Personal data protection
To safeguard personal data, Instacart limits how long chat messages remain accessible. Additionally, we can remove shopper personal data from API responses and callbacks.
Chat message accessibility
After an order is either delivered or cancelled, any messages exchanged between the customer and the shoppers fulfilling that order remain accessible for 24 hours. This restriction applies to the get chat messages and get order messages APIs, as well as the Order Status Page’s chat feature.
Shopper information removal
By default, some Connect API responses and event callbacks contain personal data about the shoppers who help fulfill orders. After order completion, Instacart requires that you delete this personal data within a contractually specified amount of time.
However, if you’re unable to implement data deletion processes, Instacart can instead remove the shopper’s personal data before responding to your requests or sending you callbacks.
For each applicable operation, the following table explains what shopper data is redacted and the reason for doing so:
| Operation | Description |
|---|---|
| Get order handling information response | The shopper object is removed because it contains the shopper’s first name and avatar. |
| Get order location response | A successful response reveals the geographical coordinates of the shopper’s location. As a result, an error is returned instead. |
| Order location callback | The callback isn’t sent because its event_metadata object reveals the geographical coordinates of the shopper’s location. |
| Get chat messages response | A successful response potentially contains messages exchanged between shoppers and the customers, along with the shopper’s name and avatar. As a result, an error is returned instead. |
| Get order messages response | A successful response potentially contains messages exchanged between shoppers and the customers, along with the shopper’s name and avatar. As a result, an error is returned instead. |
| Customer acknowledged callback | The callback isn’t sent because its event_metadata object contains the shopper’s display name. |
| Delivered callback | The delivery_photo_url and certified_delivery_name fields are removed from the callback’s event_metadata object because both are potentially personal data. |
If you’re interested in enabling this feature, contact your Instacart representative.