
GDPR Compliance for Shopify B2B Apps: What EU Merchants Need to Know

Mar 10, 2026·Peer Jakobsen

Your B2B registration app is storing EU customer data somewhere. Company names. VAT numbers. Trade licenses. Contact details for every business that applies to your wholesale program.

Do you know where that data actually lives?

TL;DR: Most Shopify B2B apps store data in the US with no clear GDPR compliance. To be compliant, your registration app needs EU data residency, mandatory Shopify webhook handlers, a DPA, audit logging, and automatic data redaction on uninstall.

Most Shopify merchants think about GDPR in terms of cookie banners and email consent. But if you're running B2B registration through a third-party app, you have a separate compliance problem that nobody talks about.

B2B Registration Collects More Than You Think

A typical D2C customer account has an email and a name. Maybe an address.

A B2B registration form collects company name, business email, phone number, VAT or Tax ID, business address, and often uploaded documents like trade licenses, resale certificates, or tax exemption forms. Some forms collect company revenue ranges or the number of employees. If you're validating these tax IDs at registration time, that adds another layer of data processing — see How to Validate International Tax IDs on Shopify for the details.

All of this is personal data under GDPR. The tax ID identifies a specific business entity. The contact details identify the person submitting the form. The uploaded documents often contain both.

Every app that touches this data is a data processor under GDPR. You, the merchant, are the data controller. That makes you responsible for how your apps handle the data you collect through them.

The Problem Most Merchants Don't See

Cumulative GDPR fines hit six billion euros by September 2025. That number used to be a distant threat. It's not anymore. Enforcement is accelerating, and ecommerce businesses are increasingly in scope.

In 2024, a Shopify plugin vendor called Saara had an exposed database that leaked 25 gigabytes of customer data from over 1,800 stores. The data was sitting in a publicly accessible MongoDB instance. No breach. No hack. Just a database that was never locked down.

That's the kind of thing that happens when app vendors don't take data handling seriously. And you're the one who installed the app. Under GDPR, that makes it your problem too.

Here's what makes this worse for B2B: the data you're collecting is more sensitive than a typical D2C store. A leaked VAT number is a compliance issue. A leaked trade license is a business document that your customer trusted you to protect. And most B2B registration apps don't tell you anything about how they handle this data.

Try finding the data storage location for any of the major Shopify B2B apps. Or a Data Processing Agreement. Or details about what happens to customer data when you uninstall. Most of them don't mention any of this on their listing page, their website, or their documentation.

Six Things to Check Before You Install a B2B App

If you're evaluating B2B registration apps for your EU-facing store, here's what to look for. For a broader comparison of the apps themselves, see How to Set Up B2B Customer Registration on Shopify.

Where is the data stored?

Shopify itself now stores EU merchant data in Europe by default. But third-party apps have their own infrastructure. Your B2B app might store customer data on AWS in Virginia, on a server in Singapore, or anywhere the developer found cheapest.

Ask your app vendor directly: where is customer data stored? You want a specific answer. "AWS eu-central-1 (Frankfurt)" is a good answer. Silence is a bad one.

Does the app provide a Data Processing Agreement?

Under GDPR, every data processor needs a DPA with the data controller. Shopify provides its own DPA for the data it processes. But every third-party app that handles personal data needs one too.

Most Shopify app vendors don't provide a DPA unless you ask. Some don't provide one at all. If your B2B app collects customer data and doesn't have a DPA, you have a compliance gap.

How does the app handle data subject requests?

Shopify requires all App Store apps to implement three GDPR webhooks: one for customer data requests, one for customer data redaction, and one for shop data redaction. This is mandatory for listing approval.

But implementation quality varies. Some apps acknowledge the webhook and do nothing. Others only partially delete data. The 30-day deadline for completing a redaction request is real.

What happens when you uninstall?

This is the question nobody asks until it's too late. When you remove a B2B registration app, what happens to all the customer data it collected? The form submissions. The uploaded trade licenses. The VAT numbers.

Some apps retain data indefinitely after uninstall. Some delete it. Most don't say. For GDPR compliance, you need to know. And you need to be able to prove that data was handled properly.

Are uploaded documents cleaned up?

B2B registration often involves file uploads. Trade licenses, resale certificates, tax exemption documents. These files are stored on the app's infrastructure, usually in cloud storage like S3.

When a customer requests data deletion, those files need to go too. When you uninstall the app, the storage needs to be cleaned up. Ask whether this happens automatically or whether documents persist after uninstall.

Can you prove compliance?

GDPR doesn't just require you to be compliant. It requires you to demonstrate compliance. That means audit logs. Who accessed what data, when approvals happened, when data was created or modified.

If your B2B app doesn't keep audit logs, you have no way to respond to a regulator who asks you to show how customer data was processed. That's a gap you don't want to discover during an inquiry.
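As an added illustration (not B2B Onboard's code or a Shopify SDK) of what a webhook implementation that does more than acknowledge the request looks like, tying together the three mandatory webhooks, the document cleanup and the audit logging from the sections above: the handler verifies Shopify's HMAC-SHA256 signature over the raw body, deletes the registration row and its uploaded files on customers/redact and shop/redact, and writes an audit entry for every event, rejected deliveries included. The in-memory SUBMISSIONS, BUCKET and AUDIT_LOG stores, the seed data and APP_SECRET are constructed stand-ins for the app's database, S3 bucket and log.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-ins for the app's database, S3 bucket and audit log (hypothetical).
APP_SECRET = b"constructed-app-secret"   # the app's client secret, which Shopify signs with
SUBMISSIONS = {}   # customer_id -> {"shop": ..., "vat_id": ..., "documents": [s3 keys]}
BUCKET = {}        # s3 object key -> file bytes
AUDIT_LOG = []     # append-only; survives after the customer data itself is gone

def seed_demo_data():
    SUBMISSIONS.clear(); BUCKET.clear(); AUDIT_LOG.clear()   # constructed sample state
    SUBMISSIONS[1001] = {"shop": "eu-shop.example", "vat_id": "DE000000000", "documents": ["1001/licence.pdf"]}
    SUBMISSIONS[1002] = {"shop": "eu-shop.example", "vat_id": "FR00000000000", "documents": []}
    SUBMISSIONS[2001] = {"shop": "other.example", "vat_id": "NL000000000B01", "documents": ["2001/cert.pdf"]}
    BUCKET.update({"1001/licence.pdf": b"%PDF-constructed", "2001/cert.pdf": b"%PDF-constructed"})

def sign(raw_body, secret=APP_SECRET):
    """Shopify's scheme: base64(HMAC-SHA256(secret, raw body)), sent as X-Shopify-Hmac-Sha256."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()

def audit(event, **fields):
    AUDIT_LOG.append({"ts": time.time(), "event": event, **fields})

def redact_customer(shop, customer_id):
    """Delete the registration row and every uploaded document; return documents removed."""
    record = SUBMISSIONS.pop(customer_id, None) or {"documents": []}
    removed = sum(BUCKET.pop(key, None) is not None for key in record["documents"])
    audit("customers/redact", shop=shop, customer_id=customer_id, documents_removed=removed)
    return removed

def redact_shop(shop):
    """shop/redact (sent after uninstall): remove every customer that shop registered."""
    ids = [cid for cid, rec in SUBMISSIONS.items() if rec["shop"] == shop]
    for cid in ids:
        redact_customer(shop, cid)
    audit("shop/redact", shop=shop, customers_removed=len(ids))
    return len(ids)

def handle_webhook(topic, raw_body, hmac_header):
    """Dispatch one GDPR webhook; return the HTTP status the endpoint should answer with."""
    if not hmac.compare_digest(sign(raw_body), hmac_header or ""):  # check raw bytes before parsing
        audit("webhook.rejected", topic=topic)
        return 401
    payload = json.loads(raw_body)
    if topic == "customers/redact":
        redact_customer(payload["shop_domain"], payload["customer"]["id"])
    elif topic == "shop/redact":
        redact_shop(payload["shop_domain"])
    elif topic == "customers/data_request":  # an export, not a deletion: record it for the 30-day clock
        audit("customers/data_request", shop=payload["shop_domain"], customer_id=payload["customer"]["id"])
    else:
        return 404
    return 200
```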

What Good Looks Like

A B2B registration app that takes GDPR seriously should be able to tell you, upfront, where data is stored, how long it's retained, what happens on uninstall, and provide a DPA without you having to chase them for it.

For B2B Onboard, we built GDPR compliance in from the start. All data is stored in the EU (Frankfurt, eu-central-1). We provide a full Data Processing Agreement. On uninstall, we run automatic data redaction and S3 cleanup. We keep audit logs with 7-year retention so you can demonstrate compliance if you ever need to.

We didn't build these things because they're marketable features. We built them because we're a European company and we know what happens when you don't.

The Question to Ask

Before you evaluate any B2B app on features, ask about data. Where it goes, how it's protected, and what happens when the relationship ends. The app with the longest feature list isn't necessarily the safest choice for your EU customers' data.

GDPR compliance isn't a checkbox. It's a question of whether you can look your B2B customers in the eye and tell them their business data is handled properly. Make sure your apps can back that up.


B2B Onboard is a B2B registration app for Shopify built with EU compliance at its core. Data stored in Frankfurt, full DPA provided, automatic data redaction on uninstall. If GDPR matters to your B2B operation, take a look.

Peer Jakobsen is the founder of Mentilead. He builds Shopify B2B apps from Denmark with a focus on clean architecture and EU compliance.
