These guidelines illustrate how Shopify balances our legal obligations, the requesting party’s needs, and the privacy rights of our Merchants, their Customers, and Partners when we receive legal requests for information.
“Merchants” are the businesses who use Shopify’s platform to power their stores in any capacity.
“Customers” are people who visit or make a purchase from a Merchant using the Shopify platform or services.
“Partners” are third parties who provide services to Merchants, such as: developing apps or themes that can be used in a Merchant’s store; helping Merchants build or set up their stores; building third party integrations with other platforms; or referring potential entrepreneurs looking to become a Merchant.
If we change our practices for responding to legal requests for information, we will update these guidelines. For a more detailed explanation about Shopify’s approach to third-party requests for information, please review the Shopify Legal Requests for Information Whitepaper.
These are the principles that guide us when we respond to legal requests:
When a third party demands identifiable non-public information (such as personal or financial information about a Merchant or Customer), we will not share this information unless we are legally required to do so, and we will minimize the amount of information that we disclose to satisfy the legally enforceable demand. We will refuse to disclose non-public information if the legal request or court order is directed to the wrong Shopify entity or is issued by a body that lacks jurisdiction over the Shopify entity that has custody and control over responsive information. If we object to a demand, we will explain the problem and our view on how the issue could be resolved to the requestor.
We will notify affected individuals and entities before we produce information about them, unless we are legally prohibited from doing so.
When a third party requests information, we will only provide information directly related to the activity addressed in the demand. Legal requests and court orders must specifically identify the activity about which information is sought.
When a third party requests information about a Merchant’s Customers, we will first instruct the requestor to obtain that information directly from the Merchant, who is the controller of that data. We will not provide information about that Merchant’s Customers unless the requestor convinces us that they cannot obtain the data directly from the Merchant.
How to Submit a Legal Request
Legal requests for information must be submitted online through our Legal Access Request Portal.
Our online portal will guide you through how to submit a request. You will need to:
Fill in the required fields (please see our Shopify Legal Requests for Information Whitepaper for more information about the types of information Shopify controls and which entity controls that information).
Upload a copy of any relevant documents (for example, a copy of the subpoena or court order, or if you are a government official, a letter identifying the law expressly authorizing you to compel the production of the requested information).
Verify your email address.
Our online portal also allows you to add information, ask us questions, and download the information when it is available. Shopify does not maintain productions indefinitely -- it is your responsibility to download and safeguard the information that has been provided or notify Shopify of the length of time you request that Shopify maintain the production and the basis for your request.
Please note that submitting a legal request through our online portal does not waive your obligation to attach documentation compelling our response to your request or any objections Shopify may have after reviewing the request.
Frequently Asked Questions
Broadly, what type of information does Shopify control?
Shopify has custody and control over certain information about Merchants, Customers, and Partners. We have provided a detailed explanation of the type of information we control in our Shopify Legal Requests for Information Whitepaper. Please note that Shopify does not control the flow of funds to a Merchant—this is done independently by the third-party payment processor used by the Merchant (even if they are using Shopify Payments, this is done by Stripe). As such, we cannot garnish receivables or apply liens or levies, even on money generated through Shopify Payments.
What Shopify entity should my request be directed to?
It depends on the information you are seeking. Most requests seek information about our Merchants or Partners, in which case your request should be directed to the Shopify entity that directly contracts with the Merchant or Partner. You can find the specific contracting entity in our Contracting Party Chart. For other information requests, you should consult our Shopify Legal Requests for Information Whitepaper to determine which Shopify entity controls the information you are seeking. You should contact the Merchant directly if you are seeking information about a Merchant’s Customer.
Shopify only stores a Merchant’s payment card information if they have subscribed to a paid Shopify service using a payment card.
What happens if my request does not comply with Shopify’s guidelines?
After submitting your request through the Legal Access Request Portal, we will review the attached document to confirm that you have (1) sought information from the correct entity, and (2) provided a subpoena, court order, or other document that legally requires us to respond (i.e., jurisdiction exists and you have the right to obtain the information under applicable law). If we determine that either of those things are missing, we will advise you of the problem and give you an opportunity to correct it. For additional information on how we view jurisdiction or why we may object to your request, you should consult our Shopify Legal Requests for Information Whitepaper.
Last updated: December 8, 2021
© 2022 Shopify Inc.