# What Shopify data SourceLoop stores and deletes

Exactly what SourceLoop accesses from your Shopify store, where it is stored, what is deleted when you uninstall, and how customer and shop data-deletion requests are handled.

Source: https://sourceloop.ai/help/shopify-data-deletion/
Updated: 2026-07-03

---

This article is the complete, plain-language record of what SourceLoop does with data from your Shopify store: what it reads, where it is kept, what happens when you uninstall, and how customer and shop deletion requests are handled. It exists so that you (and your data-protection officer, if you have one) have a clear answer to every reasonable privacy question, and so the integration meets Shopify's requirements for how apps handle protected customer data.

It is the companion to [How to set up marketing attribution tracking for Shopify](/help/marketing-attribution-for-shopify/).

## What SourceLoop accesses from Shopify

When you install the SourceLoop app and approve it, you grant **read-only** access to three areas of your store:

- **Orders**, to match each sale to the marketing source that drove it
- **Customers**, to roll repeat purchases up to the same person for LTV
- **Checkouts**, to understand completed and abandoned checkout activity

SourceLoop **never requests write access**. It cannot change products, prices, inventory, orders, fulfillment, or customer records in your Shopify admin. Its role is strictly to read, so it can attribute.

From those areas, the data actually stored in your SourceLoop workspace is:

- Order details: order value, line items, discounts, currency, status, and timestamps
- Customer identity: email and name from the Shopify customer record
- The marketing journey stitched to each order: source, medium, campaign, UTMs, ad click IDs, landing page, referrer, and pages browsed
- Refund and cancellation events, netted against the original order
- Device, country, and browser of the converting session

## Where it is stored and who can see it

- Imported Shopify data lives **only inside your own private SourceLoop workspace**.
- It is **not shared** with other SourceLoop customers, **not sold**, and **not used** for anything beyond producing your attribution reports and dashboards.
- Sensitive values, including your store's access token, are **encrypted at rest**.
- Only members you have invited to your SourceLoop workspace can view it.

## What happens when you uninstall

You can remove SourceLoop at any time from **Shopify Settings -> Apps and sales channels -> SourceLoop -> Uninstall**. The moment you uninstall:

- **Access ends immediately.** Shopify revokes the app's access token, and SourceLoop deletes its copy of that token. No further calls are made to your store.
- **Storefront tracking stops.** SourceLoop's app embed is disabled automatically when the app is uninstalled. Your theme is untouched because the embed was a toggle, not code, and nothing was ever pasted into it.
- **Your Shopify data is left exactly as it was.** SourceLoop has read-only access and never had the ability to delete or change anything in your store.

Uninstalling also **begins the deletion of the data SourceLoop imported**, described next.

## How deletion requests are handled

Shopify defines three standard privacy requests that every app must honor. SourceLoop handles all three automatically. You do not need to configure anything.

### 1. Shop data erasure (after you uninstall)

**48 hours after you uninstall** the app, Shopify notifies SourceLoop to erase your store's data. On receiving that notice, SourceLoop **permanently deletes** everything it imported from that store:

- All imported orders, customers, and checkouts
- The marketing journeys and attribution records tied to them
- The store connection record and any remaining tokens
- Operational logs associated with the connection

The 48-hour gap is Shopify's standard window; it exists so an accidental uninstall can be reversed by reinstalling. If you want your data removed **sooner**, email **hello@sourceloop.ai** and we process the erasure right away.

### 2. Customer data erasure (a shopper asks to be deleted)

When one of your shoppers asks you to delete their personal data, Shopify forwards that request to every installed app, including SourceLoop. On receiving it, SourceLoop **erases that individual's records** for your store: their contact, their orders, and their journey. This happens automatically and needs nothing from you.

Deletion on our side only removes the copy stored in your SourceLoop workspace. The original customer record in your Shopify admin is governed by Shopify and by your own store policy, not by SourceLoop.

### 3. Customer data access (a shopper asks for their data)

When a shopper requests a copy of the personal data held on them, Shopify forwards that request to SourceLoop as well. We **compile the records** associated with that customer for your store and make them available to you, the merchant, so you can provide them to the shopper.

## Data retention at a glance

| Data | When it is deleted |
| --- | --- |
| Store access token | Immediately on uninstall |
| Storefront tracking (app embed) | Disabled automatically on uninstall |
| Imported orders, customers, checkouts, journeys | Erased 48 hours after uninstall (or on request) |
| A specific shopper's records | Erased when that customer's deletion request is received |
| Connection record and logs | Purged as part of the shop erasure |

Nothing imported from Shopify is retained after the erasure completes. There is no long-term archive.

## Requesting deletion or a written record manually

Most deletion happens automatically through the flows above. For anything beyond that:

1. Email **hello@sourceloop.ai** with the subject "Shopify data deletion request" and your store's `.myshopify.com` domain.
2. Confirm your identity (we use the authenticated SourceLoop workspace owner email).
3. We acknowledge within 2 business days and complete the erasure within 30 days, confirming in writing.

For a data-protection review, we can also provide a **data-processing agreement (DPA)** and a written summary of exactly what was accessed, retained, and deleted for your specific store.

> **Not legal advice**
> This guide is general information about how SourceLoop handles Shopify data, not legal advice. Your obligations as a merchant depend on your jurisdiction and how you use the data. If you are unsure, check with a privacy professional for your specific situation.

## Frequently Asked Questions

### What happens the moment I uninstall SourceLoop from Shopify?

Access ends immediately. The store's access token is revoked and deleted on SourceLoop's side, and all further calls to your Shopify store stop. The SourceLoop app embed is disabled automatically when the app is uninstalled, so storefront tracking stops too. Nothing in your Shopify admin is changed or deleted by us.

### Does uninstalling delete the order and customer data SourceLoop already imported?

Uninstalling starts the deletion process. Shopify notifies SourceLoop to erase your store's data 48 hours after uninstall, and SourceLoop then permanently deletes the imported orders, customers, and checkouts for that store. If you need it removed sooner, email hello@sourceloop.ai and we process it right away.

### How does a customer's "delete my data" request work?

When a shopper asks a merchant to delete their data, Shopify forwards that request to every installed app, including SourceLoop. On receiving it, SourceLoop erases that individual's records (their contact, orders, and journey) tied to your store. This is automatic and requires nothing from you.

### Can a customer request a copy of the data you hold on them?

Yes. Shopify forwards data-access requests to SourceLoop the same way. We compile the records associated with that customer for your store and make them available to you as the merchant, so you can pass them to the shopper.

### What does SourceLoop never touch in my Shopify store?

SourceLoop holds read-only access to orders, customers, and checkouts. It cannot and does not modify products, prices, inventory, orders, fulfillment, or any customer records inside Shopify. Deletion on our side only affects the copies stored in your SourceLoop workspace, never the originals in Shopify.

### Where is the imported Shopify data stored?

Only in your own private SourceLoop workspace. It is not shared with other customers, not sold, and not used for any purpose beyond producing your attribution reports. Sensitive values such as access tokens are encrypted at rest.

### How do I get a written record for a data-protection review?

Email hello@sourceloop.ai. We can provide a data-processing agreement (DPA) and a written summary of exactly what was accessed, retained, and deleted for your specific store, suitable for a GDPR or SOC 2 review.
