GDPR Compliance
If you serve customers in the European Union or European Economic Area, you need to comply with the General Data Protection Regulation (GDPR). This page explains how WandStore supports merchant GDPR workflows.
Lawful basis for processing
WandStore processes data to generate, render, version, and measure storefront widgets and homepage experiences. Depending on your business and jurisdiction, you may rely on legitimate interest, consent, or another lawful basis recommended by counsel.
Processing is intended to be:
- Proportionate - Limited to app operation, personalization, generation, and analytics.
- Expected - Used in the merchant’s own Shopify storefront experience.
- Minimal - Sensitive fields such as passwords, payment data, phone numbers, and full addresses are excluded from generation.
Check with your legal advisor for the right lawful basis for your store.
Customer rights under GDPR
Right to access
For WandStore, relevant app data may include:
- Customer profile metadata used for personalization
- Generated versions associated with a customer
- Analytics or attribution records associated with a customer or session
- Customer-account tokens when customer-account features are enabled
Contact support if you need help reviewing app-specific data.
Right to erasure
When a customer requests deletion:
- Process the request through Shopify’s built-in customer data tools.
- Shopify sends a compliance webhook to installed apps.
- WandStore removes stored app data associated with that customer.
- The customer no longer receives stored customer-specific WandStore experiences.
Right to rectification
Customer source data should be corrected in Shopify. WandStore uses Shopify as the system of record.
Right to data portability
Customers can export Shopify account data through Shopify’s standard tools. App-specific WandStore data can be reviewed through support and compliance workflows.
Right to object
Customers who do not want customer-specific personalization can avoid signing in. For signed-in customers who object specifically to WandStore personalization, contact support for exclusion options.
Data Processing Agreement
WandStore acts as a data processor for the merchant. The merchant is the data controller responsible for customer data and legal basis.
Contact WandStore support to request a Data Processing Agreement if required.
Shopify compliance webhooks
WandStore integrates with Shopify compliance and lifecycle webhooks:
| Webhook | What happens |
|---|---|
| customers/data_request | WandStore prepares app data associated with that customer for merchant review. |
| customers/redact | WandStore removes stored app data for that customer. |
| shop/redact | WandStore removes stored app data for the shop. |
| app/uninstalled | WandStore removes app data and stops serving generated experiences for the shop. |
Recommendations for merchants
- Update your privacy policy to mention AI-powered storefront widgets and personalization.
- Document your lawful basis for processing.
- Handle data access and deletion requests through Shopify.
- Request a DPA from WandStore support if needed.
- Review customer-account and consent requirements for your jurisdiction.
Questions?
For GDPR questions or DPA requests, see Getting Support.