2021 Report

Compelled Disclosure

In 2021, Shopify received a total of 770 requests. We objected to 355 (46.1% of these requests).

This report includes data from January 1, 2021 to December 31, 2021.

Our Guiding Principles

Shopify is committed to protecting the privacy of our merchants, customers, partners, and everyone who entrusts us with their personal information. We believe that merchants own their personal information and the personal information of their customers. We are publishing this Transparency Report to:

  • Make commerce better for everyone by building consumer confidence through transparency, as recommended by the Office of the Privacy Commissioner of Canada.
  • Support an informed public debate on privacy rights by joining other members of our industry in reporting on government and other legal requests for access to data.
  • Comply with the spirit of and the principles underlying PIPEDA (the Canadian federal private sector privacy law), the GDPR (the European Union’s data protection regulation), and the CCPA (the California Consumer Privacy Act).

Our Process

To protect the privacy of our merchants, customers, and partners, we follow the below process upon receipt of a request to produce information about a merchant, a merchant’s customer, or a partner:

  • We will refuse to disclose personal information without a subpoena or court order issued by a body that has jurisdiction over Shopify.
  • Legal requests must be addressed to the correct Shopify entity (such as Shopify Inc. or Shopify International Limited).
  • We will always notify affected individuals before we disclose information, unless prohibited by law, and minimize the amount of personal information that we disclose.

We review the following factors to ensure that each order is legally and procedurally valid, broken down by heading below:

  • Jurisdiction and authority of requester
  • Type of legal request
  • Shopify entity and type of information requested

Information requests by country

In 2021, we received legal requests for information from twenty countries.

As outlined in our Guidelines on Legal Requests for Information, we will only respond to enforceable subpoenas or court orders issued by: (a) bodies that have jurisdiction over the specific Shopify entity from which information is being requested; and (b) the authority to compel the production of information.

If the requesting body does not have jurisdiction over the relevant Shopify entity, we require that they follow the Mutual Legal Assistance Treaty or Hague Evidence Convention (“Letters Rogatory”) processes.

2021 received requests by country
Information Requests by Country Requests Received
Argentina 18
Australia 8
Belgium 6
Brazil 6
Canada 8
Catalonia (Spain) 2
China 3
France 367
Germany 54
Greece 1
Hungary 1
Iceland 1
India 13
Israel 1
Italy 8
Japan 5
Lithuania 2
Malta 1
Mexico 1
New Zealand 1
Pakistan 1
Poland 2
Scotland 1
Singapore 6
Spain 26
UK 9
USA 218

Types of information requests

In 2021, we received different types of legal requests for information, including Grand Jury Subpoenas, Summons, Preservation Orders, Information Subpoenas, and Certifications of Trustee in Bankruptcy. We did not receive any national security letters, FISA orders, or other classified requests in 2021.

2021 received requests types
Type of Data Request Number received
Buyer Complaint 11
Court Order 30
Grand Jury Subpoena 51
Information Subpoena 192
Injunction (Preliminary or Permanent) 6
Law Enforcement Request 161
No Valid Order Attached 19
Preservation Order 10
Regulator/Consumer Protection Request 238
Search Warrant 5
Summons 9
Takedown Request 14
Temporary Restraining Order (TRO) 24

Individual Rights

Shopify strongly believes that individuals should have control over their personal information. In this spirit, and in accordance with our Privacy Policy, we respond directly to requests from our merchants, partners, and app users to access or delete their personal information. That said, when it comes to personal information about our merchants’ customers, we do not control that information - we only process that information as a “data processor” or a “service provider” for our merchants.

As a result, we are not permitted to respond to requests from a merchant’s customer directly. Instead, we relay these requests to the relevant merchant, and have built tools for our merchants to enable them to act on them in our platform.

In 2021, we fulfilled these data subject requests:

Individual access

2021 Individual Access Rights
Merchant access 10
Partners access 0
Shop access 10
Employee access 5

Deletion

2021 Individual Deletion Rights
Merchant deletion 1,616
Partner deletion 158
Shop opt-out 104,838
Employee deletion 0