BigCommerce stores need a privacy policy that covers customer data, payment processing, installed apps, and multi-channel selling. BigCommerce collects order details, payment information through gateways like Braintree and Stripe, shipping addresses, customer account data, and analytics. If you sell on Amazon, eBay, Facebook, or Instagram through BigCommerce, your privacy policy must also disclose those data sharing relationships. Every installed app that handles customer data requires disclosure.
BigCommerce is a hosted ecommerce platform that powers online stores across industries, from small businesses to enterprise brands. Unlike self-hosted platforms, BigCommerce handles server infrastructure, security patches, and PCI compliance at the platform level. But this does not eliminate your obligation to maintain a privacy policy.
As a BigCommerce store owner, you are the data controller for all customer information your store collects. This includes checkout data, customer accounts, payment details sent to your gateway, shipping information shared with carriers, and data transmitted to every third-party app you have installed. BigCommerce itself is a data processor acting on your behalf, but you remain responsible for disclosing all data practices to your customers.
This guide covers exactly what data BigCommerce collects, how customer data flows through your store, payment gateway disclosure requirements, app-specific obligations, multi-channel selling considerations, and how to publish your privacy policy in the BigCommerce admin.
What BigCommerce Collects
BigCommerce collects data at multiple points throughout the customer journey. Some data is collected during checkout, some through customer accounts, some through storefront browsing, and some through connected apps and sales channels. Your privacy policy must address each category.
Under GDPR, the principle of transparency (Article 5(1)(a)) requires you to clearly inform users about every category of personal data you collect. Under CCPA, you must disclose the categories of personal information collected in the preceding 12 months. BigCommerce stores typically fall into multiple data categories that require individual disclosure.
Orders: names, addresses, items, totals
Payments: card data via payment gateway
Channels: Amazon, eBay, Facebook, Instagram
BigCommerce collects the following categories of data by default: customer names and email addresses from checkout and account registration, billing and shipping addresses, phone numbers, order details including items purchased and quantities, payment references and transaction IDs, customer account credentials and saved addresses, storefront analytics including page views and product interactions, and IP addresses for fraud detection and analytics.
The key distinction to understand is what BigCommerce stores on its platform versus what it sends to external services. Full credit card numbers are never stored in your BigCommerce store. They are processed directly by your payment gateway. BigCommerce stores transaction reference IDs and payment method type for order management purposes.
Did you know?
BigCommerce is a Level 1 PCI DSS certified platform, which means it meets the highest level of payment card industry security standards. This covers the platform infrastructure, but it does not cover your privacy policy obligations. PCI compliance protects card data security. Privacy compliance requires you to disclose what data you collect and why.
Customer Data Flow in BigCommerce
Understanding how customer data moves through your BigCommerce store is essential for writing an accurate privacy policy. Data does not stay in one place. It flows from your storefront to BigCommerce servers, then to payment gateways, shipping providers, marketing apps, and sales channels.
Here is how customer data flows through a typical BigCommerce store.
| Data Category | Specific Data Points | Where It Goes | GDPR Legal Basis |
|---|---|---|---|
| Order Data | Customer name, email, billing address, shipping address, phone, order items, quantities, totals | BigCommerce platform, shipping providers, tax services | Contract performance |
| Payment Data | Card number, expiry, CVV (processed by gateway), transaction ID, payment method (stored by BigCommerce) | Payment gateway (Braintree, Stripe, PayPal) | Contract performance |
| Account Data | Username, email, password hash, saved addresses, order history, wish lists | BigCommerce platform | Contract / Consent |
| Analytics Data | Page views, product interactions, conversion events, search queries, traffic sources | BigCommerce Analytics, connected analytics apps | Legitimate interest |
| Shipping Data | Shipping address, selected carrier, tracking number, package details, delivery status | Shipping providers (via ShipStation, ShipperHQ, or direct) | Contract performance |
| Channel Data | Product listings, order sync data, customer details shared with Amazon, eBay, Facebook, Instagram | Each connected sales channel platform | Contract performance / Consent |
| Marketing Data | Email addresses, marketing consent, campaign interactions, abandoned cart data | Email marketing apps (Klaviyo, Privy, Justuno) | Consent / Legitimate interest |
Your privacy policy must trace these data flows accurately. For each category, customers need to know what data is collected, why it is collected, where it goes, and how long it is kept. This is the core transparency requirement under both GDPR and CCPA.
Q: Does BigCommerce itself need to be listed as a data processor in my privacy policy?
Yes. BigCommerce hosts your store and processes customer data on your behalf. Under GDPR, BigCommerce is a data processor and should be disclosed. BigCommerce provides a Data Processing Addendum (DPA) as part of its terms of service for this purpose.
Q: What about guest checkout data?
Even when customers check out as guests without creating an account, BigCommerce still collects their name, email, billing address, shipping address, and payment details. Guest checkout data must be covered in your privacy policy just like registered customer data.
Payment Gateway Disclosures
BigCommerce integrates with multiple payment gateways that process sensitive customer financial data. Your payment gateway receives credit card numbers, billing addresses, and transaction details directly from customers during checkout. GDPR Article 13(1)(e) requires you to disclose the recipients or categories of recipients of that data, and the regulators' transparency guidance expects recipients to be named wherever possible, so identify each payment processor by name and explain what data it receives.
Here are the most common BigCommerce payment gateways and what data they handle.
| Gateway | Data Received | PCI Compliant | GDPR DPA Available |
|---|---|---|---|
| Braintree | Card number, expiry, CVV, billing address, email, IP address, device data for fraud detection | PCI DSS Level 1 | Yes |
| Stripe | Card number, expiry, CVV, billing address, email, IP address, device fingerprint for fraud prevention | PCI DSS Level 1 | Yes |
| PayPal | PayPal account email, transaction amount, billing address, shipping address, order details | PCI DSS Level 1 | Yes |
| Square | Card number, expiry, CVV, billing address, transaction amount, customer name, email | PCI DSS Level 1 | Yes |
| Authorize.net | Card number, expiry, CVV, billing name and address, transaction amount, IP address | PCI DSS Level 1 | Yes |
Your privacy policy should name the specific payment gateway you use. Article 13 allows disclosing categories of recipients in principle, but a bare "we use a third-party payment processor" leaves customers unable to find the processor's own policy and is exactly the vague disclosure that transparency guidance discourages. Identify the processor by name, describe what data it receives, state the purpose (payment processing), and link to its privacy policy.
If you accept multiple payment methods (for example, Braintree for credit cards and PayPal as an alternative), you must disclose each one separately. Each payment method represents a distinct data flow to a distinct processor.
Did you know?
BigCommerce offers a built-in payment solution called BigCommerce Payments, which is powered by Braintree (a PayPal company). If you use BigCommerce Payments, your privacy policy should mention both BigCommerce Payments and the fact that Braintree processes the actual card transactions. This is similar to how Shopify Payments operates through Stripe.
BigCommerce Apps That Collect Customer Data
Most BigCommerce stores rely on apps from the BigCommerce App Marketplace to add functionality: email marketing, reviews, shipping, analytics, and sales channel integrations. Many of these apps collect customer data or send data to external services. Each one is a data processor that your privacy policy must disclose.
Here are the most common BigCommerce apps and the data they handle.
| App | Category | Data It Collects or Transmits | Sends Data Externally |
|---|---|---|---|
| Klaviyo | Email Marketing | Customer email, name, order data, browsing behavior, cart abandonment, product views, purchase history | Yes (Klaviyo servers) |
| ShipStation | Shipping | Shipping address, customer name, order items, package weight and dimensions, carrier selection, tracking numbers | Yes (ShipStation servers, carrier APIs) |
| Yotpo | Reviews | Customer name, email, order data, review content, photos, star ratings | Yes (Yotpo servers) |
| Google Shopping | Sales Channel | Product data, pricing, inventory levels, order data synced from Google Shopping purchases | Yes (Google Merchant Center) |
| Facebook and Instagram | Sales Channel | Product catalog, order data, customer interactions, pixel tracking data, conversion events | Yes (Meta servers) |
| Justuno | Conversion | Visitor behavior, email addresses from popups, browsing patterns, device data, conversion events | Yes (Justuno servers) |
| Privy | Email Capture | Email addresses, phone numbers from popups, cart data, browsing behavior, coupon usage | Yes (Privy servers) |
Review your installed apps in BigCommerce under Apps > My Apps, and check Storefront > Script Manager for the scripts those apps have injected into your storefront pages. For each app, determine whether it collects customer data, sends data to external services, or adds tracking scripts to your storefront. If any of these are true, the app must be disclosed in your privacy policy.
Pay special attention to email marketing and conversion apps like Klaviyo, Justuno, and Privy. These apps often track browsing behavior across your entire store, collect email addresses through popups, and sync customer data to external servers. This represents a significant data transfer that requires explicit disclosure and, in many cases, consent.
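The app review above is easier to do from the script inventory than from app names, because each app's actual data flow is the third-party host its storefront script loads from. The following is an added example, not BigCommerce's code or any app's code: it takes a list shaped like the `data` array of the BigCommerce Scripts API (GET /stores/{store_hash}/v3/content/scripts, the same records Script Manager shows), extracts the external hosts each script loads, maps them to the processor you would name in the policy, and flags scripts that run before consent. The sample records and the host-to-processor map are constructed for illustration, and the check assumes that scripts in the essential consent category load regardless of the cookie banner, which is what that category is for.

```python
"""Added example (not BigCommerce's code): inventory third-party script
origins on a BigCommerce storefront and flag ones that escape the consent
banner.

Input is a list shaped like the `data` array of the Scripts API
(GET /stores/{store_hash}/v3/content/scripts). The sample records and the
host-to-processor map below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed map from script host to the processor named in the privacy policy.
# Hosts here are illustrative; build yours from the scripts you actually see.
KNOWN_PROCESSORS = {
    "static.klaviyo.com": "Klaviyo",
    "connect.facebook.net": "Meta (Facebook and Instagram)",
    "www.googletagmanager.com": "Google",
}

# Consent categories assumed to load without waiting for the cookie banner.
RUNS_WITHOUT_CONSENT = {"essential"}

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def script_hosts(script):
    """Return the set of external hosts a script record loads from.

    `kind == "src"` records point at one URL; `script_tag` records embed
    inline HTML, which often bootstraps a loader from a third-party host.
    """
    hosts = set()
    if script.get("src"):
        hosts.add(urlparse(script["src"]).hostname)
    for url in URL_RE.findall(script.get("html") or ""):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def inventory(scripts):
    """Group scripts by processor and list consent/disclosure issues."""
    by_processor = defaultdict(list)
    issues = []
    for s in scripts:
        name = s.get("name", "<unnamed>")
        category = s.get("consent_category")
        hosts = script_hosts(s)
        if not hosts:
            by_processor["(inline only, no external host)"].append(name)
        for host in sorted(hosts):
            processor = KNOWN_PROCESSORS.get(host)
            if processor is None:
                issues.append(f"{name}: host {host} is not mapped to a disclosed processor")
                processor = f"unknown ({host})"
            by_processor[processor].append(name)
            if category in RUNS_WITHOUT_CONSENT:
                issues.append(f"{name}: loads {host} under '{category}', so it runs before consent")
        if category is None:
            issues.append(f"{name}: no consent_category, the banner cannot gate it")
    return {"processors": dict(by_processor), "issues": issues}


# Constructed sample. Field names follow the Scripts API; values are made up.
SAMPLE_SCRIPTS = [
    {"name": "Klaviyo onsite", "kind": "src",
     "src": "https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=ABC123",
     "html": None, "consent_category": "essential", "location": "footer"},
    {"name": "Meta Pixel", "kind": "script_tag", "src": None,
     "html": "<script>var s=document.createElement('script');"
             "s.src='https://connect.facebook.net/en_US/fbevents.js';"
             "document.head.appendChild(s);fbq('init','1234567890');</script>",
     "consent_category": "targeting_advertising", "location": "head"},
    {"name": "Reviews widget", "kind": "src",
     "src": "https://cdn.example-reviews.invalid/widget.js",
     "html": None, "consent_category": "functional", "location": "footer"},
    {"name": "Theme helper", "kind": "script_tag", "src": None,
     "html": "<script>window.__theme = {currency: 'USD'};</script>",
     "consent_category": None, "location": "footer"},
]

if __name__ == "__main__":
    report = inventory(SAMPLE_SCRIPTS)
    for processor, names in report["processors"].items():
        print(f"{processor}: {', '.join(names)}")
    for issue in report["issues"]:
        print("ISSUE:", issue)
```

Run against the sample, the Klaviyo loader is flagged because a marketing script sitting in the essential category fires for every visitor before the banner is answered, the reviews widget is flagged because its host is not in your processor list (so it is either an undisclosed processor or a script you forgot you installed), and the inline theme helper is flagged only for lacking a category. The processor grouping is the list of names that belongs in the policy's apps section.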
Not sure which apps are collecting data? Start with a fresh, accurate policy generated from your current setup using a privacy policy generator.
Multi-Channel Selling and Privacy Implications
One of BigCommerce's key features is multi-channel selling. You can connect your BigCommerce store to Amazon, eBay, Facebook, Instagram, Google Shopping, and other marketplaces to sell products across platforms. This creates additional data flows that your privacy policy must address.
When you sell through multiple channels, customer data flows in both directions. Orders placed on Amazon sync back to BigCommerce for fulfillment. Product data from BigCommerce syncs out to each connected channel. Customer details from marketplace orders enter your BigCommerce database. Each of these data flows involves sharing personal information with a third-party platform.
Amazon Channel
When you connect BigCommerce to Amazon, order data (customer name, shipping address, order items) syncs between the two platforms. Amazon has its own privacy policy governing data it collects from buyers on its marketplace. Your privacy policy should note that orders placed through Amazon are also subject to Amazon's privacy policy, and that order data is shared between BigCommerce and Amazon for fulfillment purposes.
eBay Channel
Similar to Amazon, eBay order data syncs to BigCommerce. This includes buyer names, shipping addresses, and order details. eBay also collects its own data from buyers. Your privacy policy should disclose the data sharing relationship between your BigCommerce store and eBay.
Facebook and Instagram Channels
BigCommerce integrates with Facebook and Instagram for product catalog sync and social commerce. This involves sharing your product catalog with Meta, installing the Facebook Pixel (now branded Meta Pixel) on your storefront for conversion tracking, and syncing order data for purchases made through Facebook or Instagram Shops. The pixel collects browsing behavior, device data, and conversion events from every storefront visitor, including those who never purchase, so it needs to be disclosed as tracking and should not load for EU visitors before they have consented.
Did you know?
When you sell on multiple channels through BigCommerce, a single customer may appear in your database multiple times with slightly different data from each channel. BigCommerce does not automatically merge these records. This means you may hold more customer data than you realize, which increases your disclosure obligations and makes data subject access requests more complex to fulfill.
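Because channel-synced records are never merged, answering a data subject access request means finding every record that belongs to one person across accounts, guest orders and marketplace orders, with the identifiers in slightly different shapes. The following is an added example, not BigCommerce's code: it normalizes email and phone, links records that share either identifier transitively (account shares an email with a guest order, the guest order shares a phone with an Amazon order, so all three are one subject), and returns the full set for a request made under one email. The record layout and sample values are constructed for illustration.

```python
"""Added example (not BigCommerce's code): find every record one customer
has across store accounts, guest checkout and marketplace-synced orders.

Records are constructed to mimic what a store holds after channel sync;
field names and values are assumptions for illustration.
"""
import re
from collections import defaultdict


def norm_email(value):
    """Lower-case and trim: the same mailbox in different casing is one subject."""
    return value.strip().lower() if value else None


def norm_phone(value):
    """Keep digits only so '+1 (555) 010-1234' and '15550101234' match."""
    if not value:
        return None
    digits = re.sub(r"\D", "", value)
    return digits or None


def identifiers(record):
    """Identifiers strong enough to link records to one person."""
    keys = set()
    email = norm_email(record.get("email"))
    if email:
        keys.add(("email", email))
    phone = norm_phone(record.get("phone"))
    if phone:
        keys.add(("phone", phone))
    return keys


class UnionFind:
    """Disjoint sets over record ids and identifier keys."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def resolve_subjects(records):
    """Group record ids transitively through shared identifiers."""
    uf = UnionFind()
    for r in records:
        rid = ("record", r["id"])
        uf.find(rid)  # register records that share nothing with anyone
        for key in identifiers(r):
            uf.union(rid, key)
    groups = defaultdict(list)
    for r in records:
        groups[uf.find(("record", r["id"]))].append(r["id"])
    return [sorted(g) for g in groups.values()]


def dsar_records(records, email):
    """All record ids belonging to the subject who asked under this email."""
    target = norm_email(email)
    by_id = {r["id"]: r for r in records}
    for group in resolve_subjects(records):
        if any(norm_email(by_id[i].get("email")) == target for i in group):
            return group
    return []


# Constructed sample: one person seen through four channels, plus a stranger.
SAMPLE_RECORDS = [
    {"id": "cust-1001", "source": "storefront account",
     "email": "Jane.Doe@Example.com", "phone": "+1 (555) 010-1234"},
    {"id": "order-2001", "source": "guest checkout",
     "email": "jane.doe@example.com", "phone": None},
    {"id": "order-3001", "source": "amazon sync",
     "email": None, "phone": "15550101234"},
    {"id": "order-4001", "source": "ebay sync",
     "email": "jdoe@other.example", "phone": "1 555 010 1234"},
    {"id": "cust-1002", "source": "storefront account",
     "email": "bob@example.com", "phone": None},
]

if __name__ == "__main__":
    for group in resolve_subjects(SAMPLE_RECORDS):
        print("subject:", ", ".join(group))
    print("DSAR for jane:", dsar_records(SAMPLE_RECORDS, " JANE.DOE@example.com"))
```

Linking on phone as well as email is what pulls the Amazon order (which carries no email) into the set, but it also means a shared household number can merge two people. Review the resolved group before sending anything to the requester: over-merging turns a DSAR response into a disclosure of someone else's orders, which is a worse outcome than a late response.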
Q: Do marketplace channels have their own privacy policies that cover my customers?
Yes. Amazon, eBay, Facebook, and Instagram each have their own privacy policies that govern data they collect on their platforms. However, when order data syncs to your BigCommerce store, you become the data controller for that data in your system. Your privacy policy must cover how you handle data received from these channels.
Q: Do I need separate privacy policies for each sales channel?
No. A single comprehensive privacy policy can cover all your sales channels. However, it must mention each channel by name and explain what data is shared with each platform. The policy should be accessible from your BigCommerce storefront, and you should reference it in your marketplace seller profiles where possible.
How to Add a Privacy Policy in BigCommerce (6 Steps)
Follow this process to create and publish a comprehensive privacy policy for your BigCommerce store that covers all data flows, satisfies GDPR and CCPA, and is properly linked throughout your storefront.
Audit all data collection points in your store
Go through your entire BigCommerce checkout flow as a customer. Note every field on the checkout page, the registration form, and the account area. Check your BigCommerce Analytics settings, installed apps, and connected sales channels. Document every point where customer data is collected or transmitted.
Identify your payment gateway and installed apps
Check your payment settings in BigCommerce under Store Setup > Payments. Note which gateway is active (Braintree, Stripe, PayPal, or another). Then review Apps > My Apps to list every installed app that handles customer data. For each app, document what data it accesses and where it sends that data.
Document multi-channel connections
Check Channel Manager in your BigCommerce admin to see all connected sales channels. For each channel (Amazon, eBay, Facebook, Instagram, Google Shopping), document what customer data is shared with that platform. Include both outbound data (product listings) and inbound data (orders syncing back).
Generate your privacy policy
Use a privacy policy generator to create a policy based on your BigCommerce store's specific setup. Answer questions about your data practices, payment gateways, apps, multi-channel selling, and retention periods. This produces a customized policy covering all your ecommerce data flows.
Create a web page in BigCommerce
Go to Storefront > Web Pages in your BigCommerce admin. Create a new page titled "Privacy Policy" and paste your generated privacy policy content. Set the page URL to /privacy-policy/ for consistency. Make sure the page is visible and accessible from your navigation.
Link from footer, checkout, and enable consent
Add your privacy policy link to the site footer through your theme settings or footer script area. Enable the terms and conditions checkbox at checkout under Settings > General to reference your privacy policy. Verify that the cookie consent banner is active if you serve customers in the EU.
Common BigCommerce Privacy Policy Mistakes
These are the most frequent privacy mistakes made by BigCommerce store owners. Each one creates a compliance gap that could result in GDPR fines, CCPA penalties, or customer trust issues.
Mistake: "BigCommerce is PCI compliant so I do not need to worry about data privacy"
PCI DSS compliance covers payment card security, not privacy. BigCommerce being PCI compliant means card data is handled securely at the infrastructure level. But your store still collects names, email addresses, physical addresses, phone numbers, order histories, and account data. You are the data controller for all of this, and you need a privacy policy that discloses every category.
Mistake: "I do not mention my installed apps because they are internal tools"
BigCommerce apps are not internal tools. Apps like Klaviyo, ShipStation, and Yotpo are third-party services that receive customer data from your store. When Klaviyo syncs your customer list, that is a data transfer to an external processor. When ShipStation receives shipping addresses, that is another. Each app must be named as a data processor in your privacy policy.
Mistake: "My multi-channel sales are covered by each marketplace's own privacy policy"
While Amazon, eBay, and Facebook have their own privacy policies for their platforms, when order data syncs to your BigCommerce store, you become the data controller for that data. Your privacy policy must disclose that you receive customer data from these channels, explain what you do with it, and note the data sharing relationship between your store and each marketplace.
Mistake: "I copied a privacy policy from another BigCommerce store"
Every BigCommerce store has a unique combination of payment gateways, installed apps, sales channels, and data practices. A privacy policy copied from another store will not accurately reflect your data collection. It may list apps you do not use, omit apps you do use, name the wrong payment gateway, or miss your multi-channel connections. An inaccurate privacy policy is worse than a generic one because it actively misleads customers.
Mistake: "I do not need to update my policy when I add new apps or channels"
Every time you install a new BigCommerce app that handles customer data, connect a new sales channel, or change your payment gateway, your privacy policy becomes outdated. Under GDPR, your privacy policy must accurately reflect your current data practices at all times. A policy that was accurate six months ago may not cover the apps and channels you have added since then.
Frequently Asked Questions
Does my BigCommerce store need a privacy policy?
Yes. BigCommerce stores collect customer names, emails, billing and shipping addresses, payment details, order histories, and account data. Privacy laws including GDPR, CCPA, and PIPEDA require you to disclose this data collection. BigCommerce does not provide a compliant privacy policy for you. Store owners are responsible for creating their own.
What customer data does BigCommerce collect?
BigCommerce collects order data (name, email, addresses, phone, items), payment data (processed through your gateway), account data (username, password hash, order history), storefront analytics (page views, conversion events), and marketing data if you use email tools or connected apps. The exact data depends on your checkout configuration and installed apps.
Do I need to disclose BigCommerce apps in my privacy policy?
Yes. Any BigCommerce app that collects, processes, or transmits customer data is a data processor under GDPR and must be disclosed. This includes email marketing apps like Klaviyo, shipping apps like ShipStation, review apps like Yotpo, and sales channel apps for Google Shopping and Facebook.
Does BigCommerce store credit card numbers?
No. BigCommerce does not store full credit card numbers. Card data is processed by your payment gateway (Braintree, Stripe, PayPal, or another provider) and handled according to PCI DSS standards. BigCommerce stores transaction IDs and payment method type for order reference. Your privacy policy should clarify this and name your specific gateway.
How does multi-channel selling affect my privacy policy?
When you sell on Amazon, eBay, Facebook, or Instagram through BigCommerce, customer data flows between your store and each channel. Your privacy policy must disclose each sales channel, explain what data is shared, and note that each channel has its own privacy policy. Multi-channel selling creates additional data processor relationships requiring disclosure.
How do I add a privacy policy to my BigCommerce store?
In BigCommerce, go to Storefront > Web Pages and create a new page for your privacy policy. Add the link to your site footer through theme settings. Enable a terms and conditions checkbox at checkout under Settings > General. Make sure the privacy policy is accessible from every page via your footer navigation.
Does BigCommerce have built-in GDPR compliance tools?
BigCommerce provides a cookie consent banner, the ability to export and delete customer data, and checkout consent options. However, these tools do not replace a comprehensive privacy policy. You are still responsible for disclosing all data collection, naming processors and apps, specifying retention periods, and providing contact information for privacy requests.
Related Resources
Privacy Policy for Ecommerce
General ecommerce privacy requirements and best practices
Privacy Policy for Shopify
Shopify-specific privacy obligations and disclosures
Privacy Policy for WooCommerce
WooCommerce orders, payments, and plugin disclosures
Do I Need a Privacy Policy for an Online Store?
Legal requirements for ecommerce privacy policies
GDPR Privacy Policy Template
All 12 required GDPR sections with a compliant template
What Happens Without a Privacy Policy
Real consequences of operating without one
Privacy Policy for Stripe
Payment processing disclosures for Stripe users
Privacy Policy for Google Analytics
Analytics tracking disclosure requirements
Get Your BigCommerce Privacy Policy
Your BigCommerce store is collecting customer data, payment details, and order information across multiple channels. Generate a customized, compliant privacy policy that covers everything. Takes under 60 seconds.
Covers GDPR, CCPA, and CalOPPA · Customized for BigCommerce · Just $4.99