GDPR Mandatory Webhooks
To comply with data privacy regulations (like GDPR), every app on the SeloraX platform must provide endpoints to handle requests for customer data or data deletion.
These requests are initiated by merchants from the SeloraX dashboard and are delivered via the same webhook delivery system used for standard events.
customers/data_request
Fires when: A merchant requests an export of all data an app holds about a specific customer.
Your Action: You must provide a JSON export of all personal data your app has stored for this customer within 30 days.
Payload:
{
  "event_topic": "customers/data_request",
  "store_id": 42,
  "data": {
    "store_id": 42,
    "customer": {
      "id": 1234,
      "email": "[email protected]",
      "phone": "+88017XXXXXXXX"
    },
    "requested_at": "2026-04-02T14:30:00Z"
  }
}
customers/redact
Fires when: A merchant requests that an app delete all personal data held about a specific customer.
Your Action: You must permanently delete or anonymize all personal data for this customer in your app's database.
Payload:
{
  "event_topic": "customers/redact",
  "store_id": 42,
  "data": {
    "store_id": 42,
    "customer": {
      "id": 1234,
      "email": "[email protected]",
      "phone": "+88017XXXXXXXX"
    },
    "redact_requested_at": "2026-04-02T14:35:00Z"
  }
}
shop/redact
Fires when: A merchant deletes their store account, or 48 hours after an app is uninstalled.
Your Action: You must permanently delete all data your app has stored for this shop.
Payload:
{
  "event_topic": "shop/redact",
  "store_id": 42,
  "data": {
    "store_id": 42,
    "redact_requested_at": "2026-04-02T14:40:00Z"
  }
}
Security
Just like standard webhooks, GDPR requests are HMAC-signed with your app's signing_secret. You must verify the X-SeloraX-Signature header before processing the request.
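An added example (not SeloraX's own code) of verifying the signature before acting on any of the three GDPR topics. It assumes the header carries a hex-encoded HMAC-SHA256 of the raw request body, which this page does not specify; sign_body, handle_gdpr_webhook, the db dict and the demo values are hypothetical.

```python
import hashlib
import hmac
import json

def sign_body(raw_body: bytes, signing_secret: str) -> str:
    # Assumption: hex-encoded HMAC-SHA256 over the raw request body.
    return hmac.new(signing_secret.encode(), raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, header_value: str, signing_secret: str) -> bool:
    if not header_value:
        return False
    expected = sign_body(raw_body, signing_secret)
    # Constant-time compare on bytes, so non-ASCII header input cannot raise.
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())

GDPR_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}

def handle_gdpr_webhook(raw_body: bytes, signature: str, signing_secret: str, db: dict):
    """Return (http_status, export). db is hypothetical: {store_id: {customer_id: record}}."""
    # Verify over the exact bytes received, before parsing any untrusted JSON.
    if not verify_signature(raw_body, signature, signing_secret):
        return 401, None
    try:
        event = json.loads(raw_body)
        topic, store_id = event["event_topic"], event["store_id"]
        if topic not in GDPR_TOPICS:
            return 400, None
        if topic == "shop/redact":
            db.pop(store_id, None)  # drop everything held for the shop
            return 200, None
        customer_id = event["data"]["customer"]["id"]
        customers = db.get(store_id, {})
        if topic == "customers/redact":
            customers.pop(customer_id, None)  # idempotent, so a redelivery is harmless
            return 200, None
        return 200, customers.get(customer_id, {})  # customers/data_request export
    except (ValueError, KeyError, TypeError):
        return 400, None  # malformed JSON or missing fields

# Constructed sample data for the demo (not real secrets or customers).
DEMO_SECRET = "demo-signing-secret"
DEMO_BODY = json.dumps({"event_topic": "customers/redact", "store_id": 42,
    "data": {"store_id": 42, "customer": {"id": 1234},
             "redact_requested_at": "2026-04-02T14:35:00Z"}}).encode()

if __name__ == "__main__":
    db = {42: {1234: {"email": "customer@example.com"}}}
    sig = sign_body(DEMO_BODY, DEMO_SECRET)
    print(handle_gdpr_webhook(DEMO_BODY, sig, DEMO_SECRET, db), db)
```

Pass the handler the request body exactly as received; re-serializing parsed JSON before verifying changes the bytes and the signature will not match.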