Shopify App Permissions: Collecting Feedback Without Extra Scopes
Most merchants click "Install" on a Shopify app without reading the permissions screen. That screen is the single most important thing you'll see before you hand an app the keys to your store. A survey tool that asks to read all your customer data, edit orders, and access your full product catalog is asking for far more than it needs to put a few questions in front of a buyer.
This post is about Shopify app permissions: what access scopes actually are, why over-permissioned apps create real risk, and how a survey can read the order context it needs without any of that. If you only remember one thing, make it this: a post-purchase survey does not need broad access to your store to do its job.
What Shopify access scopes actually are
When you install an app, Shopify shows you a list of permissions. Under the hood those are called access scopes. Each scope is a specific grant: read this, write that. Examples you've probably seen:
- read_customers / write_customers: see and edit customer records, including emails and addresses
- read_orders / write_orders: pull full order history or modify orders
- read_products: read your entire catalog
- read_all_orders: access to orders older than 60 days, which requires special approval from Shopify
A scope is binary. If an app holds read_customers, it can read every customer in your store, not just the one who took a survey. There's no "only this person" version. Write scopes include the matching read scope, so an app holding write_orders can read orders too. Once granted, that access stays live until you uninstall the app or revoke it.
This is where the trouble starts. An app that requests read_customers and read_orders so it can technically run a survey is now sitting on a copy of your customer list and your order data. That data lives on the app's servers, syncs through its systems, and is only as safe as that vendor's security.
The real risk of over-permissioned apps
"It's just a survey app" is exactly the assumption that gets stores into trouble. Here's what broad scopes actually expose you to.
Your data leaves your store. An app holding read_orders will usually pull that data into its own database to function. You now have customer PII in a second system you don't control. If that vendor gets breached, your customers are part of it.
Compliance surface grows. Under GDPR and CCPA you're responsible for who processes your customers' data. Each over-permissioned app is another data processor you have to account for, document, and trust. Fewer scopes means a smaller list of places your customer data lives.
Quiet scope creep. Apps can request additional scopes in updates. Shopify asks you to approve the new ones, but that prompt is easy to click through, so the permissions you approved at install may not be the permissions the app holds six months later.
Harder offboarding. When you uninstall, Shopify revokes the app's token, but data already copied to the vendor's servers is governed by their retention policy, not yours.
None of this is hypothetical. It's the default behavior of any app built on the Admin API that needs order or customer data to run. The question is whether a survey app needs to work that way at all. It doesn't.
How native extensions read order context without broad scopes
Shopify has a second way to build apps that most merchants never hear about: UI extensions. Instead of calling the Admin API from a vendor's server, an extension runs inside Shopify's own surfaces (checkout, the order status page, customer accounts, POS) and receives the relevant context directly from Shopify at that moment.
The difference is structural:
| | Admin API app | Native UI extension |
|---|---|---|
| Where it runs | Vendor's servers | Inside Shopify's surfaces |
| How it gets order data | Requests broad scopes, syncs your data out | Reads the current order context in place |
| Data access | Your whole store (all customers, all orders) | Just the order in front of the buyer |
| What you approve at install | A long permissions list | Little to no broad data access |
A thank-you page extension already knows the order it's attached to, because Shopify is rendering it on that order's confirmation. It doesn't need read_orders across your store to know the order total or which products were bought. The context is handed to it for that one transaction.
This is the core point on Shopify app permissions: the permissions screen is long when an app has to reach into your store from the outside. When the app runs natively where the order already lives, that reaching mostly disappears.
What to check before installing any app
Use this before you click install on a survey tool or anything else.
- Read the permissions screen, every time. If a survey app wants write_orders or read_customers, ask why. Surveys don't edit orders.
- Match the scopes to the job. A tool should request the minimum it needs. Broad read access "to be safe" is a flag, not a feature.
- Check whether it's built on extensions or the Admin API. App listings and docs usually say. Native checkout, customer-account, and POS extensions are a good sign.
- Find the data retention and privacy policy. Where does response data live, how long is it kept, can you export and delete it?
- Look at how you act on the data. Can you get responses out (CSV, webhook) without giving the app more access in return?
You don't need to be a developer to do this. The permissions screen tells you most of what you need in plain language.
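If you do want to automate the "match the scopes to the job" check above, or catch the scope creep described earlier, the following is an added example (my own code, not OrderSurvey's and not a Shopify API). It takes plain scope handles, either copied from the install screen or, if you are the app's developer, read from the app's own GET /admin/oauth/access_scopes.json response, and flags what a post-purchase survey has no business holding. The allowlist, severity rules and sample data are assumptions for illustration.

```javascript
// Added example, not OrderSurvey's code. Audits the scope handles a Shopify
// app holds against what a post-purchase survey actually needs.
// Inputs are plain scope handles: copy them from the install screen, or, as the
// app's developer, take them from GET /admin/oauth/access_scopes.json, which
// returns { "access_scopes": [ { "handle": "read_orders" }, ... ] }.
// The PII list, severity rules and sample data below are illustrative assumptions.

// Scopes whose resources carry customer PII store-wide.
const CUSTOMER_PII_SCOPES = new Set([
  "read_customers", "write_customers",
  "read_orders", "write_orders",
  "read_all_orders",
  "read_draft_orders", "write_draft_orders",
]);

// In Shopify a write_* scope also grants read_* for the same resource, so
// expand before checking, or "write_orders" slips past a "read_orders" rule.
function expandScopes(handles) {
  const effective = new Set();
  for (const h of handles) {
    effective.add(h);
    if (h.startsWith("write_")) effective.add("read_" + h.slice("write_".length));
  }
  return effective;
}

function parseAccessScopes(json) {
  const body = JSON.parse(json);
  if (!body || !Array.isArray(body.access_scopes)) {
    throw new Error("unexpected access_scopes payload");
  }
  return body.access_scopes.map((s) => s.handle);
}

// One finding per effective scope not on the allowlist, sorted by handle.
function auditScopes(requested, allowlist = new Set()) {
  const findings = [];
  for (const scope of [...expandScopes(requested)].sort()) {
    if (allowlist.has(scope)) continue;
    let severity = "review";
    let reason = "not needed for a post-purchase survey; ask the vendor why";
    if (scope.startsWith("write_")) {
      severity = "high";
      reason = "write access; a survey reads order context, it does not edit store data";
    } else if (scope === "read_all_orders") {
      severity = "high";
      reason = "orders older than 60 days; needs Shopify approval and amounts to exporting your order book";
    } else if (CUSTOMER_PII_SCOPES.has(scope)) {
      severity = "high";
      reason = "store-wide customer PII, not just the buyer taking the survey";
    }
    findings.push({ scope, severity, reason });
  }
  return findings;
}

// Scope creep check: what was approved at install versus what is held now.
function scopeCreep(approvedAtInstall, heldNow) {
  const before = expandScopes(approvedAtInstall);
  const after = expandScopes(heldNow);
  return {
    added: [...after].filter((s) => !before.has(s)).sort(),
    removed: [...before].filter((s) => !after.has(s)).sort(),
  };
}

// Constructed sample data (not from any real app).
const APPROVED_AT_INSTALL = ["read_products"];
const HELD_NOW_JSON = JSON.stringify({
  access_scopes: [
    { handle: "read_products" },
    { handle: "write_orders" },
    { handle: "read_customers" },
  ],
});

const heldNow = parseAccessScopes(HELD_NOW_JSON);
console.log(auditScopes(heldNow));                    // 4 findings, 3 of them "high"
console.log(scopeCreep(APPROVED_AT_INSTALL, heldNow)); // added: read_customers, read_orders, write_orders
```

The expansion step is the part people miss: an app that only asks for write_orders never shows read_orders on the permissions screen, yet it can read every order. Pass an allowlist only for scopes you have a documented reason to accept; for a survey built on native extensions that list is empty.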
The privacy and compliance benefits of fewer scopes
Choosing tools that request less is not just good hygiene, it's less work for you.
- Smaller breach blast radius. If a survey vendor never held your customer list, a breach there can't leak your customer list.
- A shorter processor list. Fewer apps with PII access means fewer entries in your GDPR records and fewer vendors to vet.
- Cleaner data residency story. When customer PII isn't being copied out to run a survey, you've removed a whole category of risk from your store.
- Easier merchant trust. Buyers are answering an honest question on your thank-you page, not feeding a data pipeline they didn't sign up for. That's the spirit of zero-party data: information customers share willingly, used for what they expect.
How OrderSurvey is built for this
OrderSurvey is built entirely on Shopify's native checkout, customer-account, and POS UI extensions. Because of that, it does not request broad data access scopes from your store. The surveys run where the order already lives, so the app reads the context it needs in place instead of pulling your customer and order data out to a separate system.
That architecture is what makes the targeting work without overreach. You can show or hide a survey based on order total, item quantity, specific products or variants, customer tags, shipping country, or currency, all evaluated in the native surface at the moment the order is shown. On Shopify POS, surveys target by location, because POS exposes only the order id, not the full order details. The app works with what each surface gives it rather than demanding a master key to everything.
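To make the "reads the order in front of the buyer" point concrete, here is an added example (my own code, not OrderSurvey's and not a Shopify API) of the targeting step: a rule evaluator that decides show or hide from nothing but the single order the surface hands it. The `context` object shape is an assumption assembled from what a thank-you page or order status extension can see for the current order; the POS context is deliberately sparse, matching the note above that POS exposes the order id and location rather than the full order. Rules that a surface cannot answer fail closed, and the evaluator reports which ones never ran.

```javascript
// Added example, not OrderSurvey's code and not a Shopify API. A survey
// extension decides show/hide from the one order it is handed, with no Admin
// API call and no store-wide scope. The context shape is my own assumption.

// Each rule answers true/false from the context, or undefined when the
// surface it runs on does not expose the field it needs.
const RULES = {
  order_total_at_least: (ctx, v) =>
    ctx.totalAmount === undefined ? undefined : ctx.totalAmount >= v,
  currency_is: (ctx, v) =>
    ctx.currencyCode === undefined ? undefined : ctx.currencyCode === v,
  ships_to: (ctx, v) =>
    ctx.shippingCountry === undefined ? undefined : v.includes(ctx.shippingCountry),
  contains_product: (ctx, v) =>
    ctx.lines === undefined ? undefined : ctx.lines.some((l) => v.includes(l.productId)),
  item_quantity_at_least: (ctx, v) =>
    ctx.lines === undefined
      ? undefined
      : ctx.lines.reduce((n, l) => n + l.quantity, 0) >= v,
  customer_has_tag: (ctx, v) =>
    ctx.customerTags === undefined ? undefined : ctx.customerTags.includes(v),
  pos_location_is: (ctx, v) =>
    ctx.locationId === undefined ? undefined : v.includes(ctx.locationId),
};

// All conditions must hold. A condition the surface cannot answer fails
// closed: a survey meant for orders over 100 is not shown where the total is
// unknown. `unavailable` lists the rules that never ran on this surface.
function evaluateTargeting(conditions, ctx) {
  const unavailable = [];
  let allMatched = true;
  for (const { rule, value } of conditions) {
    const fn = RULES[rule];
    if (!fn) throw new Error(`unknown targeting rule: ${rule}`);
    const result = fn(ctx, value);
    if (result === undefined) unavailable.push(rule);
    else if (!result) allMatched = false;
  }
  return { show: allMatched && unavailable.length === 0, unavailable };
}

// Constructed contexts (not real orders). There is no customer list and no
// other order anywhere in here; that is the whole point.
const THANK_YOU_CONTEXT = {
  orderId: "gid://shopify/Order/1001",
  totalAmount: 142.5,
  currencyCode: "CAD",
  shippingCountry: "CA",
  lines: [
    { productId: "gid://shopify/Product/42", quantity: 2 },
    { productId: "gid://shopify/Product/7", quantity: 1 },
  ],
  customerTags: ["wholesale"],
};
const POS_CONTEXT = {
  orderId: "gid://shopify/Order/1002",
  locationId: "gid://shopify/Location/3",
};

// Two constructed surveys: one for high-value online orders, one for a store.
const HIGH_VALUE_SURVEY = [
  { rule: "order_total_at_least", value: 100 },
  { rule: "ships_to", value: ["CA", "US"] },
  { rule: "contains_product", value: ["gid://shopify/Product/42"] },
];
const STORE_SURVEY = [{ rule: "pos_location_is", value: ["gid://shopify/Location/3"] }];

console.log(evaluateTargeting(HIGH_VALUE_SURVEY, THANK_YOU_CONTEXT)); // show: true
console.log(evaluateTargeting(HIGH_VALUE_SURVEY, POS_CONTEXT));       // show: false, 3 unavailable
console.log(evaluateTargeting(STORE_SURVEY, POS_CONTEXT));            // show: true
```

Everything the evaluator needs arrives with the order being rendered, which is why an app built this way has nothing to ask for on the permissions screen. The fail-closed choice matters on POS: rather than guessing, a rule about order total simply never matches there, and the merchant can see from `unavailable` why a survey is not appearing.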
You still get the things you actually need from survey data:
- Survey surfaces on the thank-you page, the order status page, and Shopify POS
- Question types from NPS (0 to 10) and CSAT star ratings to single-select, multi-select, dropdown, and text
- Conditional branching and multi-question, paginated surveys
- Low-score alerts to a Slack webhook when NPS lands at or below your threshold
- CSV export of every response
Getting your data out (CSV export, a Slack alert on detractors) doesn't require granting more access. It's built into the surfaces you already approved. There's a free plan up to 100 responses per 30 days, and Pro is $49/month for unlimited responses, so you can confirm the permission model fits your store before committing.
The takeaway
Permissions are a design choice, not a formality. An app that needs broad scopes to run a survey has decided to copy your data out and work from the outside. An app built on native extensions reads the order in front of the buyer and leaves the rest of your store alone. Both can collect feedback. Only one keeps your customer data where it belongs.
If you're mapping out your feedback program, start with the complete guide to post-purchase surveys for Shopify, and if in-store matters to you, see how POS surveys work within the same permission-light model.
Run your first post-purchase survey free
OrderSurvey adds NPS, attribution, and CSAT surveys to your Shopify thank-you page, order status page, and POS. No code, and no extra data scopes.
Install OrderSurvey