact — fires ~48h after uninstall. Deletes the shop's events from ClickHouse and hard-deletes the SegOps tenant (Postgres cascade). The `DataRequest` audit row survives the tenant deletion (its FK is `SET_NULL`) so there is durable proof the redaction ran.
## Data retention on uninstall

Uninstalling sets the installation inactive and wipes the access token but keeps historical data until shop/redact arrives (Shopify's ~48h window), giving accidental-uninstall recovery without violating GDPR.