Processing GDPR data requests

The GDPR expands on an individual's right to access and control their personal data. This page includes:

  • A breakdown of those rights.
  • How you can use Shopify’s platform to address requests for each right.
  • What you may need to do independently from Shopify if you receive a request for each right.

Understand subject access and portability requests

The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data being processed by a company.

The GDPR therefore requires that you be able to provide your customers with a copy of their personal data in a format that is:

  • Common
  • Easily readable
  • Portable

This allows customers to use their data with a different service provider. Shopify allows you to export most data in CSV or Excel formats right from your admin (for example, order, payout, products, and customer information).

Generally, you should respond to a request within 30 days. Extensions are allowed if the request is exceptionally difficult to fulfill.

Process subject access and portability requests

If you receive an access or portability request, then you will first need to verify the identity of the requester (so that you do not inadvertently provide someone else your customer’s private personal information).


  1. From your Shopify admin, click Customers.

  2. Click the name of the customer you want to request a log for.

  3. Click Request customer data.

The customer's information is sent by email to the store owner. It's also available on the customer's profile page after you refresh the page. The store owner can then provide the information to the customer who made the request.

Article 15 of the GDPR will also require you to provide additional context around how you use the data you are providing, including:

  • The purposes for which the customer’s data was processed.
  • The third-parties that received this data.
  • Any relevant retention periods.
  • Where the information was collected from (if not directly from the customer).
  • Whether or not the data was used as part of any automated decision-making.

Additionally, you need to be able to ensure:

  • The customer’s right to request information be corrected or erased.
  • The customer’s right to object to how their information was processed.
  • The customer’s right to complain to a regulator.

Think about the following questions:

  • Are you able to provide all of the required context around a customer's data if they ask for it? Try to plan for a request in advance by maintaining a map of all of the personal data you (or the service providers you use, like Shopify) store about your customers.
  • Have you considered other service providers that you might use who may have access to your customers’ personal data? These could include third-party apps, channels, and payment gateways.
  • Do you have contact information for all of the third-party services you use that might store your customers’ personal data?

Process erasure requests

The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data.

"Personal data" means any data that can be used to identify an individual, including:

  • Name
  • Address
  • Email
  • IP address
  • Credit card number.

Personal data does not include information that is purely financial and cannot be linked to an individual, such as:

  • How many times a specific product has sold
  • How much revenue your store has made

If you receive a request for erasure (sometimes called redaction or deletion), then you should first verify the customer’s identity. You should also make sure there is no reason you need to keep the customer's data (for example, if the customer is also an employee).


  1. From your Shopify admin, click Customers.

  2. Click the name of the customer you want to request an erasure for.

  3. Click Erase personal data.

After you request an erasure through your admin, Shopify will transmit your erasure request to all apps that you have installed at the time you make the request that might have access to that customer’s data.

Once you request an erasure within your admin, a 10 day buffer period will begin during which you can cancel the request in case you made the request accidentally. To cancel a pending erasure request, contact Shopify Support, and include your store information and the relevant customer ID.

When you request an erasure, Shopify will only redact personal information (such as name and address). Your anonymized order information will remain intact in case you need it for accounting purposes. Once the relevant personal data has been erased, we will send you a confirmation email.

By default, Shopify will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for erasure is submitted in that time frame, then it will sit pending, and Shopify will action it once the appropriate time has passed. You do not need to submit another request.

If you would like to override this time delay (regardless of the risk of chargeback), contact Shopify Support.

Think about the following questions:

  • Are you storing any customer data on your own personal computers or in hard copy?
  • Are there other third parties, such as channels or payment gateways that you may need to contact to request they erase a customer's personal information?
  • Are there any local requirements, such as tax laws, that might require you to retain your customers’ personal information even if they request deletion? Consider consulting with a local lawyer familiar with data retention requirements to help answer this question.

Ready to start selling with Shopify?

Try it free