
Shopify Privacy Policy Template: Free Template for Shopify Store Owners

A free, store-ready privacy policy template built specifically for Shopify stores. Covers customer data, order processing, Shopify Payments, email marketing, abandoned cart emails, and third-party app disclosures.

For Shopify store owners who need a compliant privacy policy without hiring a lawyer or starting from scratch.

Last updated: March 2026 · Reviewed for GDPR, CCPA & Shopify compliance

Written by Anupam Kumar
16 min read

A Shopify privacy policy must include: what customer data your store collects (names, emails, addresses, payment info), how you use that data for order processing and marketing, which third parties receive data (Shopify, payment processors, shipping carriers, apps), your cookie and tracking practices, how customers can access or delete their data, and your contact information. Stores selling to EU customers must also include GDPR sections covering legal basis for processing and data subject rights. Stores with California customers need CCPA disclosures about categories of personal information collected and the right to opt out.

Setting up a Shopify store is straightforward, but writing a privacy policy that covers all your data practices is not. Your store collects customer data through checkout, account registration, email signups, abandoned cart recovery, cookies, and every third-party app you install. Each of these data flows needs to be disclosed in your privacy policy.

This page provides a complete, free template built specifically for Shopify stores. It covers every section your store needs, including Shopify-specific data flows, payment processor disclosures, and app-by-app data disclosures. If you need the full context on why Shopify stores need privacy policies, read the complete Shopify privacy policy guide first.

If you run a Shopify app rather than a store, see the privacy policy for Shopify apps guide instead. The requirements for app developers are different from those for store owners.

What Your Template Must Include

Every Shopify store privacy policy needs to cover specific areas. Privacy laws require these sections, and customers increasingly look for them before making a purchase. Here is the complete checklist of required and recommended sections for Shopify stores.

Required Sections

  • Customer data collection: What personal data you collect from customers, including names, email addresses, shipping addresses, phone numbers, payment information, and account details.
  • Order processing data: How customer data is used to fulfill orders, process payments, calculate taxes, arrange shipping, and send order confirmations and tracking updates.
  • Payment processor disclosures: Which payment processors handle customer financial data, including Shopify Payments, PayPal, Shop Pay, and any buy-now-pay-later services like Klarna or Afterpay.
  • Third-party app disclosures: Every installed Shopify app that accesses customer data must be disclosed, including what data the app processes and why.
  • Marketing and email practices: How you use customer data for email marketing, abandoned cart recovery emails, promotional campaigns, and how customers can opt out.
  • Cookies and tracking: What cookies your store uses, including Shopify analytics, Google Analytics, Facebook Pixel, and any other tracking scripts installed on your store.
  • Customer rights and data deletion: How customers can request access to their data, correct inaccurate information, or request deletion. Include your process for handling these requests.
  • Contact information: A way for customers to reach you with privacy questions. An email address is the minimum requirement.

Recommended Additional Sections

  • GDPR compliance section: Legal basis for processing, data retention periods, and EU customer rights including access, rectification, and erasure. Required if you sell to EU customers.
  • CCPA compliance section: Categories of personal information collected, the right to know, the right to delete, and the right to opt out of data sales. Required if you sell to California residents.
  • Data retention policy: How long you keep customer data after an order is fulfilled, how long account data is retained, and when data is deleted.
  • Shipping carrier disclosures: Which shipping carriers receive customer names and addresses, and links to their privacy policies.

Did you know?

Shopify stores typically share customer data with between 5 and 15 third parties without the store owner realizing it. Every installed app, every payment processor, every shipping carrier, and every analytics or marketing tool is a separate third party that your privacy policy must disclose. Run an audit of your installed apps before writing your policy to avoid missing any.

Full Template Preview

Below is the complete privacy policy template with each section shown. Bracketed text like [Your Store Name] indicates placeholders you need to replace with your specific details. Remove any sections that do not apply to your store.

Shopify Store Privacy Policy Template

Privacy Policy for [Your Store Name]

Effective Date: [Date]

1. Introduction

This privacy policy describes how [Your Store Name] ("we," "us," or "our") collects, uses, stores, and shares personal data when you visit our online store at [yourstore.com], create an account, place an order, or interact with us in any way. Our store is built on the Shopify platform. By using our store, you agree to the data practices described in this policy.

2. Customer Data We Collect

We collect the following types of personal data:

  • Name, email address, phone number, and shipping/billing address (provided during checkout or account creation)
  • Payment information (processed securely by our payment processors; we do not store credit card numbers)
  • Order history, product preferences, and shopping cart contents
  • IP address, browser type, device information, and browsing behavior on our store
  • Email marketing preferences and subscription status
  • [Any additional data types specific to your store]

3. How We Use Your Data

We use the collected data for the following purposes:

  • To process and fulfill your orders, including payment processing, shipping, and delivery updates
  • To create and manage your customer account
  • To send order confirmations, shipping notifications, and customer service communications
  • To send marketing emails, promotional offers, and abandoned cart reminders (with your consent)
  • To improve our store, products, and customer experience through analytics
  • To comply with legal obligations including tax reporting and fraud prevention

4. Third-Party Data Sharing

We share customer data with the following categories of third parties:

  • Shopify: Our ecommerce platform that processes and stores order data on our behalf
  • Payment processors: [Shopify Payments, PayPal, Shop Pay, Klarna, Afterpay] to process transactions securely
  • Shipping carriers: [USPS, UPS, FedEx, DHL] to deliver your orders
  • Email marketing: [e.g., Klaviyo, Shopify Email] to send marketing communications
  • Analytics: [e.g., Google Analytics] to understand store traffic and customer behavior
  • Shopify apps: [List your installed apps that access customer data]

We do not sell your personal data to third parties.

5. Cookies and Tracking

Our store uses cookies and similar tracking technologies. Shopify sets essential cookies for store functionality, cart management, and checkout. We also use [Google Analytics, Facebook Pixel, or other tracking tools] to understand how customers interact with our store. You can manage cookie preferences through your browser settings. Disabling cookies may affect store functionality, including the ability to add items to your cart and complete checkout.

6. Data Storage and Security

Your data is stored on Shopify's secure servers. Shopify uses industry-standard encryption and security measures to protect your data. Payment information is processed through PCI-DSS compliant payment processors and is not stored on our servers. We retain your order data for [specify period, e.g., "7 years for tax and legal compliance"] and account data for as long as your account is active.

7. Your Rights and Data Deletion

You have the right to access, correct, or delete your personal data. To request a copy of your data, update inaccurate information, or request deletion, contact us at [your email]. We will respond to your request within 30 days. Note that we may need to retain certain data for legal compliance, such as order records for tax purposes.

8. GDPR Compliance (EU Customers)

If you are located in the European Union, we process your data under the legal basis of [contract performance for order fulfillment / legitimate interest for fraud prevention / consent for marketing emails]. You have the right to access, rectify, erase, restrict processing, and port your data. You also have the right to withdraw consent for marketing at any time. To exercise these rights, contact us at [your email].

9. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our data practices, new apps or services, or legal requirements. Changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.

10. Contact Us

If you have questions about this privacy policy or how we handle your data, contact us at: [your email address] or through our contact page at [yourstore.com/contact].

This template gives you the foundation. The sections below walk you through Shopify-specific data flows, payment processor disclosures, and app-by-app data disclosures you should add to customize the template for your store.

Q: Can I use Shopify's default privacy policy template instead of this one?

Shopify's built-in template in Settings > Policies is a starting point, but it is generic. It does not cover your specific apps, marketing tools, or payment processors. This template includes those Shopify-specific sections so you can disclose your actual data practices accurately. You can paste this template into the Shopify Policies field directly.

Q: Do I need a separate privacy policy if I already have terms and conditions?

Yes. Terms and conditions and privacy policies serve different legal purposes. Your terms of service govern the commercial relationship with customers, while your privacy policy governs how you handle their personal data. Privacy laws specifically require a separate privacy policy document. Combining them into one page is not recommended.

Shopify-Specific Data Flows

Understanding who collects what data in a Shopify store is critical for writing an accurate privacy policy. Data collection in a Shopify store is split between three parties: Shopify itself, you as the store owner, and third-party apps. The table below breaks down which party collects which data types.

| Data Type | Shopify (Platform) | Store Owner (You) | Third-Party Apps |
|---|---|---|---|
| Customer name and email | Stored in Shopify database | Collected via checkout and account forms | Accessed by email marketing and review apps |
| Shipping address | Stored for order fulfillment | Shared with shipping carriers | Accessed by fulfillment and dropshipping apps |
| Payment information | Processed via Shopify Payments (Stripe) | Never stored; handled by payment processor | Not accessible to third-party apps |
| Order history | Stored in Shopify database | Used for customer service and reporting | Accessed by analytics, review, and subscription apps |
| Browsing behavior | Tracked via Shopify analytics | Used for abandoned cart recovery | Tracked by analytics pixels and marketing apps |
| Email marketing data | Shopify Email stores subscriber lists | Managed through email signup forms | Synced to Klaviyo, Mailchimp, or similar |
| Cookies and device data | Essential cookies for cart and checkout | Configured through theme and settings | Set by Google Analytics, Facebook Pixel, etc. |

Your privacy policy needs to account for all three columns. Many store owners only disclose what they personally collect, forgetting that Shopify and installed apps also process customer data on their behalf. For a broader look at ecommerce privacy requirements, see the ecommerce privacy policy guide.

Payment Processor Disclosures

Every payment method you accept involves a third-party processor that handles sensitive financial data. Your privacy policy must disclose each payment processor and link to their privacy policy. Below are the most common payment processors used by Shopify stores.

Shopify Payments (powered by Stripe)

Data processed: Credit/debit card numbers, billing address, transaction amounts, and fraud detection data

Enabled by default on most Shopify stores. Shopify Payments is built on Stripe's infrastructure. Both Shopify's and Stripe's privacy policies apply.

PayPal

Data processed: Email address, name, billing address, and transaction details through PayPal's platform

Customers who choose PayPal are redirected to PayPal's site to complete payment. PayPal's own privacy policy governs data collected on their platform.

Stripe (direct integration)

Data processed: Card details, billing information, IP address, and device data for fraud prevention

Some stores use Stripe directly instead of through Shopify Payments. If you use both, disclose both.

Shop Pay

Data processed: Email, shipping address, and payment details stored in the customer's Shop account

Shop Pay is Shopify's accelerated checkout. Customer data is stored in their Shop account and shared with your store during checkout.

Klarna

Data processed: Name, address, email, date of birth, and financial assessment data for buy-now-pay-later decisions

Klarna performs its own credit assessment. Customers who choose Klarna share additional personal data directly with Klarna.

Afterpay

Data processed: Name, address, email, phone number, and payment schedule data for installment plans

Similar to Klarna, Afterpay collects additional data for installment payment eligibility. Their own privacy policy governs this collection.

Only include the payment processors that are active in your store. Check your Shopify Admin under Settings > Payments to see which providers are enabled. If you accept manual payment methods like bank transfers or cash on delivery, disclose how that data is handled separately.

Did you know?

Shopify Payments is powered by Stripe, which means two separate companies process your customers' payment data. Your privacy policy should reference both Shopify's and Stripe's privacy policies. Many store owners only mention Shopify and miss the Stripe disclosure, which can be a compliance gap under GDPR.

App Disclosures

Every Shopify app that accesses customer data needs to be disclosed in your privacy policy. Below are the most common Shopify apps and what customer data they typically access. Include the ones you use and remove the rest.

| App | Purpose | Customer Data Accessed | Privacy Note |
|---|---|---|---|
| Klaviyo | Email and SMS marketing | Email, name, order history, browsing behavior, cart contents | Syncs customer data for segmentation and automated flows |
| Oberlo / DSers | Dropshipping fulfillment | Customer name, shipping address, order details | Shares order data with AliExpress suppliers |
| Judge.me | Product reviews | Email, name, order history, review content | Sends review request emails to customers after purchase |
| ReCharge | Subscription management | Email, name, payment info (tokenized), order and subscription history | Manages recurring billing and stores subscription preferences |
| Privy | Pop-ups and email capture | Email, browsing behavior, cart contents | Tracks on-site behavior to trigger pop-ups and collect emails |
| Google Shopping | Product feed and ads | Product data, conversion tracking, customer purchase events | Sends purchase data to Google for ad optimization |
| Facebook Channel | Facebook and Instagram commerce | Product data, customer browsing events, purchase conversions | Installs Meta Pixel for tracking and shares catalog data |

This is not an exhaustive list. Go to your Shopify Admin > Apps and review every installed app. For each app, check its permissions to see what customer data it can access. If an app reads customer data, it belongs in your privacy policy. For more on Shopify app privacy requirements, see the privacy policy for Shopify apps guide.

Did you know?

Under GDPR, every third-party app that processes customer data on your behalf is considered a "data processor," and you are the "data controller." This means you are legally responsible for ensuring each app handles customer data appropriately. If a Shopify app mishandles customer data, your store is liable, not just the app developer. This is why disclosing every app in your privacy policy matters.

Where to Add in Shopify Admin

Once your privacy policy is ready, follow these steps to add it to your Shopify store so it is visible to customers during checkout and from your store footer.

1. Open Settings in your Shopify Admin

Log in to your Shopify Admin at yourstore.myshopify.com/admin. Click "Settings" in the bottom-left corner of the sidebar. This opens the store settings panel.

2. Navigate to Policies

In the Settings menu, scroll down and click "Policies." This page contains fields for your privacy policy, refund policy, shipping policy, and terms of service.

3. Paste your privacy policy

Click the "Privacy policy" field and paste your completed privacy policy. Shopify's editor supports rich text formatting, so your headings, lists, and links will render correctly. Review the formatting to make sure everything looks right.

4. Save and verify the auto-generated page

Click "Save" at the top of the page. Shopify automatically creates a page at yourstore.com/policies/privacy-policy and adds a link to your checkout footer. Visit this URL to confirm the policy renders correctly.

5. Add to your footer navigation

Go to Online Store > Navigation in your Shopify Admin. Click on your "Footer menu." Add a new menu item, select "Policies" as the link type, and choose your privacy policy. This ensures the link appears in your store footer on every page, not just at checkout.

6. Test from a customer perspective

Visit your live store as a customer. Check that the privacy policy link appears in the footer, on the checkout page, and in the account registration area. Click through to confirm the full text loads correctly with proper formatting.

Common Mistakes

These are the five most common privacy policy mistakes Shopify store owners make. Avoiding them will keep your store compliant and build customer trust.

Mistake: Not disclosing installed Shopify apps

Every Shopify app that accesses customer data is a third-party data processor. If you have Klaviyo sending emails, Judge.me collecting reviews, or DSers fulfilling dropship orders, each one must appear in your privacy policy. Customers and regulators expect to know who has access to their data. Failing to disclose apps is one of the most common GDPR compliance gaps for Shopify stores.

Mistake: Using a generic privacy policy not built for ecommerce

A generic website privacy policy does not cover order processing, payment processors, shipping carriers, abandoned cart emails, or Shopify app integrations. Shopify stores have unique data flows that a standard website template cannot address. Your privacy policy must reflect the specific way an ecommerce store collects, processes, and shares customer data.

Mistake: Forgetting to mention abandoned cart emails

Abandoned cart recovery emails use customer data (email address and cart contents) for marketing purposes. Whether you use Shopify's built-in abandoned cart feature or a third-party app like Klaviyo, this practice must be disclosed in your privacy policy. Under GDPR, sending abandoned cart emails without proper disclosure and legal basis can result in complaints and fines.

Mistake: Not updating the policy when adding new apps

Shopify store owners install and remove apps regularly. Every time you add an app that accesses customer data, your privacy policy must be updated to reflect the new data sharing. An outdated policy that does not mention your current apps is inaccurate, which violates transparency requirements under GDPR, CCPA, and other privacy laws. Review your policy whenever you install a new app.

Mistake: Claiming you do not collect data when Shopify does it for you

Some store owners think that because Shopify handles the technical data collection, they do not need to disclose it. Under privacy law, you are the data controller. Shopify processes data on your behalf. You are responsible for disclosing all data collection that happens through your store, even if Shopify's systems are doing the technical work. Your privacy policy must cover what Shopify collects in addition to what you collect directly. For more on this, see do I need a privacy policy for my Shopify store.

Frequently Asked Questions

Does every Shopify store need a privacy policy?

Yes. Every Shopify store collects personal data through checkout, account creation, email signups, and cookies. Privacy laws like GDPR, CCPA, and PIPEDA require any business that collects personal data to have a privacy policy. Shopify itself requires it in its Terms of Service. Even if you only sell domestically, you need a privacy policy that accurately describes your data practices.

What must a Shopify privacy policy include?

Your policy must include: what personal data you collect, how you use it, which third parties receive it (Shopify, payment processors, shipping carriers, apps), your cookie practices, how customers can access or delete their data, your retention periods, contact information, and the effective date. Stores with EU customers need GDPR sections. Stores with California customers need CCPA disclosures.

Does Shopify provide a default privacy policy?

Shopify provides a basic template in Settings > Policies, but it is generic. It does not cover your specific apps, marketing tools, payment processors, or third-party integrations. You need to customize it to reflect your actual data practices. This template provides the Shopify-specific sections that the default template lacks.

Do I need to list every Shopify app in my privacy policy?

You should disclose any app that processes customer personal data. This includes email marketing apps, review apps, subscription apps, and any app that tracks customer behavior or accesses order data. You do not need to list apps that only affect your admin experience and never touch customer data.

How do I add a privacy policy to my Shopify store?

Go to your Shopify Admin, then Settings, then Policies. Paste your privacy policy into the Privacy Policy field. Shopify automatically creates a page at yourstore.com/policies/privacy-policy and adds it to your checkout footer. Also add a link in your footer navigation under Online Store > Navigation.

Is a free Shopify privacy policy template legally valid?

A free template can be legally valid if you customize it to accurately describe your store's actual data practices. Legal validity depends on accuracy and completeness, not whether you paid for the template. Replace all placeholders, add your specific apps and integrations, and ensure every data flow is disclosed. Stores in heavily regulated industries should consider legal review.

How often should I update my Shopify store's privacy policy?

Update it whenever your data practices change: new apps, new payment processors, new marketing tools, new regions you sell to, or changes to your cookie setup. At minimum, review quarterly since Shopify apps update their data practices frequently. Always update the effective date when you make changes. See our guide on Shopify privacy policy requirements for ongoing compliance tips.
