
GDPR & consent

Why this matters for your business

Privacy regulation has stopped being optional. GDPR (EU), CCPA (California), India's DPDP, Brazil's LGPD, the UK's PECR — every major market now has rules about what consent looks like, how it must be recorded, how fast you must process deletion requests, and what you owe customers when they ask "what do you have on me?" The fines for getting this wrong are large enough to end small brands and embarrass large ones.

GDPR & consent on this platform is the built-in way to be compliant — not as a checkbox bolted on, but as the foundation every other feature reads from. Every opt-in is recorded with the exact text the customer saw, the time, the channel, the source widget, the page URL, and the IP-derived region. Every unsubscribe propagates globally within 10 seconds across all channels. Every customer can request export or deletion via the admin tab — same pipeline as Shopify's mandatory webhooks, full audit trail.

Beyond compliance, this is also a trust play. Customers notice when "unsubscribe" actually unsubscribes them everywhere. They notice when you can show them, on request, what data you hold. That trust compounds — your unsubscribe rate goes down, your opt-in rate goes up, and your sender reputation improves. The regulatory floor becomes a marketing advantage.

What this typically unlocks

| Outcome | Typical result |
|---|---|
| Unsubscribe-to-actually-unsubscribed lag | < 10 seconds vs. days/never on disconnected tools |
| GDPR deletion request turnaround | < 24 hours automatic vs. weeks of manual work |
| Time spent on cross-tool consent reconciliation | 0 hours — single source of truth |
| Consent audit findings (regulator review) | 0 issues — every record has full context |
| "Unsubscribed but still got it" support tickets | −95% vs. industry average |
| Sender reputation score | +12 points (most large ESPs publish a score) |

What you actually get

Four pillars of consent + privacy management:

| Pillar | What it does |
|---|---|
| Opt-in records | Every consent capture is logged with text + time + source + channel + region |
| Send-time gauntlet | Every message checks consent + global unsubscribe + fatigue + quiet hours before going out |
| Global unsubscribe | One click flips every channel off; propagates < 10 sec |
| GDPR tools | Export, erase, preview, audit — both webhook-driven and merchant-initiated |

How it powers every part of your store

| Compliance scenario | What the platform does for you |
|---|---|
| New customer subscribes via a widget | Auto-records consent text, source, IP region, timestamp |
| Customer clicks unsubscribe in an email | Sets global unsubscribe; every channel stops within 10s |
| Customer emails support asking for deletion | One click in admin → full erase pipeline runs |
| Shopify fires customers/redact webhook | Same pipeline, automatic, no merchant action needed |
| Regulator asks "show me consent for customer X" | Customer detail tab → consent records with text |
| Customer asks "what data do you have on me?" | Export tab → JSON of every event, message, profile field |
| New region launches (e.g. Brazil LGPD) | Built-in regional consent rules; consent text customizable |
| Internal review: "are we storing PII we shouldn't?" | Data inventory tab shows full PII summary |
| Account uninstalls | 30-day retention then auto-purge of all customer data |

How it works (without the technical bits)

Every opt-in capture creates an OptInRecord with:

  • Channel (email / SMS / WhatsApp / push)
  • Action (opt_in or opt_out)
  • The exact consent text the customer saw at the moment of consent
  • Source (which widget, which page URL)
  • Region (derived from IP — used for regional consent rules)
  • Timestamp (UTC)
  • Customer ID (after identity resolution merges into Customer 360)
  • Free-text notes (e.g. "consented at checkout", "verbal at POS")

This record is append-only — never edited, never deleted (except via GDPR erasure, where the record is anonymized in place preserving the audit chain).

Different regions, different rules:

| Region | Default opt-in stance | Marketing requires | Transactional requires |
|---|---|---|---|
| EU (GDPR) | Explicit opt-in only | Active consent | Legitimate interest OK |
| UK (PECR + GDPR) | Explicit opt-in only | Active consent | Legitimate interest OK |
| US (CAN-SPAM + state laws) | Implied consent post-purchase OK | Easy unsubscribe | Always |
| California (CCPA) | Implied + DNS option | Active consent | Always |
| India (DPDP) | Explicit opt-in | Active consent | Legitimate interest OK |
| Brazil (LGPD) | Explicit opt-in | Active consent | Legitimate interest OK |
| Australia (Spam Act) | Implied consent post-purchase OK | Easy unsubscribe | Always |
| Canada (CASL) | Express or implied with limits | Active consent | Always |

The platform applies the strictest rule that might apply when in doubt — for cross-border customers where region is ambiguous, GDPR-grade consent is required.
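The two ideas above (an append-only OptInRecord log, and region rules that fall back to the strictest regime when the region is unknown) can be seen together in a small in-memory model. This is an added example, not the platform's own code: the field names, the REGIMES table (a subset of the region table, with stances taken from it), the EU_COUNTRIES set and the customer shape are all assumptions.

```javascript
// Added example, not platform code: an append-only OptInRecord log plus the
// region rule resolution described above. REGIMES, EU_COUNTRIES, field names
// and the customer shape are assumptions modelled on the page's description.

// Regulatory regime per region (subset of the table above).
// "explicit": explicit opt-in only. "implied": implied consent post-purchase OK.
const REGIMES = {
  EU: { name: "GDPR", stance: "explicit" },
  GB: { name: "PECR + GDPR", stance: "explicit" },
  US: { name: "CAN-SPAM + state laws", stance: "implied" },
  IN: { name: "DPDP", stance: "explicit" },
  BR: { name: "LGPD", stance: "explicit" },
  AU: { name: "Spam Act", stance: "implied" },
};
// Subset of EU member states used to map IP-derived country codes (assumption).
const EU_COUNTRIES = new Set(["AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "PT", "SE"]);

// Strictest-rule fallback: an unknown or ambiguous region gets GDPR-grade rules.
function regimeFor(regionCode) {
  if (EU_COUNTRIES.has(regionCode)) return REGIMES.EU;
  return REGIMES[regionCode] || REGIMES.EU;
}

function createConsentLog() {
  return [];
}

// Append-only: every record is frozen on write and nothing is ever removed.
function recordOptIn(log, rec) {
  const record = Object.freeze({
    channel: rec.channel,          // email | sms | whatsapp | push
    action: rec.action,            // opt_in | opt_out
    consentText: rec.consentText,  // exact text the customer saw
    source: rec.source,            // widget + page URL
    region: rec.region,            // IP-derived country code
    timestamp: rec.timestamp,      // ISO-8601 UTC
    customerId: rec.customerId,
    notes: rec.notes || "",
  });
  log.push(record);
  return record;
}

// Latest record for (customer, channel) wins; null if nothing was ever recorded.
function consentState(log, customerId, channel) {
  let latest = null;
  for (const r of log) {
    if (r.customerId !== customerId || r.channel !== channel) continue;
    if (!latest || r.timestamp > latest.timestamp) latest = r;
  }
  return latest ? latest.action : null;
}

// May a marketing message go to this channel? An opt_out record always wins,
// an opt_in record always suffices; with no record at all, only an "implied"
// regime accepts a prior purchase as consent.
function marketingAllowed(log, customer, channel) {
  const state = consentState(log, customer.id, channel);
  if (state === "opt_out") return false;
  if (state === "opt_in") return true;
  return regimeFor(customer.region).stance === "implied" && customer.hasPurchased === true;
}
```

Because the log is never edited, a customer who opts out and later opts back in ends up with three records, and `consentState` simply returns the latest one; that is the same property the FAQ below relies on when it says the previous unsubscribe is preserved in the audit chain.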

The send-time gauntlet — every message, every time

A four-step gate that no message bypasses (covered in detail in Customer 360):

  1. Channel opt-in? No → skip with no_opt_in.
  2. Global unsubscribe? Yes → skip with globally_unsubscribed.
  3. Cap hit? Yes → skip with daily_cap or channel_cap.
  4. Quiet hours? Yes (and not email) → skip with quiet_hours.

Each skip is logged with the reason — your campaign analytics show why recipients were excluded, which is the difference between honest reporting and "we'll just send and hope for the best."

Transactional messages (order confirmation, shipping notification, password reset) ride on legitimate interest — they don't require marketing opt-in. Marketing messages (newsletter, campaigns, promotional offers) require active consent.

The platform classifies every send. You can't accidentally route a marketing campaign through the transactional channel:

| Message type | Required opt-in? | Subject to fatigue cap? |
|---|---|---|
| Order confirmation | ✗ (transactional) | |
| Shipping update | ✗ (transactional) | |
| Password reset | ✗ (transactional) | |
| Cart recovery | ✓ (marketing) | |
| Newsletter / campaign | ✓ (marketing) | |
| Win-back journey | ✓ (marketing) | |
| Review request | ✓ (marketing — most regions) | |
| GDPR data export confirmation | ✗ (regulatory) | |

If you're unsure whether a message is transactional, ask: "would the customer expect to receive this regardless of marketing consent?" If yes, it's transactional.

Global unsubscribe — < 10 seconds across every channel

When a customer clicks "unsubscribe":

  1. At T+0: Click hits unsubscribe handler.
  2. At T+~50ms: unsubscribedAt is set on the customer profile.
  3. At T+~100ms: All four optIn* flags are flipped off.
  4. At T+~3s: Active flow enrollments transition to exited_unsubscribed.
  5. At T+~5–10s: Any in-flight campaign send to this customer sees the change at next gauntlet check and skips.

Practically, no message can leave the platform addressed to an unsubscribed customer beyond the sub-10-second window. The "unsubscribed but still got it" tickets that plague disconnected marketing stacks become near-zero.
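The four-step gauntlet, the transactional-vs-marketing classification and the unsubscribe timeline above fit together in one model, shown here as an added example that is not the platform's code. The customer and message shapes, the cap values, the quiet-hours window and the rule that caps and quiet hours apply only to marketing sends are assumptions; the skip reasons and the `unsubscribedAt` / `optIn*` field names come from the page. The example also covers the edge case the timeline implies: between T+~50ms (unsubscribedAt set) and T+~100ms (flags flipped), the opt-in flag still reads true, so step 2 must look at `unsubscribedAt` directly rather than trusting the flags.

```javascript
// Added example, not platform code: send-time gauntlet, message classification
// and global unsubscribe. Cap values, quiet-hours window and the marketing-only
// scope of steps 3-4 are assumptions.

const MESSAGE_CLASS = {
  order_confirmation: "transactional",
  shipping_update: "transactional",
  password_reset: "transactional",
  cart_recovery: "marketing",
  newsletter: "marketing",
  win_back: "marketing",
  review_request: "marketing",
  gdpr_export_confirmation: "regulatory",
};

const DAILY_CAP = 3;    // assumed: marketing sends per customer per day, all channels
const CHANNEL_CAP = 1;  // assumed: marketing sends per channel per day
const QUIET_START = 21; // assumed quiet hours 21:00-08:00, non-email channels only
const QUIET_END = 8;
const CHANNELS = ["email", "sms", "whatsapp", "push"];

// Unknown message types are treated as marketing, the stricter class.
function classify(messageType) {
  return MESSAGE_CLASS[messageType] || "marketing";
}

// "sms" -> "optInSms", matching the optIn* flags named on the page.
function optInFlag(channel) {
  return "optIn" + channel[0].toUpperCase() + channel.slice(1);
}

// Returns { send: true } or { send: false, reason }. sentToday maps channel ->
// count of marketing sends already made to this customer today.
function gauntlet(customer, message, now, sentToday) {
  const marketing = classify(message.type) === "marketing";
  // 1. Channel opt-in? Transactional and regulatory sends ride on legitimate interest.
  if (marketing && customer[optInFlag(message.channel)] !== true) {
    return { send: false, reason: "no_opt_in" };
  }
  // 2. Global unsubscribe? Read unsubscribedAt itself, not the flags: it is set
  //    before the flags flip, so a send landing in that window is still caught.
  if (marketing && customer.unsubscribedAt) {
    return { send: false, reason: "globally_unsubscribed" };
  }
  // 3. Fatigue caps (assumed to apply to marketing only).
  if (marketing) {
    const total = Object.values(sentToday).reduce((a, b) => a + b, 0);
    if (total >= DAILY_CAP) return { send: false, reason: "daily_cap" };
    if ((sentToday[message.channel] || 0) >= CHANNEL_CAP) return { send: false, reason: "channel_cap" };
  }
  // 4. Quiet hours, non-email channels only (hour assumed to be customer-local).
  if (marketing && message.channel !== "email") {
    const h = now.getUTCHours();
    if (h >= QUIET_START || h < QUIET_END) return { send: false, reason: "quiet_hours" };
  }
  return { send: true };
}

// The unsubscribe handler's state changes, in the order the timeline gives.
function globalUnsubscribe(customer, now) {
  customer.unsubscribedAt = now.toISOString();                     // T+~50ms
  for (const ch of CHANNELS) customer[optInFlag(ch)] = false;      // T+~100ms
  for (const e of customer.enrollments) {                          // T+~3s
    if (e.status === "active") e.status = "exited_unsubscribed";
  }
  return customer;
}

// Campaign analytics: tally skip reasons so exclusions are explained, not hidden.
function exclusionSummary(results) {
  const out = {};
  for (const r of results) if (!r.send) out[r.reason] = (out[r.reason] || 0) + 1;
  return out;
}
```

Note the ordering consequence: once the flags have flipped, a marketing send to an unsubscribed customer is reported as `no_opt_in` (step 1 fires first), and only a send that races the flag flip is reported as `globally_unsubscribed`. Either way nothing leaves, which is the property the page promises; the reason code just tells you which gate caught it.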

GDPR tools — built into the admin

Five tools in the GDPR tab:

| Tool | What it does | Use when |
|---|---|---|
| Export | Generates a full data JSON for a single customer | Customer asks "what do you have?" |
| Preview erasure | Shows scope of an erase before you click | Pre-review for high-stakes deletions |
| Erase | Runs the redaction pipeline | Customer asks for deletion (direct) |
| Data inventory | Shop-wide PII summary | Quarterly compliance review |
| Request log | Every GDPR action ever taken | Regulator review |

The webhook-driven path (Shopify customers/redact, customers/data_request, shop/redact) hits the same pipeline automatically, with the same audit trail. You can use either or both.

What gets erased vs. what stays

| Field type | Erase action |
|---|---|
| Email, phone, names, address | Nulled |
| Web session IDs, marketplace IDs | Deleted |
| Order references | Anonymized (kept for revenue accounting) |
| Engagement events | Customer reference nulled, totals stay |
| Opt-in records | Customer reference nulled, audit chain preserved |
| Segment memberships | Deleted |
| Active journey enrolments | Exit with reason gdpr_erasure |
| Soft-delete marker | dataDeletedAt set on the profile |

The Customer360 row stays — only PII is removed. This means:

  • Your dashboards (revenue contribution, lifecycle distribution) stay accurate after redact.
  • The audit trail stays intact for regulator review.
  • A wrong-customer redact is reversible for 7 days (Enterprise: 30) by re-pulling from Shopify.
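To make the erase table concrete, here is an added example (not the platform's code) of "preview erasure" and "erase" over an in-memory store. The table names, field names and sample rows are constructed assumptions; the actions per table follow the erase table above: PII nulled on the surviving Customer360 row, sessions/identity links/segment memberships deleted, orders/events/opt-in records kept with their customer reference nulled, active journeys exited with `gdpr_erasure`, and `dataDeletedAt` set.

```javascript
// Added example, not platform code: preview-then-erase over an in-memory store
// shaped like the "What gets erased vs. what stays" table. Names and sample
// rows are constructed assumptions.

const PII_FIELDS = ["email", "phone", "firstName", "lastName", "address"];

// Constructed sample data: customer c1 is the erasure target, c2 is a bystander.
function sampleStore() {
  return {
    customers: [{ id: "c1", email: "a@example.com", phone: "+15550000000", firstName: "Ada", lastName: "B", address: "1 Road", dataDeletedAt: null }],
    sessions: [{ id: "s1", customerId: "c1" }, { id: "s2", customerId: "c1" }, { id: "s3", customerId: "c2" }],
    identityLinks: [{ id: "l1", customerId: "c1", marketplaceId: "mp-1" }],
    orders: [{ id: "o1", customerId: "c1", total: 240 }],
    events: [{ id: "e1", customerId: "c1", revenue: 240 }, { id: "e2", customerId: "c2", revenue: 60 }],
    optInRecords: [{ id: "r1", customerId: "c1", channel: "email", action: "opt_in", consentText: "Get 10% off...", region: "GB", timestamp: "2026-01-12T14:23:00Z" }],
    segmentMemberships: [{ segmentId: "vip", customerId: "c1" }],
    enrollments: [{ id: "j1", customerId: "c1", status: "active", exitReason: null }],
  };
}

const belongsTo = (id) => (row) => row.customerId === id;

// Scope of an erase, computed without changing anything (the "Preview erasure" tool).
function previewErasure(store, customerId) {
  const n = (rows) => rows.filter(belongsTo(customerId)).length;
  return {
    customers: { rows: store.customers.filter((c) => c.id === customerId).length, action: "null PII, keep row" },
    sessions: { rows: n(store.sessions), action: "delete" },
    identityLinks: { rows: n(store.identityLinks), action: "delete" },
    segmentMemberships: { rows: n(store.segmentMemberships), action: "delete" },
    orders: { rows: n(store.orders), action: "anonymize" },
    events: { rows: n(store.events), action: "anonymize" },
    optInRecords: { rows: n(store.optInRecords), action: "anonymize, audit chain preserved" },
    enrollments: { rows: store.enrollments.filter((e) => belongsTo(customerId)(e) && e.status === "active").length, action: "exit with gdpr_erasure" },
    subscriptions: { rows: 0, action: "NOT TOUCHED, separate pipeline" },
  };
}

// Runs the redaction and returns the scope it acted on, for the request log.
function erase(store, customerId, now) {
  const scope = previewErasure(store, customerId);
  for (const c of store.customers) {
    if (c.id !== customerId) continue;
    for (const f of PII_FIELDS) c[f] = null;  // Customer360 row stays, PII goes
    c.dataDeletedAt = now;                     // soft-delete marker
  }
  const drop = (rows) => rows.filter((r) => r.customerId !== customerId);
  store.sessions = drop(store.sessions);
  store.identityLinks = drop(store.identityLinks);
  store.segmentMemberships = drop(store.segmentMemberships);
  const nullRef = (rows) => { for (const r of rows) if (r.customerId === customerId) r.customerId = null; };
  nullRef(store.orders);        // totals remain for revenue accounting
  nullRef(store.events);        // totals remain, reference gone
  nullRef(store.optInRecords);  // text, region, timestamp, action preserved
  for (const j of store.enrollments) {
    if (j.customerId === customerId && j.status === "active") {
      j.status = "exited";
      j.exitReason = "gdpr_erasure";
    }
  }
  return scope;
}

// Dashboard figure that must survive an erase unchanged.
function revenueTotal(store) {
  return store.events.reduce((sum, e) => sum + e.revenue, 0);
}
```

Running `previewErasure` a second time after `erase` returns zero rows for the deleted tables, which is a cheap way to confirm the pipeline is idempotent before wiring it to both the admin button and the `customers/redact` webhook.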

Real merchant scenarios

Scenario A — Founder gets a GDPR request via email

Setup. Founder gets an email: "Please delete my data — I no longer wish to be your customer." Pre-platform, this would mean: log into Klaviyo, search by email, delete profile (without audit). Log into Shopify, delete customer. Log into ESP, delete. And hope you got everything. ~30 minutes per request, no audit trail.

With the platform.

  1. Open Customers → search by email → click GDPR tab → "Erase"
  2. Preview shows: "Will null email/phone/names, delete 12 web sessions, exit 1 active flow, anonymize 8 attribution rows" — confirm
  3. Click confirm → done in ~3 seconds

Total time: 90 seconds. Audit trail: complete. Risk: zero.

Scenario B — Regulator audits a brand for GDPR compliance

Setup. Mid-market brand audited under GDPR for consent record quality. Regulator picks 50 random customers from the last year and asks: "show me their consent."

With the platform. For each customer, the GDPR tab shows every OptInRecord:

Customer: customer_acb123
Records:
2026-01-12 14:23 UTC — opt_in (email)
Source: exit-intent widget on /products/coffee
Region: GB (London IP)
Consent text: "Get 10% off your first order — sign up
for our newsletter. We'll email you
occasionally with new products and
offers. Unsubscribe anytime."
2026-01-12 14:24 UTC — opt_in (whatsapp)
Source: post-checkout opt-in toggle
Region: GB
Consent text: "Receive order updates and offers via
WhatsApp. We'll respect your time —
unsubscribe with one tap."

Result. All 50 records had full context. Audit closed in 2 days with zero findings.

Scenario C — Cross-channel unsubscribe leakage at a competitor

Setup. Mid-market brand previously used Klaviyo for email + a separate WhatsApp provider + a separate SMS tool. When a customer unsubscribed from email, the WhatsApp tool didn't know; the customer kept getting WhatsApps; eventually filed a complaint.

Migration to platform. All channels now share one consent record. Unsubscribe is global by default. Result, 6 months in:

| Metric | Before | After |
|---|---|---|
| "Unsubscribed but still got" complaints | 4–6/week | 0–1/week |
| Time spent on consent reconciliation | ~5h/week | 0 |
| Risk of regulatory complaint | high | minimal |
| Net unsubscribe rate (across channels) | 1.4%/quarter | 0.7%/quarter |

The unsub rate halving is significant — when customers trust the unsub button to actually work, fewer of them mark messages as spam (which is far more damaging to deliverability than clean unsubscribes).

Scenario D — Opt-in widget silently stops recording consent

Setup. Brand notices opt-in rate dropped 40% in one week. Looking at the consent records, sees the source distribution shifted: a particular widget stopped recording opt-ins.

Investigation. Widget JS had broken on a deploy. Customers were toggling the opt-in checkbox but the API call was failing silently. Without the consent log, the brand would have acquired customers without consent records.

Fix shipped in 4 hours. Estimated ~340 customers affected; each had to be reconfirmed via a "did you mean to opt in?" follow-up email. ~280 confirmed (good). 60 didn't reconfirm — removed from list (correct).

The compliance win. Without consent logs, those 60 might have been the basis of a regulator complaint or fine. Caught in time.

Scenario E — Brand expands to a new region (Brazil)

Setup. US brand expanding into Brazil. LGPD compliance required from day one. Pre-platform, this would have meant a 2-month legal/engineering project to add a new consent flow.

With the platform.

  1. Set Brazil shop in admin → region defaults applied
  2. Customize consent text in Portuguese (template provided)
  3. Done — every opt-in widget now uses LGPD-compliant text; data inventory respects LGPD retention rules; deletion pipeline includes LGPD-specific log entries

Total time: 4 hours. Legal cost: $0 (vs. ~$15K for a custom build).

Scenario F — High-stakes erasure with preview

Setup. Brand serves both retail customers and B2B accounts. A B2B account requests deletion — but they're a multi-million-dollar account with 8 active subscriptions, integration data, and a complex billing relationship.

Without preview. Click erase → ??? → unrecoverable.

With preview. Click "Preview erasure":

Will affect:
Customer360: 1 row (anonymize)
FunnelEvents: 4,820 rows (anonymize)
Attributions: 86 rows (anonymize)
ActiveJourneys: 8 (exit with gdpr_erasure)
OptInRecords: 14 (delete)
IdentityLinks: 6 (delete)
Subscriptions: 8 (NOT TOUCHED — separate pipeline)
BillingHistory: NOT TOUCHED

This will affect total revenue contribution analytics for $2.4M
in lifetime spend.

Are you sure you want to proceed?

Outcome. The 5-second preview prevented an irreversible accident. Brand realized the deletion needed coordination with the billing team first.

Best practices

Customize consent text per widget, not generic boilerplate. "Get 10% off your first order in exchange for your email" beats "Sign up for our newsletter" both for opt-in rate and audit trail.

Use easy-unsubscribe in every email, not just the required footer link. One-click in the message body is more respectful than a buried link.

Run quarterly data-inventory reviews. The PII summary shows you exactly what you have. If there's a column you don't need (legacy field, unused custom field), remove it. Less data = less liability.

Trust the global unsubscribe. Don't second-guess by running "did they really mean it?" win-backs. Customers who unsubscribe stay unsubscribed; respect that.

Train support on the GDPR tab. Every support agent should be able to handle "delete my data" without escalating. The tool is one click; the time savings compounded across a year are significant.

Localize consent text by region. US-style "by checking this box you agree to receive marketing" doesn't fly under GDPR. The platform provides region-specific templates.

Don't run "we miss you" campaigns to globally-unsubscribed customers. Even though the platform won't send, the audit log will show you tried — and a regulator can see that.

Don't rely on Shopify's customer record alone. Shopify doesn't track opt-in source, region, or text. The platform's OptInRecord is the audit-grade source.

Don't bulk-delete records to "clean up the database". Especially OptInRecord — that's your audit chain. Use the GDPR pipeline if you need to remove customer data.

Don't classify marketing as transactional to bypass opt-in. This is a fast track to deliverability damage and regulatory complaints.

Plan tiers

| Capability | Free | Starter | Pro | Agency | Enterprise |
|---|---|---|---|---|---|
| Opt-in records (full audit) | | | | | |
| Send-time gauntlet | | | | | |
| Global unsubscribe (< 10s) | | | | | |
| GDPR export | | | | | |
| GDPR erase + preview | | | | | |
| Region-aware consent rules | | | | | |
| Data inventory dashboard | | | | | |
| Custom consent text per widget | | | | | |
| Reverse-erasure window | 24h | 7d | 7d | 30d | 90d |
| Multi-shop GDPR audit roll-up | | | | | |
| Custom retention policies | | | | | |
| DPO export reports | | | | | |

Frequently asked

What if I don't have a DPO? You don't need one for the platform to work. The DPO export reports (Enterprise) are useful for regulated industries; most brands operate fine without them.

Are sub-processors documented? Yes — the DPA (Data Processing Addendum) lists every sub-processor (Shopify, AWS, message providers). Updated when sub-processors change.

Can a customer opt back in after unsubscribing? Yes — they can re-subscribe via the same widgets. The new opt-in creates a new OptInRecord; the previous unsubscribe is preserved in the audit chain. Their state is re-evaluated in real-time.

Does the platform comply with COPPA? No — the platform doesn't collect data on children under 13. If your business does, you have COPPA-specific obligations beyond what this platform handles.

What happens to consent records after a customer is erased? Anonymized — customer reference nulled but the record remains for audit (text, region, timestamp, action). Required for proving compliance to a regulator post-deletion.

How is consent handled at POS? Verbal opt-in at checkout creates an OptInRecord with source = pos. The platform captures the recorded reason text and the cashier ID. Same audit trail as web opt-ins.

What about the right to data portability? The export tool (admin tab) generates portable JSON. Customer can download or you can email it to them. Format is the same as Shopify's customers/data_request webhook output.

How fast is "unsubscribe everywhere" really? Median: ~3 seconds. P99: ~10 seconds. Beyond P99 is investigated and fixed within the SLA (4 hours for paid plans).
