@Donal-Shopify Another problem with identifying users via the online access token is that it doesn’t guarantee data freshness. If a user changes their email, there’s no way to know unless they open the app and trigger another token exchange.
Getting the contact email for the true Shopify Plus organization owner is also challenging, since shop.accountOwner is protected by the same read_users scope. I wrote more about this here: Shop.email isn't the shop owner email - any way to access shop.accountOwner?