What information do we collect from our merchants’ customers and why?
- We collect our merchants’ customers’ name, email, shipping and billing address, payment details, company name, phone number, IP address, information about orders you initiate, information about the Shopify-supported merchant stores that you visit, and information about the device and browser you use.
- We use this information to provide our merchants with the Services, including supporting and processing orders, risk and fraud screening, authentication, and payments. We also use this information to improve our Services.
- If you opt into Shopify Pay, we store and use this information to pre-fill your checkout information. We additionally use this information to help customize and improve your experience when you visit a merchant store by presenting to you goods and service that are more likely to be of interest to you.
- We use some of the personal information you provide us to conduct some level of automated decision-making -- for example, we use certain personal information (for example, IP addresses or payment information) to automatically block certain potentially fraudulent transactions for a short period of time.
When do we collect this information?
- We collect this information when you use or access a store that uses our Services, such as when you visit a merchant’s site, place an order or sign up for an account on a merchant’s site.
- We also collect this information when you opt into Shopify Pay, or use Shopify Pay to pre-fill your checkout information.
- Additionally, we partner with third parties who provide us information about our merchants’ customers, for example, to help us screen out merchants associated with fraud.
When and why do we share this information with third parties?
- Shopify works with a variety of third parties and service providers to help provide our merchants with the Services and we may share personal information with them to support these efforts.
- We may also share your information in the following circumstances:
- to prevent, investigate, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service or any other agreement related to the Services, or as otherwise required by law.
- If the merchant whose store you visit or access directs us to transfer this information (for example, if they enable a third party app that accesses customer personal information).
- to conform to legal requirements, or to respond to lawful court orders, subpoenas, warrants, or other requests by public authorities (including to meet national security or law enforcement requirements).
- Personal information may also be shared with a company that acquires our business or the business of a merchant whose store you visit or access, whether through merger, acquisition, bankruptcy, dissolution, reorganization, or other similar transaction or proceeding.
- Shopify is responsible for all onward transfers of personal information to third parties in accordance with the EU-U.S. Privacy Shield Framework, the Swiss-U.S. Privacy Shield Framework, and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
What information do we collect and why?
- As you visit or browse the Shopify websites, we collect information about the device and browser you use, your network connection, your IP address, and information about the cookies installed on your device. We also collect personal information submitted by you via any messaging feature available from any of our websites (“Messaging Feature”).
- We may also receive personal information when you purchase tickets or make other requests to Shopify via any of our websites.
- From telephone support users, we collect your phone number, call audio, and other personal information you provide us during our call. Pursuant to our Terms of Service, we may request additional documentation from you during our call to verify your identity.
- From chat support users, we collect your name, email address, information about the device and browser you use, your network connection, your IP address, chat transcript, and other personal information you provide us during our chat. Pursuant to our Terms of Service, we may request additional documentation from you during our chat to verify your identity.
- From forum users, we collect your name, email address, website URL, and other personal information you may post.
We use this information to verify your account, to provide and enhance our Services (including supporting or servicing your account, if applicable), and answer any questions you may have.
When do we collect this information?
- We collect this information when you visit the Shopify websites, use Services offered on our websites or engage with us either by email, web form, instant message, phone, or post content on or through our websites (including forums, blogs and via any Messaging Feature). We also collect any additional information that you might provide to us.
For how long do we retain your personal information?
- In general, we keep your personal information throughout your relationship with us. For merchants, this means we will keep your information as long as you maintain a store on your platform. For partners, this means we will keep your information until you inform us that you wish to terminate your partner relationship with us. For our merchants’ customers, we generally process your information solely as a data processor on behalf of our merchants, and it is up to the merchant to determine how long they will store your information in our systems.
- Shopify acts as a data processor on behalf of our merchants, except where personal data of merchants’ customers is used for the purposes specified for us in Section 3 ‘What do we use this data for?’ Purposes include for risk and fraud screening.
- Once you terminate your relationship with us, we generally will continue to store archived copies of your personal information for legitimate business purposes such as to defend a contractual claim or for audit purposes and to comply with the law, except when we receive a valid erasure request, or, if you are a merchant, you terminate your account and your personal information is purged pursuant to our standard purge process.
- If you use Shopify Pay, we keep your information as long as your Shopify Pay account remains active. If you would like to delete your Shopify Pay account, and for us to delete all of your personal information stored in connection with that account, please use the “Opt Out” toolbar at the bottom of our Shopify Pay website.
- We will continue to store anonymous or anonymized information, such as website visits, without identifiers, in order to improve our Services.
What we don’t do with your personal information
- We do not and will never share, disclose, sell, rent, or otherwise provide personal information to other companies (other than to specific Shopify merchants you are interacting with, or to third-party apps or service providers being used by the merchants you are interacting with) for the marketing of their own products or services.
- If you are a merchant using Shopify’s Services, we do not use the personal information we collect from you or your customers to independently contact or market to your customers. However, Shopify may contact or market to your customers if we obtain their information from another source, such as from the customers themselves (for example, if they use Shopify consumer-facing services like Arrive or Shopify Pay).
How do we keep your personal information secure?
- We follow industry standards on information security management to safeguard sensitive information, such as financial information, intellectual property, employee details and any other personal information entrusted to us. Our information security systems apply to people, processes, and information technology systems on a risk management basis.
- We perform annual audits to ensure our handling of your credit card information aligns with industry guidelines. We are certified as a PCI DSS Level 1 compliant service provider, which is the highest level of compliance available, and our platform is audited annually by a third-party qualified security assessor.
- No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee the absolute security of your personal information.