Track 1 platform and get the weekly governance digest. No credit card required.
This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology
This document establishes Shopify's data collection, processing, and sharing practices for merchants, buyers, and website visitors across its platform. Shopify collects names, email addresses, payment card data, purchase history, device identifiers, IP addresses, browsing activity, and location data, and authorizes disclosure to advertising networks, analytics providers, payment processors, and service providers. The policy specifies that California residents and EU users may submit data access, correction, deletion, and opt-out requests through https://privacy.shopify.com.
This document is Shopify's Privacy Policy, governing the collection, use, storage, and disclosure of personal information by Shopify Inc. and its affiliates in connection with Shopify's platform, products, and services, with legal bases including contractual necessity, legitimate interests, consent, and legal obligation depending on jurisdiction. The policy states that Shopify collects identifiers, contact information, financial and payment data, device and browser information, browsing and clickstream activity, location-related data, communications content, and inferred preferences from merchants, buyers, and visitors, and the terms authorize sharing this information with service providers, business partners, advertising and analytics vendors, payment processors, and third parties in the context of business transfers or legal compliance. The policy's disclosure of data collection through cookies, pixels, and tracking technologies across third-party merchant storefronts is operationally notable, as Shopify acts both as a data controller for its own platform and as a data processor on behalf of merchants, creating a layered data relationship that the policy addresses but that may warrant scrutiny in specific jurisdictions; the agreement asserts broad data use for product improvement, marketing, and fraud prevention, though applicable law may constrain certain uses, particularly for EU and California residents. The policy engages GDPR and the UK GDPR for EEA and UK users, the California Consumer Privacy Act as amended by the CPRA for California residents, Canada's PIPEDA and provincial equivalents, and various other national privacy frameworks given Shopify's global operational footprint; compliance considerations include cross-border data transfer mechanisms, the distinction between controller and processor obligations across merchant and buyer data flows, and the adequacy of consent mechanisms for cookie-based tracking.
Institutional analysis available with Professional
Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.
Start Professional free trialMonitoring
Shopify has updated this document before.
Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
Professional Governance Intelligence
Need provision-level monitoring and regulatory mapping?
Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.
Start Professional free trialCross-platform context
See how other platforms handle Advertising and Analytics Data Sharing and similar clauses.
Compare across platforms →Governance Monitoring
Structured alerts for policy changes, governance events, and provision updates across 318+ platforms.