Customer API permissions in the Europe region

Europe

In the the Europe region, Clover has updated how much customer data is accessed by apps using the Customers endpoint. Every element in the Customers endpoint is considered personal identifiable information (PII).

PII collection, storage, and use is regulated by laws applicable to the regions in which the third-party developer apps and their partner merchants operate. This does not imply any changes to the format of the Customers API endpoint; only that region-based permissions must be in place to access data in apps, using the same calls.

Data minimization and required permissions

Permissions to access each data element in the Customers endpoint are as follows:

Customer records

Based on payment type and a customer's choice to share their data, Clover devices may create a customer record. This record may reveal email addresses, phone numbers, home/business addresses, purchase history, and other data points that directly or indirectly identify an individual.

Before we grant access to customer records, we want to ensure that this access is a necessity for each reviewed app.

Current permissions and limits

With our current CUSTOMERS_R and CUSTOMERS_W permission structure, your app has access to all customer data. If your app requires just these permissions, your app’s access to the Customer endpoint is reduced to the following subset of PII:

id (Customer UUID)
merchant.id (Merchant UUID)
firstName
lastName
customerSince

Required permissions

For the customer data elements not listed above, required permissions to the Customers endpoint are granted at the field-level. This level of granularity enables your app to retrieve only the PII it needs to function, helping both you and Clover minimize the data accessed and shared.

You must requestthe following permissions to receive field-level access to each respective data element of the Customers endpoint:

Element	Required permission
`addresses`	`CUSTOMERS_ADDRESS_R` `CUSTOMERS_ADDRESS_W`
`emailAddresses`	`CUSTOMERS_EMAIL_R` `CUSTOMERS_EMAIL_W`
`phoneNumbers`	`CUSTOMERS_PHONE_R` `CUSTOMERS_PHONE_W`
`cards`	`CUSTOMERS_CARDS_R` `CUSTOMERS_CARDS_W`
`marketingAllowed`	`CUSTOMERS_MARKETING_R` `CUSTOMERS_MARKETING_W`
`metadata.businessName`	`CUSTOMERS_BUSINESSNAME_R` `CUSTOMERS_BUSINESSNAME_W`
`metadata.dobYear` `metadata.dobMonth` `metadata.dobDay`	`CUSTOMERS_BIRTHDATE_R` `CUSTOMERS_BIRTHDATE_W`
`metadata.note`	`CUSTOMERS_NOTE_R` `CUSTOMERS_NOTE_W`

For example, if an app has just the CUSTOMERS_EMAIL_R permission, the response includes the customer’s email address and excludes all other fields in each Customer object.

Data rights

These changes do not directly affect you or your application/integration, nor affect your obligations under applicable data privacy legislation. For instance, you are required to respond to and facilitate data access requests that come to you from those Clover merchants, merchant employees, or customers of those merchants.

For more on data access requests, review information for:

United Kingdom (UK) (individual customer rights)
Rest of the European Union (EU) (Data protection under General Data Protection Regulation (GDPR))

Data retention

Clover disables access to a customer record after a fixed time of not having meaningful interactions with the customer or customer record.

Updated about 1 month ago