partners who develop apps for merchants to use, build stores on behalf of merchants, refer potential entrepreneurs to Shopify, or otherwise help merchants operate or improve their Shopify-powered business
Trust is the foundation of the Shopify platform and includes trusting us to do the right thing with your information. Three main values guide us as we develop our products and services. These values should help you better understand how we think about your information and privacy.
Your information belongs to you
We carefully analyze what types of information we need to provide our services, and we try to limit the information we collect to only what we really need. Where possible, we delete or anonymize this information when we no longer need it. When building and improving our products, our engineers work closely with our privacy and security teams to build with privacy in mind. In all of this work our guiding principle is that your information belongs to you, and we aim to only use your information to your benefit.
We protect your information from others
If a third party requests your personal information, we will refuse to share it unless you give us permission or we are legally required. When we are legally required to share your personal information, we will tell you in advance, unless we are legally forbidden.
We help merchants and partners meet their privacy obligations
Many of the merchants and partners using Shopify do not have the benefit of a dedicated privacy team, and it is important to us to help them meet their privacy obligations. To do this, we try to build our products and services so they can easily be used in a privacy-friendly way. We also provide detailed FAQs, documentation and whitepapers covering the most important privacy topics, and respond to privacy-related questions we receive.
Why we process your information
We generally process your information when we need to do so to fulfill a contractual obligation (for example, to process your subscription payments to use the Shopify platform), or where we or someone we work with needs to use your personal information for a reason related to their business (for example, to provide you with a service). European law calls these reasons “legitimate interests.” These “legitimate interests” include:
preventing risk and fraud
answering questions or providing other types of support
helping merchants find and use apps through our app store
providing and improving our products and services
providing reporting and analytics
testing out features or additional services
assisting with marketing, advertising, or other communications
We only process personal information for these “legitimate interests” after considering the potential risks to your privacy—for example, by providing clear transparency into our privacy practices, offering you control over your personal information where appropriate, limiting the information we keep, limiting what we do with your information, who we send your information to, how long we keep your information, or the technical measures we use to protect your information.
One of the ways in which we are able to help merchants using Shopify is by using techniques like “machine learning” (European law refers to this as “automated decision-making”) to help us improve our services. When we use machine learning, we either: (1) still have a human being involved in the process (and so are not fully automated); or (2) use machine learning in ways that don’t have significant privacy implications (for example, reordering how apps might appear when you visit the app store).
Your rights over your information
We believe you should be able to access and control your personal information no matter where you live. Depending on how you use Shopify, you may have the right to request access to, correct, amend, delete, port to another service provider, restrict, or object to certain uses of your personal information (for example, direct marketing). We will not charge you more or provide you with a different level of service if you exercise any of these rights.
If you buy something from a Shopify-powered store and wish to exercise these rights over information about your purchase, you need to directly contact the merchant you interacted with. We are only a processor on their behalf, and cannot decide how to process their information. As such, we can only forward your request to them to allow them to respond. We will of course help our merchants to fulfill these requests by giving them the tools to do so and by answering their questions.
Please note that if you send us a request relating to your personal information, we have to make sure that it is you before we can respond. In order to do so, we may ask to see documentation verifying your identity, which we will discard after verification.
If you would like to designate an authorized agent to exercise your rights for you, please email us from the email address we have on file for you. If you email us from a different email address, we cannot determine if the request is coming from you and will not be able to accommodate your request. In your email, please include the name and email address of your authorized agent.
If you are not happy with our response to a request, you can contact us to resolve the issue. You also have the right to contact your local data protection or privacy authority at any time.
Finally, because there is no common understanding about what a “Do Not Track” signal is supposed to mean, we don’t respond to those signals in any particular way.
Where we send your information
We are a Canadian company, but we work with and process data about individuals across the world. To operate our business, we may send your personal information outside of your state, province, or country, including to the United States. This data may be subject to the laws of the countries where we send it. When we send your information across borders, we take steps to protect your information, and we try to only send your information to countries that have strong data protection laws. If you would like more information about where your information might be sent, please contact us.
Transfers outside of Europe and Switzerland
If you are in Europe or Switzerland, your personal information is controlled by our Irish affiliate, Shopify International Ltd. Your information is then sent to other Shopify locations and to service providers who may be located in other regions, including Canada (where we are based) and the United States. When we send your personal information outside of Europe, we do so in accordance with European law.
If you are in Europe or Switzerland, when we send your personal information to Canada it is protected under Canadian law, which the European Commission has found will adequately protect your information. When we send your personal information directly to the United States, we do so under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield programs, which set out standards for how we process your personal information in the United States if you are located in Europe or Switzerland. These programs require us to follow the Privacy Shield Principles of notice, choice, accountability for onward transfers, security, data integrity, and purpose limitation, access, recourse, enforcement, and liability. Because we participate in these two programs, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.
If you are located in Europe or Switzerland and believe we are not following the Privacy Shield Principles, please reach out to us. If you believe that we haven’t properly addressed your complaint, you can also contact the International Centre for Dispute Resolution®, the international division of the American Arbitration Association® (ICDR/AAA). ICDR/AAA provides independent dispute resolution services at no charge to you. If you feel that your concerns have not been resolved after reaching out to ICDR/AAA, you can request that your complaint be resolved through binding arbitration.
Finally, while we do what we can to protect your information, we may at times be legally required to disclose your personal information (for example, if we receive a valid court order). For information about how we respond to such orders, please review our Guidelines for Legal Requests.
How we protect your information
Our teams work tirelessly to protect your information, and to ensure the security and integrity of our platform. We also have independent auditors assess the security of our data storage and systems that process financial information. However, we all know that no method of transmission over the Internet, and method of electronic storage, can be 100% secure. This means we cannot guarantee the absolute security of your personal information. You can find more information about our security measures at https://www.shopify.com/security.
How we use “cookies” and other tracking technologies
How you can reach us
If you would like to ask about, make a request relating to, or complain about how we process your personal information, you can contact us by email at email@example.com, or at one of the addresses below. If you would like to submit a legally binding request to demand someone else’s personal information (for example, if you have a subpoena or court order), please review our Guidelines for Legal Requests.
ATTN: Chief Privacy Officer
150 Elgin St.
Ottawa, ON K2P 1L4
If you are located in Europe, the Middle East, South America, or Africa:
Shopify International Ltd.
Attn: Data Protection Officer
c/o Intertrust Ireland
2nd Floor 1-2 Victoria Buildings
Dublin 4, D04 XN32
If you are located in Asia, Australia, or New Zealand: