Lumen Docs

GDPR compliance

How Lumen complies with GDPR and handles data subject requests.

Lumen is built to comply with the General Data Protection Regulation (GDPR) and Shopify's mandatory privacy requirements.

Shopify mandatory webhooks

Lumen implements all three of Shopify's mandatory GDPR webhooks:

Customer data request

When a customer requests their data from your store, Shopify sends Lumen the customers/data_request webhook. We respond with any data we hold about that customer, which is limited to chat session transcripts (if any still exist within the retention window).

Customer data erasure

When a customer requests deletion of their data, Shopify sends Lumen the customers/redact webhook. We delete all chat sessions associated with that customer immediately, without waiting for the standard auto-deletion period.

Shop data erasure

When a merchant uninstalls Lumen, Shopify sends the shop/redact webhook (48 hours after uninstallation). On receiving it, we delete all store configuration and any remaining chat session data for that shop.
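The three handlers described above, written out as an added example (this is illustrative code, not Lumen's own implementation). Shopify signs every webhook with the app's client secret, HMAC-SHA256 over the raw request body, base64-encoded in the X-Shopify-Hmac-Sha256 header, and requires a 401 response when that signature does not verify. The dispatcher below checks the signature over the exact bytes received, before parsing any JSON, and only then acts on customers/data_request, customers/redact or shop/redact against an in-memory stand-in for the app's database. The store class, the secret, the shop domains and the transcripts are constructed placeholders; the topic names, header names and payload fields are Shopify's.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Shopify's three mandatory compliance webhook topics (real topic names).
DATA_REQUEST = "customers/data_request"
CUSTOMER_REDACT = "customers/redact"
SHOP_REDACT = "shop/redact"


def sign_body(secret: str, raw_body: bytes) -> str:
    """Value Shopify sends in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(client secret, raw body))."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_shopify_hmac(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Verify over the exact request bytes (before JSON parsing), in constant time."""
    if not header_value:
        return False
    return hmac.compare_digest(sign_body(secret, raw_body).encode(), header_value.encode())


@dataclass
class ChatStore:
    """Assumed in-memory stand-in for the app's database. Sessions are keyed by
    (shop_domain, customer_id), so a customer's email never needs to be stored."""
    sessions: dict = field(default_factory=dict)     # (shop, customer_id) -> [transcript, ...]
    shop_config: dict = field(default_factory=dict)  # shop -> settings

    def sessions_for(self, shop: str, customer_id: int) -> list:
        return list(self.sessions.get((shop, customer_id), []))

    def delete_customer(self, shop: str, customer_id: int) -> int:
        return len(self.sessions.pop((shop, customer_id), []))

    def delete_shop(self, shop: str) -> int:
        keys = [k for k in self.sessions if k[0] == shop]
        for k in keys:
            del self.sessions[k]
        self.shop_config.pop(shop, None)
        return len(keys)


def handle_compliance_webhook(store: ChatStore, secret: str, headers: dict, raw_body: bytes):
    """Return (http_status, response_body). A bad or missing signature is rejected with 401
    before the body is parsed, so a forged request can neither read nor erase anything."""
    if not verify_shopify_hmac(secret, raw_body, headers.get("X-Shopify-Hmac-Sha256")):
        return 401, {"error": "invalid hmac"}
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]
    topic = headers.get("X-Shopify-Topic")
    if topic == DATA_REQUEST:
        cust = payload["customer"]["id"]
        return 200, {"customer_id": cust, "chat_sessions": store.sessions_for(shop, cust)}
    if topic == CUSTOMER_REDACT:
        cust = payload["customer"]["id"]
        return 200, {"deleted_sessions": store.delete_customer(shop, cust)}
    if topic == SHOP_REDACT:
        return 200, {"deleted_sessions": store.delete_shop(shop)}
    return 404, {"error": f"unhandled topic {topic!r}"}


# Constructed sample data (placeholder shops and transcripts, not real traffic).
SHOP = "example.myshopify.com"
OTHER_SHOP = "other.myshopify.com"


def sample_store() -> ChatStore:
    store = ChatStore()
    store.sessions[(SHOP, 42)] = ["customer: where is order #1001?\nbot: it shipped yesterday"]
    store.sessions[(SHOP, 7)] = ["customer: hi"]
    store.sessions[(OTHER_SHOP, 42)] = ["customer: hello"]  # same customer id, different shop
    store.shop_config[SHOP] = {"tone": "friendly"}
    store.shop_config[OTHER_SHOP] = {"tone": "formal"}
    return store


def make_signed_request(secret: str, topic: str, payload: dict):
    """Headers and raw body shaped like a Shopify compliance webhook, signed with `secret`."""
    raw = json.dumps(payload).encode()
    headers = {
        "X-Shopify-Topic": topic,
        "X-Shopify-Shop-Domain": payload["shop_domain"],
        "X-Shopify-Hmac-Sha256": sign_body(secret, raw),
    }
    return headers, raw


if __name__ == "__main__":
    secret = "example-client-secret"  # placeholder for the app's Shopify client secret
    store = sample_store()
    payload = {"shop_id": 1, "shop_domain": SHOP, "customer": {"id": 42}, "orders_to_redact": []}
    headers, raw = make_signed_request(secret, CUSTOMER_REDACT, payload)
    print(handle_compliance_webhook(store, secret, headers, raw + b" "))  # tampered body: 401, nothing deleted
    print(handle_compliance_webhook(store, secret, headers, raw))         # genuine: one session deleted
```

Two details matter in practice. The HMAC must be computed over the raw bytes as received; frameworks that parse and re-serialize JSON before the handler runs will change whitespace or key order and break verification. And the data request handler returns the assembled transcripts so the merchant can pass them on; Shopify itself only needs the 200 acknowledgement and does not relay the response body to the customer.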

Data minimization

Lumen follows the principle of data minimization:

  • We only access Shopify data needed to answer order tracking queries
  • We don't store customer email addresses in our database
  • Chat sessions are automatically deleted after the retention period
  • We don't collect any data beyond what's needed for the service to function

Lawful basis for processing

Lumen processes data under the following lawful bases:

  • Legitimate interest — Order tracking queries are initiated by the customer, and the processing is necessary to provide the service they've requested.
  • Contract performance — The merchant has installed Lumen to provide order tracking to their customers.

Customer rights

Under GDPR, customers have the right to:

  • Access their data — Fulfilled through Shopify's customer data request webhook
  • Erasure of their data — Fulfilled through Shopify's customer data erasure webhook
  • Portability — Chat transcripts can be exported by the merchant as CSV

Data protection

Lumen uses the following security measures:

  • TLS (HTTPS) for all data in transit
  • Encrypted database storage for data at rest
  • Shopify OAuth for authentication
  • Minimal API scopes (read-only access only)
  • No storage of sensitive customer information (email addresses, payment data)

Questions

If you have questions about Lumen's privacy practices or need to make a data request, contact us at support@ironmint.studio.

For Lumen's full privacy policy, visit lumenapp.dev/privacy.
