Guidelines for Legal Requests for Merchant or Buyer Data

Introduction

Shopify supports hundreds of thousands of merchants, who in turn work with millions of buyers across the globe--it is absolutely essential for us to maintain the trust of our merchants and their buyers. Some of these merchants (or buyers) occasionally find themselves in legal disputes, and some party or another might legitimately need information about a particular merchant, store, or transaction. These guidelines explain how Shopify handles such requests, and balances the needs of the requesting party with the privacy rights of our merchants and their buyers. Please note that if you are a merchant or a buyer seeking access to your own information, you do not need to follow these procedures -- please consult our Privacy Policy for more information about your right of access.

In these guidelines, we provide some information about Shopify (including our corporate structure--to make sure that you issue a request to the proper legal entity), the types of information we have, and the conditions under which we will disclose this information. But initially, some first principles:

  • When a third party requests non-public information (such as personal or financial information), we will not share this information absent an enforceable court order, subpoena or search warrant; and
  • We will notify affected users if we believe we are legally required to provide their personal or financial information to a requesting party, unless we are prohibited by law from doing so.
  • When a third party requests information about a merchant, we will not also provide information about the individual’s activity as a Buyer, Partner, or consumer using Shopify’s consumer-facing services (such as Shopify Pay, Frenzy, and Arrive), unless the legal request or court order specifically identifies this additional information.

Shopify’s Terminology

In order to understand what information we hold, and how to direct a legal request, you should understand a few terms that we commonly use when talking about our business:

  • “Merchants” are individuals who use Shopify’s ecommerce platform to power their stores in any capacity. When we talk about Merchants, we include all individuals who access the Shopify platform on behalf of a store (or multiple stores) -- not just the listed account owners.

  • “Buyers” are individuals who visit, engage with, or make a purchase from a store operated by a Merchant using the Shopify platform.

  • Partners” are individuals who work with and provide a wide variety of ancillary services to Shopify Merchants, such as: developing apps or themes that can be used in conjunction with a Merchant’s store; helping Merchants build or set up their stores, or with other web development services; referring potential entrepreneurs looking to start a store to the Shopify platform.

  • Shopify Payments” is one of many payments processing services available to Merchants setting up a store through the Shopify platform, and is currently offered through a partnership with Stripe Inc. Shopify Payments is only available in certain locations, and the workflow for the service is described in more detail below.

  • Shopify Capital” is a service made available to Merchants in certain locations, whereby Shopify will make available cash advances to help them build or operate their stores.

  • Shopify Exchange” is a service that allows existing Merchants to sell their stores through the Shopify platform.

  • Shopify App Store” is a portal powered by Shopify through which Merchants can browse and install third party apps developed by Partners that can supplement or augment their stores in certain respects (for example, helping with inventory management, marketing, taxes, shipping, etc.).

  • Kit” is an app available through the Shopify App Store that helps Merchants set up marketing campaigns through an easy-to-use chatbot.

  • Oberlo” is an app available through the Shopify App Store that helps Merchants locate and make available to their Buyers products produced by independent third parties.

  • Shopify Pay” is a service for Buyers that allows them to store their information for easy use on any store powered by Shopify.

  • Frenzy” is a consumer-facing app that allows Buyers to participate in and make purchases during “flash sales” set up by Merchants.

  • Arrive” is a consumer-facing app that allows Buyers to track the shipment status of outstanding orders (including orders placed outside of the Shopify platform).

Which Entity Do I Need to Subpoena?

Shopify provides services through a collection of different affiliates, depending on the precise services at issue. Each of these affiliates is a distinct corporate legal entity, and will have access to different types of information, and is subject to different sets of laws. This section is intended to ensure that if you do intend to submit a legal request for information, that you direct it to the proper entity which has control over the information you seek.

  • Shopify Inc. is a Canadian corporation with its principal place of business in Ottawa, Ontario. Shopify Inc. currently develops the Shopify platform available to all Merchants.

    • With the exception of European Merchant information, as detailed below, Shopify Inc. controls the following types of information: Merchant personal information; Merchant account information (including access records relating to use of the Shopify platform); Merchant revenue information (including aggregate revenues generated through third party payment processors); general information about orders placed through the Shopify platform; Merchant’s payment information (to pay Shopify subscription fees); Partner personal information; Partner account information; Partner revenue information.
    • Legal requests to Shopify Inc. should be directed to 150 Elgin St., 8th Fl., Ottawa, ON, Canada, K2P 1L4.
  • Shopify (USA) Inc. is a Delaware corporation with its principal place of business in San Francisco, California. Shopify (USA) Inc. does not directly provide services related to the Shopify commerce platform. Rather, Shopify (USA) Inc. provides the Kit marketing app, and is the successor-in-interest to Kit CRM Inc., which was acquired by Shopify in 2016.

    • The only business information which Shopify (USA) Inc. controls is information about Merchants’ use of Kit. Legal requests seeking information about general use of the Shopify platform should not be directed to Shopify (USA) Inc.
    • Legal requests to Shopify (USA) Inc. should be directed to 33 New Montgomery St., Ste 750, San Francisco, CA, 94105, USA.
  • Shopify Payments (Canada) Inc. is a Canadian corporation with its principal place of business in Ontario, Canada. Shopify Payments (Canada) Inc. provides the Shopify Payments service to Merchants located in Canada.

    • Shopify Payments (Canada) Inc. controls detailed information associated with individual transactions made on Canadian Merchant stores that use Shopify Payments, and information about Merchant revenues (including total amounts deposited into a Merchant’s bank account, and information about the Merchant’s bank account itself).
    • Please note that Shopify Payments is currently offered in partnership with Stripe, and Shopify generally does not have access to the actual payment card information used by Buyers to transact on a Merchant’s store -- this information is held by Stripe. Shopify Payments (Canada) Inc. also does not control the flow of funds to a merchant. Shopify Payments is a service that we provide working together with Stripe, Inc., who actually handles the transfers outside of our control or direction. More specifically, merchants are not entitled to any funds associated with merchant transactions until such funds clear the credit card settlement process and are deposited into a merchants’ bank account by Stripe – with no involvement from Shopify. As such, we do not have the ability to garnish receivables generated through the Shopify Payments Service.
    • Legal requests to Shopify Payments (Canada) Inc. should be directed to 150 Elgin St., 8th Fl., Ottawa, ON, Canada, K2P 1L4.
  • Shopify Payments (USA) Inc. is a Delaware corporation that provides the Shopify Payments service to Merchants located in the United States.

    • Shopify Payments (USA) Inc. controls detailed information associated with individual transactions made on U.S. Merchant stores that use Shopify Payments, and information about Merchant revenues (including total amounts deposited into a Merchant’s bank account, and information about the Merchant’s bank account itself).
    • Please note that Shopify Payments is currently offered in partnership with Stripe, and Shopify generally does not have access to the actual payment card information used by Buyers to transact on a Merchant’s store -- this information is held by Stripe. Shopify Payments (USA) Inc. also does not control the flow of funds to a merchant. Shopify Payments is a service that we provide working together with Stripe, Inc., who actually handles the transfers outside of our control or direction. More specifically, merchants are not entitled to any funds associated with merchant transactions until such funds clear the credit card settlement process and are deposited into a merchants’ bank account by Stripe – with no involvement from Shopify. As such, we do not have the ability to garnish receivables generated through the Shopify Payments Service.
    • Legal requests to Shopify Payments (USA) Inc. should be directed to Shopify Payments (USA) Inc.; ℅ Corporation Trust Center; 1209 Orange Street; Wilmington, Delaware 19801; USA.
  • Shopify Capital Inc. is a Virginia corporation that provides the Shopify Capital service, currently limited to Merchants located in the United States.

    • Shopify Capital Inc. holds information about any cash advances offered to a Merchant, and the outstanding balance and historical payments on a cash advance accepted by a Merchant.
    • Legal requests to Shopify Capital Inc. should be directed to 4701 Cox Road; Suite 285; Glen Allen, Virginia 23060-6802; USA.
  • Shopify International Limited is an Irish limited corporation. Among other things, Shopify International Limited initially processes all Merchant, Buyer, and Partner data from data subjects located in Europe.

    • Shopify International Limited . controls the following types of information for individuals located in Europe: Merchant personal information; Merchant account information (including access records relating to use of the Shopify platform); Merchant revenue information (including aggregate revenues generated through third party payment processors); general information about orders placed through the Shopify platform; Merchant’s payment information (to pay Shopify subscription fees); Partner personal information; Partner account information; Partner revenue information.
    • Legal requests to Shopify International Limited. should be directed to Shopify International Limited., ℅ Intertrust Ireland; 2nd Floor Victoria Buildings 1-2; Haddington Road, Dublin 4; D04 XN32; Ireland.

What Legal Process Should a Requesting Party Follow?

Criminal Matters Canadian courts, persons, or bodies with jurisdiction to compel the production of information may serve us with search warrants, preservation orders, or subpoenas relating to criminal matters.

We will also accept service from US bodies for criminal matters in cases where we are subject to the specific personal jurisdiction of US courts -- i.e., in matters concerning Merchants within the US. If you are submitting a request on behalf of an American court or agency for information on a Merchant that is not located in the US, we require that you follow the Mutual Legal Assistance Treaty process.

Finally, we accept service if the request comes from another country that has jurisdiction over Shopify with respect to the particular information sought. If you are submitting a request on behalf of a court or agency from a country that has no direct jurisdiction over a Shopify entity, we require that you follow the Mutual Legal Assistance Treaty process.

Civil or Regulatory Matters Canadian courts, persons, or bodies with jurisdiction to compel the production of information may serve us with subpoenas or similar orders relating to civil or regulatory matters.

We will also accept service from US bodies for civil or regulatory matters in cases where we are subject to the specific personal jurisdiction of US courts -- i.e., in matters concerning Merchants within the US. If you are submitting a request on behalf of an American court or agency for information on a Merchant that is not located in the US, we require that you follow the Hague Evidence Convention (Letters Rogatory process).

Finally, we accept service if the request comes from another country that has jurisdiction over Shopify with respect to the particular information sought. If you are submitting a request on behalf of a court or agency from a country that has no direct jurisdiction over a Shopify entity, we require that you follow the Hague Evidence Convention (Letters Rogatory process).

Once you have determined what information you need and which entity holds that information, Shopify may be served at the address provided for each entity above (although we may be willing to accept email service in certain circumstances -- to inquire about email service, please reach out to us via legal@shopify.com).

Does Shopify Hold or Control Merchant Funds On Deposit?

While Shopify Inc. does provide our commerce platform to our Merchants, it does not provide payments processing services that would involve control over the funds that a Merchant earns through the platform. Instead, independent Shopify affiliates are responsible for processing payments for Merchants that use Shopify Payments: including Shopify Payments Canada Inc. for Merchants in Canada, and Shopify Payments (USA) Inc. for Merchants in the United States. But, as described below, neither of these entities holds or directs the funds that Merchants earn through the platform -- rather the funds are directed and held by other third parties.

Shopify Payments is a service that we provide through our Shopify Payments entities working together with Stripe, Inc. and an acquiring bank that has a relationship with Stripe, Inc. Our Shopify Payments Merchants are not entitled to any funds associated with Merchant transactions until such funds clear the credit card settlement process and are deposited by Stripe and Stripe’s acquiring bank into a Merchant's bank account. At no time does Shopify hold these funds, and we do not control the relevant account with Stripe’s acquiring bank. Accordingly, we do not have the ability to garnish receivables generated through the Shopify Payments Service.

Given this, any UCC liens, tax levies, garnishments, and other requests for Merchant money should be sent to Stripe, Inc., as Shopify does not hold funds on behalf of Merchants.

Does Shopify Store or Process Merchant Bank Account or Credit Card Numbers?

Shopify will only retain Merchants’ bank accounts records if the Merchants have provided that information in connection with setting up Shopify Payments. In order to be eligible for Shopify Payments, Merchants must be in a supported country (currently, the US, Canada, the UK, Australia, New Zealand, Ireland, and Singapore).

Shopify will only retain Merchants’ credit card information if they have subscribed to a paid Shopify service.

Will Shopify Voluntarily Disclose Non-Public Information to a Requesting Party?

No. As noted above, in accordance with Canadian privacy law, Shopify will only disclose non-public information in response to an enforceable subpoena or court order from a body that has jurisdiction to compel Shopify to disclose that information.

Will Shopify Notify Affected Merchants Before Disclosing Information?

Yes, where permitted. Shopify is committed to the privacy of our Merchants and their Buyers, and we strongly believe that the individuals whose data we process should be informed when we are required to produce information in response to a legal request. Accordingly, we will notify the affected individual of the request (or, if we serve as the processor of the data, the affected data controller) so that they may seek to exercise their rights and prevent disclosure. The only circumstances in which we will not provide this notice is if we are prohibited from doing so by law or court order.

If you receive a notice that Shopify has been compelled to produce your personal information, you may seek a protective order from a court. If you are able to provide us with such a protective order, we will object to the production demanded by the subpoena.

Does Shopify Charge Anything to Respond to a Legal Request?

We may not always do so, but we reserve the right to seek reimbursement, to the extent permitted by law, for the costs associated with responding to legal requests for information.

How Does Shopify Handle Data Preservation Orders?

Preservation orders may capture two types of information: shop data, or metadata.

Shop data includes information such as data on a Merchant themselves, as well as a store’s customers, transactions, account ownership, and products. We generally keep shop data for the lifetime of a store, and do not require a preservation order to maintain this data. We purge personal data within 90 days of a store’s deactivation, after which the identifiable data is no longer capable of being recovered.

Metadata includes information such as who accessed a store and when, or if any calls to support were made regarding a store. Metadata is generally kept for no longer than one year. As such, depending on when a request for metadata is made, and the period of time for which the metadata is sought, we may no longer have the ability to produce the requested data.

Last updated: September 14, 2018
© 2018 Shopify Inc.