Hey Everyone,
I am working on an app that uses the order & customer entities.
However, as soon as I requested access to custom data, I started getting the permission denied error due to the data protection policy.
My Query: Since my app is an extension only, I will only use the GraphQL API to query customer data, not save the data to any external server, or use the data in any other way.
But the data protection questionnaire contains questions related to whether I encrypt data on my end, retention period, encrypt backup, etc., which I feel shouldn’t be applicable to me as I don’t store data on my end. I just queried the data to process further.
I feel the options to these Yes/No are confusing and I feel like both options doesn’t justify my usecase.
Also, if there are any chances that my app will not get approved since I am not actually doing any data encryption, retention, or so, then I’ll stop the development here only.
Looking for expert advice.
Thanks in advance.
Manish Kumar
Hey @mkdudeja 
thanks for reaching out.
Happy to take a look into this with you, but just would like to understand a bit more about your extension - specifically, what type of extension you’re building and how customer/order data is being used in your app flow if you’re not storing it externally?
Could you walk me through the specific process of how your app queries this data, what processing occurs, and how the data is used within your extension’s functionality? I’m guessing your using Shopify hosting since your app is extension only (just linking for reference) Just hoping to provide a bit more accurate guidance on how to approach the data protection questionnaire for your particular use case, since even apps that don’t store data may still need to address certain aspects of data handling.
I do think you’re right that this technically isn’t applicable to your app though if all the hosting is on our side.
Hope to hear from you soon!
Hi,
Thanks for the response of the query.
About Extension: Ability to generate thermal receipt with order details, which includes Shop Info, Customer Info, and Line items from the order detail page “print menu”.
Extension will add the new menu item, say Thermal Receipt, clicking on which extension’s code will be fired, which queries (GraphQL) the data about the order (customer info, line items, shop info) and will generate the print receipt.
Additional Question: If I plan to create another version of the extension that helps with bulk actions to generate receipts, then I’ll be making a hosted version of it. Again, in that format as well, my extension will just be querying data (list of orders and its details) and generating a receipt. I don’t think I’ll be saving the custom/ order/ details in my database. Only thing, that can be ever saved into the database will be some custom templates or other preferences. In that case, what will be the data protection policies for such an extension?
Thanks