Last updated: May 20, 2026
Ridgeline GDPR Mailchimp Sync ("the App", "we", "our") is a Shopify application that automates merchant compliance with data-deletion requests under GDPR, CCPA, and other applicable privacy regulations. The merchant who installs the App is the data controller; we operate solely as their data processor in accordance with their instructions.
We process the following categories of data only to fulfil compliance obligations:
We use the data we receive exclusively for the following purposes:
customers/redact webhook from Shopify, we look up the customer's email
in the merchant's connected Mailchimp audience and permanently delete the matching
subscriber record via Mailchimp's encrypted REST API (HTTPS/TLS).
customers/data_request webhook, we acknowledge the request and log
an anonymised audit entry for the merchant's records.
We do not store raw customer personal data (names, email addresses, phone numbers, or purchase history) in permanent storage at any point. Webhook payloads are processed in memory and immediately discarded after the Mailchimp API call resolves. Only the anonymised SHA-256 hash and outcome status are persisted to our audit database.
All data in transit — including Shopify webhook deliveries, Mailchimp API calls, and browser sessions — is encrypted using industry-standard TLS 1.2 or higher. Shopify webhooks are authenticated using HMAC-SHA256 signature verification on the raw request body before any processing occurs. Merchant credentials are stored encrypted at rest in our provisioned PostgreSQL database and are never exposed in logs or API responses.
When a merchant uninstalls Ridgeline GDPR Mailchimp Sync from their Shopify store, their Shopify access token and Mailchimp credentials are automatically scheduled for deletion. All merchant integration tokens are permanently purged from our systems within 48 hours of an uninstall event being received. Anonymised audit log entries are retained for the 12-month audit period and then deleted.
The App integrates with the following third-party platforms on the merchant's behalf:
We do not share merchant or customer data with any other third parties, do not use data for advertising or profiling, and do not sell data under any circumstances.
If you are a customer of a merchant who uses this App and wish to exercise your rights under GDPR (access, rectification, erasure, portability, objection) or CCPA (know, delete, opt-out), please contact the merchant directly. They are the data controller responsible for responding to your request. We will process any legitimate erasure instruction received via the merchant's Shopify store automatically.
The App uses a single, cryptographically signed HttpOnly session cookie
to maintain a merchant's authenticated browser session on the settings dashboard.
No third-party tracking cookies, analytics pixels, or advertising trackers are used.
We may update this Privacy Policy from time to time. Material changes will be communicated to merchants via the App's dashboard. Continued use of the App after the effective date of any update constitutes acceptance of the revised policy.
Questions about this policy?
If you have questions about how we handle data or wish to raise a privacy concern,
please contact us at:
Ridgeline GDPR Mailchimp Sync — Privacy Enquiries
Email: privacy@gdpr-redactor.replit.app