Worth reading before you agree.
High confidence
Shopify collects a huge range of personal information from merchants, customers, and partners, including government IDs, credit history, purchase history, and browsing behavior. This data is shared with numerous third parties including payment processors, advertising networks, and AI companies like OpenAI and Anthropic. The legal terms include broad indemnification clauses, low liability caps, forced arbitration, and unilateral modification rights, giving you very limited control.
Moderate risk: notable concerns around data sharing, limited user controls, or vague language. Original assessment: Two or more critical findings (AI training on user data via third-party AI providers and collection of government-issued identification) trigger the mandatory grade cap, resulting in the lowest grade despite some positive features like account deletion options and opt-out for some services.
9 critical findings
This document contains terms that could seriously affect you. Read the watch-outs below before you agree.
You trade extensive personal and financial data including your name, address, payment card details, government-issued ID, credit history, browsing behavior, and purchase history. You also grant Shopify broad rights to use, share, and store this data, including sharing it with AI companies to train their models. In return, you get access to e-commerce tools to run your online store or shop conveniently. However, you also agree to legal terms that limit your ability to sue Shopify, require you to indemnify them, and allow them to change the terms at any time.
You can delete your account and request deletion of your personal data through the Shopify admin or privacy portal.
Shopify provides a built-in cookie banner tool that you can customize to collect consent for data collection.
You can opt out of Google Analytics tracking via instructions in the cookie policy.
If you use Shopify Payments, you can disable Managed Payment Features to control which payment methods are shown.
Shopify undergoes SOC 1 and SOC 2 compliance audits every 6 months and encrypts sensitive information.
You can opt out of Shopify Network Intelligence to prevent your customer data from being used for cross-merchant insights (though you lose access to some features).
Merchants can submit data subject requests through an online portal, and Shopify commits to responding within a reasonable time.
For Shopify Protect, there is a 60-day window to opt out of mandatory arbitration by writing to Shopify's Legal Department.
You can download your personal data from the Shopify admin for many account types.
The Shopify Data Processing Addendum (DPA) provides additional protections for merchants processing EU/UK customer data.
Your personal data, including anything you input into Shopify's AI assistant (Sidekick), can be sent to OpenAI, Anthropic, and Microsoft for AI model training and improvement. These third parties may use your data to train their own AI systems, and you have no control over that.
If anyone sues Shopify because of something related to your use of their service, you must pay for all of Shopify's legal costs and any damages, even if you didn't do anything wrong. This includes chargebacks, disputes with customers, and even claims against Shopify's payment partners.
Shopify collects your Social Security Number, driver's license, passport, and other government-issued IDs for payment processing and identity checks. This data is highly sensitive and could be exposed in a data breach, but the policies don't describe how it's protected.
Even if Shopify causes you significant financial harm through their fault, the most they will pay you is either $100 or the fees you paid in the last few months, whichever is less. This means you have almost no financial recourse.
Shopify can change these terms at any time without asking for your consent. If you keep using the service after the changes, you are considered to have accepted them, even if you never read the new terms.
Shopify combines your customer data with data from other merchants to generate insights and power features like targeted advertising and product recommendations. This means your customers' data is used to benefit other stores, and you can't fully control it.
In some agreements, you give up your right to sue in court or join a class action. Instead, you must resolve disputes through private arbitration, which is expensive and limits the evidence you can use.
Many Shopify policies don't specify how long they keep your personal data. This means your data could be stored indefinitely, even after you close your account, unless you specifically request deletion.
Identity verification, legal compliance (KYC/AML), payment processing
Credit checks to determine eligibility for Shopify Payments and Shopify Credit
Payment processing for purchases and subscription fees
Defined as sensitive personal data in the API terms, but not explicitly stated as actively collected for merchants
Voluntary disclosure for promoting diverse businesses in the Shop app
Account creation, order fulfillment, communication
Order processing, product recommendations, analytics
Analytics, advertising, improving services
Analytics, fraud prevention, location determination
Geolocation for local offers and analytics
Customer service, review by Shopify
Product improvement, using feedback without compensation
Your personal conversations with Shopify's AI assistant are processed by third-party AI companies that may train their own models on your data. There's no clear opt-out or deletion mechanism.
Your financial information is shared with multiple payment processors who may use it for fraud checks and risk management. You must agree to their separate terms.
Your activity on Shopify sites and merchant stores is tracked by advertising and analytics companies. They can use this data to show you targeted ads across the web.
Shopify pulls your credit report and uses third-party services to verify your identity. This data sharing cannot be opted out of if you use payment services.
Your data is stored on servers run by AWS and Google Cloud, which may have access to it for technical maintenance. Data may be held in the US, Canada, and other countries.
When you use Shopify Shipping, your order details are shared with third-party shipping providers to calculate rates and print labels.
Shopify can hand over your data and freeze your funds when it receives a legal order it considers valid, without necessarily challenging it. You may not be notified.
Your customer data is combined with data from other merchants to create insights for advertising and analytics. While raw data isn't shared, the insights benefit competing stores.
Installing an app gives the developer access to your Shopify data. Shopify is not responsible for how these third parties use your data.
What happens to your data if Shopify is acquired
Several documents mention that data may be shared in a merger or sale, but none specify what rights you have to object or delete your data after an acquisition.
Specific retention periods for many data types
Many policies say data is kept 'as long as needed' or 'while you have an account' without concrete timeframes, making it impossible to know when your data will be deleted.
How customers of merchants can exercise their privacy rights through Shopify
If you are a customer buying from a Shopify store, the merchant (not Shopify) controls your data. The policies don't clearly explain how you can ask Shopify to delete data the merchant shared.
Whether children's data is collected beyond age limits
Some documents set minimum ages (13 or 18) but none describe specific protections for children's data or how parents can exercise rights.
International transfer safeguards for most transfers
While some documents mention Standard Contractual Clauses for EU transfers, many others simply say data is transferred to the US or other countries without describing legal safeguards.
Breach notification procedures and timelines
No document clearly states how Shopify will notify users in case of a data breach or how quickly they must respond.
How to opt out of all cross-context behavioral advertising
While some opt-outs exist for specific services (Google Analytics), there is no global opt-out for all ad tracking across Shopify's ecosystem.
Assume the worst case: The governing law depends on which specific agreement applies to your use case. If multiple apply, the worst-case reading is that you may have to litigate in Ontario if you don't find a more specific clause.
Assume the worst case: The worst-case reading is that Shopify is not obligated to delete your data upon account closure despite some promises.
Assume the worst case: If you use Shopify Protect or USDC Rewards, you are likely bound to arbitration for those specific services, even if you don't agree to it for the core platform.
Assume the worst case: The worst-case cap is the lower of the two: $100 if you don't use paid services, or three months of fees if you do, though the $100 cap from the API terms may override for API-related claims.
Mixed
Grade A–E
Shopify's data posture is mixed. It offers strong security practices (SOC 2, breach notification in DPA) and user rights for merchants and consumers via a privacy portal. However, the scope of data collection is broad (government IDs, email content from connected inboxes, purchase history from third-party marketplaces), and the Enhanced Services/Shopify Network Intelligence feature aggregates customer data across merchants for targeted advertising, which is disclosed as potential 'sharing' under some US state laws. This cross-merchant data use is a material privacy impact that prevents a higher grade.
Status
Legacy risk index: 8/10
Shopify extensively collects shopper and merchant data, including for cross-merchant targeted advertising and AI services.
Shopify's Enhanced Services (Shopify Network Intelligence) aggregates customer data across merchants for targeted advertising, which may constitute a 'share' under some US state privacy laws—merchants can disable this in Settings > Customer Privacy but lose access to features like Shopify Audiences.
Merchant customer data is processed by AI providers including OpenAI, Anthropic, and Microsoft for Shopify Sidekick, and by Groq, Inc., which receives and processes 'all platform data' for artificial intelligence services; opt-out is unclear.
Shopify collects highly sensitive data including government-issued IDs (for Payments), copies of government IDs, and optionally racial/ethnic origin and sexual orientation (for Shop app listings).
Yes, sells your data
Tracks across sites
Self-service deletion
Personal data retained as long as necessary for business needs and legal requirements. Merchant store data retained for 2 years after closure before deletion begins. Deletion requests processed after a 90-day waiting period. Anonymized data retained indefinitely.
Mixed approach
How clearly they explain their practices
Shopify provides multiple role-specific privacy policies (merchants, consumers, partners, visitors) and a data processing addendum, clearly listing data types, purposes, and recipients. The cookie policy lists specific third-party cookies. However, some retention language is vague, and the full scope of AI service data flows (e.g., Groq processing 'all platform data') is only detailed in the subprocessors list, which is a separate document.
How much data they collect
Collection is extensive and includes high-sensitivity data: government-issued identification, Social Security Numbers (for Payments), optional racial/ethnic origin and sexual orientation (for Shop app), credit history, email content from connected inboxes, and purchase history from other marketplaces. This breadth goes well beyond what is necessary for core e-commerce functionality.
How much control you have over your data
Merchants and consumers have meaningful self-service controls: a privacy portal for access, correction, deletion, portability; in-app account deletion for Shop users; the ability to disable Shopify Network Intelligence; and a cookie banner. However, some controls are gated (government ID may be required for rights requests), and disabling Enhanced Services causes loss of app functionality.
How widely they share your data
Data is shared broadly with service providers, advertising and marketing vendors, merchants, and law enforcement. The DPA commits to not selling customer personal data, but the Enhanced Services feature can share customer interaction data with other merchants for targeted advertising, and the subprocessors page lists multiple AI providers (including Groq) processing 'all platform data'. Merchant data is shared with prospective acquirers in corporate transactions.
15 data vectors mapped
“Cloud hosting, content delivery, data processing, DDoS protection”
“Payment processing and settlement”
“Advertising and marketing”
“Analytics, product customization, advertising (cross-merchant)”
“Sales tax return generation and filing”
“Conversational AI services”
“Artificial intelligence services”
“Complying with legal requests (subpoenas, warrants, court orders)”
“Identity verification, risk assessment, eligibility determination”
“Due diligence and completion of corporate transactions”
“Interoperation with Shopify Services”
“Analytics, advertising, map services”
“Targeted advertising”
“Email and SMS transmission”
“Cryptocurrency payment processing”
“Merchant eligibility for cross-border commerce”
“Shop Pay Installments services”
Shopify's Privacy Policy clearly enumerates data types collected (name, email, government ID, payment info, browsing behavior) and ties each to specific legal bases (contract, legitimate interest, consent, legal obligation).
User rights are documented including access, correction, deletion, portability, restriction, and objection, exercisable through a privacy portal.
Sensitive personal data (government ID, racial/ethnic origin) is only processed with specific consent when required or as permitted by law.
International transfers to Canada rely on an EU adequacy decision; transfers to the US and other countries use Standard Contractual Clauses.
Data minimization principle is stated: 'Only request the merchant data you need to provide your service, nothing more.'
Machine learning use is partially addressed: Shopify states it either keeps a human in the loop or uses ML only for purposes without legal or significant effects.
A Data Processing Addendum (DPA) is referenced and available, providing additional contractual safeguards for merchants.
Cookie Policy provides detailed lists of cookies, categories, purposes, and durations.
SOC 1 and SOC 2 compliance audits are conducted every 6 months, providing independent security verification.
No specific data retention periods are defined for most data types; retention is described vaguely as 'as long as necessary' or 'while you use the service.'
No breach notification timeline or procedure is specified in the extracted documents.
Third-party sharing is broad and includes advertisers, analytics partners, and 'other third parties' without naming specific recipients in the main privacy policy.
The Enhanced Services / Shopify Network Intelligence feature involves cross-merchant data aggregation for advertising, which may constitute a 'sale' or 'sharing' under some interpretations, and the opt-out mechanism is not prominently described.
Government ID collection is required for KYC/AML compliance but the policy also allows requesting it from users exercising their data rights, creating a friction point.
The privacy policy defers key details to separate documents (Cookie Policy, DPA, Government Access Policy) without incorporating them by reference in a unified manner.
No explicit mention of Data Protection Impact Assessments (DPIAs) or a Data Protection Officer (DPO) contact in the extracted content.
AI/ML training on user data is not fully transparent; the policy states limitations but does not provide a clear opt-out for all AI processing.
Children's data collection is not addressed beyond a minimum age requirement; no special protections for minors are described.
Shopify explicitly states it does not 'sell' merchant customer data under CCPA definitions in the DPA.
Users can opt out of targeted advertising and sharing of personal data via the privacy portal.
Right to Know, Right to Delete, and Right to Non-Discrimination are documented in the consumer privacy policy.
Authorized agents can submit requests on behalf of consumers under US Privacy Laws.
The DPA includes specific CCPA commitments: Shopify will not retain, use, or disclose data outside the direct business relationship, will not combine data from other sources except as permitted, and will not sell or share data.
Global Privacy Control (GPC) signals are recognized as valid opt-out requests.
Shopify provides a dedicated consumer privacy policy (separate from the merchant policy) that addresses CCPA-specific rights.
The Enhanced Services feature may constitute a 'share' under CCPA, and the opt-out mechanism is not clearly described in the main policy.
No specific retention periods are provided for consumer data categories.
Third-party sharing with advertisers and marketing vendors is disclosed but not enumerated with specific recipient names.
The policy does not clearly distinguish between 'sale,' 'share,' and 'service provider' categories for all data flows.
No breach notification timeline specific to California residents is described.
The consumer privacy policy does not provide a clear 'Do Not Sell or Share My Personal Information' link as required by CCPA regulations.
Shopify identifies itself as a data processor for merchant customer data and as a controller for its own platform data, which aligns with PIPEDA's accountability principle.
Consent is obtained for marketing communications and sensitive data processing.
Individuals can access and correct their personal information through the privacy portal.
International transfers to Canada are covered by Canadian law, which the EU has found adequate.
The policy references a Data Processing Addendum that governs cross-border data flows.
No specific retention periods are defined for personal data, which is a PIPEDA requirement.
The policy does not clearly identify the individual accountable for compliance (Privacy Officer contact is referenced but not detailed in the extracted content).
Third-party sharing is broad and not limited to purposes that are reasonable and necessary.
No breach notification procedures or timelines are described, which PIPEDA now requires.
The cross-merchant data aggregation for Enhanced Services may not be covered by the original purpose of collection, raising concerns about proportionality.
Legal bases for processing are identified (contract, legitimate interest, consent, legal obligation), which aligns with LGPD requirements.
User rights including access, correction, deletion, and portability are documented.
Sensitive data processing requires specific consent, consistent with LGPD Article 11.
International transfer mechanisms (SCCs, adequacy decisions) are referenced.
No Data Protection Officer (DPO / Encarregado) is identified, which is mandatory under LGPD.
No specific retention periods are defined for personal data.
The policy does not address LGPD-specific rights such as confirmation of processing, anonymization, or blocking of unnecessary data.
No breach notification timeline or procedure is described, which LGPD requires.
The cross-merchant data sharing for advertising may not have a clear legal basis under LGPD's purpose limitation principle.
Children's data protections are not addressed beyond a minimum age, whereas LGPD has specific requirements for minors' data.
Shopify's terms require users to be at least 18 years old, which effectively excludes minors from creating accounts.
The policy does not target children as a user base.
No specific children's data collection policy or age-gating mechanism is described in the extracted documents.
No parental consent process is documented for any potential minor users.
The policy does not address whether Shopify collects data from children through merchant stores (e.g., if a merchant sells children's products).
No COPPA-specific compliance measures (such as FTC-approved parental consent mechanisms) are referenced.
The documents do not address HIPAA or health data processing. Shopify is not a covered entity or business associate under HIPAA based on the extracted content.