Managing Data Subject Requests to Delete or Access Subscriber Data

Who gets this? Shops on all Postscript plans have the ability to submit subscriber requests to delete or access their personal information in Shopify. In order to submit data subject requests via API endpoints, brands need to be on the Professional or Enterprise plans. Learn more about Postscript Plans.

Under some privacy laws, including the California Consumer Privacy Act (CCPA) for California residents and the General Data Protection Regulation (GDPR) for EU residents, subscribers have rights to access or delete their personal information. When subscribers exercise these rights, it is often called a “data subject request”, specifically a “deletion request” (i.e. an “erasure request”) or an “access request”. When brands respond to data subject requests, they must make sure that all of their service providers, like Postscript, can assist in completing the request.

Under applicable laws, when responding to a deletion request, Postscript may retain information required for a brand to comply with other laws, like the Telephone Consumer Protection Act (TCPA) and state telemarketing laws. In that case, Postscript will redact any information that is not required for a brand’s compliance records. For example, Postscript will redact the subscriber’s name, and may retain the relevant phone number and records of opt ins and opt outs, which are necessary to demonstrate the brand’s compliance with TCPA requirements to obtain express written consent from subscribers.

Postscript offers two solutions for submitting deletion (i.e. erasure) and access requests. In this article, we'll outline both ways to fulfill deletion and access requests.

Respond to Subscriber Deletion (Erasure) Requests in Shopify


Postscript's deep integration with Shopify allows you to submit subscriber deletion (erasure) requests directly in your Shopify admin.

Before beginning, there is key information to know about using this method to delete (erase) or redact subscriber data:

  • In order for Shopify to send Postscript a webhook prompting the redaction, that Shopify customer must have an associated subscriber record that exists in Postscript.
  • By default, Shopify won't delete personal data when the customer has made an order in the last 180 days in case a chargeback occurs (more information from Shopify here). If a deletion request is submitted during that window, then the request will remain in a pending state until the required time has passed. After the required time has passed, Shopify sends Postscript a webhook signaling to delete (erase) the subscriber data. Postscript will automatically respond to the request by deleting or redacting the subscriber data at that time.

  1. From your Shopify admin, select Customers.
  2. From the customer list, find and select the customer profile for the individual who submitted a deletion (erasure) request.
  3. Select More actions, then select Erase personal data.

Respond to an Access Request in Shopify


If you receive an access request from a customer, Shopify’s deep integration with Postscript will also allow you to request a customer’s data. In this section, we outline how to port this information from Postscript.

  1. From your Shopify admin, select Customers.
  2. From your customer list, find and select the customer profile that you want to request data for.
  3. Select More actions, then select Request customer data.
  4. By default, the primary contact listed in your Postscript account will receive an email from Postscript to begin the access request process by submitting a web form. This process can take 5-7 business days.

Erase Data via Compliance API Endpoints


Postscript offers public API endpoints that allow merchants to automate workflows for responding to data subject requests and/or integrate with third-party Data Privacy Management apps. These endpoints include:

  • /redact: Specify a Postscript subscriber id, Shopify customer id, phone number, or email address. This endpoint will redact the personal information of subscribers who make a deletion (erasure) request. If that individual is currently opted in to your SMS program, they will automatically be unsubscribed. Postscript retains information required for brands to comply with the TCPA and state telemarketing laws, including phone numbers and records of opt ins and opt outs.
  • /unsubscribe: Specify a Postscript subscriber ID or phone number to unsubscribe an SMS subscriber. You can also unsubscribe a subscriber directly in the Postscript app.

Create an API Key

In order to start making API calls, you need to generate an API key in your Postscript account and use the private key as the Auth Header.

  1. Select your Shop Name in the side menu of your Postscript dashboard, then select API.
  2. Select Create Security Key Pair on the right side of the page, then confirm your action by selecting Yes.
  3. Add a label to your API key so you can track where this API key is being used.
  4. Select Show in the Private Key column to reveal your API key. Copy this key or write it down.

Making Calls to Compliance API Endpoints

  1. Navigate to Postscript's Developer documentation
  2. Select Compliance in the left-side panel
  3. Under the Compliance page, you will see two PATCH endpoints: Unsubscribe and Redact.
  4. With your Private API key and subscriber ID or phone number, you can start making redaction requests via Postman, Zapier, Retool, or cURL.
  5. You can also use these APIs to connect with third-party apps that handle data privacy.
   Important! If you are using an automation tool or script to make these API calls, please ensure you abide by our API rate limit. Learn more here.
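
A scripted form of step 4, added here as an example and not taken from Postscript's documentation: it builds the PATCH request to /redact, accepts exactly one identifier per subject, paces calls, and keeps the key and personal data out of its audit trail. The host, JSON field names, Bearer scheme, pacing interval and environment variable name are assumptions; replace them with the values in the developer documentation.

```python
import json
import os
import time
import urllib.error
import urllib.request

# Assumptions, not from the article: host, JSON field names, Bearer scheme and
# pacing interval. Replace them with the values in the developer documentation.
BASE_URL = "https://api.example.invalid"  # placeholder host
ID_FIELDS = ("subscriber_id", "shopify_customer_id", "phone_number", "email")
MIN_INTERVAL_S = 1.0  # placeholder; set from the documented rate limit


def build_redact_request(private_key, identifier):
    """Build, without sending, a PATCH /redact request for one data subject."""
    if len(identifier) != 1:
        raise ValueError("exactly one identifier is required")
    (field, value), = identifier.items()
    if field not in ID_FIELDS or not str(value).strip():
        raise ValueError("unsupported or empty identifier")
    return urllib.request.Request(
        BASE_URL + "/redact",
        data=json.dumps({field: str(value).strip()}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {private_key}", "Content-Type": "application/json"},
    )


def redact_all(private_key, subjects, send=urllib.request.urlopen,
               sleep=time.sleep, interval=MIN_INTERVAL_S):
    """Send one paced request per subject; the audit trail holds no key or PII."""
    audit = []
    for i, subject in enumerate(subjects):
        if i:
            sleep(interval)  # stay under the API rate limit
        try:
            with send(build_redact_request(private_key, subject)) as resp:
                status = resp.status
        except urllib.error.HTTPError as exc:
            status = exc.code
        except ValueError as exc:
            status = f"rejected: {exc}"
        audit.append({"index": i, "id_type": ",".join(subject), "status": status})
    return audit

if __name__ == "__main__":
    key = os.environ.get("POSTSCRIPT_PRIVATE_KEY", "constructed-key")  # hypothetical name
    req = build_redact_request(key, {"email": "subject@example.com"})  # constructed input
    print(req.get_method(), req.full_url, req.data.decode())
```

Run as a script, it performs a dry run only: the request is built and printed without the key and nothing is sent.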

Key Information


  • Postscript securely deletes all subscriber data except for the subscriber's phone number, which is retained by Postscript solely for legal purposes as outlined in our Privacy Policy. Importantly, this number is not associated with any specific customer or subscriber.

Get Support


Have questions? Please feel free to reach out to our wonderful Support team at support@postscript.io or via live chat. You can also submit a support request here!

Need ongoing channel strategy guidance? Please fill out this form and we'll connect you to one of our certified partners.
