Updated March 2, 2023
Privacy Policy
How Shopify handles your data
Introduction
In our mission to make commerce better for everyone at Shopify, we collect and use information about you, our
- merchants using Shopify to power your business
- customers who shop at a Shopify-powered business
- partners who develop apps for merchants to use, build stores on behalf of merchants, refer potential entrepreneurs to Shopify, or otherwise help merchants operate or improve their Shopify-powered business
- users of Shopify apps and services like Shop or Shop Pay
- visitors to Shopify’s websites, or anyone contacting Shopify support
This Privacy Policy will help you better understand how we collect, use, and share your personal information. If we change our privacy practices, we may update this privacy policy. If any changes are significant, we will let you know (for example, through the Shopify admin or by email).
Our values
Trust is the foundation of the Shopify platform and includes trusting us to do the right thing with your information. Three main values guide us as we develop our products and services. These values should help you better understand how we think about your information and privacy.
Your information belongs to you
We carefully analyze what types of information we need to provide our services, and we try to limit the information we collect to only what we really need. Where possible, we delete or anonymize this information when we no longer need it. When building and improving our products, our engineers work closely with our privacy and security teams to build with privacy in mind. In all of this work our guiding principle is that your information belongs to you, and we aim to only use your information to your benefit.
We protect your information from others
If a third party requests your personal information, we will refuse to share it unless you give us permission or we are legally required. When we are legally required to share your personal information, we will tell you in advance, unless we are legally forbidden.
We help merchants and partners meet their privacy obligations
Many of the merchants and partners using Shopify do not have the benefit of a dedicated privacy team, and it is important to us to help them meet their privacy obligations. To do this, we try to build our products and services so they can easily be used in a privacy-friendly way. We also provide detailed FAQs and documentation covering the most important privacy topics, and respond to privacy-related questions we receive.
Why we process your information
We generally process your information when we need to do so to fulfill a contractual obligation (for example, to process your subscription payments to use the Shopify platform), or where we or someone we work with needs to use your personal information for a reason related to their business (for example, to provide you with a service). Laws in the European Economic Area (“EEA”) and in the United Kingdom (“UK”) call these reasons “legitimate interests.” These “legitimate interests” include:
- preventing risk and fraud
- answering questions or providing other types of support
- helping merchants find and use apps through our app store
- providing and improving our products and services
- providing reporting and analytics
- testing out features or additional services
- assisting with marketing, advertising, or other communications
We only process personal information for these “legitimate interests” after considering the potential risks to your privacy and balancing any risks with certain measures—for example, by providing clear transparency into our privacy practices, offering you control over your personal information where appropriate, limiting the information we keep, limiting what we do with your information, who we send your information to, how long we keep your information, or the technical measures we use to protect your information.
We may also process your personal information where you have provided your consent. In particular, where we cannot rely on an alternative legal basis for processing, where you direct us to transfer information to a third party, where we receive your data from a third party is sourced and it already comes with consent or where we are required by law to ask for your consent (including in the context of some of our sales and marketing activities). At any time, you have a right to withdraw your consent by changing your communication choices, opting out from our communications or by contacting us.
Depending on whether you are a merchant, customer, partner, user or visitor, please refer to our supplemental privacy policies, as relevant, to understand our purposes for processing, categories of recipients and legal basis for processing for each type of personal data.
Your rights over your information
We believe you should be able to access and control your personal information no matter where you live. Depending on how you use Shopify, you may have the right to request access to, correct, amend, delete, port to another service provider, restrict, or object to certain uses of your personal information. We will not charge you more or provide you with a different level of service if you exercise any of these rights. Please note that a number of these rights apply only in certain circumstances, and all of these rights may be limited by law.
If you buy something from or otherwise provide your information to a Shopify-powered store and wish to exercise these rights over information about your purchase or interaction, you need to directly contact the merchant you interacted with. We are a processor and process information on their behalf. We will of course help our merchants to fulfill these requests to the extent required by law, such as by giving them the tools to do so and by answering their questions.
If you are a merchant, partner, Shop user, Shopify employee, website visitor or other individual that Shopify has a direct relationship with, please submit your data subject request through our online portal. Please note that if you send us a request relating to your personal information, we have to make sure that it is you before we can respond. In order to do so, we may use a third party to collect and verify identification documents. Further information about rights available to US residents can be found below under the header “United States Regional Privacy Notice”.
If you are not happy with our response to a request, you can contact us to resolve the issue. If you are located in the EEA or UK, you also have the right to lodge a complaint with your local data protection or privacy authority at any time.
Finally, because there is no common understanding about what a “Do Not Track” signal is supposed to mean, we don’t respond to those signals in any particular way.
Where we send your information
We are a Canadian company, but we work with and process data about individuals across the world. To operate our business, we may send your personal information outside of your state, province, or country, including to the United States. This data may be subject to the laws of the countries where we send it. We take steps to protect your information when we send your information across borders.
Depending on whether you are a merchant, customer, partner, user or visitor, please refer to our supplemental privacy policies, as relevant.
Transfers outside of Europe and Switzerland
If you are located in the EEA, the UK, or Switzerland, your personal information is controlled by our Irish affiliate, Shopify International Ltd. Your information is then sent to other Shopify locations and to service providers who may be located in other regions, including Canada (where we are based) and the United States. When we send your personal information outside of the EEA, UK or Switzerland, we do so in accordance with applicable law.
If you are in the EEA, the UK, or Switzerland, when we send your personal information to Canada it is protected under Canadian law, which the European Commission has found adequately protects your information. If we then send this personal information outside of Canada (for example, when we send this information to our Subprocessors), this information is protected by contractual commitments that are comparable to those provided in the Standard Contractual Clauses.
Finally, while we do what we can to protect your information, we may at times be legally required to disclose your personal information (for example, if we receive a valid court order). For information about how we respond to such orders, please review our Guidelines for Legal Requests.
How long do we retain your information
We will retain your personal data only for as long as necessary to fulfill the purposes for which we have collected it. To determine the appropriate retention period, we consider the amount, nature and sensitivity of your personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements. We will also retain and use your personal information to the extent necessary to comply with our legal obligations, resolve disputes and enforce our policies. If you stop using our services or if you delete your account with us, we will delete your information or store your information in an aggregated and anonymized format.
Depending on whether you are a merchant, customer, partner, user or visitor, please refer to our supplemental privacy policies, as relevant, for further details on the retention of your personal information.
Our use of Machine Learning
One of the ways in which we are able to help merchants using Shopify is by using techniques like “machine learning” (some laws, including certain EEA and UK laws, may refer to this as “automated decision-making”) to help us improve our services. When we use machine learning, we either: (1) still have a human being involved in the process (and so are not fully automated); or (2) use machine learning in ways that don’t have legal or similarly significant effects (for example, reordering how apps might appear when you visit the app store).
How we protect your information
Our teams work tirelessly to protect your information, and to ensure the security and integrity of our platform. We also have independent auditors assess the security of our data storage and systems that process financial information. However, we all know that no method of transmission over the Internet, and method of electronic storage, can be 100% secure. This means we cannot guarantee the absolute security of your personal information. You can find more information about our security measures at /sg/security.
How we use “cookies” and other tracking technologies
We use cookies and similar tracking technologies on our website and when providing our services. For more information about how we use these technologies, including a list of other companies that place cookies on our sites, a list of cookies that we place when we power a merchant’s store, and an explanation of how you can opt out of certain types of cookies, please see our Cookie Policy.
How you can reach us
If you would like to ask about, make a request relating to, or complain about how we process your personal information, please contact Shopify Support, or mail us at one of the addresses below. If you would like to submit a legally binding request to demand someone else’s personal information (for example, if you have a subpoena or court order), please review our Guidelines for Legal Requests.
If you are a merchant, partner, Shop user, Shopify employee, website visitor or other individual that Shopify has a direct relationship with and you are located in the EEA or UK, Shopify International Ltd is the controller of your personal data. If you buy something from or otherwise provide your information to a Shopify-powered store, the merchant is your data controller and we are acting as a processor on their behalf.
If you have questions about how a merchant or store processes your personal information, you should contact the merchant or visit their privacy policy.
Shopify Commerce Singapore Pte. Ltd.
Attn: Data Protection Officer
77 Robinson Road,
#13-00 Robinson 77,
Singapore 068896
If you are located in the EEA, the UK, the Middle East, South America, or Africa:
Shopify International Ltd.
Attn: Data Protection Officer
c/o Intertrust Ireland
2nd Floor 1-2 Victoria Buildings
Haddington Road
Dublin 4, D04 XN32
Ireland
If you are located in Asia, Australia, or New Zealand:
Shopify Commerce Singapore Pte. Ltd.
Attn: Data Protection Officer
77 Robinson Road,
#13-00 Robinson 77,
Singapore 068896
United States Regional Privacy Notice
This United States Regional Privacy Notice (“US Notice”) supplements our Privacy Policy and all supplemental privacy policies on www.shopify.com (together, the “Shopify Privacy Policies”).
This US Notice is for individuals residing in certain US states and is designed to help you better understand how we collect, use, and disclose your personal information and, depending on how you use Shopify and where you reside, how to exercise available rights under various applicable privacy laws in the US, specifically the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act (collectively, the “US Privacy Laws”).
What information we collect and share about you
To provide our apps and services to you, we must process information about you, including personal information.
We do not “sell” your personal information as that term is defined under US Privacy Laws.
Here is a summary of the categories of personal information we may have collected about you over the past 12 months and with whom we may have disclosed that information to, depending on how you use Shopify.
Categories of personal information collected | Recipients of personal information |
---|---|
|
|
Why we collect and share your Personal Information
We use and share your personal information for the purposes set out in the Shopify Privacy Policies. For categories of sensitive personal information that we collect, we only use or disclose such information either with your specific consent when required, or as otherwise permitted by law.
Sources of Personal Information
To make commerce better for everyone at Shopify, we collect and use personal information provided by:
- You: We collect the information you provide when you use our platform, including when you sign up for Shopify as a merchant, visit a Shopify-powered store, fill in order information, visit one of Shopify’s websites or contact Shopify support. We collect account and payment information you provide to us (including information about your business if you are a merchant), Shopify stores or items you save to favorites, purchases you make, reviews you post, and how you otherwise interact or communicate with stores or other users on our apps or services. We also collect information about how you browse through our apps and sites, including search terms you may enter.
- Your device(s): We collect information from and about the devices you use, including computers, phones, and other web-connected devices you use to access our apps or services, and we combine this information across different devices you use.
- Third parties: We receive information from partners who help us provide you with our services including the following:
- Email providers. If you use the Shop App and you connect your third party inboxes, such as Gmail or Outlook (according to their terms and policies and as permitted by applicable law), we receive information to identify shopping-related emails and display within Shop information about specific orders you have made, stores you have engaged with in the past, and other related information.
- Service Providers. We receive information from our service providers, who help us provide services to our merchants, like reviewing accounts for fraud or other concerns.
- Marketplaces. If you use the Shop App, we receive information about purchases you have made from other marketplaces or platforms, such as Amazon, that you choose to connect through Shop. This information helps us to provide and improve Shop, to personalize your experience using our apps and services, and to determine if you are eligible for specific offers or payment methods.
- Subprocessors. We work with third party subprocessors for cloud hosting, content delivery, data analysis, internal logging, fulfillment services and email transmission, among others, to provide you with our services. For more information, see Shopify’s subprocessors.
- Analytics and cookie providers. We receive information through our use of cookies, social plugins (such as the Facebook “like” button), pixels and tags for business purposes, such as providing information to help measure how users interact with our website content. For more information about how we use these technologies, see our Cookie Policy.
How long we keep your information
Because we need your personal information to provide Shopify services, we generally keep your personal information, including sensitive personal information, while you use Shopify products or services or until you tell us to delete your information. We may also keep personal information to comply with legal obligations or protect our or other’s interests.
If you are a merchant operating a Shopify-powered store, and you close the store, stop paying your subscription fees, or we terminate your account, we retain store information for two years before we begin the deletion process.
When you visit or make a purchase from a merchant’s Shopify-powered store, we act as a service provider or processor for the merchant, and the merchant, not Shopify, decides how long your information is retained.
Your rights over your information
Depending on where you live, how you use Shopify, and subject to certain exceptions, you may have some or all of the following rights:
- Right to Know: The right to request that we disclose to you the personal information we collect, use, or disclose about you, and information about our data practices.
- Right to Request Correction: The right to request that we correct inaccurate personal information that we maintain about you.
- Right to Request Deletion: The right to request that we delete personal information that we have collected about you.
To exercise your rights, including the “right to know” and “right to delete,” please submit a request through our online portal. If you use Shop or Shop Pay, please visit https://shop.app/delete-account for instructions on how to request deletion of your information.
If you have visited or made a purchase from a merchant’s Shopify-powered store, please contact the specific merchant directly. If you make a request to us, we will forward your request to the relevant merchant.
Please note that to protect your information and the integrity of our products and services, we may need to verify your identity before processing your request. In some cases we may need to collect additional information to verify your identity, such as your email address or a government issued ID.
Under US Privacy Laws, you may also designate an authorized agent to make these requests on your behalf. If you use an authorized agent to submit a request, we may need to collect additional information, such as a government issued ID, to verify your identity before processing your request to protect your information.
For information on the CCPA requests we have received, please see here. In certain states, you may have the right to appeal our decision regarding a request related to these rights. If you wish to appeal a decision, please contact Shopify Support.
We will not discriminate against you for exercising any of these rights.
How you can reach us
If you would like to ask about or have concerns about how we process your personal information, please contact Shopify Support. If you want to make a request relating to your personal information, please contact us using the methods set out in the section immediately above.