These guidelines illustrate how Shopify balances our legal obligations, the requesting party’s needs, and the interests of our Merchants, their Customers, or our Partners when we receive legal requests for information.
“Merchants” are the businesses who use Shopify’s platform or services to power their stores in any capacity.
“Customers” are people who visit or make a purchase from a Merchant's store using the Shopify platform or services.
“Partners” are third parties who provide services to Merchants, such as: developing apps or themes that can be used in a Merchant’s store; helping Merchants build or set up their stores; building third party integrations with other platforms; or referring potential entrepreneurs looking to become a Merchant.
If we change our practices for responding to legal requests for information, we will update these guidelines. For a more detailed explanation about Shopify’s approach to third-party requests for information, please review the Shopify Legal Requests for Information Whitepaper.
These are the principles that guide us when we respond to legal requests:
When a third party demands identifiable non-public information (such as personal or financial information about a Merchant), we will not share this information absent an enforceable legal request, and we will take appropriate steps to minimize the amount of information that we disclose to satisfy the legally enforceable request. We will generally refuse to disclose non-public information if the legal request or court order is directed to the wrong Shopify entity or address or is issued by a body that lacks jurisdiction over the Shopify entity that has custody and control over responsive information. If we object to a request, we will explain the problem and our view on how the issue could be resolved (if at all) to the requestor.
We will notify affected individuals and entities before we produce information about them, unless we are legally prohibited from doing so.
When a third party requests information, we will only provide information directly related to the activity addressed in the request. Legal requests and court orders must specifically identify the activity about which information is sought.
When a third party requests information about a Merchant’s Customers, we will first instruct the requestor to obtain that information directly from the Merchant, who is the controller of that data. We will not provide information about that Merchant’s Customers unless:
- the requestor cannot obtain the data directly from the Merchant due to the Merchant being under a criminal investigation that would be jeopardized by the Merchant being made aware of the request.
- the Merchant has terminated their account with Shopify and affirmatively requests that Shopify send the Merchant’s data to a third party.
- the Merchant has been terminated by Shopify for fraudulent activity or otherwise violating our Terms of Service and no longer has access to their Shopify account.
- the requestor has made significant, unsuccessful efforts to obtain the information from the Merchant, and Shopify, in its sole discretion, determines that the public interest in disclosure of the requested information outweighs the risk of harm to the Merchant and/or Merchant’s Customers.
How to Submit a Legal Request
Legal requests for information must be submitted online through our Legal Access Request Portal.
Our online portal will guide you through how to submit a request. You will need to:
Fill in the required fields (please see our Shopify Legal Requests for Information Whitepaper for more information about the types of information Shopify controls and which entity controls that information). Please note that Shopify will notify affected individuals and entities before we produce information about them unless you specify a statute, law, or regulation, or provide a court order that legally prohibits us from doing so.
Upload a copy of any relevant documents (for example, a copy of the subpoena or court order, or if you are a government official, a letter identifying the law expressly authorizing you to compel the production of the requested information, as well as any non-disclosure order you may have). Please note the original form only allows one document upload. If you have multiple documents, an additional link will be sent to your email where you can upload the remaining documents.
Verify your email address via the link sent to your email address.
Our online portal also allows you to add information, ask us questions, and download the information when it is available. Shopify does not maintain productions indefinitely -- it is your responsibility to download and safeguard the information that has been provided or notify Shopify of the length of time you request that Shopify maintain the production and the basis for your request.
Please note that submitting a legal request through our online portal does not waive your obligation to attach documentation compelling our response to your request nor does it waive Shopify’s right to object to the request after review.
Frequently Asked Questions
Broadly, what type of information does Shopify control?
Shopify has custody and control over certain information about Merchants, Customers, and Partners. We have provided a detailed explanation of the type of information we control in our Shopify Legal Requests for Information Whitepaper. Please note that Shopify does not control the flow of funds to a Merchant—this is done independently by the third-party payment processor used by the Merchant (even if they are using Shopify Payments, this is done by Stripe). As such, we cannot garnish receivables or apply liens or levies, even on money generated through Shopify Payments.
What Shopify entity should my request be directed to?
It depends on the information you are seeking. Most requests seek information about our Merchants or Partners, in which case your request should be directed to the Shopify entity that directly contracts with the Merchant or Partner. You can find the specific contracting entity in our Contracting Party Chart. For other information requests, you should consult our Shopify Legal Requests for Information Whitepaper to determine which Shopify entity controls the information you are seeking. You should contact the Merchant directly if you are seeking information about a Merchant’s Customer.
Shopify only stores a Merchant’s payment card information if they have subscribed to a paid Shopify service using a payment card.
What happens if my request does not comply with Shopify’s guidelines?
After submitting your request through the Legal Access Request Portal, we will review the attached document to confirm that you have (1) sought information from the correct entity and address, (2) provided a subpoena, court order, or other document that legally requires us to respond (i.e., jurisdiction exists and you have the right to obtain the information under applicable law), and (3) identified a statute, law, or regulation or provided a court order that legally prohibits disclosure if you specified that your request should be kept secret. If we determine that any of those things are missing, we will advise you of the problem and give you an opportunity to correct it. For additional information on how we view jurisdiction or why we may object to your request, you should consult our Shopify Legal Requests for Information Whitepaper.
These Guidelines are provided for informational purposes only. Its contents are subject to change over time. The information in these Guidelines do not modify any existing contractual arrangements and may not be construed as legal advice. Nothing in these Guidelines shall be construed as a waiver of any right or privilege and Shopify reserves the right to modify this document at any time.
Last updated: July 20, 2022
© 2023 Shopify Inc.