Privacy Policy for Shopify Stores

If you run a Shopify store or you're planning to set one up, you need to create a Privacy Policy to let your customers know how you use their personal information.

Complying with global privacy laws might not be at the top of your to-do list, but don't neglect this important aspect of your business.

We've produced a step-by-step guide to creating a Shopify store Privacy Policy. We're also going to look at some of the additional legal requirements you might need to comply with. Finally, we'll tell you how to post your Privacy Policy to your Shopify Store.


Do I Need a Privacy Policy For My Shopify Store?

Yes, all Shopify merchants (businesses that use Shopify to sell their products) need a Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer the questions about your website and click "Next step" when finished:

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  4. Answer the questions about your business practices and click "Next step" when finished:

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  5. Enter the email address where you'd like your policy sent, select any translation versions you need, and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

Not only is posting a Privacy Policy a legal requirement, but it's also a requirement of your agreements with Shopify.

As a Shopify merchant, you agree to Shopify's Terms of Service, which incorporates its Privacy Policy.

Take a look at this section of Shopify's Privacy Policy:

Shopify Merchant Privacy Policy: Privacy Policy section of Customers Information clause

There it is: a clear requirement that every Shopify merchant must post a Privacy Policy on its website.

If you fail to comply with Shopify's Terms of Service and Privacy Policy, Shopify can terminate your account. Obviously, this would be a disaster for your business.

What to Include in Your Shopify Store Privacy Policy

We're going to look at how to create a Privacy Policy that fulfills Shopify's requirements and the legal requirements of some major markets.

Shopify's Requirements

Let's take another look at what Shopify requires from your Privacy Policy:

Shopify Merchant Privacy Policy: Privacy Policy section of Customers Information clause - large version

This paragraph states that, as a Shopify merchant, you must post a Privacy Policy that:

  • Identifies the personal information you collect
  • Describes how you collect and use your customers' personal information
  • Describes how Shopify collects and processes your customers' personal information on your behalf
  • Discloses the third-parties with whom you share your customers' personal data

How You Collect Personal Information

In this section of your Privacy Policy, you can satisfy two of Shopify's requirements:

  • Identifying what personal information you collect
  • Explaining how you collect personal information

You can start by considering what personal information your customers (and potential customers) provide voluntarily, for example:

  • Name
  • Email address
  • Phone number
  • Username
  • Password
  • Shipping address
  • Payment card details (on a Shopify store these are normally captured and processed by Shopify Payments or your payment gateway rather than stored by you; your policy should say so rather than imply that you hold card numbers yourself)
  • Billing address

Here's how Shopify merchant Rebecca Minkoff explains the types of personal information its customers provide voluntarily:

Rebecca Minkoff Privacy and Security Policy: Shopping clause

Rebecca Minkoff also identifies the types of personal information it collects from customers who set up an account:

Rebecca Minkoff Privacy and Security Policy: My Account clause

You probably also collect some technical information from visitors to your website automatically, with or without their prior knowledge. For example:

  • IP address
  • Cookie data
  • Browser type
  • Device ID
  • Referral data (i.e. the website or link that brought the visitor to your store)

You might be surprised to learn that these types of data qualify as "personal information." However, personal information is a very broad concept.

Increasingly, personal information is defined as any information that relates to an identifiable individual. Therefore, you should be as transparent as possible, and disclose all types of data that you collect from your customers and visitors to your website.

Here's how Shopify merchant Uproot Wines identifies the types of personal information it collects automatically from visitors to its website:

Uproot Privacy Policy: Automatic data collection clause

You should also disclose if your website uses cookies, pixels, or web beacons. These advertising and analytics tools can reveal personal information.

Some businesses post a separate Cookies Policy explaining what cookies do, how the business uses them, and how to prevent the website from setting them.

Here's an example of part of a Cookies Policy from Shopify merchant Gymshark. First, Gymshark explains what cookies are and why they are used:

Gymshark Cookie Policy: Intro clause

Further down the Policy, Gymshark explains how to block cookies on various web browsers:

Gymshark Cookie Policy: Disabling cookies clause

Note that it's not necessary to post a separate Cookies Policy. You can simply dedicate a section of your main Privacy Policy to cookies if you prefer.

How You Use Personal Information

In addition to explaining what personal information you collect, you must explain how you use personal information.

You should have a clear purpose for collecting personal information. It's bad practice to collect personal information unless you need it for a specified purpose. In fact, under the GDPR it is unlawful to process personal data at all unless you can rely on one of its "lawful bases" (such as consent, performance of a contract, or legitimate interests).

As an ecommerce retailer, you're likely to use personal information in some of the following ways:

  • Email address:

    • To confirm a customer's order
    • To update a customer on their order's shipping status
    • To send marketing emails
  • Name, payment card details, billing address:

    • To process payments
  • Shipping address:

    • To ship a customer's order
  • Cookie data:

    • To improve website functionality
    • For security purposes
    • To deliver targeted advertising

Here's an example from Shopify merchant Pixi Beauty UK:

Pixi Beauty UK Privacy Policy: Communications to Serve You clause

This paragraph describes how Pixi Beauty uses personal information to send transactional emails (such as company announcements, customer service emails, and welcome emails).

How Shopify Collects and Processes Personal Information on Your Behalf

Shopify collects personal information on your behalf as a "service provider" or "data processor." You must disclose this in your Privacy Policy. However, remember that you, as the merchant, are the "controller" of your customers' personal information (to use the GDPR's term) and are ultimately responsible for it.

Shopify offers a number of services that involve the collection and processing of your customers' personal information, including:

  • Web hosting
  • Abandoned cart recovery
  • Fraud screening
  • Marketing
  • Payment processing
  • Point-of-sale

Whatever Shopify services you use, you must explain how Shopify collects and uses the personal information of your customers and the visitors to your website.

Cosmetics company ColourPop uses Shopify as a payment processor. Here's how ColourPop discloses this in its Privacy Policy:

ColourPop Privacy Policy: Processing Your Payment clause

Note that ColourPop provides a link to Shopify's Privacy Policy.

Craft goods store Leif uses Shopify as a web host. Here's how Leif explains this to its customers:

Leif Privacy Policy: Shopify clause excerpt

Third Parties With Whom You Share Personal Information

Shopify requires that you disclose the third parties with whom you share personal information.

As an ecommerce retailer, you'll probably be sharing personal information with quite a lot of other companies in addition to Shopify.

For example, you might share personal data with:

  • Website hosts
  • Third-party payment processors such as PayPal or Stripe
  • Mail carriers
  • Marketing companies such as Mailchimp

You should be upfront about any third parties with whom you share or might share personal information.

Here's an example from Shopify merchant Bluebella:

Bluebella Security Policy Notice: Sharing Your Information clause

First, Bluebella reassures its customers that sharing personal information doesn't mean selling personal information. Practically every business needs to share some personal information with third parties.

Note that Bluebella names some of the specific third parties with whom it shares personal information, such as Shopify and Amazon Pay. In other cases, it simply identifies the types of third-party companies with whom it shares personal information, such as "marketing agencies" and "social media sites." This is likely to be acceptable in most contexts.

Legal Requirements

Shopify's requirements cover the bare minimum of what you should include in your Privacy Policy. You'll also have to meet the requirements of at least one privacy law.

Most major economies have a privacy law that requires businesses to post a Privacy Policy on their website. These laws also require businesses to include certain information in their Privacy Policies.

The difficulty is that these privacy laws all have different requirements for what a Privacy Policy must contain.

And to make things even more complicated, you have to comply with whatever privacy laws apply wherever your customers live, not just where your business is based.

United States

There is no comprehensive U.S. federal privacy law. The main federal rule that affects an online store is the Children's Online Privacy Protection Act (COPPA), and it only applies if your store is directed at children under 13. For most merchants with U.S. customers, the practical task is complying with California's privacy laws, which are the most demanding (a growing number of other states have passed comparable laws, so check where your customers are).

CalOPPA applies to any operator of a commercial website that collects personally identifiable information from California residents, so if you sell to Californians, it applies to you.

CalOPPA requires a commercial website to include the following information in its Privacy Policy:

  • The categories of personally identifiable information you collect
  • The categories of third parties with whom you may share that information
  • A description of any process you offer that allows users to review and request changes to the personal information you hold about them
  • Your process for informing consumers about material changes to your Privacy Policy
  • The Privacy Policy's effective date
  • How your website responds to "Do Not Track" signals and similar mechanisms
  • Whether third parties (for example advertising networks) may collect personally identifiable information about a user's online activities over time and across different websites when the user visits your store

For an in-depth look at how to create a Privacy Policy to satisfy any applicable California privacy law, including the California Consumer Privacy Act (CCPA), and the California "Online Eraser" Law, see our article Sample California Privacy Policy Template.

European Union and United Kingdom

If you have customers in the EU, you must comply with the EU General Data Protection Regulation (GDPR). For customers in the UK, the UK GDPR applies, and its requirements are substantially the same.

The GDPR's requirements are extensive. Article 13 sets out what you must tell people when you collect their personal data, so at a minimum your Privacy Policy must contain:

  • Your identity and contact details (and those of your Data Protection Officer, if you have one)
  • The purposes for which you process personal data, and the lawful basis for each purpose (including the "legitimate interests" you rely on, where that is the basis)
  • The recipients, or categories of recipients, of the personal data
  • Whether you transfer personal data outside the EU/EEA (or UK) and the safeguards you rely on
  • How long you keep personal data, or the criteria you use to decide
  • The rights of data subjects: access, rectification, erasure, restriction of processing, data portability, and objection
  • The right to withdraw consent at any time, where consent is your lawful basis
  • The right to lodge a complaint with a supervisory authority
  • Whether providing the data is a statutory or contractual requirement, and the consequences of not providing it
  • Whether you use automated decision-making, including profiling, and if so the logic involved and its consequences

For more information, see our article GDPR Privacy Policy.

Canada

If you have customers in Canada, you'll need to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

Under PIPEDA, your Privacy Policy must contain at least the following information:

  • Contact details for your Privacy Officer
  • Information about exercising "the right of access"
  • A list of the types of personal information you hold and your uses for that personal information
  • A copy of any relevant company policies
  • A disclosure of how you share personal information with third parties and subsidiaries

For more information, see our article Privacy Policy for Canada.

Other Locations

Many other major markets require businesses to publish a Privacy Policy, or are developing new privacy laws that include this requirement.

Check out our article that covers more privacy laws by country.

How to Add a Privacy Policy Page for Shopify

Once you've created your Privacy Policy, here's how you can add it to your Shopify store.

Log into your Shopify admin. In the side menu of the dashboard, choose "Online Store," then "Pages."

Shopify dashboard: Pages highlighted

On the "Pages" page, select "Add page."

Shopify dashboard: Pages - Add Page button highlighted

On the "Add page" page, enter "Privacy Policy" in the "Title" field, then paste your Privacy Policy into the "Content" field.

Shopify dashboard: Add Page - Title and text field highlighted

Once your Privacy Policy is added to your Shopify dashboard, you'll be able to link it to areas of your Shopify store. Here's how to add it to your footer, which is the most common placement area.

How to Link to your Privacy Policy in Shopify

In the "Online Store" menu, select the "Navigation" option. On the Navigation page, choose "Footer menu."

Shopify dashboard: Navigation and footer menu highlighted

On the "Footer menu" page, click "Add menu item."

Shopify dashboard: Footer menu - Add menu item highlighted

Give the menu item a name such as "Privacy Policy," select your Privacy Policy page in the "Link" field, and save the menu.

Shopify dashboard: Add menu item - Link highlighted

Summary of Your Shopify Store Privacy Policy

The key sections of your Shopify store Privacy Policy include:

  • The types of personal information you collect and how you collect it
  • How you use personal information
  • How Shopify collects and uses personal information on your behalf
  • The third parties with whom you share personal data

You must also provide any additional information that is legally required in your customers' countries of residence.

Don't forget to add your Privacy Policy to your Shopify store and add a link to your Privacy Policy in your store's footer.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.