This is Shopify's privacy policy, which explains what personal information Shopify collects about merchants, shoppers, and visitors, how it uses that information, and who it shares it with. If you use Shopify to run a store or shop on a Shopify-powered site, Shopify collects data such as your name, email, purchase history, browsing behavior, and payment details. You have rights to access, correct, or delete your data, and you can contact Shopify's privacy team to exercise those rights.
Technical Summary
Shopify's Privacy Policy governs the collection, use, disclosure, and retention of personal information across Shopify's merchant-facing platform, consumer-facing services (including the Shop App), and related products. The policy distinguishes between Shopify acting as a data controller (for merchant and visitor data) and as a data processor (for data merchants collect about their own customers). Key rights afforded to users include access, correction, deletion, portability, and objection to processing, with jurisdiction-specific provisions for GDPR (EEA/UK), CCPA/CPRA (California), and other regional frameworks. Notable provisions include cross-border data transfers with Standard Contractual Clauses as a safeguard, use of data for marketing and product improvement, sharing with third-party service providers and advertising partners, and retention of data for legal and fraud-prevention purposes even after account closure.
Institutional Analysis
The policy engages GDPR (with SCCs for cross-border transfers and dual controller/processor roles), CCPA/CPRA (with explicit California consumer rights disclosures), and Canada's PIPEDA. Compliance t…
The policy engages GDPR (with SCCs for cross-border transfers and dual controller/processor roles), CCPA/CPRA (with explicit California consumer rights disclosures), and Canada's PIPEDA. Compliance teams should note Shopify's distinction between its controller role (merchant and visitor data) and p…
🔒
Compliance intelligence locked
Regulatory exposure, material risk, and due diligence action items.
Shopify shares certain personal data, including browsing and purchase behavior, with advertising and analytics partners to serve targeted ads and measure marketing effectiveness.
Shopify acts as the 'controller' of data it collects directly (like merchant account info), but when merchants collect data about their own customers through Shopify, Shopify is just a 'processor' acting on the merchant's behalf.
Shopify may transfer your personal data to countries outside your home country, including Canada and the United States, using Standard Contractual Clauses and other legal mechanisms as safeguards.
Shopify retains some of your personal data even after you close your account, for purposes such as fraud prevention, legal compliance, and dispute resolution.
California residents have specific rights under state law, including the right to know what data is collected, the right to delete it, the right to opt out of its sale or sharing, and the right to non-discrimination for exercising these rights.
Users in the European Economic Area and the United Kingdom have the right to access, correct, delete, restrict, or port their data, and to object to certain types of processing, under GDPR and UK GDPR.
Shopify uses cookies, pixels, and similar technologies to track your browsing behavior across its properties and, through advertising partners, across other websites.
Shopify shares your personal data with third-party companies that help it operate its services, such as payment processors, cloud hosting providers, fraud detection services, and analytics firms.
When you shop at a Shopify-powered store, Shopify collects data about you — including your name, email, address, payment details, and purchase history — even though the store is run by a third-party merchant.
Shopify may send you marketing emails and other promotional communications, and you can opt out at any time by clicking 'unsubscribe' in any marketing email or updating your account preferences.