Guidelines for Legal Requests for Merchant or Buyer Data

Introduction

Shopify supports hundreds of thousands of merchants, who in turn work with millions of buyers across the globe—it is absolutely essential for us to maintain the trust of our merchants and their buyers. Some of these merchants (or buyers) occasionally find themselves in legal disputes, which might create a need for need information about a particular merchant, store, or transaction. These guidelines explain how we handle these requests, and how we balance our legal obligations, the needs of the requesting party, and the privacy rights of our merchants and their buyers. Please note that if you are a merchant or a buyer seeking access to your own information, you do not need to follow these procedures—please consult our Privacy Policy for more information about your right of access.

In these guidelines, we provide some information about Shopify’s corporate structure, the types of information we have, and the conditions under which we will disclose this information. But initially, some first principles:

  • When a third party requests non-public information (such as personal or financial information), we will not share this information absent an enforceable court order, subpoena or search warrant;
  • We will notify affected users if we believe we are legally required to provide their information to a requesting party, unless we are prohibited by law from doing so;
  • When a third party requests information about a merchant, we will not also provide information about the individual’s activity as a Buyer, Partner, or consumer using Shopify’s consumer-facing services (such as Shopify Pay, Frenzy, and Arrive), unless the legal request or court order specifically requests this additional information;
  • When a third party requests information about a merchant, we generally will not also provide information about that merchant’s customers. We consider this information to be in the control and custody of the merchant, who is the controller of this information. If you are requesting information about a merchant’s customers, please send your request directly to the relevant merchant; and
  • Shopify will narrowly construe the language of the request.

Shopify’s Terminology

In order to understand what information we hold, you should understand a few terms that we commonly use when talking about our business:

  • “Merchants” are individuals who use Shopify’s ecommerce platform to power their stores in any capacity. When we talk about Merchants, we include all individuals who access Shopify on behalf of a store (or multiple stores)—not just the listed account owners.

  • “Buyers” are individuals who visit, engage with, or make a purchase from a store operated by a Merchant.

  • Partners” are individuals who work with and provide a wide variety of ancillary services to Merchants, such as: developing apps or themes that can be used in conjunction with a Merchant’s store; helping Merchants build or set up their stores, or with other web development services; referring potential entrepreneurs looking to become a Merchant.

  • Shopify Payments” is one of many payments processing services available to Merchants, and is currently offered through a partnership with Stripe Inc. Shopify Payments is only available in certain locations, and the workflow for the service is described in more detail below.

  • Shopify Capital” is a service made available to Merchants in certain locations, whereby Shopify will make available cash advances to help them build or operate their stores.

  • Shopify Exchange” is a service that allows Merchants to sell their stores through Shopify.

  • Shopify App Store” is a portal powered by Shopify through which Merchants can browse and install third party apps developed by Partners that can supplement or augment their stores (for example, helping with inventory management, marketing, taxes, shipping, etc.).

  • Kit” is an app available through the Shopify App Store that helps Merchants set up marketing campaigns through an easy-to-use chatbot.

  • Oberlo” is an app available through the Shopify App Store that helps Merchants locate products produced by other parties.

  • Shopify Pay” is a service for Buyers that allows them to store their information for easy use on any store powered by Shopify.

  • Frenzy” is a consumer-facing app that allows Buyers to participate in and make purchases during “flash sales” set up by Merchants.

  • Arrive” is a consumer-facing app that allows Buyers to track the shipment status of outstanding orders (including orders placed outside of Shopify).

Which Entity Do I Need to Subpoena?

Shopify provides services through a collection of different affiliates, depending on the location of the data subject and the precise services at issue. Each of these affiliates is a distinct corporate legal entity, and will have access to different types of information, and is subject to different sets of laws. This section is intended to ensure that if you do intend to submit a legal request for information, that you direct it to the proper entity which has control over the information you seek.

  • Shopify Inc. is a Canadian corporation with its principal place of business in Ottawa, Ontario. Shopify Inc. currently develops the Shopify platform available to Merchants.

    • Shopify Inc. has access to the following types of information: Merchant personal information; Merchant account information (including access records relating to use of Shopify); Merchant revenue information (including aggregate revenues generated through third party payment processors); information about orders placed through Shopify; Merchant’s payment information (to pay Shopify subscription fees); Partner personal information; Partner account information; Partner revenue information.
    • Shopify Inc. also has access to information associated with individual transactions made on Merchant stores that use Shopify Payments, and information about Merchant revenues (including total amounts deposited into a Merchant’s bank account, and information about the Merchant’s bank account itself).

      • Please note that Shopify Payments is currently offered in partnership with Stripe, and Shopify generally does not have access to the actual payment card information used by Buyers to transact on a Merchant’s store—this information is held by Stripe. Shopify Inc. also does not control the flow of funds to a merchant—this is done independently by Stripe. More specifically, merchants are not entitled to any revenues from transactions until their funds clear the credit card settlement process and Stripe deposits them into a merchants’ bank account (with no involvement from Shopify). As such, we cannot garnish receivables or apply liens or levies on money generated through Shopify Payments.
    • Legal requests to Shopify Inc. should be directed to 150 Elgin St., 8th Fl., Ottawa, ON, Canada, K2P 1L4, Attn: Legal/Privacy Team or to privacy@shopify.com.

  • Shopify International Limited is an Irish limited corporation. Among other things, Shopify International Limited initially processes all Merchant, Buyer, and Partner data from individuals located in Europe, the Middle East, South America, and Africa.

    • Shopify International Limited controls the following types of information for individuals located in Europe, the Middle East, South America, and Africa: Merchant personal information; Merchant account information (including access records relating to use of Shopify); Merchant revenue information (including aggregate revenues generated through third party payment processors); general information about orders placed through Shopify; Merchant’s payment information (to pay Shopify subscription fees); Partner personal information; Partner account information; Partner revenue information.

      • Shopify International Limited also controls information associated with individual transactions made on European, Middle Eastern, South American, and African Merchant stores that use Shopify Payments, and information about Merchant revenues (including total amounts deposited into a Merchant’s bank account, and information about the Merchant’s bank account itself).
      • Please note that Shopify Payments is currently offered in partnership with Stripe, and Shopify generally does not have access to the actual payment card information used by Buyers to transact on a Merchant’s store -- this information is held by Stripe. Shopify International Limited also does not control the flow of funds to a merchant. More specifically, merchants are not entitled to any funds associated with merchant transactions until such funds clear the credit card settlement process and are deposited into a merchants’ bank account by Stripe (with no involvement from Shopify). As such, we do not have the ability to garnish receivables or to apply liens or levies on money generated through Shopify Payments.
    • Legal requests to Shopify International Limited should be directed to Shopify International Limited., ℅ Intertrust Ireland; 2nd Floor Victoria Buildings 1-2; Haddington Road, Dublin 4; D04 XN32; Ireland, Attn: Legal/Privacy Team or to privacy@shopify.com.

  • Shopify Commerce Singapore PTE. LTD. is a Singaporean corporation. Among other things, Shopify Commerce Singapore PTE. LTD. initially processes all Merchant, Buyer, and Partner data from individuals located in Asia, Australia, and New Zealand.

    • Shopify Commerce Singapore PTE. LTD. controls the following types of information for individuals located in Asia, Australia, and New Zealand: Merchant personal information; Merchant account information (including access records relating to use of Shopify); Merchant revenue information (including aggregate revenues generated through third party payment processors); general information about orders placed through Shopify; Merchant’s payment information (to pay Shopify subscription fees); Partner personal information; Partner account information; Partner revenue information.

      • Shopify Commerce Singapore PTE. LTD. also controls information associated with individual transactions made on Asian, Australian, and New Zealand stores that use Shopify Payments, and information about Merchant revenues (including total amounts deposited into a Merchant’s bank account, and information about the Merchant’s bank account itself).
      • Please note that Shopify Payments is currently offered in partnership with Stripe, and Shopify generally does not have access to the actual payment card information used by Buyers to transact on a Merchant’s store—this information is held by Stripe. Shopify Commerce Singapore PTE. LTD. also does not control the flow of funds to a merchant—this is done independently by Stripe. More specifically, merchants are not entitled to any revenues from transactions until their funds clear the credit card settlement process and Stripe deposits them into a merchants’ bank account (with no involvement from Shopify). As such, we cannot garnish receivables or apply liens or levies on money generated through Shopify Payments.
    • Legal requests to Shopify Commerce Singapore PTE. LTD. should be directed to Shopify Commerce Singapore PTE. LTD., 77 Robinson Road, #13-00 Robinson 77, Singapore, 068896, Attn: Legal/Privacy Team or to privacy@shopify.com.

  • Shopify (USA) Inc. is a Delaware corporation with its principal place of business in San Francisco, California. Shopify (USA) Inc. does not directly provide services related to the Shopify commerce platform. Rather, Shopify (USA) Inc. provides the Kit and Ping apps, and is the successor-in-interest to Kit CRM Inc., which Shopify acquired in 2016.

    • The only business information which Shopify (USA) Inc. controls is information about Merchants’ use of Kit and Ping. Legal requests seeking information about general use of Shopify should not be directed to Shopify (USA) Inc.
    • Legal requests to Shopify (USA) Inc. should be directed to 33 New Montgomery St., Ste 750, San Francisco, CA, 94105, USA, Attn: Legal/Privacy Team or to privacy@shopify.com.
  • Shopify Capital Inc. is a Virginia corporation that provides Shopify Capital, which is currently limited to Merchants located in the United States.

    • Shopify Capital Inc. holds information about any cash advances offered to a Merchant, and the outstanding balance and historical payments on a cash advance accepted by a Merchant.
    • Legal requests to Shopify Capital Inc. should be directed to 100 Shockoe Slip, 2nd Floor, Richmond, VA, 23219, USA, Attn: Legal/Privacy Team or to privacy@shopify.com.
  • If you have questions about other Shopify entities, please email privacy@shopify.com.

What Legal Process Should a Requesting Party Follow?

Criminal Matters For criminal matters, we will respond to requests issued by Canadian courts with jurisdiction to compel us to produce the requested information.

We will also respond to requests from US courts in cases where we are subject to the specific personal jurisdiction of the particular US court—i.e., in matters concerning Merchants within the US state in which a request is issued. We will only produce information regarding individuals within the jurisdiction of the requesting authority.

If you are submitting a request on behalf of a US court for information on a Merchant that is not located in the United States, we require that you follow the Mutual Legal Assistance Treaty process.

Finally, we will respond to a request from any other country that has jurisdiction over Shopify with respect to the particular information sought. If you are submitting a request from a country that does not have jurisdiction over a Shopify entity, we require that you follow the Mutual Legal Assistance Treaty process.

Civil or Regulatory Matters For civil or regulatory matters, we will respond to requests from Canadian courts with jurisdiction to compel us to produce the requested information.

We will also respond to requests from US courts in cases where we are subject to the specific personal jurisdiction of the particular US court (i.e., in matters concerning Merchants within the US state in which a request is issued). We will only produce information regarding individuals within the jurisdiction of the requesting authority.

If you are submitting a request on behalf of a US court for information on a Merchant that is not located in the United States, we require that you follow the Hague Evidence Convention (Letters Rogatory process).

Finally, we will respond to requests from any other country that has jurisdiction over Shopify with respect to the particular information sought. If you are submitting a request from a country that does not have jurisdiction over a Shopify entity, we require that you follow the Hague Evidence Convention (Letters Rogatory process).

Once you have determined what information you need and which entity holds that information, Shopify may be served at the address provided for each entity above (although we may be willing to accept email service in certain circumstances—to inquire about email service, please reach out to us via privacy@shopify.com).

Service by email is for Shopify’s convenience only and does not waive any objections, including lack of jurisdiction, subpoena power, or improper service.

What information do I need to provide in the court order?

Please provide enough information to uniquely identify the merchant or individual. Unique identifiers include the URL of a Shopify store or an email address.

A common name is not usually enough to identify an individual. Please do not provide us with an individual’s SSN/SIN, other government identification number, bank account number, or payment card number.

Does Shopify Hold or Control Merchant Funds On Deposit?

While Shopify does provide our commerce platform to our Merchants, it does not directly provide payments processing services that give it control over a Merchant’s revenues. Shopify Payments is a separate service that we offer together with Stripe, Inc. and an acquiring bank that has a relationship with Stripe, Inc. Shopify Payments Merchants are not entitled to any funds associated with Merchant transactions until such funds clear the credit card settlement process and are deposited by Stripe and Stripe’s acquiring bank into a Merchant's bank account. At no time does Shopify hold these funds or control the bank account that deposits these funds. Accordingly, we do not have the ability to garnish receivables generated through Shopify Payments. Given this, any UCC liens, tax levies, garnishments, and other requests for Merchant money should be sent to Stripe, Inc., as Shopify does not hold funds on behalf of Merchants.

Does Shopify Store or Process Merchant Bank Account or Credit Card Numbers?

Shopify will only retain a Merchant’s bank accounts records if they have provided them while setting up Shopify Payments. In order to be eligible for Shopify Payments, the Merchant must be in a supported country (currently, the US, Canada, the UK, Australia, New Zealand, Ireland, Singapore, Hong Kong, Japan, Germany, Spain, the Netherlands, and Denmark).

Shopify will only retain a Merchant’s payment card information if they have subscribed to a paid Shopify service.

Will Shopify Voluntarily Disclose Non-Public Information to a Requesting Party?

No. Shopify will only disclose non-public information in response to an enforceable subpoena or court order from a court with jurisdiction to compel Shopify to disclose that information.

Will Shopify Notify Affected Merchants Before Disclosing Information?

Yes. We strongly believe that any individual should be informed when we are required to produce their information in response to a legal request. We will notify the affected individual of the request (or, if we serve as the processor of the data, the affected Merchant) so that they may pursue legal action and prevent disclosure. The only circumstances in which we will not provide this notice is if we are legally prohibited from doing so.

If you receive a notice that Shopify has been compelled to produce your personal information, you may seek a protective order from a court. If you are able to provide us with such a protective order, we will object to the production demanded by the subpoena.

Does Shopify Charge Anything to Respond to a Legal Request?

We reserve the right to seek reimbursement for the costs associated with responding to legal requests (where permitted by law).

How Does Shopify Handle Data Preservation Orders?

Preservation orders may capture two types of information: shop data, or metadata.

Shop data includes information such as data on a Merchant themselves, the Merchant’s communication with Shopify, as well as a store’s customers, transactions, account ownership, and products. We generally keep shop data for the lifetime of a store, and do not require a preservation order to maintain this data. We purge personal information within 90 days of a store’s deactivation, after which the identifiable information is no longer capable of being recovered.

Metadata includes information such as who accessed a store and when, and actions that a Merchant performed on a store. Metadata is generally kept for a short period of time—in some instances for only 12 days. As such, depending on when a request for metadata is made, and the period of time for which the metadata is sought, we may no longer have the ability to preserve or produce the requested data.

Transparency Report

For data on how many requests for information we receive, please see our Transparency Report.

Last updated: September 11, 2019
© 2019 Shopify Inc.