Shopify transfers personal data from the EU, UK, and Switzerland to other countries (including the US) using Standard Contractual Clauses, which are legal contracts meant to ensure your data is protected even outside the EU.
If you are an EU, UK, or Swiss user, your personal data is transferred to countries outside those regions — potentially including the US — using legal contracts (SCCs) whose adequacy has been actively contested by European regulators, meaning your data protections may not be fully equivalent to EU standards.
How other platforms handle this
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. If you are located outside France and choo...
When you use Amazon Services, third-party service providers and sellers may receive information about your interactions to the extent necessary for them to fulfill their services. Third-party sellers who sell on Amazon's platform receive customer information necessary to fulfill orders, including na...
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom. Where we transfer your data outside the EEA or UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the European Commissi...
Post-Schrems II, the adequacy of SCCs for US transfers depends on supplementary measures, and multiple EU DPAs have found SCC-based transfers to US ad tech companies non-compliant — creating ongoing legal uncertainty for EU users whose data is transferred.
REGULATORY FRAMEWORK: International transfers are governed by GDPR Chapter V, specifically Articles 44–49, and equivalent UK GDPR provisions (UK ICO's International Data Transfer Agreement). The EU-US Data Privacy Framework (DPF, July 2023) may apply if Shopify is DPF-certified, but SCCs remain the primary stated mechanism. CJEU's Schrems II judgment (C-311/18) invalidated Privacy Shield and required supplementary measures for SCC-based transfers. Enforced by EU DPAs and ICO.
Compliance intelligence locked
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.