Shopify · Shopify Privacy Policy

Shopify as Data Controller vs. Data Processor

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

Shopify acts as the controller of your data when you use Shopify's own website, but acts only as a processor (following merchant instructions) when you shop at a merchant's Shopify-powered store — meaning the merchant is responsible for your rights in that context.

Consumer impact (what this means for users)

If you want to access, correct, or delete data from a specific Shopify-powered store purchase, you must contact that merchant directly — Shopify may decline your request and redirect you, creating a practical barrier to exercising your data rights.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    For data held by Shopify directly (e.g., your Shopify account), submit a request at https://privacy.shopify.com/en. For purchase data from a specific merchant store, contact that merchant's customer service directly.

Cross-platform context

See how other platforms handle Shopify as Data Controller vs. Data Processor and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

This role distinction determines who you must contact to exercise your privacy rights — exercising GDPR or CCPA rights related to a purchase must be directed to the merchant, not Shopify directly, which can be confusing and create accountability gaps.

View original clause language
When you visit a store powered by Shopify or make a purchase, Shopify acts as a data processor on behalf of the merchant. The merchant is the data controller for information collected through their store. When you interact directly with Shopify — such as visiting Shopify.com or signing up for a Shopify account — Shopify acts as the data controller.

Institutional analysis (Compliance & legal intelligence)

1) REGULATORY FRAMEWORK: GDPR Art. 4(7) (controller) and Art. 4(8) (processor) definitions; Art. 28 requires a written DPA between controller (merchant) and processor (Shopify); Art. 26 joint controller obligations apply where Shopify and merchant jointly determine purposes. CCPA §1798.140(d) (business) and §1798.140(v) (service provider) parallel this distinction. Enforcement: Ireland DPC, CPPA, ICO. 2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    FTC Act Section 5 applies to deceptive or inadequate disclosure of data controller identity and consumer rights pathways.
    File a complaint →

Provision details

Document information
Document
Shopify Privacy Policy
Entity
Shopify
Document last updated
April 29, 2026
Tracking information
First tracked
April 28, 2026
Last verified
April 28, 2026
Record ID
CA-P-003997
Document ID
CA-D-00122
Evidence Provenance
Source URL
https://www.shopify.com/legal/privacy
Wayback Machine
View archived versions →
SHA-256
f007cdd0481f2eadfaff8041501f08fdc3e70dffbfff2515668b24ba05e31645
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Shopify | Document: Shopify Privacy Policy | Record: CA-P-003997
Captured: 2026-04-28 10:00:11 UTC | SHA-256: f007cdd0481f2ead…
URL: https://conductatlas.com/platform/shopify/shopify-privacy-policy/shopify-as-data-controller-vs-data-processor/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document