Clarification on "View personal data" warning with read_all_orders scope

Hello everyone,

I have developed a custom app and am trying to understand the app installation message I’m seeing, as it seems to contradict my app’s functionality.

My app’s purpose is to analyze order data for internal analytics (e.g., product popularity, sales quantity). I do not need to access or store customer PII like names, emails, or addresses.

My app’s scopes are set to: read_all_orders, read_orders, read_inventory, read_locations, read_products

Despite this, when the merchant installs the app, they see the following warning message:

View personal data Customers Name, email address, phone number, physical address, geolocation, IP address, browser and operating system Store owner Name, email address, phone number, physical address

My question is this: Is this warning message an unavoidable part of requesting access to the orders resource, even if the app only uses non-PII data like product names and quantities from that resource?

I’m trying to be as transparent as possible with the merchant, and this message creates a slight disconnect since my app’s core purpose doesn’t involve viewing or storing personal data. Any clarification on why this message appears and whether there is a way to pull the non-PII order data without it would be greatly appreciated.

Thank you!

Hi,

Is this warning message an unavoidable part of requesting access to the orders resource, even if the app only uses non-PII data like product names and quantities from that resource?

Yes, because at this time the REST Admin API allows access to all of these fields by default as long as you have the orders scope enabled.

Therefore, you’ll need to apply for Protected Customer Data access through the app in your Shopify partner dashboard.

Even the orders webhook returns this data by default as well. So in general, if you’re touching order data then you’ll need this approval.

Yes — that warning is unavoidable. The orders API always includes customer PII fields, so Shopify flags those scopes with a “personal data” warning, even if your app only uses product/quantity info. There’s no way to request just the non-PII portions of an order; the access scope is all-or-nothing. The best you can do is explain to merchants that while Shopify shows that message, your app only uses non-PII data.