Shopify merchants are independent data controllers when they use our services. This means that merchants, not Shopify, are responsible for their customers' data collected through their stores. Merchants are responsible for obtaining any necessary consents from their customers and for complying with applicable data protection laws.
This provision allocates primary data controller responsibility to individual merchants, which means the compliance quality of your data protection varies significantly depending on the merchant you buy from, and Shopify's protections may not fully extend to your data in a merchant-specific context.
Shopify collects a wide range of personal data including contact details, payment information, browsing behavior, device identifiers, and purchase history from both merchants and end consumers shopping at Shopify-powered stores. This data is shared with an extensive network of third parties including advertising platforms, fraud detection vendors, payment processors, and third-party app developers, meaning your shopping behavior across multiple stores may be aggregated and used for targeted advertising without your explicit awareness. You can opt out of cross-context behavioral advertising and exercise data access or deletion rights by visiting Shopify's privacy request portal at https://privacy.shopify.com/en/consumer.