Privacy, export, deletion, and auditability
Supports compliance workflows for exporting or deleting visitor/user data and auditing sensitive operational actions.
Simple terms
Privacy endpoints help export or delete user/visitor data and keep records of sensitive changes.
Supports compliance workflows for exporting or deleting visitor/user data and auditing sensitive operational actions.
Routes
/api/v1/data-export/api/v1/data-deletion
For the merchant-facing privacy workflow, start with GDPR export and deletion, Consent and regional compliance, and Developer access and data.
Implementation behavior
- Public privacy endpoints accept authenticated server-to-server requests scoped by shop API key.
- Export looks up relevant visitor/user data across persisted records and analytics where supported.
- Deletion requests remove or anonymize records according to the implemented data path.
- Audit logs and operational records preserve changes to experiments and admin-sensitive workflows.
How to use it
- Use data export for access requests and data deletion for erasure workflows.
- Pass stable visitor/user identifiers so the request can find the right records.
- Keep privacy automation server-side with secret API keys.
- Check audit logs when reconstructing who changed experiment or integration state.
When not to use it
- Do not run privacy requests from browser code or public clients.
- Do not assume one identifier finds every record if visitors were anonymous or cookies changed.
- Do not skip audit review for sensitive admin or experiment changes.
Implementation source
- Public handlers live under
/api/v1/data-exportand/api/v1/data-deletion. - Privacy-related handlers use shop-scoped API key authentication.
- The implementation spans relational shop data and analytics/event identifiers, with retention limits depending on storage path.
Data and API
- Public APIs:
/api/v1/data-exportand/api/v1/data-deletion. - Internal privacy/admin APIs and audit-log models.
- Event data, visitor/session identifiers, experiment assignment data, and shop-scoped relational records.
Failure modes
- Request cannot find data: identifier mismatch or events not linked to a user ID.
- Partial deletion risk: analytics and relational stores have different retention paths.
- Do not run privacy workflows with client-exposed keys.