Shopify OAuth
What you actually authorize when connecting your store. Plain English, scope by scope.
Last updated: May 17, 2026
What you authorize when clicking "Connect Shopify"
When the AI is ready to create your store, the chat shows a "Connect Shopify" button. Clicking it opens the official Shopify OAuth flow (on shopify.com, not on a disguised domain of ours) — you see exactly which permissions you're granting, and YOU click Install to accept. No tricks.
Shopify then sends us an access token via an HMAC-signed callback. We encrypt that token with AES-256-GCM at rest in our database (encryption key in a secret manager separate from the app), and we only use it for the API calls required by the actions you see happen in chat. No plaintext tokens, no logs that print them.
The exact scopes we request
These are all the OAuth scopes we ask for, nothing more:
- read_products, write_products — to import and manage products, prices, variants, and images.
- read_themes, write_themes — to install and localize the approved WooshStore fashion theme.
- read_content, write_content — to create and update essential pages: Privacy Policy, Returns, About, Shipping, Terms, FAQ.
- read_online_store_navigation, write_online_store_navigation — to update the main menu and footer in the selected language.
- read_locales, write_locales and read_translations, write_translations — to enable the store language and register translations.
- read_markets, write_markets — to configure the selected country's market.
- read_inventory, write_inventory — to create imported products with untracked inventory so they do not go offline by mistake.
- read_files, write_files — to upload product media and theme-related assets.
What we DON'T ask for: read_customers (zero access to your end-customer data), read_orders, read_all_orders, fulfillment, returns, discounts, marketing events, pixels, or script tags.
What we don't do
- We do not read your end-customer PII. Email, names, addresses, phones — all outside our perimeter. The read_customers scope isn't even in our request list.
- We do not sell, share, or pass data to third parties. There's no "data partner program", no mirror of your products on some analytics marketplace. You are our customer, not the product.
- We don't modify existing products without your OK in chat. If you already have a catalog, the AI explicitly asks "want me to rewrite the descriptions of X / Y / Z?" before touching anything. Default is additive (create new products), not destructive.
- We don't install hidden script tags or pixels. No sneaky Facebook Pixel, no third-party analytics, no A/B testing you don't know about.
- Everything is logged in our WooshStoreEvent database model. You see it as an audit log in your profile (/app/settings/audit) — every single API call we make to your store is logged with timestamp + scope + result.
Revoking access
Two ways, both immediate and GDPR-compliant. Pick whichever's handier:
- From our dashboard: go to /app/settings → Shopify connection section → "Disconnect Shopify" button. One click, immediate. We wipe the encrypted token on our side, uninstall the script tag, and send Shopify a DELETE /admin/api_permissions/current.json call to revoke the token on their side too.
- From your Shopify Admin: Settings → Apps and sales channels → WooshStore → Remove app. Shopify pings us via the app/uninstalled webhook and we trigger the same automatic cleanup.
Important: in both cases your store stays live on Shopify. You don't lose products, pages, theme, orders, anything. We are only cancelling WooshStore's right to touch your store via API. It's like firing a freelancer — the site they built stays yours.
HMAC and GDPR webhooks
The OAuth callback is verified with HMAC-SHA256 using crypto.timingSafeEqual — not vulnerable to timing attacks. The same goes for all webhooks we receive from Shopify (orders/create, app/uninstalled, etc.): HMAC mandatory, no handler accepts unsigned payloads.
We implement the 3 mandatory GDPR webhooks required by Shopify (verified during partner review):
- customers/data_request — when one of your end-customers requests their data via you: we respond within 30 days with a report (in our case, "we have zero data on this customer" because we don't read customer PII).
- customers/redact — request to delete an end-customer's data: same as above, we return "no data on file".
- shop/redact — when a merchant uninstalls the app, Shopify pings us 48h later to delete ALL data related to that shop. We do it within 30 days per policy (in practice within 24h, but the policy SLA is 30 days).
What happens if you delete your WooshStore account
Full account deletion = complete cleanup. In sequence, automatic:
- We call DELETE /admin/api_permissions/current.json on your Shopify — the token is revoked on their side too, not just ours.
- The merchant.shopifyAccessTokenEnc row in our DB is wiped.
- All your projects, chat messages, audit log events are cascade-deleted (Postgres ON DELETE CASCADE).
- The WooshPayment script tag is removed from your Shopify.
- Database backups: the last 30 days remain for error-recovery (standard policy), then overwritten.
For total deletion (including wiping backups within 7 days instead of 30), email hello@wooshpayment.com from the email tied to the account with subject "GDPR — full account deletion". We confirm within 24h and send you the deletion certificate once the process is closed.
Still unsure about the permissions?
Create the account, try the chat without connecting anything. Connect Shopify only when you're sure.