Shopify requires every app in its App Store to have a privacy policy. If your app accesses any merchant or customer data through Shopify APIs, you must provide a publicly accessible privacy policy URL in your Partner Dashboard. Your policy must disclose what data you access, how you use it, and how merchants or their customers can request data deletion. Apps submitted without a privacy policy will not pass review.
Shopify apps operate with direct access to merchant stores and their customer data. Through API scopes, your app can read orders, customer profiles, product catalogs, payment records, and store analytics. This level of access is why Shopify enforces strict privacy requirements for every app in its ecosystem.
The Shopify App Store review process checks for a valid privacy policy URL, proper GDPR webhook implementation, and accurate data handling disclosures. Shopify has significantly increased its enforcement of these requirements as privacy regulations like GDPR and CCPA have expanded. Apps that fail to meet these requirements are rejected during review or removed from the store.
This guide covers the Shopify App Store privacy requirements, which API scopes trigger data handling disclosures, how to distinguish between merchant and customer data, the mandatory GDPR webhooks, third-party service disclosure, and how to create a compliant privacy policy that passes the review process.
Shopify App Store Privacy Requirements
Shopify's Partner Program Agreement and API Terms of Service require every app to handle merchant and customer data responsibly. These are not guidelines. They are contractual obligations enforced through the app review process and ongoing compliance monitoring.
What Shopify Requires
- Privacy policy URL: A publicly accessible URL entered in the Partner Dashboard that links to your app's privacy policy. This URL is displayed on your app's listing in the Shopify App Store.
- Accurate data disclosures: Your policy must accurately describe what merchant and customer data your app accesses through Shopify APIs, how it uses that data, whether it shares data with third parties, and how data subjects can request deletion.
- GDPR webhook implementation: Your app must implement the three mandatory GDPR webhooks: customers/data_request, customers/redact, and shop/redact. These handle data access and deletion requests forwarded by Shopify.
- Minimum necessary scopes: Your app must only request API scopes it actually needs. Requesting broad access "just in case" will trigger additional review scrutiny and require more extensive privacy disclosures.
- Data retention limits: Your app must not retain merchant or customer data longer than necessary for the app's purpose. When a merchant uninstalls your app, you must delete their data within 48 hours unless you have a legal obligation to retain it.
Shopify reviews apps both when they are submitted and on an ongoing basis. Apps that violate these requirements can be removed from the App Store without warning. Partner accounts with repeated violations can be permanently suspended. Shopify has removed hundreds of apps for privacy and data handling violations.
- Required: For all App Store listings
- Public: Must be publicly accessible
- Enforced: Rejection or removal
Did you know?
Shopify processes over $200 billion in annual gross merchandise volume across millions of stores worldwide. Every app in the ecosystem has the potential to access data from thousands of merchants and millions of their customers. This is why Shopify treats app privacy compliance as a top priority and has dedicated review teams that specifically check privacy policy accuracy and GDPR webhook implementation.
Enforcement Consequences
- New Apps: Rejected. Will not pass review without a compliant privacy policy.
- Existing Apps: Removed. Can be taken down at any time for non-compliance.
Types of Data Your Shopify App Accesses
Shopify apps access data through API scopes that are requested during the OAuth installation flow. Each scope grants access to specific types of merchant or customer data. Your privacy policy must disclose every category of data your app accesses, even if your app only reads the data without storing it.
| API Scope | Data Access | Data Category | Sensitivity |
|---|---|---|---|
| read_customers | Customer names, emails, addresses, phone numbers, order history | Personal data | High |
| read_orders | Order details, line items, shipping info, payment status, customer references | Transactional | High |
| read_products | Product titles, descriptions, prices, images, inventory levels | Business data | Medium |
| read_analytics | Store analytics, traffic data, conversion metrics, sales reports | Business data | Medium |
| read_shipping | Shipping zones, rates, carrier configurations, fulfillment details | Business data | Low |
| read_content | Blog posts, pages, articles, and other store content | Content data | Low |
| read_themes | Theme files, template code, store design assets | Business data | Medium |
| read_inventory | Inventory levels, locations, stock adjustments | Business data | Medium |
| write_checkouts | Checkout data, cart contents, payment details, customer checkout info | Personal + financial | Very High |
| read_shopify_payments | Payment transactions, payouts, disputes, balance info | Financial data | Very High |
The general rule is that read_customers, read_orders, and any scope that touches checkout or payment data will require detailed privacy disclosures. Even scopes like read_products, which seem benign, give your app access to proprietary business information that merchants expect to be kept confidential.
Write scopes (write_customers, write_orders, etc.) carry additional responsibility because your app can modify data, not just read it. Your privacy policy should clearly explain what modifications your app makes and why.
Did you know?
Shopify's API rate limiting is partially based on your app's requested scopes. Apps that request fewer scopes and demonstrate responsible data handling can receive higher API limits. This is another reason to only request the scopes your app actually needs. Your privacy policy should reflect only the scopes you request, making it easier to keep accurate and pass review.
Merchant Data vs Customer Data
One of the most important distinctions in Shopify app privacy is the difference between merchant data and customer data. These two categories have different owners, different rights, and different legal implications. Your privacy policy must address both clearly.
Merchant Data
Merchant data belongs to the store owner who installed your app. It includes the merchant's name, email address, store URL, business address, product catalog, pricing information, store configuration, theme files, and analytics data. The merchant is your direct customer, and they have consented to your app accessing their data by installing it.
However, consent through installation does not mean unlimited use. Your app may only use merchant data for the purposes described in your app listing and privacy policy. You cannot sell merchant data to third parties. You cannot use it for purposes unrelated to your app's functionality. When a merchant uninstalls your app, you must delete their data within 48 hours.
Customer Data
Customer data belongs to the people who shop at the merchant's store. It includes shopper names, email addresses, shipping addresses, phone numbers, order history, and browsing behavior. This data passes through Shopify to your app, but the data subjects are the shoppers, not the merchant.
Customer data carries additional legal obligations under GDPR, CCPA, and other privacy laws. These shoppers may not know your app exists, yet your app is processing their personal information. Under GDPR, you are typically a data processor acting on behalf of the merchant (the data controller). Your privacy policy should explain this relationship and how customers can exercise their data rights.
Q: Who is the data controller for customer data in my Shopify app?
The merchant is typically the data controller because they determine why and how customer data is processed. Your app acts as a data processor on their behalf. This means you process customer data according to the merchant's instructions and your app's stated purpose. Your privacy policy should clarify this controller-processor relationship.
Q: Can I use customer data for my own analytics or product improvement?
Only if you clearly disclose this in your privacy policy and the merchant agrees to it. Under GDPR, using customer data for your own purposes (beyond providing the app service) may make you a joint data controller, which brings additional obligations. Shopify's API Terms of Service restrict how you can use merchant and customer data. Always check the latest terms before using data for secondary purposes.
The Shopify App Review Process
Every public Shopify app must pass a review before it is listed in the App Store. The review process covers functionality, security, performance, and privacy. The privacy portion specifically checks your privacy policy, GDPR webhook implementation, and data handling practices.
What Reviewers Check
- Privacy policy URL is valid and public: The URL must load a publicly accessible page with your actual privacy policy. Broken links, login-required pages, or placeholder content will cause rejection.
- Policy matches requested scopes: Reviewers check that your privacy policy discloses the data categories that correspond to your requested API scopes. If your app requests read_customers but your policy does not mention customer data, it will be flagged.
- GDPR webhooks are implemented: Reviewers verify that your app responds correctly to the mandatory GDPR webhook endpoints. Your app must return proper HTTP status codes and actually process the requests, not just acknowledge them.
- Scopes are justified: If your app requests scopes that seem broader than its stated functionality, reviewers will ask you to justify why those scopes are needed. Your privacy policy should explain how each data type supports your app's functionality.
The review process typically takes several days for new apps. If your app is rejected for privacy issues, you will receive specific feedback about what needs to be fixed. You can resubmit after making the corrections. Repeated rejections for the same issues may result in longer review times for future submissions.
GDPR Requirements for Shopify Apps
Shopify serves merchants and customers in the European Union, which means GDPR applies to virtually every Shopify app. Even if you are based outside the EU, if your app processes data from EU-based shoppers, you are subject to GDPR requirements. Shopify enforces this by requiring all apps to implement mandatory GDPR webhooks.
Mandatory GDPR Webhooks
Shopify requires every app to implement three webhook endpoints that handle GDPR data subject requests. These webhooks are not optional. Your app will not pass review without them.
customers/data_request
Triggered when a customer requests access to their personal data. Your app must respond with all data it holds about that customer. This maps to GDPR's right of access (Article 15). Your response should include any customer data your app has stored, processed, or derived from Shopify data.
customers/redact
Triggered when a customer requests deletion of their personal data. Your app must delete all data it holds about that customer within 30 days. This maps to GDPR's right to erasure (Article 17). You must delete the data from your databases, backups, and any third-party services where you forwarded the data.
shop/redact
Triggered 48 hours after a merchant uninstalls your app. Your app must delete all data associated with that merchant's store, including any customer data accessed through that merchant's store. This ensures your app does not retain data from merchants who are no longer using your service.
Your privacy policy must disclose that your app implements these webhooks and explain how merchants and their customers can exercise their data rights. Include specific information about your response timeframes and the process for handling these requests.
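A minimal handler for the three webhooks described above, added here as an illustration and not taken from the original page or from Shopify's own code. It assumes each delivery is authenticated with the base64 HMAC-SHA256 carried in the X-Shopify-Hmac-Sha256 header; the secret, the in-memory store and the function names are constructed for the example, and the payload fields it reads (shop_domain, customer.id) should be checked against Shopify's current webhook documentation.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real app loads its client secret from config.
APP_SECRET = b"example-client-secret"

# Constructed in-memory store standing in for the app's database, backups and
# any third-party copies: shop domain -> customer id -> stored record.
STORE = {
    "example-shop.myshopify.com": {
        1001: {"email": "a@example.com", "notes": "VIP"},
        1002: {"email": "b@example.com", "notes": ""},
    }
}
EXPORT_QUEUE = []  # data_request jobs waiting to be fulfilled


def sign(body: bytes, secret: bytes = APP_SECRET) -> str:
    """Base64 HMAC-SHA256 over the raw request body."""
    return base64.b64encode(hmac.new(secret, body, hashlib.sha256).digest()).decode()


def handle_webhook(topic: str, raw_body: bytes, hmac_header: str) -> int:
    """Return the HTTP status the endpoint should send for one delivery."""
    # Authenticate the raw bytes before parsing; compare in constant time.
    expected = sign(raw_body).encode()
    if not hmac.compare_digest(expected, (hmac_header or "").encode()):
        return 401
    try:
        payload = json.loads(raw_body)
        shop = payload["shop_domain"]
        if topic == "shop/redact":
            # Merchant uninstalled: drop everything held for the store.
            STORE.pop(shop, None)
        elif topic == "customers/redact":
            # Idempotent: a repeated delivery for an already-deleted customer
            # still succeeds, so retries do not turn into logged failures.
            STORE.get(shop, {}).pop(payload["customer"]["id"], None)
        elif topic == "customers/data_request":
            cid = payload["customer"]["id"]
            record = STORE.get(shop, {}).get(cid)
            EXPORT_QUEUE.append(
                {"shop": shop, "customer_id": cid,
                 "data": dict(record) if record else None}
            )
        else:
            return 404
    except (ValueError, KeyError, TypeError):
        # Authenticated but malformed payload.
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample delivery.
    body = json.dumps(
        {"shop_domain": "example-shop.myshopify.com", "customer": {"id": 1001}}
    ).encode()
    print(handle_webhook("customers/redact", body, sign(body)))
    print(handle_webhook("customers/redact", body, "forged-signature"))
```

The signature check runs on the unparsed body because re-serialising the JSON changes the bytes and breaks the comparison.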
Did you know?
Shopify sends GDPR webhook requests even if you have not explicitly registered for them. If your app's GDPR webhook endpoints return errors or do not exist, Shopify logs these failures. Accumulated failures can affect your app's standing in the App Store and may trigger a compliance review. Always ensure your GDPR endpoints are working, even if you receive few requests.
Third-Party Services Disclosure
Many Shopify apps rely on third-party services to function. Whether you use a cloud database, analytics platform, email service, payment processor, or AI API, any service that receives merchant or customer data from your app must be disclosed in your privacy policy.
For each third-party service, your privacy policy should explain what data is shared with that service, why it is shared, and link to the service's own privacy policy. Common third-party services in Shopify apps include:
- Cloud hosting providers: AWS, Google Cloud, or Azure where your app's backend runs and stores data
- Analytics services: Mixpanel, Amplitude, Google Analytics, or similar services tracking app usage
- Email and communication services: SendGrid, Mailchimp, or Twilio used to send notifications to merchants or customers
- AI and machine learning APIs: OpenAI, Google AI, or similar services that process merchant or product data
- Error tracking and monitoring: Sentry, Datadog, or LogRocket that may capture request data containing personal information
Under GDPR, when you share data with third-party services, you should have Data Processing Agreements (DPAs) in place with each service. Your privacy policy should mention that these agreements exist and that third parties are contractually bound to handle data in compliance with applicable privacy laws.
Where to Display Your Privacy Policy
Your Shopify app's privacy policy needs to be accessible in multiple locations, not just the App Store listing. Merchants and their customers should be able to find your policy wherever they interact with your app.
- Shopify App Store listing: The privacy policy URL in your Partner Dashboard is displayed on your app's public listing page. This is required by Shopify.
- Your app's website: If your app has a marketing website or landing page, include a link to your privacy policy in the footer. This is standard practice and expected by Shopify reviewers.
- Within the app interface: Add a link to your privacy policy somewhere accessible within your app's admin interface. A common placement is in the app's settings page or footer navigation.
- OAuth consent screen: When merchants install your app, the OAuth flow shows them what permissions your app requests. While Shopify controls this screen, some apps include a link to their privacy policy in the pre-install landing page.
- Storefront-facing elements: If your app adds widgets, popups, or forms to the merchant's storefront that collect customer data, those elements should link to your privacy policy or the merchant's privacy policy.
Q: Should my storefront widgets link to my privacy policy or the merchant's?
If your app collects customer data directly through a storefront widget (like a popup form or survey), best practice is to link to both. The merchant is the data controller, so their privacy policy is primary. But customers should also be able to see how your app handles their data. Discuss with your merchants how they want to handle this, and make sure your app's data collection is covered in the merchant's privacy policy as well.
Common Shopify App Privacy Mistakes
These mistakes are the most common reasons Shopify apps get rejected during review or removed from the App Store. Each one reflects a misunderstanding of Shopify's requirements or applicable privacy laws.
Mistake: "My app only reads products, so no privacy policy is needed"
Product data is proprietary business information that belongs to the merchant. Even if your app only reads product titles and prices, you are accessing merchant data through Shopify APIs. Shopify requires a privacy policy for all App Store listings regardless of which scopes you request. The policy must explain what data your app accesses and how it uses that data.
Mistake: "GDPR webhooks are just for EU merchants"
Shopify requires all apps to implement GDPR webhooks regardless of where the app developer or merchants are located. Shopify serves merchants globally, and any merchant could have EU-based customers. The webhooks are a platform requirement, not just a GDPR compliance feature. Your app will not pass review without functional GDPR webhook endpoints.
Mistake: "I can keep data after a merchant uninstalls"
When a merchant uninstalls your app, Shopify sends a shop/redact webhook within 48 hours. You must delete all data associated with that merchant's store, including customer data you accessed through their store. The only exception is data you are legally required to retain, such as financial records for tax purposes. Your privacy policy must clearly state your data retention and deletion practices.
Mistake: "The merchant's privacy policy covers my app"
The merchant's privacy policy covers their store and how they handle customer data. It does not cover your app's data handling practices. You are a separate entity processing data through Shopify APIs. You need your own privacy policy that explains how your app specifically handles the merchant and customer data it accesses. Shopify requires this as part of the app listing.
Mistake: "I do not need to disclose my hosting provider or analytics tools"
Every third-party service that receives merchant or customer data from your app should be disclosed in your privacy policy. This includes your cloud hosting provider, database service, analytics tools, error tracking services, and any APIs your app calls. Under GDPR, you need Data Processing Agreements with each of these services. Shopify reviewers check for third-party disclosure completeness.
How to Create a Privacy Policy for Your Shopify App (6 Steps)
Follow this process to create a privacy policy that satisfies Shopify App Store requirements, passes the review process, and complies with GDPR and CCPA.
1. Audit every API scope your app requests: Review your app configuration in the Partner Dashboard and list every API scope your app requests. For each scope, document what merchant or customer data it gives your app access to and whether your app reads, stores, or transmits that data. Remove any scopes you are not actively using. Fewer scopes means fewer disclosure requirements and a smoother review process.
2. Map all data flows from Shopify to your app: Trace how data moves from Shopify through your app. What data is received via webhooks? What is fetched through the Admin API or Storefront API? What is stored in your database? What is processed by third-party services? What is displayed back to merchants in your app interface? Document every flow.
3. Separate merchant data from customer data: Categorize the data your app handles into merchant data (store owner information, business details, store configuration) and customer data (shopper names, emails, addresses, order history). Each category has different disclosure requirements and different data subject rights under GDPR and CCPA. Your privacy policy must address both categories.
4. Implement your GDPR webhooks: Set up the three required GDPR webhook endpoints: customers/data_request, customers/redact, and shop/redact. Test them to ensure they return proper HTTP status codes and actually process the requests. Your privacy policy must reference these webhooks and explain the process for data access and deletion requests.
5. Generate your privacy policy: Use a privacy policy generator to create a policy tailored to your Shopify app's data handling. Include details about each API scope, data storage methods, third-party services, GDPR webhook handling, data retention periods, and merchant versus customer data distinctions. The policy must accurately reflect your app's actual behavior.
6. Add the URL to your Partner Dashboard: In the Shopify Partner Dashboard, navigate to your app listing and add your privacy policy URL in the App setup section. This URL must be publicly accessible and will be displayed on your app's listing in the Shopify App Store for merchants to review before installing your app.
Frequently Asked Questions
Does my Shopify app need a privacy policy?
Yes. Shopify requires every app listed in the App Store to have a privacy policy. This applies to free and paid apps, public and custom apps. If your app accesses any merchant or customer data through Shopify APIs, you must provide a publicly accessible privacy policy URL in your Partner Dashboard.
What data does Shopify consider personal information?
Shopify considers personal information to include any data that identifies or could identify an individual. This includes customer names, emails, addresses, phone numbers, order details, payment information, and browsing behavior. Merchant data like store owner contact details and business information also qualifies.
Where do I add my privacy policy URL?
In the Shopify Partner Dashboard, navigate to your app listing under Apps. In the App setup section, you will find a field for your privacy policy URL. This URL must be publicly accessible without requiring authentication. It will be displayed on your app's listing page in the Shopify App Store.
What happens if my app does not have a privacy policy?
Your app will not pass Shopify's review process and will not be listed in the App Store. Existing apps found to violate the Partner Program Agreement can be removed from the store. Your Partner account may face suspension for repeated violations. Shopify has increased enforcement significantly.
Do I need to handle GDPR data requests?
Yes. Shopify requires all apps to implement mandatory GDPR webhooks: customers/data_request, customers/redact, and shop/redact. These handle data access and deletion requests forwarded by Shopify from merchants and their customers. Failure to implement these webhooks will prevent your app from being approved.
Does my custom or private app need a privacy policy?
Custom apps are not reviewed the same way as public apps, but they still access merchant and customer data. You are bound by the Partner Program Agreement and applicable privacy laws. A privacy policy is strongly recommended and may be legally required depending on where your merchants and their customers are located.
What must my Shopify app privacy policy include?
Your policy must disclose what merchant and customer data your app accesses through API scopes, how it is used, whether it is shared with third parties, how it is stored and secured, how long it is retained, and how data subjects can request access or deletion. You must also disclose your GDPR webhook implementation.