shopify-data-handling

Handle Shopify customer PII, implement GDPR/CCPA compliance, and manage data retention with Shopify's mandatory privacy webhooks. Trigger with phrases like "shopify data", "shopify PII", "shopify GDPR", "shopify customer data", "shopify privacy", "shopify CCPA", "shopify data request".

1,868 stars

byjeremylongshore

View on GitHub Installation ↓

Best use case

shopify-data-handling is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using shopify-data-handling should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/shopify-data-handling/SKILL.md --create-dirs "https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/main/plugins/saas-packs/shopify-pack/skills/shopify-data-handling/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/shopify-data-handling/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How shopify-data-handling Compares

Feature / Agent	shopify-data-handling	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

ChatGPT vs Claude for Agent Skills

Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.

SKILL.md Source

# Shopify Data Handling

## Overview

Handle customer PII correctly when building Shopify apps. Covers the mandatory GDPR webhooks, data minimization, and the specific privacy requirements Shopify enforces for App Store submission.

## Prerequisites

- Understanding of GDPR/CCPA requirements
- Shopify app with webhook handling configured
- Database for storing and deleting customer data

## Instructions

### Step 1: Understand What Data Shopify Shares

When a merchant grants your app access, you may receive:

| Data Type | Source | Sensitivity | Retention Obligation |
|-----------|--------|-------------|---------------------|
| Customer email, name, phone | `read_customers` scope | PII — encrypt at rest | Delete on `customers/redact` |
| Shipping addresses | `read_orders` scope | PII — encrypt at rest | Delete on `customers/redact` |
| Order details (amounts, items) | `read_orders` scope | Business data | Delete on `shop/redact` |
| Product data | `read_products` scope | Public | Delete on `shop/redact` |
| Shop owner email | `read_shop` scope | PII | Delete on `shop/redact` |

### Step 2: Implement Mandatory Privacy Webhooks

Shopify **requires** three GDPR webhooks for App Store apps. Your app will be **rejected** without them.

```typescript
// 1. customers/data_request — Customer requests their data
// Shopify sends this when a customer asks the merchant for their data
async function handleCustomerDataRequest(payload: {
  shop_domain: string;
  customer: { id: number; email: string; phone: string };
  orders_requested: number[];
  data_request: { id: number };
}): Promise<void> {
  // Collect all data you store about this customer
  const customerData = await db.customerRecords.findMany({
    where: {
      shopDomain: payload.shop_domain,
      shopifyCustomerId: String(payload.customer.id),
    },
  });

  const orderData = await db.orderRecords.findMany({
    where: {
      shopDomain: payload.shop_domain,
      shopifyOrderId: { in: payload.orders_requested.map(String) },
    },
  });

  // You have 30 days to respond
  // Email the data to the merchant (or make it available via your app)
  await sendDataExport({
    requestId: payload.data_request.id,
    shop: payload.shop_domain,
    customer: customerData,
    orders: orderData,
  });
}

// 2. customers/redact — Delete specific customer's data
async function handleCustomerRedact(payload: {
  shop_domain: string;
  customer: { id: number; email: string; phone: string };
  orders_to_redact: number[];
}): Promise<void> {
  // Delete ALL personal data for this customer
  await db.customerRecords.deleteMany({
    where: {
      shopDomain: payload.shop_domain,
      shopifyCustomerId: String(payload.customer.id),
    },
  });

  // Anonymize order records (keep for accounting, remove PII)
  for (const orderId of payload.orders_to_redact) {
    await db.orderRecords.update({
      where: { shopifyOrderId: String(orderId) },
      data: {
        customerEmail: null,
        customerName: null,
        shippingAddress: null,
        // Keep: orderId, total, line items, timestamps
      },
    });
  }

  // Log the deletion (keep audit record)
  await db.auditLog.create({
    data: {
      action: "CUSTOMER_DATA_REDACTED",
      shop: payload.shop_domain,
      customerId: String(payload.customer.id),
      timestamp: new Date(),
    },
  });
}

// 3. shop/redact — Delete ALL data for a shop (48h after uninstall)
async function handleShopRedact(payload: {
  shop_id: number;
  shop_domain: string;
}): Promise<void> {
  // Delete EVERYTHING related to this shop
  await db.customerRecords.deleteMany({
    where: { shopDomain: payload.shop_domain },
  });
  await db.orderRecords.deleteMany({
    where: { shopDomain: payload.shop_domain },
  });
  await db.sessions.deleteMany({
    where: { shop: payload.shop_domain },
  });
  await db.appSettings.deleteMany({
    where: { shopDomain: payload.shop_domain },
  });

  console.log(`All data deleted for ${payload.shop_domain}`);
}
```

### Step 3: Data Minimization in API Queries

```typescript
// BAD: Fetching all customer fields when you only need the name
const ALL_FIELDS = `{
  customer(id: $id) {
    id firstName lastName email phone
    addresses { address1 city province country zip phone }
    orders(first: 100) {
      edges { node { id name totalPrice shippingAddress { ... } } }
    }
    metafields(first: 20) { edges { node { key value } } }
  }
}`;

// GOOD: Only fetch what you actually use
const MINIMAL_FIELDS = `{
  customer(id: $id) {
    id
    displayName
    numberOfOrders
    amountSpent { amount currencyCode }
  }
}`;
```

### Step 4: PII Detection in Logs

```typescript
// Prevent customer PII from leaking into logs
const PII_PATTERNS = [
  { name: "email", pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g },
  { name: "phone", pattern: /\+?\d{10,15}/g },
  { name: "credit_card", pattern: /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g },
];

function redactPII(text: string): string {
  let result = text;
  for (const { name, pattern } of PII_PATTERNS) {
    result = result.replace(pattern, `[REDACTED:${name}]`);
  }
  return result;
}

// Use in logging middleware
function safeLog(message: string, data: any): void {
  const safeData = JSON.parse(redactPII(JSON.stringify(data)));
  console.log(message, safeData);
}
```

### Step 5: Data Retention Policy

```typescript
// Automatic cleanup — run daily via cron
async function enforceRetentionPolicy(): Promise<void> {
  const now = new Date();

  // Delete API request logs older than 30 days
  await db.apiLogs.deleteMany({
    where: { createdAt: { lt: new Date(now.getTime() - 30 * 86400000) } },
  });

  // Delete webhook event logs older than 90 days
  await db.webhookLogs.deleteMany({
    where: { createdAt: { lt: new Date(now.getTime() - 90 * 86400000) } },
  });

  // Keep audit logs for 7 years (regulatory requirement)
  // Never auto-delete audit records

  console.log("Retention policy enforced");
}
```

## Output

- GDPR mandatory webhooks implemented and tested
- Data minimization in API queries
- PII redaction in all log output
- Retention policy with automatic cleanup

## Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| App Store rejection for GDPR | Missing webhook handlers | Implement all 3 mandatory webhooks |
| Customer data not found | Data already deleted | Return empty response (not an error) |
| shop/redact not received | App reinstalled before 48h | Shopify cancels redact if reinstalled |
| PII in logs | Missing redaction | Add redaction middleware to all loggers |

## Examples

### Test GDPR Webhooks

```bash
# Simulate a customers/data_request webhook locally
curl -X POST http://localhost:3000/webhooks/gdpr/data-request \
  -H "Content-Type: application/json" \
  -H "X-Shopify-Topic: customers/data_request" \
  -H "X-Shopify-Shop-Domain: test.myshopify.com" \
  -d '{
    "shop_domain": "test.myshopify.com",
    "customer": {"id": 123, "email": "test@example.com", "phone": "+1234567890"},
    "orders_requested": [1001, 1002],
    "data_request": {"id": 999}
  }'
```

## Resources

- [Shopify Privacy Law Compliance](https://shopify.dev/docs/apps/build/compliance/privacy-law-compliance)
- [GDPR Webhook Requirements](https://shopify.dev/changelog/apps-now-need-to-use-gdpr-webhooks)
- [Data Protection Best Practices](https://shopify.dev/docs/apps/build/compliance)

## Next Steps

For enterprise access control, see `shopify-enterprise-rbac`.

Related Skills

generating-test-data

1868

from jeremylongshore/claude-code-plugins-plus-skills

Generate realistic test data including edge cases and boundary conditions. Use when creating realistic fixtures or edge case test data. Trigger with phrases like "generate test data", "create fixtures", or "setup test database".

managing-database-tests

1868

from jeremylongshore/claude-code-plugins-plus-skills

Test database testing including fixtures, transactions, and rollback management. Use when performing specialized testing. Trigger with phrases like "test the database", "run database tests", or "validate data integrity".

encrypting-and-decrypting-data

1868

from jeremylongshore/claude-code-plugins-plus-skills

Validate encryption implementations and cryptographic practices. Use when reviewing data security measures. Trigger with 'check encryption', 'validate crypto', or 'review security keys'.

scanning-for-data-privacy-issues

1868

from jeremylongshore/claude-code-plugins-plus-skills

Scan for data privacy issues and sensitive information exposure. Use when reviewing data handling practices. Trigger with 'scan privacy issues', 'check sensitive data', or 'validate data protection'.

windsurf-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Control what code and data Windsurf AI can access and process in your workspace. Use when handling sensitive data, implementing data exclusion patterns, or ensuring compliance with privacy regulations in Windsurf environments. Trigger with phrases like "windsurf data privacy", "windsurf PII", "windsurf GDPR", "windsurf compliance", "codeium data", "windsurf telemetry".

webflow-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement Webflow data handling — CMS content delivery patterns, PII redaction in form submissions, GDPR/CCPA compliance for ecommerce data, and data retention policies. Trigger with phrases like "webflow data", "webflow PII", "webflow GDPR", "webflow data retention", "webflow privacy", "webflow CCPA", "webflow forms data".

vercel-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement data handling, PII protection, and GDPR/CCPA compliance for Vercel deployments. Use when handling sensitive data in serverless functions, implementing data redaction, or ensuring privacy compliance on Vercel. Trigger with phrases like "vercel data", "vercel PII", "vercel GDPR", "vercel data retention", "vercel privacy", "vercel compliance".

veeva-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Veeva Vault data handling for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva data handling".

vastai-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Manage training data and model artifacts securely on Vast.ai GPU instances. Use when transferring data to instances, managing checkpoints, or implementing secure data lifecycle on rented hardware. Trigger with phrases like "vastai data", "vastai upload data", "vastai checkpoints", "vastai data security", "vastai artifacts".

twinmind-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Handle TwinMind meeting data with GDPR compliance: transcript storage, memory vault management, data export, and deletion policies. Use when implementing data handling, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind data handling", "twinmind data handling".

supabase-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Implement GDPR/CCPA compliance with Supabase: RLS for data isolation, user deletion via auth.admin.deleteUser(), data export via SQL, PII column management, backup/restore workflows, and retention policies. Use when handling sensitive data, implementing right-to-deletion, configuring data retention, or auditing PII in Supabase database columns. Trigger: "supabase GDPR", "supabase data handling", "supabase PII", "supabase compliance", "supabase data retention", "supabase delete user", "supabase data export".

speak-data-handling

1868

from jeremylongshore/claude-code-plugins-plus-skills

Handle student audio data, assessment records, and learning progress with GDPR/COPPA compliance. Use when implementing data handling, or managing Speak language learning platform operations. Trigger with phrases like "speak data handling", "speak data handling".