This page is informational, not legal advice. Your store may have additional obligations depending on jurisdiction and business model. When in doubt, consult a qualified data-protection lawyer.
The controller / processor relationship
Three parties handle customer data in a Galantis-on-Shopify setup. Their roles matter because regulators (and customers exercising their rights) need to know who’s responsible for what.| Party | Role | Responsibility |
|---|---|---|
| You (the merchant) | Data controller for your customers | Decide why and how customer data is processed: what campaigns to send, what consent to capture, what segments to build |
| Galantis | Data processor on your behalf | Process customer data only on your instructions: sync from Shopify, send through Meta’s API, store consent and message history |
| Meta | Independent controller for WhatsApp data | Operate the WhatsApp Business Platform; retains message metadata per its own Privacy Policy |
| Shopify | Data processor on your behalf (for store data) | Provides the order, customer, and consent webhooks Galantis consumes |
Data deletion requests
Shopify is the intermediary for GDPR compliance requests. When a deletion request is submitted — either by a customer or by you on behalf of your store — Shopify fires a webhook to every installed app, including Galantis. Galantis handles two webhook topics:| Webhook | Trigger | What Galantis does |
|---|---|---|
customers/redact | A specific customer requests deletion of their personal data | The customer’s marketing_state is set to REDACTED; personal identifiers are scrubbed; message history is anonymised |
shop/redact | A merchant uninstalls Galantis and requests full shop data removal (typically 48 hours after uninstall) | All customer records, message history, and configuration for that workspace are erased |
The REDACTED state
When acustomers/redact webhook arrives, Galantis moves the affected customer’s marketing_state to REDACTED. From that moment:
- They’re removed from all campaign audience calculations
- They’re skipped in all automation message actions
- They don’t receive Back-in-Stock notifications, even if they had an active subscription
- They cannot be re-added to lists or segments for messaging
Verifying a deletion
A customer’smarketing_state is visible in Audience → Contacts → [Customer Name]. A REDACTED status confirms the deletion request was processed by Galantis. If you need a formal confirmation for the customer or for an audit log, support can issue a deletion receipt with the date, source webhook, and the data scrubbed.
Other data subject rights
GDPR (and similar regimes) grants customers several rights beyond deletion. Here’s how each is handled in a Galantis-on-Shopify setup:Right to access (Article 15 GDPR)
Right to access (Article 15 GDPR)
Customers can request a copy of the personal data you hold about them. In Galantis, this includes their contact profile, consent history, message history, and any segment membership. Export this from Audience → Contacts → [Customer Name] → Export. Combine with the equivalent export from Shopify for a complete view.
Right to rectification (Article 16)
Right to rectification (Article 16)
Customers can request correction of inaccurate data. Edit the customer profile directly in Audience → Contacts → [Customer Name]. Note: phone numbers used for WhatsApp routing are validated against Meta — invalid numbers won’t accept messages even if you save them.
Right to erasure (Article 17)
Right to erasure (Article 17)
Covered by the
customers/redact flow above. Customers can also request deletion directly through Shopify’s customer account or via your store’s privacy page.Right to portability (Article 20)
Right to portability (Article 20)
A machine-readable export of a customer’s data is available via the Export action on the customer profile. The export is JSON-formatted and includes all fields covered under the right to access.
Right to restriction (Article 18)
Right to restriction (Article 18)
A customer can request you stop processing their data without deleting it. In practice, set their
marketing_state to UNSUBSCRIBED to halt all marketing sends while keeping the record for legitimate purposes like order history.Right to object (Article 21)
Right to object (Article 21)
Customers can object to direct marketing. The customer’s STOP reply on WhatsApp, or an opt-out via Shopify’s marketing preferences, sets
marketing_state to UNSUBSCRIBED and stops marketing sends immediately.Cross-border data transfers
WhatsApp Business Platform infrastructure is operated by Meta primarily from the United States. Sending a WhatsApp message to a customer in the EU means EU personal data crosses to US infrastructure. For GDPR compliance, this transfer relies on:- Standard Contractual Clauses (SCCs) — the European Commission’s approved framework for EU → US data transfers, embedded in Meta’s terms and in the Galantis DPA
- Supplementary measures — encryption in transit (TLS) and at rest, access controls, and audit logging
- Transparency — informing your customers in your privacy notice that WhatsApp messages may transit via Meta’s US infrastructure
Data retention
Galantis retains your store’s data as long as the app is installed, plus a short grace period after uninstall to handle accidental re-installs. After theshop/redact webhook fires (typically 48 hours post-uninstall), all data is erased per our DPA.
Meta has its own retention for WhatsApp messages and metadata, governed by its Privacy Policy. Galantis cannot delete data Meta retains independently — but Meta also honors data deletion requests submitted through its own channels.
Other privacy regimes
GDPR is the most comprehensive framework, but customers in other regions are protected by similar regulations. The Galantis flow described above satisfies the deletion-and-access core of each:LGPD (Brazil)
Lei Geral de Proteção de Dados — closely modeled on GDPR. Same data-subject rights, similar consent rules. The
customers/redact flow handles deletion requests from Brazilian customers identically.UK GDPR
Post-Brexit, the UK retained GDPR with minor adjustments. Functionally identical handling: same DPA, same SCCs framework for transfers, same flow for deletion.
CCPA / CPRA (California)
California’s framework centers on the right to know, delete, and opt out of sale or sharing of personal information. Customer deletion via the standard
customers/redact flow covers the right to delete. Galantis does not sell or share customer data with third parties for cross-context behavioral advertising.Other regimes
Australia’s Privacy Act, Singapore’s PDPA, Turkey’s KVKK, South Africa’s POPIA, and others follow similar principles. The GDPR-aligned approach — explicit consent, audit trail, easy withdrawal, prompt deletion — satisfies the substantive requirements of most regimes.
What you should document on your side
Even with Galantis handling enforcement automatically, your store still needs visible documentation of how WhatsApp data is handled:- Privacy notice update: mention WhatsApp as a marketing channel, that Meta processes the messages on its infrastructure (US-hosted), and link to Meta’s privacy policy
- Opt-in language at point of capture: specific enough to be valid under GDPR (“Receive WhatsApp messages about orders and offers from [Store]” — not “Receive marketing”)
- DPA on file: keep a counter-signed copy of the Galantis DPA accessible
- Records of consent: Galantis stores these automatically — see Opt-in & consent
- Data subject request log: keep a log of access / deletion / portability requests and your response time (typically within 30 days under GDPR)
Opt-in & consent
Full reference for consent states and how they’re enforced across the platform.
Audience — consent & opt-outs
Managing consent at the audience level — bulk export, audit, and compliance reporting.
WhatsApp Privacy Policy
Meta’s policy for what they retain and how they handle data subject rights on their side.
Shopify privacy & GDPR
Shopify’s documentation on the data deletion webhooks Galantis consumes.