MRKT Mesh Protected Customer Data Use

MRKT Mesh provides server-side conversion tracking for Shopify merchants. The app receives browser and Shopify webhook events, deduplicates them, enriches events with attribution identifiers, and sends canonical conversion events to merchant-configured destinations such as Meta Conversions API, Google Ads Enhanced Conversions, GA4, Klaviyo, and TikTok Events API.

Data minimization

MRKT Mesh only requests customer fields required for event matching and attribution recovery. Raw protected customer fields are not displayed in the dashboard. Email and phone are normalized and SHA-256 hashed before persistence or destination delivery. Name and address are not required for the current release and are not requested, not processed, not persisted, not displayed, and not sent to destinations.

Email

  • Status: Requested
  • Function: Used to create hashed customer match parameters for server-side conversion event delivery to merchant-configured destinations such as Meta CAPI, Google Ads Enhanced Conversions, and TikTok Events API.
  • Handling: Normalized (lowercased and trimmed) and SHA-256 hashed at ingestion. Raw email is not displayed in the MRKT Mesh dashboard, not used for MRKT Mesh marketing, not sold, and not persisted after hashing.

Phone

  • Status: Requested
  • Function: Supplemental customer match identifier for server-side conversion event delivery where supported by merchant-configured destinations (Meta CAPI, Google Ads Enhanced Conversions, TikTok Events API).
  • Handling: Normalized (digits-only with optional leading +) and SHA-256 hashed at ingestion. Raw phone is not displayed in the MRKT Mesh dashboard, not used for MRKT Mesh marketing, not sold, and not persisted after hashing.

Name

  • Status: Not requested for current release
  • Function: Not required to provide MRKT Mesh server-side conversion tracking.
  • Handling: Removed from the protected field request. Any incidental name fields in webhook or browser payloads (e.g. first_name, last_name) are stripped or redacted and are not persisted, not displayed, and not sent to destinations.

Address

  • Status: Not requested for current release
  • Function: Not required to provide MRKT Mesh server-side conversion tracking.
  • Handling: Removed from the protected field request. Address fields (default_address, billing_address, shipping_address, address1, address2, city, province/state, zip/postal_code, country) are stripped or redacted and are not persisted, not displayed, not sold, and not sent to destinations.

Consent

Destination delivery respects the merchant and customer consent state. MRKT Mesh derives marketing consent from Shopify’s email_marketing_consent and sms_marketing_consent fields on order webhooks, and from the consent block sent by the MRKT Mesh data layer for browser events. Events with a denied marketing consent state are not delivered to marketing destinations.

Security

  • All ingestion and destination delivery happens over HTTPS/TLS.
  • Customer identifiers are SHA-256 hashed before persistence; raw email and phone are not stored in the application database, the event outbox, or the BigQuery raw payload table.
  • Destination credentials and Shopify access tokens are AES-256 encrypted at rest.
  • Production and test environments are separated by project.
  • Staff access is least-privilege and audited.
  • GDPR customers/redact requests null out stored hashed identifiers within the acknowledgement window.

Implementation evidence

The following code files implement and enforce this data minimization stance:

  • apps/server/src/lib/protected-customer-data.ts — normalization, hashing, redaction, and payload sanitization utility
  • apps/server/src/routes/web-events.ts — browser event ingestion sanitizes user_identity, hashes raw email/phone, and exports a redacted raw payload to BigQuery
  • apps/server/src/workers/web-events-processor.ts — persists only hashed identifiers
  • apps/server/src/workers/webhook-processor.ts — Shopify webhook processor sanitizes raw payload before BigQuery export and outputs only hashed identifiers
  • apps/server/src/lib/event-normalizer.ts — normalizes Shopify order webhooks into TrackingEvent with only hashed identifiers
  • apps/server/src/lib/shopify-webhooks.ts — subscribes only to orders/create, orders/updated, checkouts/create, and refunds/create. The customers/create webhook is not registered.
  • shopify.app.toml and apps/server/src/routes/shopify.ts — OAuth scope set does not include read_customers or write_customers.
  • apps/server/src/lib/bigquery.ts exportRawPayload defensively redacts protected customer fields before insertion
  • apps/server/src/connectors/meta-capi.ts, google-ads.ts, tiktok.ts, klaviyo.ts, custom-webhook.ts — deliver only hashed identifiers; Google Ads address_info matching is disabled.
  • apps/server/src/routes/shopify-gdpr.ts — GDPR customers/redact nulls Event.userIdentity matched on the snake_case shopify_customer_id path.