I for one just remove them from my database. If they try and use the App, the App will respond that no entry exists for the shop, so the oAuth sets up a whole new install. Now they can accept the App which in turn prompts for a subscription, which in turn can be accepted or declined. One thing to be aware of too is if you get an acceptance on the App install, and you authorize an API session (you have a valid token now, so why not), your App has a live session. Now if they decline to pay, but attempt to re-install the App, the session can be a mess.
When they do decline, I send them back to the store admin as if nothing happened.
There are some weird artifacts from this pattern though that occur when your App triggers background work upon App acceptance. I learned that when the merchant accepts the App it is still a bad time to do this kind of thing. It is better to rely on the subscription acceptance to trigger that kind of work.