Privacy Policy for WooCommerce

WooCommerce stores collect order data, payment details, shipping addresses, and customer accounts. Your privacy policy must cover all of this to comply with GDPR and CCPA. A standard WordPress privacy policy is not enough.

For WooCommerce store owners, WordPress developers, and ecommerce business operators.

Last updated: March 2026 · Reviewed for GDPR, CCPA & CalOPPA compliance

Written by Anupam Kumar · 11 min read

WooCommerce stores need a privacy policy that goes beyond standard WordPress requirements. WooCommerce collects order data, payment details through gateways like Stripe and PayPal, shipping addresses, customer account information, and purchase history. Your privacy policy must disclose each data category, name your payment processor, list data-collecting plugins, and explain retention periods for financial records.

WooCommerce powers over 5 million online stores worldwide. It is the most popular ecommerce platform built on WordPress, and it transforms a standard WordPress site into a full online store with product listings, shopping carts, checkout flows, customer accounts, and order management.

This transformation also fundamentally changes the data your site collects. A standard WordPress blog might collect names and emails through comment forms. A WooCommerce store collects billing addresses, shipping addresses, phone numbers, payment card details (through your gateway), order histories, customer account credentials, and potentially much more depending on your plugins.

This guide covers exactly what data WooCommerce collects, how to handle payment gateway disclosures, which popular plugins create additional obligations, how to use WooCommerce's built-in privacy tools, and how to create a comprehensive privacy policy that covers all of it.

Why WooCommerce Needs Its Own Privacy Policy Section

If you already have a WordPress privacy policy, you might assume it covers your WooCommerce store. It does not. WooCommerce collects fundamentally different categories of data that a standard WordPress privacy policy does not address.

A WordPress privacy policy typically covers comments, cookies, embedded content, and basic analytics. A WooCommerce store needs all of that plus dedicated sections for order processing, payment handling, customer accounts, shipping data, purchase history, and the specific plugins you use to run your store.

Under GDPR, the principle of transparency (Article 5(1)(a)) requires you to clearly inform users about every category of personal data you collect and every purpose for which you process it. Under CCPA, you must disclose the categories of personal information collected in the preceding 12 months. Ecommerce data creates multiple new categories that your WordPress policy does not cover.

There is also a legal basis issue. Different WooCommerce data categories are processed under different GDPR legal bases. Order fulfillment falls under contract performance (Article 6(1)(b)). Financial record retention falls under legal obligation (Article 6(1)(c)). Marketing emails may require consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)). Your privacy policy must identify the correct legal basis for each processing activity.

Orders: Names, addresses, items, totals

Payments: Card data via payment gateway

Accounts: Credentials, history, preferences

Q: Can I just add WooCommerce sections to my existing WordPress privacy policy?

Yes, that is a valid approach. You do not need a separate document. But you do need to add dedicated sections covering order data, payment processing, customer accounts, and all ecommerce-specific data flows. The WooCommerce sections should be substantial, not just a sentence or two.

Q: I only sell a few products. Do I still need all these disclosures?

Yes. Whether you sell 3 products or 3,000, the data collection is the same. Every order processes the same categories of personal data: name, address, email, payment details, and order contents. The privacy requirements scale with the type of data collected, not the volume of sales.

What WooCommerce Collects

WooCommerce collects data across multiple categories. Some is stored directly in your WordPress database. Some is passed to external services like payment gateways. Some is generated automatically through sessions and analytics. Understanding the difference is critical for writing an accurate privacy policy.

| Data Category | Specific Data Points | Stored In | GDPR Legal Basis |
|---|---|---|---|
| Order Data | Customer name, email, billing address, shipping address, phone number, order items, quantities, totals, tax amounts, shipping method | WordPress database | Contract performance |
| Payment Data | Card number, expiry, CVV (processed by gateway), transaction ID, payment method type, last 4 digits (stored by WooCommerce) | Payment gateway (Stripe, PayPal, etc.) | Contract performance |
| Account Data | Username, email, password hash, display name, saved addresses, order history, account creation date | WordPress database | Contract / Consent |
| Session Data | Cart contents, recently viewed products, session token, applied coupons | WordPress database + cookies | Legitimate interest |
| Analytics Data | Revenue, order count, products sold, customer segments, conversion rates (WooCommerce Analytics) | WordPress database | Legitimate interest |
| Tax Records | Transaction amounts, tax rates applied, customer location for tax determination, invoice data | WordPress database | Legal obligation |
| Shipping Data | Shipping address, selected carrier, tracking number, package weight and dimensions, delivery status | WordPress database + shipping provider | Contract performance |

The key distinction to understand is what WooCommerce stores in your database versus what it passes to external services. Full credit card numbers are never stored in your WordPress database. They are sent directly to your payment gateway for processing. WooCommerce only stores a transaction reference ID and the last four digits for display purposes.

Your privacy policy must be clear about this distinction. Customers need to know that their card details are handled by Stripe, PayPal, or whichever gateway you use, and that those details are subject to that gateway's privacy policy and security standards.

Did you know?

WooCommerce stores order data as custom post types in your WordPress database. Starting with WooCommerce 8.2, High-Performance Order Storage (HPOS) moves order data to dedicated database tables for better performance. Regardless of which storage method you use, the same personal data is collected. Your privacy policy does not need to mention the technical storage method, but it must disclose the data categories.

Payment Gateway Disclosures

Your payment gateway is one of the most important data processors to disclose in your privacy policy. It receives sensitive financial data from your customers, including credit card numbers, billing addresses, and transaction amounts. Under GDPR, you must identify each data processor that handles personal data on your behalf.

Here are the most common WooCommerce payment gateways and what data they receive.

| Gateway | Data Received | PCI Compliant | GDPR DPA Available |
|---|---|---|---|
| Stripe | Card number, expiry, CVV, billing address, email, IP address, device fingerprint for fraud detection | PCI DSS Level 1 | Yes |
| PayPal | PayPal account email, transaction amount, billing address, shipping address, order details | PCI DSS Level 1 | Yes |
| Square | Card number, expiry, CVV, billing address, transaction amount, customer name, email | PCI DSS Level 1 | Yes |
| Authorize.net | Card number, expiry, CVV, billing name and address, transaction amount, IP address | PCI DSS Level 1 | Yes |
| WooCommerce Payments | Same as Stripe (built on Stripe infrastructure), plus dispute and chargeback data | PCI DSS Level 1 | Yes |

Your privacy policy must name the specific payment gateway you use. Saying "we use a third-party payment processor" is not sufficient under GDPR Article 13. You need to identify the processor by name, describe what data it receives, state the purpose (payment processing), and ideally link to their privacy policy.

If you accept multiple payment methods (for example, both Stripe for credit cards and PayPal as an alternative), you must disclose each one. Each payment method is a separate data flow to a separate processor, and each must be individually disclosed.

Did you know?

WooCommerce Payments is built on Stripe's infrastructure but is operated by Automattic (the company behind WordPress.com). This means your privacy policy should mention both WooCommerce Payments and the fact that it is powered by Stripe. Customer card data is processed by Stripe on behalf of WooCommerce Payments, creating a sub-processor relationship that ideally should be disclosed.

Q: Do I need a Data Processing Agreement with my payment gateway?

Under GDPR Article 28, yes. You need a DPA with every data processor. Most major payment gateways have a standard DPA available on their website that you can accept. Stripe, PayPal, and Square all offer GDPR DPAs. Some apply automatically when you agree to their terms of service.

Q: What if I switch payment gateways?

You must update your privacy policy immediately to reflect the new payment processor. Remove references to the old gateway and add the new one. If the switch represents a material change to how payment data is handled, consider notifying existing customers.

Popular WooCommerce Plugins That Collect Data

Most WooCommerce stores rely on multiple plugins to add functionality: email marketing, analytics, SEO, security, subscriptions, and shipping. Many of these plugins collect customer data or send data to external services. Each one is a data processor that your privacy policy must disclose.

Here are the most common WooCommerce plugins and the data they handle.

| Plugin | Category | Data It Collects or Transmits | Sends Data Externally |
|---|---|---|---|
| Mailchimp for WooCommerce | Email Marketing | Customer email, name, purchase history, cart data, product interests, marketing consent | Yes (Mailchimp servers) |
| Klaviyo | Email Marketing | Customer email, name, order data, browsing behavior, cart abandonment, product views | Yes (Klaviyo servers) |
| Yoast SEO | SEO | Site usage data if tracking is enabled, structured data generation from product pages | Optional (Yoast tracking) |
| Jetpack | Security / Stats | Visitor IPs, page views, browser data, login attempts, brute force protection data | Yes (WordPress.com servers) |
| WooCommerce Subscriptions | Recurring Billing | Subscription status, renewal dates, payment tokens, billing history, failed payment data | Via payment gateway |
| Google Analytics (via plugin) | Analytics | Page views, sessions, enhanced ecommerce data (product views, add to cart, purchases), demographics | Yes (Google servers) |
| WooCommerce Shipping | Shipping | Shipping address, package dimensions, weight, selected carrier, tracking number | Yes (carrier APIs) |
| Wordfence | Security | IP addresses, login attempts, firewall logs, malware scan results | Yes (Wordfence threat network) |

Review your Plugins page in WordPress admin and check every active plugin. For each one, ask: does this plugin collect customer data? Does it send data to an external service? If the answer to either question is yes, your privacy policy needs to mention it.

Pay special attention to email marketing plugins like Mailchimp and Klaviyo. These sync your entire customer list, including names, emails, purchase history, and behavioral data, to external servers. This is a significant data transfer that requires explicit disclosure. If these services are based in the US and your customers are in the EU, international data transfer provisions under GDPR also apply.
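The plugin review above is manual. As an added example (not WooCommerce or WordPress code), the following Python script gives a first pass at the "does it send data to an external service?" question by scanning each active plugin's PHP source for outbound HTTP calls and listing the hostnames referenced in those files. The plugin names, file contents and hostnames it builds are constructed for the demo; on a real site you would point it at wp-content/plugins and the active-plugin list from Plugins > Installed Plugins (or `wp plugin list --status=active`).

```python
# Added example (not WooCommerce or WordPress code): a heuristic audit that flags which
# active plugins contain outbound HTTP calls and which hosts they reference, as a
# starting point for the "does it send data externally?" question. Plugin names, file
# contents and hostnames below are constructed for the demo.
import os
import re
import tempfile
from urllib.parse import urlparse

# PHP/WordPress calls that can move data off the server. Heuristic, not exhaustive:
# URLs assembled at runtime, JavaScript beacons and bundled SDKs will not be caught.
OUTBOUND_CALLS = re.compile(
    r"\b(?:wp_remote_(?:get|post|request|head)|wp_safe_remote_(?:get|post|request)"
    r"|curl_init|curl_setopt|file_get_contents|fsockopen)\s*\("
)
URL_LITERAL = re.compile(r"""['"](https?://[^'"\s]+)['"]""")


def scan_plugin(plugin_dir):
    """Return {hostname: [file:line, ...]} for URL literals in PHP files that also call
    an outbound function. A URL in a file with no outbound call (docs link, credit)
    is ignored, since it is not evidence of a data transfer."""
    hits = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            if not any(OUTBOUND_CALLS.search(ln) for ln in lines):
                continue
            rel = os.path.relpath(path, plugin_dir)
            for lineno, ln in enumerate(lines, 1):
                for url in URL_LITERAL.findall(ln):
                    host = urlparse(url).hostname
                    if host:
                        hits.setdefault(host, []).append(f"{rel}:{lineno}")
    return {host: sorted(refs) for host, refs in hits.items()}


def audit_active_plugins(plugins_root, active_slugs):
    """Scan only the plugins that are active; inactive code does not run or send anything."""
    return {slug: scan_plugin(os.path.join(plugins_root, slug)) for slug in active_slugs}


def build_sample_plugins():
    """Write two constructed plugins into a temp dir: one that posts customer data to an
    external API, one that only contains a documentation link. Returns the plugins root."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "mail-sync/mail-sync.php": (
            "<?php\n/* Plugin Name: Mail Sync (constructed sample) */\n"
            "function ms_sync_customer( $email, $orders ) {\n"
            "    $endpoint = 'https://api.mailer.example/v3/lists/subscribe';\n"
            "    return wp_remote_post( $endpoint, array( 'body' => compact( 'email', 'orders' ) ) );\n"
            "}\n"
        ),
        "local-tweaks/local-tweaks.php": (
            "<?php\n/* Plugin Name: Local Tweaks (constructed sample) */\n"
            "// Documentation link only; nothing leaves the server.\n"
            "define( 'LT_DOCS', 'https://docs.example/local-tweaks' );\n"
        ),
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = audit_active_plugins(build_sample_plugins(), ["mail-sync", "local-tweaks"])
    for slug, hosts in report.items():
        print(slug, "->", hosts or "no outbound calls found")
```

Treat every host the scan reports as a candidate processor to confirm against the plugin's documentation, and treat an empty result as "nothing found by this heuristic", not as proof that the plugin sends nothing: tracking scripts loaded in the browser and URLs built from configuration values are invisible to it.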

Not sure which plugins are collecting data? Start with a fresh, accurate policy generated from your current setup using a privacy policy generator.

WooCommerce's Built-In Privacy Tools

Since WordPress 4.9.6, WordPress has included built-in privacy tools that WooCommerce extends with ecommerce-specific functionality. These tools help you comply with GDPR data subject rights, but they are not a substitute for a proper privacy policy.

Personal Data Export

Under GDPR Article 20, users have the right to receive their personal data in a portable format. WordPress provides a personal data export tool under Tools > Export Personal Data. When you enter a customer's email and confirm the export, WordPress generates a ZIP file containing all data associated with that email address. WooCommerce adds order data, customer account data, and billing/shipping addresses to this export.

Personal Data Erasure

Under GDPR Article 17, users have the right to erasure (the "right to be forgotten"). WordPress provides a personal data erasure tool under Tools > Erase Personal Data. WooCommerce integrates with this tool but handles it carefully: it anonymizes order data rather than deleting it entirely, because you may need to retain financial records for tax compliance.

When you process an erasure request in WooCommerce, customer names and addresses in orders are replaced with "Anonymized" text. The order itself and its financial details (items, totals, tax) are preserved for accounting records. This balances the customer's right to erasure with your legal obligation to maintain financial records.
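To make the anonymize-versus-delete trade-off concrete, here is an added Python model of the behaviour just described. It is not WooCommerce's code: the field names, order records and retention rule are constructed to show how identifying fields can be cleared on an erasure request while every financial field is preserved, and how a "anonymize completed orders after N days" style retention rule selects orders.

```python
# Added example (not WooCommerce code): a model of the anonymize-rather-than-delete
# behaviour described above, so the trade-off between the right to erasure and financial
# record keeping can be tested. Field names and sample orders are constructed.
from copy import deepcopy
from datetime import date, timedelta

ANON = "Anonymized"
AUDIT_DATE = date(2026, 3, 15)  # constructed "today" for the retention check

# Identifies the customer: cleared on an erasure request.
PII_FIELDS = ("billing_name", "billing_email", "billing_phone",
              "billing_address", "shipping_address", "customer_ip")
# Needed for tax and accounting: must survive an erasure request unchanged.
FINANCIAL_FIELDS = ("items", "subtotal", "tax", "shipping", "total",
                    "order_date", "transaction_id")


def anonymize_order(order):
    """Return a copy with identifying fields replaced and the account link removed,
    leaving every financial field intact."""
    out = deepcopy(order)
    for field in PII_FIELDS:
        if field in out:
            out[field] = ANON
    out["customer_id"] = None
    out["anonymized"] = True
    return out


def erase_customer(orders, email):
    """Handle an Article 17 request: anonymize every order placed with this email.
    Orders are never removed, because the financial record must be retained."""
    count = 0
    for i, order in enumerate(orders):
        if not order.get("anonymized") and order.get("billing_email", "").lower() == email.lower():
            orders[i] = anonymize_order(order)
            count += 1
    return count


def orders_due_for_anonymization(orders, today, retain_days):
    """Retention rule in the spirit of Accounts & Privacy > 'anonymize completed orders
    after N days': completed, not yet anonymized, older than the cutoff."""
    cutoff = today - timedelta(days=retain_days)
    return [o["id"] for o in orders
            if o["status"] == "completed" and not o.get("anonymized") and o["order_date"] <= cutoff]


def financial_record_intact(before, after):
    """Audit check: an erasure must not alter any financial field."""
    return all(before.get(f) == after.get(f) for f in FINANCIAL_FIELDS)


def _order(oid, status, when, customer_id, name, email, subtotal):
    """Build one constructed order record."""
    return {"id": oid, "status": status, "order_date": when, "customer_id": customer_id,
            "billing_name": name, "billing_email": email, "billing_phone": "+1 555 0100",
            "billing_address": "1 Main St, Springfield", "shipping_address": "1 Main St, Springfield",
            "customer_ip": "203.0.113.5", "items": [{"sku": "TEE-01", "qty": 2, "price": subtotal / 2}],
            "subtotal": subtotal, "tax": round(subtotal * 0.08, 2), "shipping": 5.0,
            "total": round(subtotal * 1.08 + 5.0, 2), "transaction_id": f"txn_constructed_{oid}"}


def sample_orders():
    """Fresh copy of the constructed order set, so callers can mutate freely."""
    return [
        _order(1001, "completed", date(2025, 11, 2), 7, "Jane Doe", "jane@example.com", 40.0),
        _order(1002, "completed", date(2026, 3, 10), 7, "Jane Doe", "jane@example.com", 25.0),
        _order(1003, "processing", date(2026, 3, 12), 8, "Ahmed Khan", "ahmed@example.com", 60.0),
    ]


if __name__ == "__main__":
    orders = sample_orders()
    print("anonymized", erase_customer(orders, "jane@example.com"), "orders")
    print("due for scheduled anonymization:", orders_due_for_anonymization(sample_orders(), AUDIT_DATE, 30))
```

The `financial_record_intact` check is the part worth keeping around: run it over a test copy of your orders before and after an erasure so that a misconfigured eraser cannot quietly drop totals or tax amounts that you are legally required to keep.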

Privacy Policy Page

WordPress provides a dedicated Privacy Policy page feature under Settings > Privacy. When you set a page as your privacy policy, WordPress links to it automatically from the login and registration pages. WooCommerce extends this by linking to your privacy policy from the checkout page and adding a consent checkbox option.

WooCommerce also provides suggested privacy policy text that you can add to your page. This suggested text covers basic WooCommerce data handling but is generic. It does not cover your specific payment gateway, plugins, or business practices. It should be used as a starting point, not as your complete policy.

Did you know?

WooCommerce allows you to configure automatic data retention settings. Under WooCommerce > Settings > Accounts & Privacy, you can set how long inactive accounts are retained, how long pending orders are kept, and whether to anonymize completed orders after a set period. These settings should match the retention periods disclosed in your privacy policy.

WordPress Privacy Tools vs What Your Policy Still Needs

| GDPR Requirement | WordPress/WooCommerce Tool | What You Still Need |
|---|---|---|
| Right to data portability | Personal Data Export tool | Disclose this right in your policy |
| Right to erasure | Personal Data Erasure tool | Explain anonymization vs deletion |
| Privacy policy page | Settings > Privacy page | Write actual, customized policy content |
| Consent at checkout | WooCommerce privacy checkbox | Specify what consent covers in policy |
| Data processor disclosures | No built-in tool | Name every processor in your policy |
| Data retention periods | WooCommerce retention settings | Disclose exact periods in policy |

Common WooCommerce Privacy Mistakes

These are the most frequent privacy mistakes made by WooCommerce store owners. Each one creates a compliance gap that could result in GDPR fines, CCPA penalties, or customer trust issues.

Mistake: "My payment gateway handles all the sensitive data"

While your payment gateway processes the card numbers, WooCommerce still collects and stores extensive personal data: customer names, email addresses, physical addresses, phone numbers, order histories, and transaction references. You are the data controller for all of this data. The fact that card numbers go through Stripe does not absolve you of responsibility for the other personal data your store collects.

Mistake: "WordPress has a built-in privacy page so I am covered"

WordPress provides a privacy policy page feature and WooCommerce suggests some generic text for it. But this suggested text is a template, not a complete policy. It does not include your specific payment gateway, your specific plugins, your actual data retention periods, or your contact information. Using the suggested text without customization is like using a blank form without filling it in.

Mistake: "I only sell digital products so I collect less data"

Digital product stores still collect customer names, email addresses, billing addresses, and payment details through the checkout process. WooCommerce creates customer accounts, tracks download history and download counts, and stores IP addresses associated with downloads for license enforcement. The privacy obligations are nearly identical to physical product stores, just without the shipping address component.

Mistake: "My WooCommerce theme came with a privacy policy"

Some WooCommerce themes include a placeholder privacy policy page. Like template policies on other platforms, these are generic text that does not reflect your specific store setup, payment gateways, plugins, or business details. A compliant privacy policy must be customized to your actual data practices. A theme's placeholder policy is nearly guaranteed to be inaccurate for your store.

Mistake: "I do not need to disclose plugins"

Every plugin that collects, processes, or transmits customer data is a data processor under GDPR. If Mailchimp for WooCommerce syncs your customer list to Mailchimp servers, that is a data transfer to a third-party processor. If Jetpack sends visitor data to WordPress.com servers, that is another. If your Google Analytics plugin sends ecommerce event data to Google, that is a third. Each must be named in your policy.

How to Create a Privacy Policy for WooCommerce (7 Steps)

Follow this process to create a comprehensive privacy policy for your WooCommerce store that covers all data flows, satisfies GDPR and CCPA, and works with WordPress's built-in privacy tools.

1. Audit all data collection points in your store

Go through your entire WooCommerce checkout flow as a customer would. Note every field on the checkout page, the registration form, and the account area. Check your WooCommerce settings for additional data collection: customer accounts, guest checkout, marketing consent checkboxes, and analytics tracking.

2. Identify your payment gateway and its data handling

Check WooCommerce > Settings > Payments to see which payment methods are active. For each gateway, document what customer data it receives and review its privacy policy and DPA. If you use multiple gateways (such as Stripe and PayPal), each one needs separate disclosure.

3. List all plugins that handle customer data

Review every active plugin in your WordPress admin under Plugins > Installed Plugins. For each one, determine whether it collects customer data, sends data to external services, or modifies how WooCommerce handles data. Email marketing, analytics, security, and shipping plugins are the most common ones that require disclosure.

4. Determine your data retention periods

Check your WooCommerce > Settings > Accounts & Privacy page for retention settings. Determine how long you need to keep order records for tax purposes (typically 5-7 years in most jurisdictions). Document how long you keep customer accounts, abandoned carts, and marketing consent records. These periods must be stated in your privacy policy.

5. Generate your privacy policy

Use a privacy policy generator to create a policy based on your WooCommerce store's specific setup. Answer questions about your data practices, payment gateways, plugins, and retention periods. This produces a customized policy that covers all your ecommerce-specific data flows.

6. Publish using WordPress privacy tools

Create a new page in WordPress and paste your generated privacy policy content. Then go to Settings > Privacy and select this page as your privacy policy page. WordPress and WooCommerce will automatically link to it from login, registration, and checkout pages.

7. Add links to checkout and verify privacy tools

Verify that your privacy policy link appears on the checkout page, in your site footer, and on the registration page. Enable the privacy policy checkbox at checkout if required by GDPR. Test the Personal Data Export and Personal Data Erasure tools to make sure they work correctly with your WooCommerce setup.
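Steps 2 to 4 produce an inventory (gateways, data-handling plugins, retention periods) and steps 5 to 7 produce a published policy. As an added example, not the generator's or WooCommerce's code, the Python below checks the published text against that inventory and reports every processor or retention period the policy never names. The inventory, alias lists and policy excerpt are constructed; substitute your own.

```python
# Added example (not the generator's or WooCommerce's code): a check that the published
# policy text actually names every processor and retention period found in steps 2 to 4.
# The inventory and the policy excerpt are constructed for the demo.
import re

STORE_INVENTORY = {
    # Name -> aliases that count as naming it in the policy
    "gateways": {"Stripe": ["Stripe"], "PayPal": ["PayPal"]},
    "plugins": {
        "Mailchimp for WooCommerce": ["Mailchimp"],
        "Jetpack": ["Jetpack", "WordPress.com"],
        "Google Analytics (via plugin)": ["Google Analytics"],
    },
    # Accounts & Privacy settings and tax retention, as documented in step 4
    "retention": {"inactive accounts": "12 months", "order records (tax)": "7 years"},
}

POLICY_EXCERPT = """
Payments are processed by Stripe, which receives your card details, billing address
and email address. We share your email address and purchase history with Mailchimp to
send marketing messages with your consent. We keep order records for 7 years to meet
tax obligations.
"""


def _mentioned(text, aliases):
    """True if any alias appears as a whole word/phrase, case-insensitively."""
    return any(re.search(r"\b" + re.escape(alias) + r"\b", text, re.IGNORECASE)
               for alias in aliases)


def check_policy_coverage(policy_text, inventory):
    """Return the inventory entries the policy never names, grouped by kind."""
    missing = {"gateways": [], "plugins": [], "retention": []}
    for kind in ("gateways", "plugins"):
        for name, aliases in inventory[kind].items():
            if not _mentioned(policy_text, aliases):
                missing[kind].append(name)
    for subject, period in inventory["retention"].items():
        if not _mentioned(policy_text, [period]):
            missing["retention"].append(f"{subject}: {period}")
    return missing


def has_gaps(missing):
    """True if any category still has an undisclosed entry."""
    return any(missing.values())


if __name__ == "__main__":
    gaps = check_policy_coverage(POLICY_EXCERPT, STORE_INVENTORY)
    for kind, names in gaps.items():
        for name in names:
            print(f"not disclosed ({kind}): {name}")
```

A name appearing in the text is the minimum, not the whole disclosure: for each processor the policy also has to say what data it receives and why, so use the report as a list of sections to write, and re-run it whenever you switch gateways or activate a plugin.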

Generate Your WooCommerce Privacy Policy

Answer a few questions about your WooCommerce store and get a customized, compliant privacy policy in under 60 seconds. Covers order data, payment gateways, plugins, and customer rights.

Frequently Asked Questions

Does my WooCommerce store need its own privacy policy?

Yes. A standard WordPress privacy policy does not cover the ecommerce-specific data that WooCommerce collects: order details, payment information, shipping addresses, customer account data, and purchase history. Your privacy policy must specifically address all of these data categories and identify your payment processor.

What data does WooCommerce collect from customers?

WooCommerce collects order data (name, email, addresses, phone, order items), payment data (processed through your gateway), customer account data (username, password hash, order history), session data (cart contents), and analytics data. The exact data depends on your checkout fields and enabled features.

Do I need to disclose my payment gateway?

Yes. Your payment gateway is a data processor that receives sensitive financial data. Under GDPR, you must name each processor, explain what data it receives, and link to its privacy policy. Saying "we use a third-party processor" without naming it is not sufficient.

Does WooCommerce store credit card numbers?

No. WooCommerce does not store full credit card numbers. Card data is processed by your payment gateway (Stripe, PayPal, etc.) and never stored in your WordPress database. WooCommerce only stores transaction IDs, payment method type, and the last four digits for display purposes. Your privacy policy should clarify this distinction.

How long should I keep WooCommerce order data?

Tax laws in most jurisdictions require you to retain financial transaction records for 5 to 7 years. You cannot delete order data immediately upon customer request if doing so would violate tax law. Your privacy policy must disclose these retention periods and explain why some data is kept after account deletion.

Do WooCommerce plugins need to be in my privacy policy?

Yes. Any plugin that collects, processes, or transmits customer data is a data processor under GDPR and must be disclosed. This includes email marketing plugins, analytics tools, shipping integrations, security plugins, and any plugin that connects to an external service with customer data.

Does WooCommerce have built-in privacy tools?

Yes. WordPress provides personal data export and erasure tools that WooCommerce extends with ecommerce data. There is also a privacy policy page feature and suggested privacy policy text. However, these tools help with GDPR compliance processes, not with writing your actual privacy policy. You still need a customized policy that describes your specific data practices.

Get Your WooCommerce Privacy Policy

Your WooCommerce store is collecting order data, payment details, and customer information. Generate a customized, compliant privacy policy that covers everything. Takes under 60 seconds.

Covers GDPR, CCPA, and CalOPPA · Customized for WooCommerce · Just $4.99