Shopify · Shopify Privacy Policy

Controller vs. Processor Distinction

Medium severity
Share 𝕏 Share in Share

Why it matters

This distinction determines who is legally responsible for your data: if you're a shopper, your rights may need to be exercised with the merchant, not Shopify directly.

Consumer impact

Shopify collects a broad range of personal data β€” including contact details, payment information, browsing behavior, and purchase history β€” and may share it with third-party service providers, advertising partners, and affiliated companies. Consumer data may be transferred internationally, including to Canada and the US, with contractual safeguards in place for EEA and UK users. You can submit a data access, deletion, or portability request by visiting Shopify's dedicated privacy portal at https://privacy.shopify.com.

Applicable agencies

  • FTC
    The controller/processor distinction affects unfair or deceptive practices liability when consumers cannot easily identify who is responsible for their data.
    File a complaint →

Provision details

Document information
Document
Shopify Privacy Policy
Entity
Shopify
Document last updated
March 24, 2026
Tracking information
First tracked
March 15, 2026
Last verified
March 15, 2026
Record ID
CA-P-000804
Document ID
CA-D-00122
Evidence Provenance
Source URL
https://www.shopify.com/legal/privacy
Wayback Machine
View archived versions →
SHA-256
929225abb20671960ed1f40a6325a4c72cf5ea341e79aa8378056b3b66ef5708
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Shopify | Document: Shopify Privacy Policy | Record: CA-P-000804
Captured: 2026-03-15 11:22:02 UTC | SHA-256: 929225abb2067196…
URL: https://conductatlas.com/platform/shopify/shopify-privacy-policy/controller-vs-processor-distinction/
Accessed: April 4, 2026
Classification
Severity
Medium
Categories
Privacy rights

Other provisions in this document