Quick Answer: What a Dropshipping Privacy Policy Must Cover
- Supplier data sharing: Customer name and shipping address shared with fulfillment partners
- Carrier disclosure: Shipping data shared with carriers (ePacket, DHL, USPS, etc.)
- Payment processing: How Stripe, PayPal, or Shopify Payments handles card data
- Order tracking: Third-party tracking systems and what they collect
- Marketing: Whether purchase data is used for retargeting or email campaigns
- International transfers: If suppliers are in China, this is an international data transfer under GDPR
What Makes Dropshipping Unique from a Privacy Perspective
Traditional ecommerce stores fulfill orders from their own warehouse and have direct control over customer data throughout the order process. Dropshipping is fundamentally different: the store owner acts as an intermediary, passing customer orders and personal data to a third-party supplier who ships directly to the customer.
This means a single purchase involves customer data being processed by at least four distinct parties: your store, your payment processor, your supplier, and the shipping carrier. Under GDPR, each of these is either a data controller or a data processor in relation to the customer's data, and the entire chain must be disclosed.
For EU customers, sending personal data to a Chinese supplier (as most AliExpress-based dropshippers do) may constitute an international data transfer, which has specific requirements under GDPR Chapter V. This is a dimension of dropshipping privacy compliance that most store owners overlook entirely.
Did you know?
Shopify's default privacy policy template does not automatically account for supplier data sharing. If you are using AliExpress, CJdropshipping, or any fulfillment partner, you must manually add language disclosing that order data is shared with fulfillment partners and the geographic location of those partners.
Customer Data Flow in Dropshipping
Understanding the data flow in your dropshipping operation is essential before you can write an accurate privacy policy. Here is how data typically moves through a dropshipping order:
Customer places an order on your store
Name, email address, shipping address, phone number, and payment information are collected. Your platform (Shopify, WooCommerce) stores this data.
Payment is processed
Card details go directly to your payment processor (Stripe, PayPal, Shopify Payments) through a hosted payment page, redirect, or embedded iframe, so you typically never see raw card numbers. The processor is the PCI DSS-validated party; your store keeps a reduced PCI DSS obligation (normally the SAQ A self-assessment for fully outsourced card handling) rather than none at all.
Order is forwarded to the supplier
You (or your fulfillment app, such as DSers or AutoDS) send the order to your supplier. This includes: customer name, shipping address, phone number, and product details.
Supplier ships the order
The supplier hands the parcel and the recipient's details to the carrier, which issues the tracking number that flows back to you and the customer. The carrier receives: customer name, address, and phone number for delivery.
Post-purchase
You may send shipping confirmation emails, tracking updates, review requests, or marketing emails. Each of these involves additional processing of customer data.
Data Parties in a Typical Dropshipping Order
| Party | Role | Data Received | Must Disclose? |
|---|---|---|---|
| Your Shopify / WooCommerce store | Data Controller | All customer data | Yes - you are responsible |
| Shopify (platform) | Data Processor | All store data | Yes - name Shopify as a processor |
| Payment processor (Stripe, PayPal) | Data Controller (for payments) | Payment and billing data | Yes - disclose the processor used |
| Fulfillment supplier (AliExpress seller, CJdropshipping) | Data Processor if you have an Article 28 DPA with them; otherwise an independent Data Controller operating under its own terms | Name, address, phone, order details | Yes - critical for GDPR, including the country the supplier operates from |
| Shipping carrier (DHL, USPS, China Post ePacket) | Usually an independent Data Controller (carriers process delivery data under their own terms, not on your instructions) | Name, address, phone number | Yes - disclose the carrier(s) used |
| Email marketing (Klaviyo, Mailchimp) | Data Processor | Email, name, purchase history | Yes - if you use email marketing |
GDPR and CCPA Requirements for Dropshipping Stores
If your store offers goods to people in the EU, GDPR applies regardless of where you are based (Article 3(2)). If you do business in California and meet one of the CCPA/CPRA thresholds (annual gross revenue above roughly $25 million, adjusted periodically; buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or deriving 50% or more of revenue from selling or sharing personal information), CCPA applies. Many dropshipping stores operate globally and fall under both.
GDPR Specifics for Dropshipping
The most important GDPR consideration specific to dropshipping is the international data transfer issue. When you send a customer's name and shipping address to a supplier based in China or any other country without an EU adequacy decision, you are transferring personal data to a third country under GDPR Chapter V. You need one of the following:
- An Article 46 transfer mechanism, in practice the EU Standard Contractual Clauses (SCCs) signed with the supplier, together with a transfer impact assessment of the destination country, or
- An Article 49 derogation, such as the transfer being necessary for the performance of the contract with the customer
For most small dropshipping operations, the Article 49(1)(b) derogation - that the transfer is necessary for the performance of a contract between the data subject and the controller - is the most practical approach. One caveat a practitioner should know: Recital 111 and the EDPB guidelines on Article 49 reserve the contract derogation for occasional transfers, and a store that routes every order to an overseas supplier is making systematic transfers, so a supervisory authority may expect SCCs for a standing supplier relationship. Whichever route you take, your privacy policy must explicitly state that data is transferred to suppliers outside the EU/EEA for order fulfillment purposes and name the safeguard or derogation you rely on (Article 13(1)(f)).
Did you know?
Under GDPR (Article 28), you must have a written Data Processing Agreement (DPA) with any processor that handles EU customer data - including Shopify, Klaviyo, and your email marketing platform. Electronic acceptance counts as written. Most large platforms provide these automatically, but it is your responsibility to ensure they are in place; some platforms require you to actively accept the DPA in your account settings, and a supplier you have never contracted with on these terms is not your processor at all.
CCPA Requirements for Dropshipping
If your dropshipping store meets the CCPA thresholds, your privacy policy must include: a list of categories of personal information collected, whether you sell or share personal information, and a description of California consumer rights. Sharing customer data with suppliers for fulfillment is typically a disclosure to a service provider, not a "sale", provided the contract with the supplier restricts their use of the data. Note that under the CPRA amendments, passing purchase data to retargeting pixels for cross-context behavioral advertising counts as "sharing", which triggers a "Do Not Sell or Share My Personal Information" link.
AliExpress and CJdropshipping Supplier Privacy Considerations
AliExpress and CJdropshipping are two of the most popular supplier platforms for dropshippers, but they have different privacy implications.
AliExpress
When you place orders on AliExpress on behalf of customers, you are sharing your customers' shipping data directly with an AliExpress seller - who is a third-party business, not AliExpress itself. This means you are sharing data with potentially many different entities depending on how many suppliers you use. Because these sellers process the data under AliExpress's terms rather than under a DPA with you, they are in practice independent controllers, not your processors, so describe them as recipients rather than claiming they act only on your instructions. Your privacy policy should describe this as sharing with "order fulfillment partners", note that these partners operate under their own privacy practices, and state that they are located in China.
CJdropshipping and Other Integrated Platforms
CJdropshipping, Zendrop, Spocket, and similar platforms act as intermediaries with their own terms and privacy policies. When you connect these platforms to your store, customer order data is automatically forwarded to them. Your privacy policy must disclose these integrations and the data they receive.
| Platform | Data They Receive | Location | GDPR Transfer Consideration |
|---|---|---|---|
| AliExpress | Name, address, phone, order details | China | International transfer - requires disclosure |
| CJdropshipping | Name, address, phone, order details | China | International transfer - requires disclosure |
| Spocket | Name, address, phone, order details | US / EU suppliers | Depends on specific supplier location |
| Zendrop | Name, address, phone, order details | US (mostly US suppliers) | Lower risk but still requires disclosure |
Payment Data and PCI Compliance
Payment card data is among the most sensitive personal information you handle. Your privacy policy must explain how payment data is processed, but the good news is that most dropshipping store owners never actually handle raw card numbers - this is handled entirely by the payment processor.
Your policy should clearly state which payment processors you use (Stripe, PayPal, Shopify Payments, Apple Pay, Google Pay, etc.) and note that payment data is processed directly by these PCI DSS-compliant providers. You should also link to the payment processor's own privacy policy.
Do not claim PCI compliance for your store itself unless you have actually undergone a PCI assessment. The correct statement is that payment processing is handled by a PCI DSS-compliant processor, and that you do not store raw payment card data.
Returns and Refund Data
Returns in dropshipping are complicated because in most cases, customers cannot return items to the original overseas supplier economically. Many dropshippers handle returns by either providing a refund without requiring a return, or by asking customers to return items to a domestic address.
Either way, your privacy policy should address how return request data is handled. This includes: who the customer communicates with about the return (you, your customer service platform, or both), what documentation you may collect (photos of defective items), and how long you retain return-related data.
If you use a customer service platform like Gorgias, Zendesk, or Freshdesk, these are additional data processors that must be disclosed in your privacy policy. They receive customer emails, order information, and possibly dispute details.
Email Marketing to Dropshipping Customers
Email marketing is a major revenue driver for dropshipping stores - abandoned cart sequences, post-purchase flows, and win-back campaigns. But it creates specific data handling obligations that must be addressed in your privacy policy.
Under GDPR, you need a lawful basis to send marketing emails to EU customers. Transactional emails (order confirmation, shipping notification) can be sent under contract performance. Marketing emails require opt-in consent: collecting an email at checkout with a pre-checked "subscribe me to marketing" box does not constitute valid GDPR consent (the CJEU confirmed this in Planet49). The ePrivacy Directive allows a "soft opt-in" for existing customers in some member states - marketing your own similar products to someone who bought from you, provided they could opt out when their address was collected and can opt out in every message - but its scope varies by country, so do not rely on it without checking the markets you sell into.
Under CAN-SPAM (US), commercial emails must carry accurate header and subject information, a functional unsubscribe mechanism honored within 10 business days, and your valid physical postal address. CASL (Canada) goes further and requires express or implied consent before sending, plus sender identification and an unsubscribe mechanism in every message.
Your privacy policy must name the email marketing platform you use (Klaviyo, Omnisend, Mailchimp, etc.) and explain what data is shared with them (email address, name, purchase history, browsing behavior on your store) and how customers can unsubscribe.
5 Common Dropshipping Privacy Policy Mistakes
Using Shopify's default policy template without customizing it for supplier data sharing
Shopify provides a policy template, but it does not mention your specific suppliers or the international data transfers that occur when sending orders to China-based fulfillment companies. This creates a gap between what your policy says and what actually happens with customer data.
Not disclosing international data transfers for EU customers
Sending customer shipping data to a Chinese supplier is an international data transfer under GDPR. Failing to disclose this in your privacy policy is a GDPR violation even if you have every other element right.
Claiming you never share customer data when you clearly do
Statements like 'we never sell or share your data' are inaccurate for a dropshipping business because you must share customer data with suppliers and carriers to fulfill orders. Use precise language: 'we share order fulfillment data with suppliers and carriers as necessary to deliver your order.'
Not addressing email marketing consent separately from transactional emails
Bundling marketing consent with the order confirmation email or pre-checking a newsletter signup at checkout is not valid GDPR consent. Your policy must clearly separate transactional and marketing communications and explain the legal basis for each.
Copying a competitor's privacy policy without adapting it to your actual tools and suppliers
If a competitor uses Klaviyo and you use Omnisend, or they use PayPal and you use Stripe, a copied policy contains false statements about your actual data practices. Regulators treat a privacy policy that misdescribes what you actually do as a deceptive statement; the FTC brings such cases under Section 5 of the FTC Act, and EU authorities treat it as a breach of the transparency duties in Articles 12 and 13.
Frequently Asked Questions
Does a dropshipping store need a privacy policy?
Yes. Any store that collects names, addresses, and payment details needs one, and the dropshipping data chain (platform, payment processor, supplier, carrier, marketing tools) makes the required disclosures longer, not shorter, than for a conventional store.
Do I need to disclose that I use AliExpress or CJdropshipping as my supplier?
Yes. At a minimum, describe them as order fulfillment partners, state that they receive the customer's name, shipping address, phone number, and order details, and state the country they operate from, since for EU customers that makes the disclosure an international transfer notice.
Is Shopify responsible for my store's privacy policy?
No. Shopify is a processor for your store data; you are the controller and remain responsible for the policy's accuracy. Shopify's template is a starting point that does not mention your suppliers or the international transfers they involve.
What about shipping address data given to carriers like ePacket or DHL?
Carriers receive the recipient's name, address, and phone number to deliver the parcel. Name the carriers you use, and for overseas suppliers note that handing the parcel to a Chinese carrier is part of the international transfer already described in your policy.
How does GDPR apply to a US-based dropshipping store that ships to Europe?
GDPR reaches a store outside the EU when it offers goods to people in the EU (Article 3(2)). A US store that ships to EU customers must therefore disclose the full data chain, cover the transfer to overseas suppliers under Chapter V, and have DPAs with its processors.
Generate a Dropshipping Privacy Policy in Minutes
Cover supplier data sharing, carrier disclosure, payment processing, and GDPR international transfers in one compliant document tailored to your dropshipping store.