Guidelines for Legal Requests for Information

Note: Due to office closures, we cannot accept service at any of our physical locations until further notice.

Legal requests should be directed to legal-orders@shopify.com until further notice.

Note: This guide does not cover individuals seeking access to their own information.
Please consult our Privacy Policy for more information about your right of access.

Introduction

Shopify supports more than a million merchants, who in turn interact with millions of customers across the globe. Some of these merchants (or customers) occasionally find themselves in legal disputes which might lead to a legal request for information about a particular merchant, store, or transaction. Shopify also receives requests from law enforcement or other government institutions for personal information in the context of an investigation or enforcement of applicable laws. These guidelines explain how we balance our legal obligations, the requesting party’s needs, and the privacy rights of our merchants and their customers.

These are the principles that guide us when we respond to legal requests:

  • When a third party demands identifiable non-public information (such as personal or financial information about a merchant or customer), we will not share this information unless we are legally required to do so;
  • We will notify affected individuals before we produce information about them, unless we are legally prohibited from doing so;
  • When a third party requests information about a merchant, we will not also provide information about the individual’s activity as a partner, customer, or a user of Shopify’s consumer-facing apps or services (such as Shop or Shop Pay) unless the legal request or court order specifically identifies and requests this additional information; and
  • When a third party requests information about a merchant, we will not provide information about that merchant’s customers. This information is in the merchant’s custody and control. If you are requesting information about a merchant’s customers, please send your request directly to the relevant merchant.

Shopify’s Terminology

To better understand Shopify records, it is helpful to be familiar with a few terms that we commonly use when talking about our business:

  • “Merchants” are individuals or businesses who use Shopify’s platform to power their stores in any capacity. We consider all individuals who access Shopify on behalf of a store (or multiple stores) to be a merchant—not just the listed account owners.
  • “Customers” are individuals who visit or make a purchase from a Merchant.
  • “Partners” are third parties who provide services to Merchants, such as: developing apps or themes that can be used in a Merchant’s store; helping Merchants build or set up their stores; or referring potential entrepreneurs looking to become a Merchant.

What Do I Need to Submit?

Each request should include the following information to assist with processing your request and reduce the chance of a rejection:

  1. The name of the requesting body
    • For example, the court that issued the subpoena, or government agency that authorized the request
  2. The law or other authority that compels production
  3. The Shopify entity from which you are requesting records
    • Please see below for which entity controls the information you are seeking
    • We cannot respond to requests directed to “Shopify” or “shopify.com” - you must specify one of our corporate entities
  4. The subject of the request
    • For example, an individual’s name, email, business name, or website address
    • Shopify cannot identify individuals with a common name (e.g., Jane Smith) without additional information
    • Please do not provide us with an individual’s SSN/SIN, other government identification number, bank account number, or payment card number
  5. The specific information requested
    • See ‘What Types of Information does Shopify Control?’ section below
  6. If the request must be kept secret, please: (1) enclose a non-disclosure or restraining order, or (2) identify the legal or regulatory basis for the requirement
    • We will not notify the subject upon receipt of a Grand Jury Subpoena
  7. If you require a Custodian of Records Affidavit or Certificate of True Copy, please let us know.
  8. Deadlines for production, where relevant
  9. Where Shopify should send the production
    • For example, email address of the requester
    • We strongly prefer to provide information electronically where feasible. Requiring physical production will delay our ability to respond.

What Types of Information Does Shopify Control?

In order for us to properly respond to your request, you must identify the type of information you require -- please use the specific defined categories below. This enables us to make sure that the proper Shopify entity is responding to your request, and that we respond in line with relevant laws. This also allows us to adopt different approaches depending on the sensitivity of the information requested. We break our information into four categories, as follows:

  • Store Information

    • This includes non-public information relating to a specific store, such as store revenues, countries into which a store has sold, invoices for Shopify services rendered, method of payment for Shopify services, connected bank account(s), product lists, store transactions (without customer information), payouts (if using Shopify Payments), tax documents, contracts between the store and Shopify, and apps installed on a store.
    • This information is generally protected under our contracts with our Merchants.
    • To request this information, please send a request to the Shopify entity which processes information in the merchant’s location. You can find the specific contracting entity in our Contracting Party Chart. We cannot respond to a request unless you make the request to the proper legal entity. Please ensure that the requesting body has jurisdiction to compel the Shopify entity to produce documentation (see ‘Jurisdiction’ section below for any questions).
  • Merchant or Partner Information

    • This includes information about the identity of a specific Merchant or Partner as an individual, such as their name, listed address, phone number, email address, IP addresses, and any staff members on their account.
      • Please note that Shopify does not control the flow of funds to a merchant—this is done independently by the third party payment processor used by the merchant (even if they are using Shopify Payments, this is done by Stripe). Merchants are not entitled to any revenues from transactions until their funds clear the credit card settlement process and their payment processor deposits them into a merchant’s bank account (with no involvement from Shopify). As such, we cannot garnish receivables or apply liens or levies, even on money generated through Shopify Payments.
    • This information is generally protected under applicable privacy and data protection laws.
    • To request this information, please send a request to the Shopify entity which processes information in the merchant’s location. You can find the specific contracting entity in our Contracting Party Chart. We cannot respond to a request unless you make the request to the proper legal entity. Please ensure that the requesting body has jurisdiction to compel the Shopify entity to produce documentation (see ‘Jurisdiction’ section below for any questions).
  • App Information

    • This includes information about users of Shopify’s consumer-facing apps and services, like Shop or Shop Pay. For these services, we hold information about how the individual uses the service, their account registration information, and when someone uses Shop Pay, their stored payment information.
      • We will not produce this information unless the request specifically identifies one of these services.
    • This information is generally protected under applicable privacy and data protection laws.
    • To request this information, please send a request to Shopify Inc. We cannot respond to a request unless you make the request to the proper legal entity. Please ensure that the requesting body has jurisdiction to compel the Shopify entity to produce documentation (see ‘Jurisdiction’ section below for any questions).
  • Other Information

    • We also store other information associated with specific Shopify services (such as Shopify Capital, Shopify Exchange, Kit, Oberlo, and 6 River Systems), or our corporate websites. Please contact us for more information if you require information relating to one of these services. We will not produce information about these additional services unless your request specifically identifies the service.

How do I serve my request on Shopify?

Each Shopify entity has its own service address (see the ‘Types of Information’ section for more details about which entity controls the information you seek). As discussed above, the proper entity might depend on the location of the specific merchant subject to your request. If you are unsure of the proper entity, or if you name the wrong entity, we can direct you to the appropriate Shopify entity that maintains the relationship with a particular merchant.

Additionally, in many cases we may be willing to accept service by email. To inquire about email service, please reach out to us via legal-orders@shopify.com. Service by email is for Shopify’s convenience only and does not waive any objections, including lack of jurisdiction, subpoena power, or improper service.

For service by mail, please see our contact information below:

Shopify Inc. ATTN: Legal/Privacy Team
151 O’Connor Street
Ground floor
Ottawa, ON K2P 2L8
Canada

Shopify International Ltd. ATTN: Legal/Privacy Team
c/o Intertrust Ireland
2nd Floor 1-2 Victoria Buildings
Haddington Road
Dublin 4, D04 XN32
Ireland

Shopify Commerce Singapore PTE. LTD. ATTN: Legal/Privacy Team
77 Robinson Road,
#13-00 Robinson 77,
Singapore 068896

Please note that our New York and San Francisco locations are not offices of the entities listed above and are not authorized to receive service on their behalf. We may object to requests that are improperly served, which may delay your receipt of information you are demanding.

Jurisdiction

We will produce information when the requesting body has legal authority to issue - and jurisdiction to enforce - the relevant request, subpoena, or court order. As States may only exercise their legal authority within their territorial borders, except when they have obtained legal authority through mutual legal assistance processes in another State, this may occur in two types of cases:

  1. The requesting body is in the same jurisdiction as the Shopify entity that holds the data

    • A Shopify entity may respond to requests issued by courts or authorities in the country in which the entity is located. Since Shopify Inc. is a Canadian entity, it may provide any information it holds in response to an order issued by a Canadian court or a warrant issued by a Canadian authority.
    • If you are making a request from another jurisdiction, you will generally need to go through the Mutual Legal Assistance Treaty (“MLAT”) or Letters Rogatory process to have your request issued by an authority from the country in which the relevant entity is located, unless you fall into the category below.
  2. The requesting body is in the same jurisdiction as the data subject.

    • A Shopify entity may also respond to a court order from an authority in the same jurisdiction as the merchant, to the extent that it is legally permitted to do so. For example, even though Shopify International Limited is incorporated in Ireland, it may provide information about merchants with registered addresses in France in response to a valid request from a French authority.
      • Specific jurisdiction in the United States is determined on a state-by-state basis (see ‘Requests from the United States’ below).
    • If the merchant or partner is located outside of your jurisdiction, you will also have to go through the MLAT or Letters Rogatory process.

Requests from the United States

If you would like to make a request from the United States directed to a non-US entity, we treat jurisdiction on a state-by-state basis in accordance with American law. Accordingly, you will need to issue or domesticate the request in the particular state in which the relevant merchant(s) or partner(s) are located - unless the requesting body has statutory federal authority. For example, Shopify Inc. may only provide information about merchants who have registered for our services in New York in response to a request from a New York authority.

Please note that while we have a few subsidiaries incorporated in the US, those entities do not have control or custody of information that is likely to be responsive to legal requests. For example, Shopify (USA) Inc. is responsible for developing and maintaining distinct applications (e.g., Kit and Ping) that our merchants may use to improve their marketing and customer service practices. It does not have control or custody over Store Information, Merchant or Partner Information, or Buyer Information. The one exception is Shopify Payments (USA) Inc., which does have access to certain Buyer Information and Merchant Information if the merchant is located in the United States.

Frequently Asked Questions

Does Shopify Hold or Control Merchant Funds On Deposit?

No. Shopify does not have control over a Merchant’s revenue, even if the Merchant uses Shopify Payments as a payment processing service. We offer Shopify Payments together with Stripe and an acquiring bank that has a relationship with Stripe. Shopify Payments Merchants are not entitled to any funds associated with Merchant transactions until such funds clear the credit card settlement process and are deposited by Stripe and Stripe’s acquiring bank into a Merchant’s bank account. At no time does Shopify hold these funds or control the bank account that deposits these funds. Accordingly, we do not have the ability to garnish receivables generated through Shopify Payments. Given this, any UCC liens, tax levies, garnishments, and other requests for Merchant money should be directed to Stripe.

Does Shopify Process Merchant Bank Account or Payment Card Numbers?

Sometimes. Shopify only stores a Merchant’s bank account number if the merchant has provided the number when setting up Shopify Payments or has agreed to receive Shopify Capital. Shopify does not store a bank account number if a Merchant is not using Shopify Payments or Shopify Capital.

Shopify only stores a Merchant’s payment card information if they have subscribed to a paid Shopify service using a payment card.

Will Shopify Notify Affected Merchants Before Disclosing Information?

Yes. Unless we are legally prohibited from doing so, we will notify the affected Merchant or Partner. You must notify us if there is a legal prohibition on notification, or if you have obtained or intend to obtain a court order preventing notification. If you do not notify us of any such order or prohibition, we will default to notifying the affected Merchant. If a Merchant informs us that they intend to seek a protective order, we will inform you of this.

Additionally, if in the course of responding to a request we conclude that a particular store may be violating Shopify’s policies, we may decide to terminate the store. Please inform us if doing so would jeopardize an ongoing matter or we should not do so for some other legal reason.

Does Shopify Charge Anything to Respond to a Legal Request?

Not usually. However, we reserve the right to seek reimbursement for the costs associated with responding to legal requests (where permitted by law).

How Does Shopify Handle Data Preservation Orders?

We generally keep shop data for the lifetime of a store, and do not require a preservation order to maintain this data while a store remains active. We purge personal information within 90 days of a store’s deactivation, after which the identifiable information is no longer capable of being recovered. If you require specific information to be preserved, please send us a preservation order with a discrete list of data to preserve. We are not able to archive an entire store or recreate how that store appeared to visitors on a given date.

Transparency Report

For data on how many requests for information we receive, please see our Transparency Report.

Last updated: October 14, 2020
© 2020 Shopify Inc.