App permissions and personal information

Permissions control what types of information from your store an app can access or modify for the functions it performs.

Personally identifiable information (PII) is information that alone or combined can uniquely identify an individual. Apps that you install from the Shopify App Store can access different types of PII when they use information about your store, customers, orders, or other business data.

Learn more about privacy and security.

Personally identifiable information that apps can access

Every app that you install has access to PII about your Shopify account, including your contact information and location. Depending on the function it performs, an app can require additional types of information.

An app might access the following types of PII:

  • Customer personal information, which includes contact information such as name, email address, phone number, and address. Apps that deal with orders, fulfillment, or shipping also require access to location information (such as IP address and geolocation), and user agent information (such as browser and operating system).
  • Shopify store owner personal information, which includes all contact information for the store owner, including name, email address, phone number, and addresses of all locations.
  • Staff personal information, which includes all contact information for staff, including name, email address, and phone number.
  • Content provider personal information, which includes information about blog authors or commenters (including email address and IP address), and user agent information (such as browser and operating system).

For example, an app that manages or fulfills orders requires access to order information that includes customer PII, such as customer addresses and other contact information. When you install an app that uses data from orders, the app might request permission to access recent orders or all orders. An app with permission to access recent orders can access data from only the last 60 days of orders. An app with permission to access all orders can access data from any past and future orders. Shopify reviews the apps that request access to all orders to make sure that the data is required for the app to work.

For information about how an app accesses, uses, and erases data, contact the app developer or view the app listing in the Shopify App Store for a link to the privacy policy.

Review an app's privacy details and permissions

During the installation of an app, you can review the permissions that app has and the type of PII that it needs to access before you confirm the installation.

After installation, you can review the permission details in the app's details page in your Shopify admin.

Steps:

  1. From your Shopify admin, go to Settings > Apps and sales channels.

  2. From the list of apps and sales channels, find the app that you want to review permissions for and click ... > View details.

  3. Review the Privacy details section for a list of what PII the app can access in your store.

  4. Review the Permission details section for a list of what the app has permission to do in your store.

Revoke access to data from an app

You can revoke access to data by uninstalling the app. After 48 hours, the developer is sent a request to erase all of your customers’ personal information the app collected while it was installed. If you request to erase an individual customer’s personal data from your store, then the same request is sent to every app you have installed that might have that customer’s information.

To confirm that the requested data was deleted, you need to check with the app's developer directly.

Can’t find the answers you’re looking for? We’re here to help.