When we transfer personal information outside of Europe, we use a variety of legal mechanisms to safeguard the transfer, including Standard Contractual Clauses approved by the European Commission.
Post-Schrems II, Standard Contractual Clauses alone are insufficient without a Transfer Impact Assessment demonstrating equivalent protection in the destination country — failure to conduct this assessment exposes both Shopify and merchants to GDPR enforcement action.
Shopify collects a wide range of personal data including contact details, payment information, browsing behavior, device identifiers, and purchase history from both merchants and end consumers shopping at Shopify-powered stores. This data is shared with an extensive network of third parties including advertising platforms, fraud detection vendors, payment processors, and third-party app developers, meaning your shopping behavior across multiple stores may be aggregated and used for targeted advertising without your explicit awareness. You can opt out of cross-context behavioral advertising and exercise data access or deletion rights by visiting Shopify's privacy request portal at https://privacy.shopify.com/en/consumer.