GDPR Compliance

If you serve customers in the European Union or European Economic Area, you need to comply with the General Data Protection Regulation (GDPR). This page explains how WandStore supports merchant GDPR workflows.

WandStore processes customer data for storefront personalization and related app features for eligible signed-in customers. Depending on your business and jurisdiction, merchants may rely on legitimate interest, consent, or another lawful basis advised by counsel. This processing is intended to be:

  • Proportionate — Data use is limited to what the app needs to provide personalization and related features.
  • Expected — Customers who sign in reasonably expect a personalized experience.
  • Minimal — Only data necessary for personalization is processed.

Check with your legal advisor for the best lawful basis for your store.

GDPR grants your customers several rights regarding their personal data. Here’s how WandStore supports each one:

Customers can request to see what data you hold about them. For WandStore, the relevant data is:

  • Their customer profile data used by the app for personalization
  • Their personalized storefront (the generated HTML)

You can access this information through the WandStore dashboard or by contacting support.

Right to erasure (“right to be forgotten”)

When a customer requests data deletion:

  1. Delete their data in Shopify using Shopify’s built-in customer data tools.
  2. WandStore responds automatically — When Shopify processes a data deletion request, it sends a webhook notification. WandStore receives this and removes stored app data for that customer.
  3. Customer data stays deleted — After the source data is removed from Shopify and the app’s stored data is deleted, WandStore no longer serves that customer’s stored personalized storefront content.

If a customer needs to correct their data, they should update their account information in Shopify. WandStore uses Shopify as the system of record for merchant and customer data.

Customers can export their Shopify account data through Shopify’s standard data portability tools. App-specific data that WandStore stores can be reviewed through the merchant’s GDPR and support workflows.

Customers who don’t want personalization can simply not sign in to your store. Anonymous visitors see the store’s standard storefront with no WandStore customer personalization.

If a signed-in customer objects to personalization specifically, you can exclude them by contacting WandStore support.

WandStore acts as a data processor on your behalf. You (the merchant) are the data controller responsible for your customers’ data.

Contact WandStore support to request a Data Processing Agreement if required by your GDPR compliance process.

WandStore integrates with Shopify’s mandatory compliance webhooks:

| Webhook | What happens |
|---|---|
| customers/data_request | WandStore returns app data associated with that customer for merchant review |
| customers/redact | WandStore removes all cached data for that customer |
| shop/redact | WandStore removes all data associated with your store |

These webhooks are registered automatically when you install the WandStore app.

As a merchant using WandStore, ensure you:

  • Update your privacy policy to mention AI-powered personalization (see Privacy Practices for suggested language)
  • Document your lawful basis for processing customer data for personalization
  • Handle data requests through Shopify’s built-in tools — WandStore respects the Shopify data lifecycle
  • Request a DPA from WandStore support if needed for your compliance records
  • Review customer-account and consent requirements if required by your jurisdiction

For specific GDPR questions or to request a DPA, see Getting Support.