Data Processing & Compliance
Shopify compliance webhook handling and data request workflow.
Last updated: March 5, 2026
This document summarizes operational privacy compliance for Max AI: Google Feed Ascend and is intended for merchant and reviewer transparency.
1. Shopify Mandatory Compliance Webhooks
The app subscribes to Shopify mandatory compliance topics:
- customers/data_request
- customers/redact
- shop/redact
Webhook subscriptions are declared in the app configuration, and deliveries are processed through the compliance webhook route.
2. Request Handling Model
customers/data_request
- webhook is authenticated via Shopify webhook verification
- app acknowledges request
- where no customer personal data is stored for the requested records, app returns success without extra payload storage
customers/redact
- webhook is authenticated via Shopify webhook verification
- app acknowledges request and executes redaction handling for applicable records
shop/redact
- webhook is authenticated via Shopify webhook verification
- app deletes shop-scoped records from primary persistence (including session/shop-linked records through relational deletion)
3. Authentication and Integrity
- webhook requests are verified through Shopify webhook authentication
- requests that fail authentication are rejected as unauthorized, according to platform behavior
- only expected compliance topics are accepted in the compliance handler
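The checks in this section, sketched as an added example (not the app's own code). It assumes Shopify's documented webhook signing scheme: a base64 HMAC-SHA256 of the raw request body, keyed with the app's client secret and sent in the X-Shopify-Hmac-Sha256 header, with the topic in X-Shopify-Topic. The function names, the sample secret and payload, and the 404 for an unexpected topic are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# The three mandatory compliance topics; this handler accepts nothing else.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def verify_shopify_hmac(raw_body: bytes, header_hmac: str, client_secret: str) -> bool:
    """Recompute the base64 HMAC-SHA256 of the raw body and compare in constant time."""
    digest = hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(digest)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, (header_hmac or "").encode())


def handle_compliance_webhook(headers: dict, raw_body: bytes, client_secret: str) -> int:
    """Return the HTTP status a compliance route would send (hypothetical handler)."""
    # Header names are case-insensitive on the wire; normalize before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    # Authenticate first, over the exact bytes received (not re-serialized JSON).
    if not verify_shopify_hmac(raw_body, h.get("x-shopify-hmac-sha256", ""), client_secret):
        return 401
    # Only after authentication, enforce the topic allowlist.
    # The 404 status for an unexpected topic is an assumption of this example.
    if h.get("x-shopify-topic") not in COMPLIANCE_TOPICS:
        return 404
    # Data request, redaction or shop deletion work would be dispatched here by topic.
    return 200


# Constructed sample input: the secret and payload are made up for this example.
SECRET = "example-client-secret"
BODY = b'{"shop_id":1,"shop_domain":"example.myshopify.com"}'
SIG = base64.b64encode(hmac.new(SECRET.encode(), BODY, hashlib.sha256).digest()).decode()

if __name__ == "__main__":
    signed = {"X-Shopify-Hmac-Sha256": SIG, "X-Shopify-Topic": "shop/redact"}
    print("valid request:", handle_compliance_webhook(signed, BODY, SECRET))
    print("altered body:", handle_compliance_webhook(signed, BODY + b" ", SECRET))
    other = {"X-Shopify-Hmac-Sha256": SIG, "X-Shopify-Topic": "orders/create"}
    print("unexpected topic:", handle_compliance_webhook(other, BODY, SECRET))
```

The signature must be computed over the body bytes exactly as received; parsing and re-serializing the JSON before verification changes the bytes and makes valid deliveries fail.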
4. Data Minimization
The app is designed around product feed generation and Merchant Center integration. It minimizes processing of customer personal data and focuses on store/product/feed operational data required for service delivery.
5. Security and Reliability Controls
Controls implemented in app services include:
- bounded request timeouts for external API calls
- retry with backoff for retryable upstream errors (such as 429/503)
- queue/job controls for bounded retries and operational safety
- deletion flows for uninstall/disconnect/compliance events
6. Merchant Request Channel
Privacy or deletion requests can be sent to: [email protected]
When requests originate through Shopify privacy tooling, webhook-based processing is the canonical workflow.
7. Important Note
This document is operational guidance, not legal advice. Merchants and partners should obtain legal counsel for jurisdiction-specific obligations (for example GDPR/CPRA/UK GDPR requirements).