Anonymizer App
The Anonymizer App removes personal data from customers and their orders, checkouts, and gift cards directly from the Saleor Dashboard. It is built for two recurring needs:
- Fulfilling a GDPR / "right to be forgotten" request — erase a single customer's personal data across their orders, checkouts, and gift cards, then delete their account, while keeping the order records (numbers, line items, totals) intact for accounting and reporting.
- Sanitizing a production snapshot — when you copy a production database into a staging or development environment, bulk-anonymize every order and delete every customer, checkout, and gift card so that developers never work with real personal data.
The app runs entirely in the browser inside the Dashboard iframe. It has no backend, no database, and stores no data or tokens. Every action uses the standard Saleor GraphQL API with the token the Dashboard provides, so all changes go through the same mutations (orderUpdate, customerDelete, checkoutDelete, giftCardBulkDelete) you could call yourself.
The app only erases data exposed through the standard orders, customers, addresses, checkouts, and gift cards APIs. It does not inspect or erase custom PII stored elsewhere — metadata, plugins/extensions, external systems, exports, or third-party integrations such as payment providers.
Features
- Anonymize a single customer by email — look up a customer and all their orders, scramble personal data on each order, delete the customer's checkouts and gift cards, then delete the customer account. The classic GDPR removal flow.
- Delete gift cards by email — delete the gift cards that hold a customer's email, for erasure requests.
- Bulk anonymization — scan the whole store, then anonymize every order and delete every (non-staff) customer and every checkout in one pass. Intended for cleaning up production snapshots.
- Delete all gift cards — wipe every gift card in the store when sanitizing a copied database.
How anonymization works
Anonymizing an order does not delete it. The order keeps its number, line items, and totals; only the personal data attached to it is overwritten:
| Field | What happens |
|---|---|
| First name / last name (on order and addresses) | Cleared (set to an empty value). |
| Phone | Cleared. Saleor accepts an empty phone and skips validation, whereas a fake number would fail validation and would not be truly anonymous. |
| Email (order's userEmail) | Replaced with a random UUID-based address under a configurable domain, e.g. f47ac10b-...@example.com. It stays unique but unusable. |
| Street address (line 1) | Replaced with the constant placeholder Anonymized. |
| Street address line 2, company name, district (city area) | Cleared. These are free-text fields that can hold personal data, so they are explicitly wiped. |
| City, postal code, country area, country | Kept intact, so the address stays geographically meaningful and valid. |
Both the billing and shipping addresses on each order are processed the same way.
Saleor treats omitted address fields as "no change", so the app sends the cleared free-text fields explicitly to make sure they are wiped. The non-identifying fields (city, postal code, country, country area) are kept so the address remains valid and analytics that rely on region still work.
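The field rules above, together with a post-run check that reports any address or email field still holding personal data, as an added example that is not the app's own code. Helper names and the sample order are constructed; field names are assumed to match Saleor's AddressInput and OrderUpdateInput, and order-level name fields are not modelled.

```javascript
// Added example (not the app's source); field names assumed from Saleor's AddressInput.
const CLEARED = ["firstName", "lastName", "phone", "streetAddress2", "companyName", "cityArea"];
const KEPT = ["city", "postalCode", "countryArea", "country"];
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Cleared fields are sent as "" on purpose: an omitted field means "no change"
// to Saleor and would leave the old value in place.
function scrambleAddress(addr) {
  if (!addr) return null; // e.g. an order without a shipping address
  const out = { streetAddress1: "Anonymized" };
  for (const f of CLEARED) out[f] = "";
  for (const f of KEPT) out[f] = addr[f];
  return out;
}

// newId defaults to the browser's crypto.randomUUID(); inject a fixed one in tests.
function buildOrderUpdateInput(order, domain, newId = () => crypto.randomUUID()) {
  const input = { userEmail: `${newId()}@${domain}` };
  for (const key of ["billingAddress", "shippingAddress"]) {
    const scrambled = scrambleAddress(order[key]);
    if (scrambled) input[key] = scrambled;
  }
  return input;
}

// Post-run check: list every field of an order that still violates the table.
function auditOrder(order, domain) {
  const problems = [];
  const [local, host] = String(order.userEmail || "").split("@");
  if (host !== domain || !UUID_RE.test(local)) problems.push("userEmail");
  for (const key of ["billingAddress", "shippingAddress"]) {
    const a = order[key];
    if (!a) continue;
    if (a.streetAddress1 !== "Anonymized") problems.push(`${key}.streetAddress1`);
    for (const f of CLEARED) if (a[f]) problems.push(`${key}.${f}`);
  }
  return problems;
}

// Constructed sample order (not real data).
const sampleOrder = {
  userEmail: "jane.doe@shop.test",
  billingAddress: {
    firstName: "Jane", lastName: "Doe", phone: "+48123456789", companyName: "Doe Ltd",
    streetAddress1: "1 Main St", streetAddress2: "Apt 4", cityArea: "Old Town",
    city: "Wroclaw", postalCode: "53-601", countryArea: "", country: "PL",
  },
  shippingAddress: null,
};
```

Running auditOrder over every order of a sanitized snapshot gives a quick pass/fail signal before the copy is handed to developers.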
After all of a customer's orders are anonymized and their checkouts deleted, the customer account itself is deleted (customerDelete). A registered customer with no orders can still be deleted; guest-checkout orders have no linked account, so there is nothing to delete in that case.
Anonymization is irreversible. Scrambled personal data cannot be recovered, and deleted customer accounts, checkouts, and gift cards cannot be restored. Deleting a gift card also permanently destroys its remaining balance. Every flow asks for explicit confirmation before running.
Checkouts
Abandoned carts (checkouts) hold personal data too — email, billing and shipping addresses, a linked user, and metadata. Deleting a customer does not cascade to guest checkouts, so the app removes checkouts explicitly with checkoutDelete.
- A checkout is deleted whole; there is no in-place scramble.
- Saleor refuses to delete a checkout that has attached payment transactions. Those are reported as failures (not retried automatically) rather than aborting the run.
checkoutDelete was added in Saleor 3.23. The app reads the connected store's version at runtime and only enables checkout deletion on 3.23+ — on older stores the step is skipped and the UI shows a note. (The rest of the app works on 3.22, which is why the manifest still only requires 3.22 rather than bumping the minimum for everyone.)
Gift cards
A gift card's personal data — createdByEmail, usedByEmail, the linked users, and the gift card events (which can hold a "send to customer" recipient email) — is read-only in Saleor and cannot be scrubbed in place. Removing it therefore means deleting the card, which also permanently destroys its remaining balance.
Because of that, gift card deletion is never bundled into the customer/order flow above — it is exposed as separate, explicitly triggered, confirmation-gated actions. Before deleting, the app shows the balance at risk, aggregated per currency (e.g. 1250.00 USD, 300.00 EUR), so you can see how much redeemable value the deletion will destroy.
Anonymize a single customer (GDPR removal)
This is the flow for an individual "right to be forgotten" request.
- Enter the customer's email and click Fetch User and Orders.
- The app loads the customer, all of their orders, and (on Saleor 3.23+) all of their checkouts, paginating through every page so customers with more than 100 records are fully covered. Orders are matched by the order's email; checkouts are matched on the checkout's own email field (case-insensitive), which catches both registered and guest checkouts.
- Review the records that will be affected.
- Confirm. The app scrambles every order, deletes the matched checkouts, then deletes the customer account.
If a customer has no orders, you can still delete just the account (and any checkouts/gift cards). If only orders or checkouts exist (guest, no account), those are processed and there is nothing to delete.
Deleting a customer's gift cards
Gift card deletion is a separate action so its destructive effect on balances stays explicit:
- Enter the customer's email in the Gift cards section and fetch the matching cards.
- The app scans every gift card and matches on createdByEmail or usedByEmail or a recipient email stored on a gift card event — so it covers cards the customer bought, redeemed, or was sent. (Saleor has no server-side filter for usedByEmail, hence the client-side scan.)
- Review the per-currency balance at risk.
- Confirm to delete the matched cards.
Bulk anonymization (sanitizing a snapshot)
The bulk section processes the entire store. The typical use case is a fresh copy of production data in a non-production environment that must be cleaned before developers use it.
- Scan — the app walks every order and every customer and reports how many records will be processed. The scanned payloads are kept in memory, so the actions below run without re-fetching.
- Anonymize orders — scrambles every order that has not already been anonymized (see the idempotency note below). Each order is flagged after a successful scramble.
- Delete customers — deletes every non-staff customer account. Staff accounts are never counted or deleted, even if they have placed orders.
- Delete checkouts — deletes every checkout in the store, removing all of its PII. Requires Saleor 3.23+ (disabled with a note otherwise). Checkouts with attached payment transactions cannot be deleted and are reported as failures.
To wipe gift cards in a snapshot, use Delete all gift cards in the Gift cards section below.
A progress bar shows how many records have been processed. Records that fail to process do not abort the run — they are collected and listed afterwards. Orders and customers are shown as links that open the record in a new Dashboard tab; checkouts have no Dashboard detail page, so they are listed as plain text.
Idempotency and retries
When a bulk order anonymization succeeds, the app writes a public metadata flag to the order:
saleor-anonymized: true
The scan skips any order that already carries this flag. This makes bulk runs safe to repeat:
- Already-anonymized orders are not touched again.
- The flag is written only after a successful scramble, so an order that failed mid-run stays unflagged and is retried on the next run.
After an Anonymize orders run finishes, the app automatically re-scans so the counts and in-memory lists reflect the new state and any failures can be retried.
Saleor cannot filter orders by the absence of a metadata key, so the scan reads every order and skips the already-flagged ones client-side. On large stores this means the scan walks the full order list. Orders are scanned sorted by order number (which is immutable), so the pagination cursor stays stable even while records are being updated mid-run.
Concurrency
Bulk operations process records in batches. The batch size — i.e. how many orders, customers, or checkouts are processed concurrently — is controlled by the NEXT_PUBLIC_BULK_CONCURRENCY environment variable (default: 5).
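A sketch of the idempotent, batched run described in the two sections above (flag-based skip, flag written only after success, failures collected for the next run), added here as an example and not taken from the app's source. The scramble and setFlag callbacks are hypothetical stand-ins for the order update and metadata calls, and orders are assumed to carry metadata as a list of key/value items.

```javascript
// Added example (not the app's source). All function names are hypothetical.
const FLAG = "saleor-anonymized";

// Client-side skip: Saleor cannot filter orders on a missing metadata key.
function pendingOrders(orders) {
  return [...orders]
    .sort((a, b) => Number(a.number) - Number(b.number)) // immutable sort key
    .filter((o) => !(o.metadata || []).some((m) => m.key === FLAG && m.value === "true"));
}

// Process in batches of `concurrency`; a failed order is recorded, never flagged,
// and therefore picked up again by the next scan.
async function anonymizeAll(orders, { scramble, setFlag, concurrency = 5 }) {
  const todo = pendingOrders(orders);
  const failed = [];
  let done = 0;
  for (let i = 0; i < todo.length; i += concurrency) {
    const batch = todo.slice(i, i + concurrency);
    const results = await Promise.allSettled(
      batch.map(async (order) => {
        await scramble(order); // 1. overwrite the personal data
        await setFlag(order);  // 2. flag only after the scramble succeeded
      })
    );
    results.forEach((r, j) => {
      if (r.status === "fulfilled") done += 1;
      else failed.push({ number: batch[j].number, reason: String(r.reason?.message ?? r.reason) });
    });
  }
  return { scanned: orders.length, skipped: orders.length - todo.length, done, failed };
}
```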
Delete all gift cards
For sanitizing a copied database, the Gift cards section offers a Delete ALL gift cards action that removes every gift card in the store via giftCardBulkDelete. The per-currency balance at risk is shown first, and the action is confirmation-gated.
This deletes every gift card in the store and destroys all their balances. It is intended for non-production environments only. Use at your own risk.
Assumptions & limitations
- The app runs only in the browser. The Dashboard page must stay open for the duration of any operation; closing it stops the run.
- There is no backend, no database, and no persisted state. The app stores no tokens and registers no webhooks.
- The app only touches data exposed by the standard orders, customers, addresses, checkouts, and gift cards APIs. It does not erase custom PII in metadata, plugins/extensions, external systems, exports, or third-party integrations (e.g. payment providers).
- Anonymization and deletion are irreversible — there is no undo and no audit log of the original values.
- Orders are anonymized, not deleted. Order numbers, line items, and totals are preserved; only personal data is scrambled.
- Checkouts and gift cards are deleted, not scrambled (their PII is read-only and cannot be edited in place). Deleting a gift card destroys its remaining balance.
- Checkout deletion requires Saleor 3.23+ and is disabled with a note on older stores. Checkouts with attached payment transactions cannot be deleted.
- The non-identifying parts of an address (city, postal code, country, country area) are intentionally preserved.
- Bulk delete customers never deletes staff accounts.
- Anonymized emails use a single configurable domain, so all anonymized orders share that domain but remain individually unique (random UUID local part).
Permissions required by the app
- MANAGE_ORDERS — to read and update (scramble) orders.
- MANAGE_USERS — to read and delete customer accounts.
- MANAGE_CHECKOUTS — to read and delete checkouts.
- MANAGE_GIFT_CARD — to read and delete gift cards.
Configuration
The app exposes a small set of environment variables:
| Variable | Default | Description |
|---|---|---|
| NEXT_PUBLIC_CUSTOMER_SCRAMBLE_DOMAIN | example.com | Domain used to build anonymized emails (e.g. <uuid>@example.com). Exposed to the browser. |
| NEXT_PUBLIC_BULK_CONCURRENCY | 5 | How many orders/customers the bulk operations process concurrently. Exposed to the browser. |
| ALLOWED_DOMAIN_PATTERN | — | Regex tested against the Saleor API URL, controlling which Saleor instances the app may be installed on. |
Development
To run the application locally, follow the Running Saleor Apps locally article.