WooCommerce Integration

DPOKit integrates with WooCommerce out of the box. When WooCommerce is active, DPOKit automatically:

Includes orders, addresses, and customer notes in DSAR data exports
Enforces retention policies on order data (default: 7 years for tax compliance)
Adds WooCommerce data flows to your data map

Requirements

WooCommerce 7.0 or later
DPOKit Pro or Agency licence

What data is collected for DSARs

When an access or portability request is processed for a given email address, DPOKit collects:

Data source	Fields included
`wc_orders`	Order ID, status, date, line items, totals, payment method
Billing address	Name, company, address, city, postcode, country, phone
Shipping address	Name, company, address, city, postcode, country
Customer notes	Order notes visible to the customer
Account fields	Registered email, display name, registration date

Sensitive fields such as payment card numbers are never stored by WooCommerce and are therefore not included.

Retention enforcement

The default retention policy for WooCommerce orders is 7 years, reflecting common tax record-keeping obligations. This is enforced as a legal hold that prevents shorter custom policies from deleting order data prematurely.

Changing the WooCommerce retention period

// Override the default 7-year retention for WooCommerce orders.
// Use with caution — ensure this complies with your local tax law.
add_filter( 'pv_retention_policy_woocommerce_orders', function( $policy ) {
    $policy['default_days'] = 1825; // 5 years
    return $policy;
} );

Customising the anonymisation fields

By default, DPOKit anonymises the following fields when an order exceeds its retention period (or when a deletion DSAR is fulfilled):

Billing/shipping name → Anonymised
Email → anonymised@example.com
Phone → empty string
Address fields → empty strings

To change which fields are anonymised:

add_filter( 'pv_woocommerce_anonymise_fields', function( $fields ) {
    // Add a custom order meta field to the anonymisation list
    $fields[] = '_my_custom_order_field';
    return $fields;
} );

Handling deletion requests

When a DSAR deletion request is processed, DPOKit evaluates each order:

Within legal hold window → order retained; reason logged in deletion confirmation record
Outside legal hold window → order anonymised; confirmation logged

Guest orders (no WordPress account) are matched by billing email address.

// Hook into the deletion process to handle custom order meta
add_action( 'pv_woocommerce_order_deleted', function( $order_id, $email ) {
    // Custom cleanup for related records
    delete_post_meta( $order_id, '_my_custom_meta' );
}, 10, 2 );
 
add_action( 'pv_woocommerce_order_anonymised', function( $order_id, $email ) {
    // Custom anonymisation for related records
    update_post_meta( $order_id, '_my_custom_meta', 'anonymised' );
}, 10, 2 );

Data map entries

DPOKit adds the following entries to your data map when WooCommerce is detected:

Vendor	Purpose	Legal basis
WooCommerce (self-hosted)	Order processing and fulfilment	Contract
Payment gateway (detected)	Payment processing	Contract
Shipping provider (if integrated)	Delivery fulfilment	Contract

You can edit these entries at Data Map → WooCommerce to reflect your specific setup.

WooCommerce Subscriptions

If WooCommerce Subscriptions is active, DPOKit also collects subscription records (status, renewal dates, plan) in DSAR exports and applies retention policies to subscription data separately from one-off orders.

Troubleshooting

Orders are not appearing in DSAR data exports

Ensure the requestor's email matches the billing email on the order. Guest orders placed with a different email address will not be matched. You can manually add data from the DSAR case detail view.

Retention job is skipping orders

Check Retention → Legal Holds — a legal hold may be preventing deletion. If you believe the hold is incorrect, review the hold configuration at Retention → Legal Holds → Edit.