Using Shopify to help comply with GDPR
When using Shopify, you have access to tools and information that you can use to help you to comply with the General Data Protection Regulation (GDPR). Although using Shopify can help you with GDPR compliance, it's your responsibility to understand your own obligations under GDPR and to ensure that you configure and use the platform in a way that complies with the requirements set forth by GDPR and other applicable data protection laws.
GDPR geographic requirements for processing or storing data
The GDPR doesn't require personal data to be processed or stored in Europe. The GDPR requires personal data of European residents transferred outside of Europe to be protected in accordance with applicable laws. Learn more about international data transfers.
Customer privacy
From your Shopify admin, go to Settings > Customer privacy to configure your privacy settings, such as your privacy policy, cookie banner, and data sales opt-out page, view installed privacy apps, and manage some of your marketing settings. Learn more about managing your customer privacy settings.
Data Processing Addendum
The Shopify Data Processing Addendum outlines the responsibilities between you and Shopify. When Shopify acts as a data processor or service provider, Shopify follows your instructions on how to handle your customer personal data. This agreement also helps to ensure that personal data is processed in accordance with European Data Protection Laws and other applicable global data protection laws.
In addition, Appendix E of the Shopify Data Processing Addendum outlines Shopify's role as a data controller or business if you use Enhanced Services.
Shopify Network Intelligence
If you've enabled Shopify Network Intelligence and you use Enhanced Services, then you have additional privacy compliance obligations under GDPR. You must:
- Include a link to Shopify's Consumer Privacy Policy in your privacy policy and post a link to your privacy policy prominently in your store, for example on the bottom of your homepage.
- Inform your customers in your terms of service and privacy policy that your store is hosted by Shopify, and that Shopify collects and processes your customers' personal data, for purposes including but not limited to providing Enhanced Services. You may describe these Enhanced Services as enabling you and Shopify to (i) provide customers with a more customized experience, (ii) serve your customers more relevant ads, and (iii) understand how customers interact with your Store and your ads.
- Inform your customers that information about their activity on your store will be shared with Shopify as well as with third parties that might be located in other countries, in order to provide you and your customers with services, including but not limited to Enhanced Services.
- Include a link to the method by which customers can opt out or object to Shopify processing their data for certain uses, depending on their jurisdiction: https://privacy.shopify.com.
Review the Additional Services Terms for an overview of your obligations when you have Shopify Network Intelligence enabled and receive Enhanced Services. You should also consult your own legal counsel to ensure that your business complies with applicable laws.
GDPR legal bases
The GDPR requires that you inform your users of the legal bases on which you rely to process their personal data. Below is a sample legal basis disclosure describing common legal bases relied upon by online merchants. This text is provided for informational purposes only. Consult your own legal counsel to determine appropriate legal bases for your data processing.
We generally process your information when we need to do so to fulfill a contractual obligation (for example, to process your payments for goods or services), or where we, our partner Shopify, or someone else we work with needs to use your personal data for a reason related to their business (for example, to provide you with a service). Laws in the European Economic Area ("EEA") and in the United Kingdom ("UK") call these reasons "legitimate interests." These "legitimate interests" include:
- preventing risk and fraud
- answering questions or providing other types of support
- helping merchants find and use apps through our app store
- providing and improving our products and services
- providing reporting and analytics
- testing out features or additional services
- assisting with marketing, advertising, or other communications
We process personal data for these "legitimate interests" only after considering the potential risks to your privacy and balancing any risks with certain measures—for example, by providing clear transparency into our privacy practices, offering you control over your personal data where appropriate, limiting the information we keep, limiting what we do with your information, who we send your information to, how long we keep your information, or the technical measures we use to protect your information. You may have the right to ask us to stop or restrict our processing of personal information for certain purposes.
We may also process your personal data where you have provided your consent. This applies, in particular, where we use your personal data to show customers personalized advertisements, where we cannot rely on an alternative legal basis for processing, or where we are required by applicable law to ask for your consent. At any time, you have a right to withdraw your consent by changing your preferences here [Note to merchant: insert a link to the relevant customer portal where your customers can exercise their rights to withdraw consent] or by contacting us.
When Shopify provides Enhanced Services, Shopify relies on consent to process personal data to show customers personalized advertisements.
Shopify also may rely on its own legitimate interests to:
- provide and improve products and services
- provide reporting and analytics
- test out features or additional services
- assist with marketing, advertising, or other communications
To make choices about how Shopify collects and uses your personal data, visit Shopify's Privacy Controls.
Data access and deletion
Shopify offers tools that let you access, edit, and delete customer data when a customer requests it. This helps you to fulfill a customer's rights to access, rectify, or erase their personal data as required by GDPR. Learn more about processing customer data requests.
In addition, if you have Shopify Network Intelligence enabled and receive Enhanced Services, then customers have direct rights with Shopify. You must make them aware of these rights and Shopify's processing as described in Shopify Enhanced Services.
Privacy policy templates
From your Shopify admin, go to Settings > Customer privacy to configure your privacy policy. Learn more about how to add a privacy policy to your online store.
Alternatively, you can use automated privacy settings and customize pre-built policy templates offered by Shopify to communicate your data processing practices. If you use Shopify's automated privacy policy and your store or customers are based in the UK, EEA, or Switzerland, then you may need to include the following updates to the automated privacy policy (that we're not able to automate for you):
- Include the legal basis for each of the purposes for which you process personal data. Please consult with legal counsel if you're unsure about the appropriate legal basis for processing personal data.
- Include contact details for the data protection officer (DPO), if you've appointed one, and contact details of your representative in the EEA, UK, or Switzerland if you have no EEA, UK, or Switzerland establishment.
By customizing these templates, you can be transparent about how you collect, use, and protect your customer's personal data. Learn more about adding store policies.
Security measures
Shopify implements robust security measures to protect personal data, including encryption, firewalls, and regular security audits. Learn more about Shopify's security certifications and standards.