Shopify Privacy Policy

This is Shopify's Privacy Policy explaining how Shopify collects and uses personal information from merchants who build stores on Shopify, shoppers who buy from those stores, and anyone who visits Shopify's website. The most important thing to know is that Shopify shares your personal data — including name, contact details, purchase history, device identifiers, and browsing behavior — with third-party app developers, payment processors, advertising partners, and other merchants in its network for purposes including fraud prevention, analytics, and marketing. If you are a shopper on a Shopify-powered store, you should contact the individual merchant directly to exercise data rights, as the merchant — not Shopify — is the controller of your purchase data.

This document is Shopify's global Privacy Policy governing the collection, use, storage, and disclosure of personal information from merchants, shoppers, partners, and visitors across Shopify's platforms, with legal basis rooted in contractual necessity, legitimate interests, consent, and legal obligation depending on jurisdiction. The policy creates obligations for Shopify to respond to data subject access requests, honor opt-out requests for marketing and certain data sharing, and maintain data transfer mechanisms for cross-border transfers including Standard Contractual Clauses for EU/EEA data. Notable provisions include Shopify's broad information sharing with third-party partners, app developers, and payment processors without granular consent requirements for operational sharing, as well as retention of aggregated or de-identified data indefinitely — a practice that carries re-identification risk not fully addressed in the document. The policy explicitly engages GDPR (including Chapter V transfer mechanisms), CCPA/CPRA, Canada's PIPEDA, and implicitly LGPD and other national frameworks given the 70+ jurisdiction-specific alternate URLs; Shopify acts as both a data controller (for merchant and visitor data) and a data processor (for end-customer data processed on behalf of merchants), creating a layered compliance obligation that requires careful role delineation. Material compliance considerations include ensuring merchant-customers have adequate processor agreements in place with Shopify, that consent mechanisms on merchant storefronts satisfy jurisdiction-specific standards, and that Shopify's use of shopper data across its merchant network for network-wide fraud prevention and analytics is disclosed and lawful under applicable frameworks.