
Public App Rejected for GDPR Webhooks? How to Solve It?

Apr 13, 2022 5 min read

Introduction

GDPR stands for “General Data Protection Regulation”. It is a European Union regulation that protects the personal data of individuals in the EU. It sets the rules for any organization that processes the personal data of people in the EU, wherever that organization is based, and it is one of the strictest privacy and security laws in the world.

The most important element of the GDPR is that it allows regulators in European countries to penalize businesses that do not comply with it, that is, businesses that do not process an individual’s data in the prescribed way.

Shopify has gone a step further by applying these requirements uniformly to all partners building on its platform. Every app built on Shopify must comply with the GDPR norms Shopify has set up, even if your app does not collect any personal data.

Public App Rejection

Shopify enforces strict security and data protection standards for all public apps. Developers are expected to stay aligned with ongoing regulatory and platform-level compliance requirements. For more details on how security and compliance updates are handled, refer to our Security & Compliance Updates page.

Shopify mandates that every public app implement three webhooks (Shopify’s documentation now calls them mandatory compliance webhooks):

  • Customer data request: customers/data_request
  • Customer data erasure request: customers/redact
  • Shop data erasure request: shop/redact

You can configure these three webhooks from your Partner Dashboard: navigate to Apps -> your app -> GDPR Mandatory webhooks. Each webhook needs an HTTPS endpoint that your app controls. You can learn more about these webhooks here:

https://shopify.dev/apps/webhooks/configuration/mandatory-webhooks

FAQs

1. Why was my Shopify public app rejected because of GDPR webhooks?

Your app was most likely rejected because it did not implement the mandatory GDPR compliance webhooks that Shopify requires of every public app. All three (customers/data_request, customers/redact and shop/redact) must be present, reachable over HTTPS and correctly configured, even if your app does not directly collect personal customer data.

2. What are the mandatory GDPR webhooks required by Shopify?

Shopify mandates that every public app subscribe to three specific GDPR compliance webhooks:

  • customers/data_request – for responding when a customer requests their data.
  • customers/redact – for when a customer asks that their personal data be deleted.
  • shop/redact – for when shop data must be removed, sent after a merchant uninstalls your app.

These ensure compliance with GDPR requirements for data access and deletion.

3. How can I fix GDPR webhook rejection during the app review?

To solve the rejection, you need to configure and respond to the mandatory GDPR webhook endpoints properly. Ensure your app:

  • Subscribes to all three GDPR webhooks at HTTPS endpoints that are reachable from the public internet.
  • Accepts the incoming POST requests, reads the JSON body and the X-Shopify-Topic header, and dispatches on the topic.
  • Verifies webhook authenticity by recomputing the HMAC-SHA256 of the raw request body with your app’s client secret and comparing it, in constant time, with the X-Shopify-Hmac-Sha256 header. Compute it over the raw bytes, not over JSON you have parsed and re-serialized.
  • Returns 401 Unauthorized when the signature does not verify (the review process sends an unsigned request to check exactly this) and a 200 response once a valid request has been accepted, then performs the requested action (delivering or deleting the data) per Shopify’s requirements.
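The four points above, put together in one endpoint handler. This is an added example written for this post, not code from Shopify or from the original article: the app secret, the shop domain, the customer ids and the in-memory `store` dictionary are all constructed for the demonstration. The payload shapes follow the documented compliance webhook payloads, and the signature check is the documented scheme (Base64 of HMAC-SHA256 over the raw body, compared with X-Shopify-Hmac-Sha256).

```python
import base64
import hashlib
import hmac
import json

# Hypothetical app secret (the client secret shown in the Partner Dashboard). Constructed for this
# example; a real app reads it from the environment and never commits it.
APP_SECRET = b"shpss_example_secret_not_a_real_one"

COMPLIANCE_TOPICS = ("customers/data_request", "customers/redact", "shop/redact")


def sign_body(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Base64(HMAC-SHA256(secret, body)): the value Shopify sends in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_hmac(raw_body: bytes, header_value, secret: bytes = APP_SECRET) -> bool:
    """Recompute the signature over the raw request bytes (not re-serialized JSON, which would
    change whitespace and key order) and compare in constant time."""
    if not header_value:
        return False
    return hmac.compare_digest(sign_body(raw_body, secret), header_value)


def handle_compliance_webhook(headers: dict, raw_body: bytes, store: dict, secret: bytes = APP_SECRET):
    """Return (http_status, response_body) for one webhook delivery.

    `store` is a constructed in-memory stand-in for the app's database:
    {"shops": {shop_domain: {"customers": {customer_id: {...}}, ...}}, "pending_data_requests": [...]}
    """
    if not verify_shopify_hmac(raw_body, headers.get("X-Shopify-Hmac-Sha256"), secret):
        # Reject before parsing anything. App review probes the endpoint with an unsigned
        # request and expects a 401 here.
        return 401, {"error": "invalid hmac"}

    topic = headers.get("X-Shopify-Topic")
    if topic not in COMPLIANCE_TOPICS:
        return 400, {"error": "unsupported topic"}

    payload = json.loads(raw_body)
    shop_domain = payload["shop_domain"]
    shop_data = store["shops"].get(shop_domain)

    if topic == "customers/data_request":
        # The customer's data is not returned in this HTTP response; the app delivers it to the
        # merchant out of band. Here we only record the request for that workflow.
        customer_id = payload["customer"]["id"]
        known = shop_data is not None and customer_id in shop_data["customers"]
        store["pending_data_requests"].append(
            {"shop": shop_domain, "customer_id": customer_id,
             "request_id": payload["data_request"]["id"], "customer_known": known})
        return 200, {"status": "queued"}

    if topic == "customers/redact":
        customer_id = payload["customer"]["id"]
        removed = shop_data is not None and shop_data["customers"].pop(customer_id, None) is not None
        return 200, {"status": "deleted" if removed else "nothing to delete"}

    # topic == "shop/redact": sent after the merchant uninstalls; drop everything held for the shop.
    removed = store["shops"].pop(shop_domain, None) is not None
    return 200, {"status": "deleted" if removed else "nothing to delete"}


def run_example() -> dict:
    """Drive the handler with constructed deliveries and return what happened to the store."""
    shop = "example-store.myshopify.com"
    store = {"shops": {shop: {"customers": {123456: {"email": "jane@example.com"}},
                              "settings": {"locale": "en"}}},
             "pending_data_requests": []}

    def deliver(topic, payload, secret=APP_SECRET):
        body = json.dumps(payload).encode()
        headers = {"X-Shopify-Topic": topic, "X-Shopify-Shop-Domain": shop,
                   "X-Shopify-Hmac-Sha256": sign_body(body, secret)}
        return handle_compliance_webhook(headers, body, store)[0]

    customer = {"id": 123456, "email": "jane@example.com", "phone": None}
    data_request_status = deliver("customers/data_request",
                                  {"shop_id": 954889, "shop_domain": shop, "orders_requested": [299938],
                                   "customer": customer, "data_request": {"id": 9999}})
    redact_payload = {"shop_id": 954889, "shop_domain": shop, "customer": customer,
                      "orders_to_redact": [299938]}
    # Same body signed with the wrong key: must be rejected with 401 and must change nothing.
    forged_status = deliver("customers/redact", redact_payload, secret=b"attacker-guess")
    customers_after_forgery = len(store["shops"][shop]["customers"])
    redact_status = deliver("customers/redact", redact_payload)
    customers_after_redact = len(store["shops"][shop]["customers"])
    shop_redact_status = deliver("shop/redact", {"shop_id": 954889, "shop_domain": shop})

    return {"data_request_status": data_request_status, "pending": len(store["pending_data_requests"]),
            "forged_status": forged_status, "customers_after_forgery": customers_after_forgery,
            "redact_status": redact_status, "customers_after_redact": customers_after_redact,
            "shop_redact_status": shop_redact_status, "shops_remaining": len(store["shops"])}


if __name__ == "__main__":
    print(run_example())
```

Two details matter for passing review. The webhook header is a Base64 digest, unlike the hex `hmac` query parameter used during OAuth, so do not reuse an OAuth verifier here. And the check must run over the exact bytes received: frameworks that parse JSON before your code sees it can silently hand you a re-encoded body, which makes every signature fail and leaves you wondering why Shopify never gets a 200.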

4. Do I need GDPR webhooks if my app doesn’t collect customer data?

Yes. Shopify requires every public app to implement the GDPR compliance webhooks, even if the app does not store or process any personal customer data. In that case your endpoints may simply verify the request and acknowledge it, but they must exist and behave correctly so that any GDPR-related request can be handled.

5. Where can I configure these GDPR mandatory webhooks?

You can configure GDPR webhooks in your Shopify Partner Dashboard under your app’s settings, by entering a valid HTTPS URL for each required webhook. If you use the Shopify CLI, you can instead declare them in your app configuration file (shopify.app.toml) so they are subscribed automatically when you deploy.
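The declarative form, as an added illustration that is not from the original post: a shopify.app.toml fragment subscribing all three compliance topics to a single endpoint. The `api_version` value and the `/webhooks/compliance` path are assumptions; use the API version your app targets and the route your handler actually serves.

```toml
# shopify.app.toml (fragment)
[webhooks]
api_version = "2024-10"   # assumed; use the API version your app targets

  [[webhooks.subscriptions]]
  # All three mandatory compliance topics delivered to one endpoint,
  # which dispatches on the X-Shopify-Topic header.
  compliance_topics = [ "customers/data_request", "customers/redact", "shop/redact" ]
  uri = "/webhooks/compliance"   # assumed path, resolved against application_url
```

Whichever method you use, confirm the subscriptions in the Partner Dashboard after deploying and send yourself an unsigned POST to the endpoint: a 401 is what the reviewer expects to see.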

Gurpinder Kaur

Whether Webgarh’s team needs guidance on Shopify Plus or on Shopify app development services, they can rely on Gurpinder for solutions. Her eight years of knowledge and experience help her associates and guide them toward a bright future.