If you run a Shopify store or you're planning to set one up, you need to create a Privacy Policy to let your customers know how you use their personal information.

We've produced a step-by-step guide to creating a Shopify store Privacy Policy. We're also going to look at some of the additional legal requirements you might need to comply with. Finally, we'll tell you how to post your Privacy Policy to your Shopify Store.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



Do I Need a Privacy Policy For My Shopify Store?

Yes, all Shopify merchants (businesses that use Shopify to sell their products) need a Privacy Policy.

Not only is posting a Privacy Policy a legal requirement, but it's also a requirement of your agreements with Shopify.

As a Shopify merchant, you agree to Shopify's Terms of Service, which incorporates its Privacy Policy.

Take a look at this section of Shopify's Privacy Policy:

Shopify Merchant Privacy Policy: Privacy Policy section of Customers Information clause

There it is: a clear requirement that every Shopify merchant must post a Privacy Policy on its website.

If you fail to comply with Shopify's Terms of Service and Privacy Policy, Shopify can terminate your account. Obviously, this would be a disaster for your business.

What to Include in Your Shopify Store Privacy Policy

We're going to look at how to create a Privacy Policy that fulfills Shopify's requirements and the legal requirements of some major markets.

Shopify's Requirements

Shopify requires that you disclose what information you collect, how you use it and who you share it with:

Shopify Merchant Privacy Policy: Privacy Policy section of Customers Information clause - large version

This paragraph states that, as a Shopify merchant, you must post a Privacy Policy that:

  • Identifies the personal information you collect
  • Describes how you collect and use your customers' personal information
  • Describes how Shopify collects and processes your customers' personal information on your behalf
  • Discloses the third parties with whom you share your customers' personal data

How You Collect Personal Information

In this section of your Privacy Policy, you can satisfy two of Shopify's requirements:

  • Identifying what personal information you collect
  • Explaining how you collect personal information

You can start by considering what personal information your customers (and potential customers) provide voluntarily, for example:

  • Name
  • Email address
  • Phone number
  • Username
  • Password
  • Shipping address
  • Payment card details
  • Billing address

Here's how Shopify merchant Rebecca Minkoff explains the types of personal information its customers provide voluntarily:

Rebecca Minkoff Privacy and Security Policy: Shopping clause

Rebecca Minkoff also identifies the types of personal information it collects from customers who set up an account:

Rebecca Minkoff Privacy and Security Policy: My Account clause

You probably also collect some technical information from visitors to your website automatically, with or without their prior knowledge. For example:

  • IP address
  • Cookie data
  • Browser type
  • Device ID
  • Referral data (i.e. the website they most recently visited that led them to your store)

You might be surprised to learn that these types of data qualify as "personal information." However, personal information is a very broad concept.

Increasingly, personal information is defined as any information that relates to an identifiable individual. Therefore, you should be as transparent as possible, and disclose all types of data that you collect from your customers and visitors to your website.

Here's how Shopify merchant Uproot Wines identifies the types of personal information it collects automatically from visitors to its website:

Uproot Privacy Policy: Automatic data collection clause

You should also disclose if your website uses cookies, pixels, or web beacons. These advertising and analytics tools can reveal personal information.

Some businesses post a separate Cookies Policy explaining what cookies do, how the business uses them, and how to prevent the website from setting them.

Here's an example of part of a Cookies Policy from Shopify merchant Gymshark. First, Gymshark explains what cookies are and why they are used:

Gymshark Cookie Policy: Intro clause

Further down the Policy, Gymshark explains how to block cookies on various web browsers:

Gymshark Cookie Policy: Disabling cookies clause

Note that it's not necessary to post a separate Cookies Policy. You can simply dedicate a section of your main Privacy Policy to cookies if you prefer.

How You Use Personal Information

In addition to explaining what personal information you collect, you must explain how you use personal information.

You should have a clear purpose for collecting personal information. It's bad practice to collect personal information unless you need it for a specified purpose. In fact, under EU law, it is unlawful to collect personal information unless you have a "lawful basis."

As an ecommerce retailer, you're likely to use personal information in some of the following ways:

  • Email address:

    • To confirm a customer's order
    • To update a customer on their order's shipping status
    • To send marketing emails
  • Name, payment card details, billing address:

    • To process payments
  • Shipping address:

    • To ship a customer's order
  • Cookie data:

    • To improve website functionality
    • For security purposes
    • To deliver targeted advertising

Here's an example from Shopify merchant Pixi Beauty UK:

Pixi Beauty UK Privacy Policy: Communications to Serve You clause

This paragraph describes how Pixi Beauty uses personal information to send transactional emails (such as company announcements, customer service emails, and welcome emails).

How Shopify Collects and Processes Personal Information on Your Behalf

Shopify collects personal information on your behalf as a "service provider" or "data processor." You must disclose this in your Privacy Policy. However, remember that you, as the merchant, are ultimately responsible for your customers' personal information.

Shopify offers a number of services that involve the collection and processing of your customers' personal information, including:

  • Web hosting
  • Abandoned cart recovery
  • Fraud screening
  • Marketing
  • Payment processing
  • Point-of-sale

Whatever Shopify services you use, you must explain how Shopify collects and uses the personal information of your customers and the visitors to your website.

If you use Shopify as a payment processor, here's an example of how you can disclose this in your Privacy Policy:

ColourPop Privacy Policy: Processing Your Payment clause

Note that this clause provides a link to Shopify's Privacy Policy.

Craft goods store Leif uses Shopify as a web host. Here's how Leif explains this to its customers:

Leif Privacy Policy: Shopify clause excerpt

Third Parties With Whom You Share Personal Information

Shopify requires that you disclose the third parties with whom you share personal information.

As an ecommerce retailer, you'll probably be sharing personal information with quite a lot of other companies in addition to Shopify.

For example, you might share personal data with:

  • Website hosts
  • Third-party payment processors such as PayPal or Stripe
  • Mail carriers
  • Marketing companies such as Mailchimp

You should be upfront about any third parties with whom you share or might share personal information.

Here's an example from Shopify merchant Bluebella:

Bluebella Security Policy Notice: Sharing Your Information clause

First, Bluebella reassures its customers that sharing personal information doesn't mean selling personal information. Practically every business needs to share some personal information with third parties.

Note that Bluebella names some of the specific third parties with whom it shares personal information, such as Shopify and Amazon Pay. In other cases, it simply identifies the types of third-party companies with whom it shares personal information, such as "marketing agencies" and "social media sites." This is likely to be acceptable in most contexts.

Legal Requirements

Global privacy laws require a Privacy Policy if your Shopify store collects any personal information, such as mailing addresses and financial information.

Shopify's requirements cover the bare minimum of what you should include in your Privacy Policy. You'll also likely have to meet the requirements of at least one privacy law.

Most major economies have a privacy law that requires businesses to post a Privacy Policy on their website. These laws also require businesses to include certain information in their Privacy Policies.

The difficulty is that these privacy laws all have different requirements for what a Privacy Policy must contain.

And to make things even more complicated, you have to comply with whatever privacy laws apply wherever your customers live.

United States

U.S. federal privacy law is pretty weak unless your business is aimed at children. Otherwise, if you have customers in the U.S., your main task is to comply with the privacy laws protecting California residents, since these are the strictest laws that affect anyone doing business with residents of this large state.

If your website is accessible in California, you need to comply with the California Online Privacy Protection Act (CalOPPA).

CalOPPA requires a commercial website to include the following information in its Privacy Policy:

  • The categories of personal information you collect
  • The categories of third parties you share personal information with
  • A description of any system you operate that allows users to access or modify the personal information you hold about them
  • Your process for informing consumers about changes to your Privacy Policy
  • The Privacy Policy's effective date
  • Whether your website honors "Do Not Track" signals
  • A disclosure of whether you use tracking cookies

You'll also need to comply with the California Privacy Rights Act (CPRA), which requires a Privacy Policy if you collect personal information from individuals in California.

For an in-depth look at how to create a Privacy Policy to satisfy any applicable California privacy law, including the California Consumer Privacy Act (CCPA), and the California "Online Eraser" Law, see our article Sample California Privacy Policy Template.

European Union and United Kingdom

If you have customers in the EU and/or the UK, you must comply with the EU General Data Protection Regulation (GDPR).

The GDPR's requirements are extensive. At a minimum, your Privacy Policy must contain:

For more information, see our article GDPR Privacy Policy.

Canada

If you have customers in Canada, you'll need to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

Under PIPEDA, your Privacy Policy must contain at least the following information:

  • Contact details for your Privacy Officer
  • Information about exercising "the right of access"
  • A list of the types of personal information you hold and your uses for that personal information
  • A copy of any relevant company policies
  • A disclosure of how you share personal information with third parties and subsidiaries

For more information, see our article Privacy Policy for Canada.

Other Locations

There are many other major markets which require businesses to publish a Privacy Policy, or that are developing new privacy laws that include this requirement:

Check out our article that covers more privacy laws by country.

How to Add a Privacy Policy Page for Shopify

Once you've created your Privacy Policy, here's how you can add it to your Shopify store. You can download these instructions as a PDF file.

  1. Log in to your Shopify Store.

  2. Go to Online Store:

    TermsFeed Shopify: Editor - Online Store highlighted

  3. Click on Pages and then on the Add page button in the upper right corner:

    TermsFeed Shopify: Online Store - Pages and Add Page button highlighted

  4. Type "Privacy Policy" in the page title field and click on the code icon button in the content field menu to show the HTML:

    TermsFeed Shopify: Pages - Add Page Title Privacy Policy highlighted

  5. Add the text for your Privacy Policy page.

    If you do not have a Privacy Policy, you can use our Privacy Policy Generator and create it within minutes.

  6. Once you have the Privacy Policy created by TermsFeed, let's get the policy text. Under the Copy your Privacy Policy section, click on Copy this to clipboard:

    TermsFeed App: Privacy Policy Download page - Copy your Privacy Policy section highlighted

  7. Go back to the Shopify Store page. Paste the HTML code into the Content editor field and click on the Save button:

    TermsFeed Shopify: Pages - Paste Privacy Policy HTML code into Content field and click on Save button highlighted

  8. You're done!

Once your Privacy Policy is added to your Shopify dashboard, you'll be able to link it to areas of your Shopify store.

Here's how to add a Privacy Policy URL to your website footer, which is the most common placement area. You can download these instructions as a PDF file.

  1. Log in to your Shopify Store.

  2. Go to Online Store:

    TermsFeed Shopify: Editor - Online Store highlighted

  3. Click on Navigation and then on Footer menu:

    TermsFeed Shopify: Editor - Online Store with Navigation and Footer Menu highlighted

  4. In Footer Menu under Menu items, click on Add menu item:

    TermsFeed Shopify: Editor - Online Store with Navigation and Footer Menu - Add menu item highlighted

  5. When the Add menu item editor opens, name your menu "Privacy Policy":

    TermsFeed Shopify: Navigation - Footer Menu - Add menu item - Name your menu Privacy Policy highlighted

  6. In order to get the Privacy Policy URL link, go to the TermsFeed Privacy Policy Generator to create the Privacy Policy and get the hosted Privacy Policy URL.

    Once you have the Privacy Policy created by TermsFeed, click Copy from the Link to your Privacy Policy section to copy the URL:

    TermsFeed Generators App: Privacy Policy Download Page - Link to hosted Privacy Policy URL copy option highlighted

  7. Go back to the Shopify Footer menu and paste the Privacy Policy URL in the Link field:

    TermsFeed Shopify: Navigation - Footer Menu - Add menu item - Paste Privacy Policy URL into Link field highlighted

  8. Click the Add button at the bottom of the Add menu item editor.

  9. Then click on Save Menu:

    TermsFeed Shopify: Footer Menu - Privacy Policy menu item added with Save menu button highlighted

  10. You're done!

  1. Log in to your Shopify Store.

  2. Go to Settings:

    TermsFeed Shopify: Editor - Settings highlighted

  3. Scroll down to and click on the Policies section:

    TermsFeed Shopify: Editor - Settings - Policies highlighted

  4. An editor will open with fields where you can add your policies:

    TermsFeed Shopify: Editor - Settings - Policies - Store policies highlighted

  5. Add the text for your Privacy Policy page.

    If you do not have a Privacy Policy, you can use our Privacy Policy Generator and create it within minutes.

  6. Once you have the Privacy Policy created by TermsFeed, let's get the policy text. Under the Copy your Privacy Policy section, click on Copy this to clipboard:

    TermsFeed App: Privacy Policy Download page - Copy your Privacy Policy section highlighted

  7. Go back to the Shopify Store policies, click on the code icon on the right side of the editor and paste the Privacy Policy HTML:

    TermsFeed Shopify: Editor - Settings - Policies - Store policies - Paste Privacy Policy HTML highlighted

  8. Click Save in the upper right corner.

  9. You're done!

To see how the policies look on your checkout pages, follow these instructions:

  1. Go to checkout:

    TermsFeed Shopify: Editor - Settings - Checkout highlighted

  2. Under Checkout style, click the Customize checkout button:

    TermsFeed Shopify: Editor - Settings - Checkout - Style - Customize checkout button highlighted

  3. Your store policies will appear in the footer of your Checkout page:

    TermsFeed Shopify: Editor Checkout page with Store policies added in the footer highlighted

  4. You're done!

Summary of Your Shopify Store Privacy Policy

The key sections of your Shopify store Privacy Policy include:

  • The types of personal information you collect and how you collect it
  • How you use personal information
  • How Shopify collects and uses personal information on your behalf
  • The third parties with whom you share personal data

You must also provide any additional information that is legally required in your customers' countries of residence.

Don't forget to add your Privacy Policy to your Shopify store and add a link to your Privacy Policy in your store's footer.
