Shopify app permissions and data access

Cancevia asks for order access so a withdrawal request can be matched with Shopify order context where possible. Matching can use details such as order number, customer email, order date, selected line items, fulfillment context, and order status.

The read_all_orders scope is used because some withdrawal reviews may involve orders outside Shopify’s default recent-order window. When a match is unclear, the request remains available for merchant review instead of being silently accepted or rejected.

The withdrawal form collects customer-provided details such as email, order reference, selected items, and optional name or reason fields depending on merchant settings. Cancevia also uses Shopify customer context where available to help match the request and show useful review information.

Customer email is required for the confirmation receipt and for matching a submitted request with the most likely order. The merchant still controls how the request is reviewed and handled after it appears in the inbox.

Product access helps Cancevia show line-item context, product titles, variants, quantities, and product identifiers when a customer submits a partial withdrawal. This is especially useful for orders with several items or mixed product types.

Professional workflows can also use product tags for exclusion rules. That gives merchants a technical control for products they want to review differently, while final legal handling remains the merchant’s responsibility.

Cancevia needs storefront-related access to provide a customer-facing withdrawal entry and route submissions through the app workflow. This can include a theme app extension, app proxy path, footer or navigation entry, and a dedicated withdrawal page.

Theme and navigation access are used to help merchants publish or manage the visible entry point without building a custom theme workflow for every store. Merchants can still choose where the entry should appear and can remove or change placements later.

Locale access helps Cancevia understand the store’s published language context and choose appropriate customer-facing defaults for the withdrawal form and confirmation email templates.

Cancevia separates language surfaces: embedded Admin UI resources, customer-facing form templates, and customer confirmation email templates are different surfaces. Merchants should review final wording for their market and products.

Cancevia keeps withdrawal request records so merchants can review submissions, statuses, timestamps, confirmation email status, order context, exports, and evidence history. Retention controls and deletion workflows are part of the merchant data-handling setup.

Shopify requires public apps to handle mandatory privacy compliance webhooks. Cancevia configures those compliance topics and documents data handling through privacy, DPA, subprocessor, and security materials.

Permission access should not be read as a legal conclusion. Cancevia provides the technical withdrawal workflow and records, but merchants remain responsible for legal wording, product exceptions, refund policy, and final handling decisions.

Cancevia also does not replace a returns management app, customer support platform, or legal review process. It focuses on the EU withdrawal request workflow: customer entry, no-account form, confirmation receipt, order context, status handling, and evidence records.