Privacy policy

By accessing or using and workshop website provided by Shopify you agree to be bound by our updated privacy Policy.

There’s no other action you need to take, but if you have any questions around the way we collect and process your data, you can contact us at

Please review the GDBR below carefully, and don't hesitate to contact our Compliance Manager Miss Harriet Williams

GDPR: ​General Data Protection Regulation UPDATE

We’ve updated our Privacy Policy in line with the new data protection regulations (GDPR) which come into effect on 25 May. We’ve also made it easier for you to understand all the information we collect and why we collect it.
Keeping your personal information safe and secure remains a top priority for us.

What data does the GDPR apply to?
The GDPR generally applies to the collection and processing of personal data. Under the GDPR, personal data means any information relating to a data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
● Name
● Identification number
● Location data
● Online identifier (such as IP address or cookie ID)

The GDPR also gives certain rights to identified or identifiable persons (referred to as ​data subjects)​ , including buyers visiting our website. These include the right to request:
● Deletion (e​rasure​) of their personal data
● Correction (r​ ectification)​ of their data
● Access to their data
● An export of their data in a common (​portable)​ format
Controller vs. Processor status
The GDPR separates data protection responsibilities into two categories: controllers and processors.
Controller:​ The party that determines for what purposes and how personal data is processed.2 ( SEE)
1 G​eneral Data Protection Regulation, Article 4(1).
2 General Data Protection Regulation, Article 4(7).

Processor:​ The party that processes personal data on behalf of the controller.3
Under the GDPR, in most cases the merchant collects information from their buyers as a controller. Generally, Shopify acts as the processor for us with respect to the buyers personal data (or, if the merchant acts as a processor, Shopify acts as a subprocessor):

The one exception is for buyers with whom Shopify has a direct existing relationship. For example:
● Buyers who use Shopify's Frenzy flash-sale app to access a merchant's store
● Buyers who use Shopify Pay, which allows the buyer to store their payment information with Shopify for use across different Shopify stores
● Buyers who use Shopify’s Arrive app to track the status of orders made from a merchant’s store

Although in such cases the merchant may also separately be a controller of the buyer’s personal data.

Processor obligations
To comply with the GDPR, generally the processor may only process personal data when authorised to do so by the controller.

Where Shopify is a processor for a merchant, it processes personal data on documented instructions from merchants. For example, when a merchant clicks ​Fulfill items,​ they give Shopify the instruction to process the data necessary to perform that action.

Similarly, when a merchant selects a particular payment processor, or installs an application through the Shopify app store, they give Shopify the instruction to transmit data to the relevant party.

The GDPR also places several other responsibilities on the processor, discussed below:

Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Shopify uses a number of subprocessors to provide the service, including to:
● Store platform data
● Operate the forums and other portions of Shopify's website
● Respond to and manage support inquiries
When a merchant signs up for the Shopify service, they consent to allow Shopify to use subprocessors. A list of subprocessors is available upon request.

Personal data breach reporting

Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.
Shopify is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a merchant's contract with Shopify.

Posting a privacy notice
When personal data is collected from a data subject, controllers must provide certain minimum information about the intended processing of the personal data, as well as information about how to contact and identify the controller

Merchants are responsible for providing this information to their buyers. Shopify provides this information in the Shopify Privacy Policy where it is a controller, and encourages merchants to provide this information in their own privacy policies
Complying with marketing and cookie regulations
Controllers are responsible for making sure that they comply with marketing and cookie regulations in the jurisdictions in which they operate.
Merchants with EU buyers should make sure that they obtain appropriate consent for the use of cookies—the ePrivacy Directive generally requires some form of consent in order to use tracking technologies.
All merchants should similarly make sure that their email marketing practices comply with applicable e-marketing or anti-spam requirements.

Obtaining consent to process children’s data

When offering goods or services online directly to children under 16 years of age, the controller is responsible for obtaining verifiable consent from the child's parents for processing their data

Merchants are responsible for assessing whether they need to obtain a higher level of consent for certain buyers.

Legal basis for processing

Personal data cannot be processed except under a recognized legal basis (unless an exemption applies).
The GDPR sets out a list of possible legalbases under which personal data may be processed. These reasons include:
● Consent
● Contractual obligations
● Legal obligations
● The public’s interests
● Legitimate interests of the controller or third party, balanced
against the rights of the data subject.

Consent ​of the data subject means the data subject has agreed to the processing of their personal data with a clear affirmative action.
This agreement must be:
● Freely given
● Specific
● Informed
● Unambiguous
Merchants, as controllers of their buyers’ personal data, are responsible for ensuring they have a proper legal basis for doing so, including keeping evidence of consent when processing is based on consent

As its merchants’ processor, Shopify is not responsible for the merchants’ legal bases but only processes buyers’ personal data on behalf of and on the instructions of the merchant. In certain cases, however, the law may additionally require consent for certain types of processing (for example, when placing or retrieving cookies on a device). In such cases, the merchant is also responsible for obtaining appropriate consent.
Upon request, Shopify will provide merchants with any reasonable information they require to obtain consent (for example, information about the categories of cookies placed when a buyer visits a storefront).

Data transfers
Personal data of residents of the EEA can only be transferred to recipients outside the EEA if the recipient has adequate protections in place. These protections may include:
● Adherence to domestic laws that have been deemed adequate by the European Commission
● Negotiated agreements (such as the EU-U.S. Privacy Shield)
● Contractual protections
● Approved sets of internal policies (Binding Corporate Rules)
● Approved codes of conduct or certifications.

Within EEA
EEA personal data is received and initially processed by Shopify's Irish entity, Shopify International Ltd.
EEA to Canada

Data is exported from the EEA to Shopify’s Canadian parent entity, Shopify Inc. This export takes place within Shopify’s corporate structure.
Data within Shopify Inc. is protected under PIPEDA, Canada’s private sector privacy legislation, which is considered adequate under the GDPR.

Shopify Inc. uses a combination of data centers and cloud service providers to store this personal data in the United States and Canada.
When personal data is transferred to the United States, it is either done so through the EU-U.S. and Swiss-U.S. Privacy Shield, for Shopify’s own storage, or through contractual data protection addenda (DPAs) with third-party service providers. The EU-U.S. and Swiss-U.S. Privacy Shields are also considered adequate under the GDPR. Shopify’s Privacy Shield certification statement can be found on
Additionally, Shopify is in the process of applying for approval of Binding Corporate Rules (BCRs) by the Irish Data Protection Commissioner. After they are approved, Shopify will rely on these BCRs to protect the personal data that is transferred between Shopify’s corporate entities worldwide.

Disclosures to third parties
Shopify will never independently sell personal data for commercial purposes. However, Shopify does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:
● Store platform data
● Operate the forums and other portions of Shopify's website
● Respond to and manage support inquiries
Additionally, Shopify may provide personal data, where permitted, to prevent, investigate, or respond to:
● Potential fraud
● Illegal conduct
● Physical threats
● Violations of any agreements with Shopify
Shopify also provides information to third parties when legally required to do so. Where Shopify believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order.
More information on when Shopify discloses personal data will soon be provided on Shopify's website under the heading Guidelines for Legal Requests for Merchant or Buyer Data.​

Data subject rights
The GDPR provides data subjects (in this case, buyers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous.

Data subjects have the right to request that their personal data be erased in certain circumstances.
If a merchant receives a request from a buyer to delete their personal data, before forwarding the request to Shopify, the merchant should:
● Verify that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data)
● Confirm there is no legal reason to preserve this data
If both conditions are satisfied, the merchant should forward the request to Shopify, either through Shopify's support system, or by emailing

If the buyer’s personal data cannot be erased for this reason, the merchant should re-submit the deletion request after the appropriate time has passed.
When processing a request for erasure, Shopify will anonymise the personal data of the buyer, but keep non-personal data such as revenue information and order details. Order details that are retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method.
If no data erasure requests are received, Shopify will keep data for the lifetime of a store, and purge personal data within 90 days after a store is closed.
Controllers must, upon request, explain to data subjects how their personal data is processed and provide access to this personal data.
If merchants cannot export data sufficient to fulfill the request from their admin, they can forward the request to Shopify. Similar to a request for erasure, if a buyer requests access to their personal data, the merchant should first validate the identity of the requester.The merchant can then reach out to Shopify, either through Shopify's supportsystem,or by emailing
When Shopify receives the request, it will:
● Confirm whether personal data about a buyer is being processed
by Shopify
Confirm what categories of data are being processed by Shopify
● Provide the buyer with the relevant information from Shopify
Data portability
Controllers who process data using automation must, in limited circumstances, provide data subjects with their personal data upon request. This data must be provided in a commonly used and machine-readable format.
Merchants may export some data directly from their store’s admin page. Many data types can be exported to common formats such as Excel or CSV with one click:
● Transaction histories
● Payouts
● Product lists
● Customer lists
In addition, if a merchant contacts Shopify to request copies of processed data, Shopify will make the data available in a common format.
Data subjects have the right to correct incomplete or inaccurate personal data held or processed by a controller.17
Shopify’s platform allows a merchant to change customer records directly from their store admin
Data protection and security
Under the GDPR, controllers and processors are required to implement appropriate technical and organisational measures
Shopify has implemented many of the controls and processes identified in the GDPR, including:
● Anonymising and encrypting personal data
● Ensuring confidentiality, integrity, availability, and resilience of
processing systems
● Restricting who may access personal data
● Ensuring availability and access to personal data in the event of a
physical or technical incident
● Performing regular testing, assessments, and evaluation of
technical and organisational security measures
Organisational measures
Shopify has a robust, cross-functional data protection program that is integrated with its information security program and includes several teams across the organisation. In particular, the data protection program includes a designated Data Protection Officer, who reports to senior management, as well as individuals from:
● Internal Security
● Legal
● Legal Operations
● Production Security
● Processing Integrity
Technological measures
Monitoring and logging
Controllers—and where applicable, their representative—must maintain records of the personal data processing activities for which they are responsible.

Security controls
Shopify encrypts data sent to and from merchants and buyers using the HTTPS protocol.
Shopify also encrypts any sensitive stored information, and salts and hashes merchant and buyer passwords using bcrypt.
Merchants can also set up additional security features. An account holder can take the following actions from their Shopify admin:
● Enable multi-factor authentication for staff
● Define, to a certain extent, what personal data is collected from
● View certain activity logs, including recent login activity by staff
● Set role-based permissions for staff accounts.


If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information contact our Privacy Compliance Officer at [Re: Privacy Compliance Officer]