2019 Report

Compelled Disclosure

In 2019, Shopify received a total of 245 information requests. We objected to 146 (56% of these requests). We could notify data subjects in 51% of the cases where we produced.

This report includes data from January 1, 2019 to December 31, 2019.

Our Guiding Principles

Shopify is committed to protecting the privacy of our merchants, customers, partners, and everyone who entrusts us with their personal information. We believe that merchants own their personal information and the personal information of their customers. We are publishing this Transparency Report to:

  • Make commerce better for everyone by building consumer confidence through transparency, as recommended by the Office of the Privacy Commissioner of Canada.
  • Support an informed public debate on privacy rights by joining other members of our industry in reporting on government and other legal requests for access to data.
  • Comply with the spirit of and the principles underlying PIPEDA (the Canadian federal private sector privacy law), the GDPR (the European Union’s data protection regulation), and the CCPA (the California Consumer Privacy Act).

Our Process

To protect the privacy of our merchants, customers, and partners, we follow the process below upon receipt of a request to produce information about a merchant, a merchant’s customer, or a partner:

  • We will refuse to disclose personal information without a subpoena or court order issued by a body that has jurisdiction over Shopify.
  • Legal requests must be addressed to the correct Shopify entity (such as Shopify Inc. or Shopify International Limited).
  • We will always notify affected individuals before we disclose information, unless prohibited by law, and minimize the amount of personal information that we disclose.

We review the following factors to ensure that each order is legally and procedurally valid. Each factor is broken down under its own heading below:

  • Jurisdiction and authority of requester
  • Type of legal request
  • Shopify entity and type of information requested

Information requests by country

In 2019, we received legal requests for information from twelve countries.

As outlined in our Guidelines on Legal Requests for Information, we will only respond to enforceable subpoenas or court orders issued by bodies that have: (a) jurisdiction over the specific Shopify entity from which information is being requested; and (b) the authority to compel the production of information.

If the requesting body does not have jurisdiction over the relevant Shopify entity, we require that they follow the Mutual Legal Assistance Treaty or Hague Evidence Convention (“Letters Rogatory”) processes.

2019 received requests by country
Country | Requests Received
Australia | 1
Belgium | 1
Brazil | 3
Canada | 5
France | 34
Germany | 26
India | 3
Italy | 5
Poland | 1
Spain | 10
UK | 2
USA | 154

Types of information requests

In 2019, we received different types of legal requests for information, including Grand Jury Subpoenas, Summons, Preservation Orders, Information Subpoenas, and Certifications of Trustee in Bankruptcy. We did not receive any national security letters, FISA orders, or other classified requests in 2019.

2019 received requests types
Type of Data Request | Number Received
Certification of Trustee in Bankruptcy | 1
Civil Investigative Demand | 12
Demand to Furnish Information | 1
Grand Jury Subpoena | 38
Information Injunction | 2
Law Enforcement Request | 54
Preservation Order | 2
Production Order | 5
Regulatory Request | 18
Search Warrant | 2
Subpoena | 93
Summons | 54
Other | 13

Individual Rights

Shopify strongly believes that individuals should have control over their personal information. In this spirit, and in accordance with our Privacy Policy, we respond directly to requests from our merchants, partners, and app users to access or delete their personal information. That said, when it comes to personal information about our merchants’ customers, we do not control that information - we only process that information as a “data processor” or a “service provider” for our merchants.

As a result, we are not permitted to respond to requests from a merchant’s customer directly. Instead, we relay these requests to the relevant merchant, and we have built tools in our platform that enable merchants to act on them.

In 2019, we fulfilled these data subject requests:

Access

2019 Individual Access Rights
Merchants 14
Partners 2

Deletion

2019 Individual Deletion Rights
Merchants 450
Partners 78