1. What the app is
The Go4whatsup Integration app on the Shopify App Store connects a merchant's Shopify store to the Go4whatsup WhatsApp Business API platform. Its purpose is to send order-related WhatsApp notifications to the store's customers on the merchant's behalf.
2. What data the app accesses
To send the notifications a merchant configures, the app accesses the following data from Shopify via Shopify's APIs and webhooks:
| Data | Why we need it | Shopify classification |
|---|---|---|
| Order details (order ID, line items, order status, fulfilment status, tracking number, refund status) | To compose accurate WhatsApp messages for order confirmation, payment, shipping, delivery, cancellation, and refund events | Order data |
| Customer name | To personalize the WhatsApp message ("Hi Sara,...") | Protected Customer Data |
| Customer phone number | To deliver the WhatsApp message to the customer | Protected Customer Data |
| Abandoned checkout data (product IDs, cart value, checkout URL, customer name + phone) | To send abandoned-cart WhatsApp reminders when the merchant has enabled that flow | Order data + Protected Customer Data |
| Shop-level metadata (store domain, currency, timezone) | To format messages and schedule sends correctly | Shop data |
What we do NOT access: product cost, supplier data, discount codes not attached to the order, staff account details, or any customer data beyond name + phone number. We do not read customer email addresses, physical addresses, or payment method details.
3. What we use the data for
Solely to compose and deliver the WhatsApp notifications the merchant has configured in the Go4whatsup dashboard. Concretely:
- Order confirmation messages (triggered on
orders/create) - Payment confirmation (triggered on
orders/paid) - Shipping / fulfilment updates (triggered on
fulfillments/create,fulfillments/update) - Delivery confirmation (triggered on delivery events)
- Cancellation notifications (triggered on
orders/cancelled) - Refund confirmations (triggered on
refunds/create) - Abandoned-cart reminders (triggered on
checkouts/createwhen the checkout is not completed within the merchant-configured window)
We do not sell, share, rent, or use Shopify Protected Customer Data for advertising, cross-store profiling, or model training.
4. How the data is stored + encrypted
All data received from Shopify is encrypted:
- In transit: TLS 1.2+ between Shopify, Go4whatsup, and Meta WhatsApp Business API
- At rest: AES-256-GCM in our database and any backup snapshots
- Access controls: Role-based access for internal engineers; audit logs for every access event; least-privilege enforced
5. Data retention
| Data type | Retention |
|---|---|
| Abandoned-cart records (name + phone) | Kept only as long as needed to send the reminder — purged automatically on a rolling retention window (typically 7 days from cart abandonment or once the reminder is sent + acknowledged, whichever is sooner) |
| Order + notification logs (metadata about which messages were sent) | Retained for the duration of the merchant's Go4whatsup subscription for audit + support purposes; purged on uninstall or redaction request |
| Shop-level metadata | Retained for the duration of the merchant's active integration; deleted on uninstall |
6. Shopify mandatory privacy webhooks
Go4whatsup honours all three of Shopify's mandatory compliance webhooks:
| Webhook | What we do |
|---|---|
customers/data_request | Compile the customer's data we hold (name, phone, WhatsApp send history for their orders) and provide it to the merchant within 30 days for their onward disclosure to the customer |
customers/redact | Permanently delete the specific customer's name, phone, and message history from our systems within 30 days of receipt |
shop/redact | Permanently delete all data associated with the shop — orders, customers, notification logs, tokens — within 30 days of receipt |
7. What happens when a merchant uninstalls the app
When a merchant uninstalls the Go4whatsup Integration app from their Shopify store:
- Shopify sends us the
app/uninstalledwebhook (and eventuallyshop/redactper Shopify's timeline) - We immediately revoke the OAuth access token so no further data can be accessed
- We erase the shop's data from our active systems within 48 hours
- Backup snapshots containing the shop's data are purged on the next scheduled backup rotation (maximum 30 days)
8. Data controller vs. processor
Under GDPR and comparable privacy regimes (UK Data Protection Act, UAE PDPL, Saudi PDPL, India DPDP, Brazil LGPD):
- The merchant is the data controller for their customers' data — they decide what notifications to send, what data to include, and what retention to configure.
- Go4whatsup is the data processor — we process the data solely on the merchant's instructions to deliver the configured notifications.
A Data Processing Agreement (DPA) is available on request for merchants who need it for their own compliance records. Contact us at the email below.
9. Sub-processors
To operate the Shopify integration, Go4whatsup uses the following sub-processors:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Meta Platforms Inc. (WhatsApp Business API) | Delivering the actual WhatsApp messages to customers | Customer phone number + message content |
| AWS (data hosting) | Encrypted storage of merchant + notification data | All data listed in Section 2 (encrypted) |
| Cloudflare (edge network + WAF) | Traffic routing + DDoS protection | Request metadata only (no customer PII in URLs) |
We do not add new sub-processors that receive customer PII without updating this page.
10. Security incidents
In the event of a security incident that affects a merchant's data, we will notify the affected merchant within 72 hours of confirming the incident, in line with GDPR Article 33 timelines. Merchants can then decide whether onward notification to their end-customers is required in their jurisdiction.
11. International data transfers
Our production data hosting is in AWS regions selected to minimize cross-border transfers for our largest customer bases (UAE, Saudi Arabia, India, EU). For merchants who require specific data residency, please contact us to discuss configuration.
Contact for privacy questions
For any question about this policy, a DPA request, a customer data request, or to report a concern:
Email: [email protected]
Data controller entity: INWIZARDS SOFTWARE TECHNOLOGIES L.L.C
Registered address: Office 401, Al Mankhool, Dubai, United Arab Emirates
Phone: +971 54 508 5552
This document forms part of Go4whatsup's disclosure to Shopify's app review team under the Shopify Protected Customer Data (PCD) requirements. It is versioned + published at a stable URL that Shopify may reference. When we materially change how the integration handles data, this page is updated + the "Last updated" date is bumped.