Skip to content

GDPR Data Requests

GDPR data requests let a logged-in customer exercise their data-protection rights — asking the store to delete their account data or to update the personal data held about them. Every request is created, listed, viewed, revoked and deleted by the customer who owns it; a customer can only ever see and act on their own requests.

Authentication

All GDPR endpoints require an authenticated customer — provide the storefront key and a customer Bearer token. See the Authentication page for how to obtain and send them.

GDPR must be enabled by the store

Every GDPR endpoint first checks whether GDPR data requests are switched on in the store's admin configuration. If GDPR is turned off, the call fails with HTTP 400 and this message:

json
{
  "message": "GDPR data requests are disabled. Please enable GDPR from the admin configuration."
}

When you see this message, the feature has been disabled on the admin side — it must be re-enabled in the store's admin configuration before any GDPR request can be raised, listed, revoked or deleted.

Request lifecycle

A GDPR request moves through these statuses:

StatusMeaning
pendingThe request was just raised and is awaiting review.
processingThe store has started working on the request.
declinedThe store reviewed and declined the request.
approvedThe store reviewed and approved (fulfilled) the request.
revokedThe customer withdrew the request before it was finished.

A customer raises a request (pending), can revoke it while it is still pending or processing, and can delete the request record entirely.

Request type

TypeMeaning
deleteRequest the store to delete the customer's account data.
updateRequest the store to update the personal data held about the customer.

Endpoints

OperationMethod & PathDescription
List own requestsGET /api/shop/gdpr-requestsPaginated list of the customer's own GDPR requests.
View one requestGET /api/shop/gdpr-requests/{id}A single request the customer owns.
Raise a requestPOST /api/shop/gdpr-requestsRaise a new delete or update request.
Revoke a requestPOST /api/shop/gdpr-requests/{id}/revokeWithdraw a pending / processing request.
Delete a requestDELETE /api/shop/gdpr-requests/{id}Remove a request record.

Released under the MIT License.