failing App Store review for GDPR compliance webhooks

My Shopify app is failing App Store review for GDPR compliance webhooks. The review says 'Your app needs to use mandatory compliance webhooks for customer privacy.' I have the webhooks implemented and working in my app, but Shopify's review system can't verify them. How do I make GDPR webhooks visible to Shopify's review when using include_config_on_deploy = false?
10 Replies
Chocci_Milk, 5w ago
Hello, GDPR webhook URLs are set for you and written in your connection configs (but should also be included in your toml if it was generated by the Gadget platform). To actually apply those GDPR URLs to the application you need to run the Shopify CLI and deploy the configs. Make sure to add use_legacy_install_flow = true to the toml if you aren't using Shopify-managed installs. Shopify-managed installs are defined by having the scopes defined in your toml. Here's a thread that talked about this previously: https://discord.com/channels/836317518595096598/1435130264492834907/1435281779417419907
Udi (OP), 5w ago
Thanks @[Gadget] Antoine

Here’s where things stand now:

We confirmed the app is Gadget-managed (use_legacy_install_flow = true, include_config_on_deploy = false) and removed all webhook subscriptions from the TOML.

Deployed to production, verified that the GDPR endpoints (customers/data_request, customers/redact, shop/redact) are active in the Shopify connection and responding with 200 OK + gdpr_hmac=pass in logs.

Ran end-to-end tests in dev; all three handlers executed correctly and shop/redact performed full data deletion.

Despite that, Shopify’s automated review still fails with:
❌ Provides mandatory compliance webhooks
❌ Verifies webhooks with HMAC signatures

Partner Dashboard shows only app/uninstalled deliveries — no GDPR deliveries yet.

In the meantime I've reached out to Shopify's support for a manual review.
Chocci_Milk, 5w ago
Did you add the webhook url for GDPR webhooks to your toml?
Udi (OP), 5w ago
We’ve updated the TOML to include:

[webhooks]
api_version = "2025-10"
uri = "/api/webhooks/shopify"

Used the relative path so Gadget expands it to the full prod URL. Deployed and verified 200 OK responses. Can you confirm this is the right setup for use_legacy_install_flow = true?
Chocci_Milk, 5w ago
The toml should look similar to this one:
# Learn more about working with Shopify TOML files with Gadget at https://docs.gadget.dev/guides/plugins/shopify/advanced-topics/shopify-app-toml

client_id = "b0af619a9c52b98a6b9a9924119d3803"
name = "ksaudfkasgdku-haljd-la-develop"
application_url = "https://ksaudfkasgdku-haljd-la--development.gadget.app/api/shopify/install-or-render"
embedded = true

[auth]
redirect_urls = ["https://ksaudfkasgdku-haljd-la--development.gadget.app/api/connections/auth/shopify/callback"]

[webhooks]
api_version = "2025-10"

[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "https://ksaudfkasgdku-haljd-la--development.gadget.app/api/webhooks/shopify"
The important part I'm trying to convey here is the webhook subscriptions
Udi (OP), 5w ago
Thanks @[Gadget] Antoine again for the help earlier! I’ve updated and deployed my shopify.app.toml exactly as you suggested:

[webhooks]
api_version = "2025-10"

[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "https://shop-siren.gadget.app/api/webhooks/shopify"

After deployment, I uninstalled and reinstalled the app on my test shop, but Shopify’s automated review still fails both checks:
❌ Provides mandatory compliance webhooks
❌ Verifies webhooks with HMAC signatures

Could you confirm if there’s any additional step needed to make the compliance_topics section register correctly with Shopify? This is the full toml:

# Learn more about working with Shopify TOML files with Gadget at https://docs.gadget.dev/guides/plugins/shopify/advanced-topics/shopify-app-toml

client_id = "d94f37a5e83dfbefb1291a954ed6c3d2"
name = "simply-monitor"
application_url = "https://shop-siren.gadget.app/api/shopify/install-or-render"
embedded = true

[access_scopes]
use_legacy_install_flow = true

[build]
include_config_on_deploy = false

[auth]
redirect_urls = ["https://shop-siren.gadget.app/api/connections/auth/shopify/callback"]

[webhooks]
api_version = "2025-10"

[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "https://shop-siren.gadget.app/api/webhooks/shopify"
Chocci_Milk, 5w ago
It may take some time for the review to rerun, I don't think that it's automatic. As long as you have the correct URLs, they should be pinging with 200s. Note that we don't handle the actual meat of the request for you though. You'll need to add some handling logic in the shopifyGdprRequest model's create action. There, there's a switch case that splits the handling into the 3 topics.
Udi (OP), 5w ago
Yes, the shopifyGdprRequest model handles all three topics and returns 200 OK. You wrote "It may take some time for the review to rerun". Doesn't this happen in real time when I hit the Run button? Thanks again for the help.
Chocci_Milk, 5w ago
I'm not really sure how their process works tbh. I've only semi attempted app review once when testing some things for a blog post. Do you see all the correct configurations in the Dev Dashboard for the production application? If not, it might have been the command that you ran. You might just be deploying the development app, for example. You may need to be using the yarn run shopify:deploy:production command.
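
Added example, not part of the thread and not Gadget's or Shopify's own code: a framework-independent sketch of the two behaviours the review checks name, verifying the HMAC over the raw body and splitting handling across the three compliance topics. The header names are Shopify's; the function names, action labels, secret and payload are constructed for illustration.

```javascript
// Added example: function names, action labels and sample values are constructed.
const crypto = require("node:crypto");

// Shopify signs the raw request body with the app's client secret
// (HMAC-SHA256, base64-encoded) and sends it in X-Shopify-Hmac-Sha256.
function signBody(rawBody, clientSecret) {
  return crypto.createHmac("sha256", clientSecret).update(rawBody).digest("base64");
}

function hmacIsValid(rawBody, headerValue, clientSecret) {
  if (typeof headerValue !== "string") return false; // header missing
  const expected = Buffer.from(signBody(rawBody, clientSecret), "base64");
  const received = Buffer.from(headerValue, "base64");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// rawBody: Buffer of the bytes exactly as received (not re-serialised JSON).
// headers: lower-cased names, as Node's http module provides them.
function handleComplianceWebhook(rawBody, headers, clientSecret) {
  if (!hmacIsValid(rawBody, headers["x-shopify-hmac-sha256"], clientSecret)) {
    // Shopify expects 401 for a compliance webhook with an invalid HMAC.
    return { status: 401, action: "rejected" };
  }
  switch (headers["x-shopify-topic"]) {
    case "customers/data_request":
      return { status: 200, action: "export-customer-data" };
    case "customers/redact":
      return { status: 200, action: "delete-customer-data" };
    case "shop/redact":
      return { status: 200, action: "delete-shop-data" };
    default:
      return { status: 200, action: "ignored" }; // not a compliance topic
  }
}

// Constructed sample delivery, signed locally with a constructed secret.
const SECRET = "constructed-client-secret";
const BODY = Buffer.from(JSON.stringify({ shop_domain: "example.myshopify.com" }));

function demo() {
  const good = {
    "x-shopify-topic": "shop/redact",
    "x-shopify-hmac-sha256": signBody(BODY, SECRET),
  };
  const forged = { ...good, "x-shopify-hmac-sha256": signBody(BODY, "wrong-secret") };
  return [good, forged].map((h) => handleComplianceWebhook(BODY, h, SECRET));
}
console.log(demo());
```

The signature must be computed over the raw bytes before any JSON parsing; a body that has been parsed and re-serialised will usually fail verification even with the right secret.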