Hey Everyone,
I am working on an app that uses the order & customer entities.
However, as soon as I requested access to custom data, I started getting the permission denied error due to the data protection policy.
My Query: Since my app is an extension only, I will only use the GraphQL API to query customer data, not save the data to any external server, or use the data in any other way.
But the data protection questionnaire contains questions related to whether I encrypt data on my end, retention period, encrypt backup, etc., which I feel shouldn’t be applicable to me as I don’t store data on my end. I just queried the data to process further.
I feel the options to these Yes/No are confusing and I feel like both options doesn’t justify my usecase.
Also, if there are any chances that my app will not get approved since I am not actually doing any data encryption, retention, or so, then I’ll stop the development here only.
Looking for expert advice.
Thanks in advance.
Manish Kumar
Hey @mkdudeja 
thanks for reaching out.
Happy to take a look into this with you, but just would like to understand a bit more about your extension - specifically, what type of extension you’re building and how customer/order data is being used in your app flow if you’re not storing it externally?
Could you walk me through the specific process of how your app queries this data, what processing occurs, and how the data is used within your extension’s functionality? I’m guessing your using Shopify hosting since your app is extension only (just linking for reference) Just hoping to provide a bit more accurate guidance on how to approach the data protection questionnaire for your particular use case, since even apps that don’t store data may still need to address certain aspects of data handling.
I do think you’re right that this technically isn’t applicable to your app though if all the hosting is on our side.
Hope to hear from you soon!
Hi,
Thanks for the response of the query.
About Extension: Ability to generate thermal receipt with order details, which includes Shop Info, Customer Info, and Line items from the order detail page “print menu”.
Extension will add the new menu item, say Thermal Receipt, clicking on which extension’s code will be fired, which queries (GraphQL) the data about the order (customer info, line items, shop info) and will generate the print receipt.
Additional Question: If I plan to create another version of the extension that helps with bulk actions to generate receipts, then I’ll be making a hosted version of it. Again, in that format as well, my extension will just be querying data (list of orders and its details) and generating a receipt. I don’t think I’ll be saving the custom/ order/ details in my database. Only thing, that can be ever saved into the database will be some custom templates or other preferences. In that case, what will be the data protection policies for such an extension?
Thanks
Hey @mkdudeja - thanks for clarifying and for waiting on my response here. I’m going to look into this a bit further for you internally to see if we can confirm if your app would need to request customer data access.
My understanding is that if any app requests customer data at some point during its workflow, it would need to have access to protected customer data, but I’ll confirm that on my end and loop back with you once I have more info to share.