Everything You Need in Your Shopify Privacy Policy Template
Table of Contents
In this guide, we’ll take you through everything you need to know about create an eCommerce privacy policy for your Shopify Store.
Want to skip ahead, and add a quick and easy privacy policy to your store? Try Enzuzo's Free Shopify Privacy Policy Generator!
As consumers, we’re pretty much in agreement that it’s great to know who holds your personal data and what they do with it.
As ecommerce sellers, it can often feel like a nightmare trying to navigate areas like writing a Shopify privacy policy while you’re trying to run a business.
We’ll take a look at why you need one, what to include in it, and share an easy way to create an effective Shopify privacy policy in minutes.
What is a Shopify Privacy Policy?
Why You Need One
While you need a privacy policy for any website, it’s even more essential for a Shopify store as you’re handling personal data like names, addresses, and contact details.
Let’s take a look at why a privacy policy is a must-have for any Shopify store owner.
It’s a Legal Requirement
First up, having a privacy policy is a legal requirement in most countries around the world. People need to know what you’re doing with their data, and that’s backed up by legislation worldwide.
While most places agree that consumers need to understand how their personal data is captured, stored, and used, there’s no one consensus on what’s required in a privacy policy. This means there are several different pieces of law to get your head around as an ecommerce seller — especially if you sell to customers worldwide.
Here’s an overview of the different privacy policy requirements by location.
United States
There’s no real law at a federal level that requires you to have a privacy policy for your online store, but you do need to be mindful of California privacy laws — notably the California Online Privacy Protection Act (CalOPPA) and California Consumer Privacy Act (CCPA).
While these laws only apply to California residents, you never know where your next customer is coming from — so it pays to be proactive and cover all your bases.
The CalOPPA requires you to have a privacy policy displayed clearly on your website that covers the categories of personal information you collect, as well as how it’s used, stored, and shared. You also need to include a disclosure on whether or not you respect ‘do not track’ signals, and whether you use tracking cookies — commonly used to track user activity in order to display personalized ads.
California’s CCPA goes one step further and requires you to make consumers aware of this with a notice before their personal information is captured. This notice needs to feature a link to your privacy policy, so people can easily decide whether or not to engage with your website further.
Canada
In Canada, users’ data is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA). This country-wide law helps inform people about the data that’s collected on them and how it may be used.
Compared to some data protection legislation, the requirements of what you need to include in your privacy policy are quite simple. You need to explain which personal information you capture and hold about someone and what it’s used for, and whether or not it’s shared with any third parties. You also need to let users know how they can get in touch with you about their personal data, and how to exercise their right of access over it.
Europe
Consumers in Europe and the UK benefit from the widely talked-about and often disliked General Data Protection Regulation (GDPR). While some people feel that GDPR is too complicated and difficult to understand, it does provide individuals with strong control over their personal data.
To comply with GDPR for Shopify, you need to cover several areas within your privacy policy. You need to detail the types of personal information you process, along with your lawful basis for processing that data.
You also need to explain your safeguards for transferring that data outside the EU — which is especially applicable if you’re based in another country, or you use third-party services that are. It’s also important to cover your data retention policy and let people know how they can request and update personal information.
Rest of World
Outside of the US, Canada, and Europe, other legislation may influence your need for a privacy policy and what it should contain. Countries such as Australia, India, and Brazil all have their own data protection legislation that sets out what their residents need to see in an effective privacy policy.
The best way to meet legal requirements is to offer a simple yet comprehensive privacy policy disclaimer that covers how you capture, use, store, and share personal data.
To help you out, we’ve created a guide below that covers everything you should need. Plus, you can easily create a privacy policy that meets key legislation like GDPR, CCPA, PIPEDA, and LGPD (Brazil’s Lei Geral de Proteção de Dados) with Enzuzo.
Shopify Requires You to Have One
If the legal requirement isn’t reason enough, Shopify also specifies that you should display a clear privacy policy to your customers and website visitors.
In their own Privacy Policy, Shopify states that:
“Because you decide how the personal information of your customers will be used, you need to make sure your customers understand how you (and how we on your behalf) collect and process their personal information. You should do this by, at a minimum, posting a privacy policy on your store that describes the information you collect, how you use it, and who you share it with.”
Seeing as Shopify’s Terms of Service state that they can “modify, cancel, or refuse the service at any time”, it makes sense to make sure you have a valid Shopify privacy policy. If you don’t, you could run the risk of your account being closed and losing your ecommerce store.
What to Feature in Your Shopify Privacy Policy
With so many different laws and requirements to consider, getting started on your Shopify privacy policy can feel tough — especially if you’re starting with a blank slate.
To help you craft a meaningful, effective privacy policy, we’ve pulled together our best expertise on what to feature in your Shopify privacy policy. Here you’ll find inspiration on what to include, grouped by category to make it easy to write, check, and publish.
Want to just skip ahead and get your privacy policy sorted?
Your Identity and Contact Information
This section of your Shopify privacy policy is all about identifying yourself. A potential or returning customer needs to know who holds the information about them, and how to get in touch with them if they need to.
In this section you’ll want to feature the following information:
- Business name
- Business address
- Phone number
- Email address
If you have any other relevant business contact details, include them here too. This might include the specific email address for data requests, or further business addresses for different regions you serve.
Some privacy legislation (such as the GDPR) requires you to state whether or not you’re a data controller. A data controller is someone that “determines the processes and means of processing personal data”. If that’s the case, you’ll want to state clearly that you’re the data controller.
Personal Data Collection Categories
The type of personal data you collect can look very different depending on the products or services you offer. Within your privacy policy you’ll need to be clear about the type of information that’s collected, so your website visitors can decide whether or not they want to make this available to you.
Some of the most popular types of personal data collected include:
- Names
- Email addresses
- Phone numbers
- Payment information or credit card details
- Billing and shipping addresses
Outside of this, you’ll also have ecommerce-specific data that you collect. If you offer the opportunity for people to create an account with you, you’ll be storing usernames and passwords. It’s also likely that you collect more technical personal data — like IP addresses, browser type, device type, and referral data.
Before you finalize your privacy policy, make sure every type of personal data that you collect is covered here. Don’t forget to consider the third-party tools that you use for marketing, analytics, or advertising, and understand which data they collect too.
How You Collect Personal Data
It’s not enough for people to simply know which information about them you collect, they also need to know how it falls into your hands in the first place.
Most Shopify store owners gather personal data in two main ways — through the user providing you with this information at checkout, or through collection by third-party tracking cookies from tools like the Facebook Pixel or Google Analytics. You might also collect personal data through a mobile app, if you have one.
You’ll often gain key personal data like names, addresses, email addresses, and payment details directly from your customer or user. Examples of this include:
- Signing up to an email list
- Contacting support or sales with a query
- Making a purchase through checkout
Personal data can also be collected by third parties, usually through tracking cookies. This type of data is often more technical and relates to an individual’s device, browsing preferences, or history. Examples of how this can be collected include:
- Clicking through to your Shopify store from a Facebook Ad
- Discovering your product page from a Pinterest pin
- Taking an action on your site — e.g. visiting a product page
It’s worth keeping in mind that personal data doesn’t always come directly from the individual. Someone can easily supply you with another individual’s address — for example, if they’re buying one of your products to be shipped to them as a gift.
How and Why You Process Personal Data
Another key area to feature in your Shopify privacy policy is how and why you process personal data. This is often the area that your customers are most interested in, as it sets out how you use the information that you hold on them.
Here are some key reasons why you might process personal data:
- To fulfil orders and shipments
- To provide customer service and support
- To send out marketing materials (with consent)
- To personalize a user’s shopping experience with you
- To inform users of updates to your privacy policy
- To perform market research or obtain feedback
You also need to tell people how you process their personal data. In practice, this can look like:
- Sending text updates about orders
- Sending emails with promotional offers
- Sharing your delivery address and contact details with your fulfilment partner
- Targeting personalized ads on Facebook or Instagram
Some legislation, like the GDPR, requires you to have a ‘legitimate interest’ to hold and process data. You might find it helpful to detail your legitimate interest for doing this alongside each use within a table. This makes it really clear to people how their data is used, and why you believe you have the right to do this.
Who You Share Personal Data With
When it comes to running a Shopify store, you’re often making use of third-party tools to provide an amazing experience for your customers. Whether that’s to offer a more personalized experience by tailoring social media advertising, or analyzing how customers use your website so you can make future improvements.
Examples of popular third service providers for Shopify users include marketing tools and payment processors, including:
- Google Analytics
- Hotjar
- Stripe
- ConvertKit
- Klaviyo
As using third-party tools often means you share data with them, you need to cover this in your privacy policy. In this section, you should list the third-party tools and services you use, and confirm which data is shared with them.
With some legislation, like GDPR, these third parties will be known as ‘data processors’ — and it’s your responsibility to make sure they too have robust privacy policies and treat your customers’ data appropriately.
Sale of Personal Information
Most Shopify store owners don’t sell personal information. Indeed, it’s likely a very bad idea, as it’s forbidden in most countries — including those covered by the GDPR.
While most places consider this a no-no, you can do this within the United States. In this case, you need to clearly state the following as per the CCPA:
- A disclosure of the sale
- Who you sold the data to
- An opportunity for users to opt-out of the sale
Seeing as you most likely won’t be selling personal data, you can instead use this section as an opportunity to confirm that to your customers. Without a statement, either way, they may assume their data could end up being sold to the highest bidder.
Incentives Programs
Most data protection laws don’t cover incentives programs, but in the US the CCPA does. This means that if you offer incentives to users, you need to include the following details:
- Information on your incentives program
- How to opt-in or opt-out of the incentives program
Wider marketing-related consent also comes into play here, as the GDPR requires users to explicitly provide their consent for marketing. This means it makes sense to include a statement about your incentives program and how it works, even if you’re not sure if CCPA applies to you.
Data Retention
It makes good sense to only hold on to the data you need to keep, for as long as you need to keep it. In this section, outline your approach to personal data retention. Make it clear how long data is held for, and any set timescales you have for this.
Sometimes you’ll need to keep hold of data, like invoices and transactions, in order to fulfil your own accounting, business, or legal requirements. In most cases, you’ll want to retain data for as long as you have an ongoing relationship with the individual — so that you can provide services, ship orders, and provide communication.
Data Transfers
Ecommerce lets us operate from anywhere in the world, using services from any country. This means that customer data is often transferred from one location to another.
Some data protection legislation, like GDPR, requires you to share information about data transfer and make sure that any data is properly looked after wherever it goes. This can include stating which countries data is transferred to, and confirming that there are suitable contracts in place to safeguard it.
Data Subject Rights
People will often willingly give you their information and need to in order to do business with you. That’s not the end of the transaction though, as they always have the right to access, change, or request the deletion of their data that you hold.
Someone’s exact data subject rights vary depending on location, but your privacy policy should give people the opportunity to:
- Understand the data that you hold on them
- Access their personal data
- Know about data processing
- Object or consent to data processing
- Opt-out of the sale of data, if applicable
- Make a request to edit or delete some or all of the data you hold
You also need to make it clear how someone can make a subject access request, or enquire about any of the above. Include the contact details here and information on how they can do this. Want to make this step even easier? Our free privacy policy page tool for Shopify includes a built-in data request form.
Children’s Rights
In most cases, the people buying your products or handing over their personal data are adults. If you sell to children though, this needs to be stated and covered in your privacy policy. For data protection purposes, in most locations children are defined as someone below the age of 16.
Most Shopify store owners don’t hold the personal data of children. If that includes you, include a statement here that confirms that to be the case. If you do collect personal data on children, you need to make sure you comply with the Children’s Online Privacy Protection Rule (COPPA). This requires you to confirm how their data is used, and places other requirements on you like collecting parental consent.
Privacy Policy Updates
Like anything in business, your privacy policy will evolve and change over time. You’ll need to review and update it if anything major changes, or even if you start using a new third-party tool that collects additional personal data.
In this section, set out how you’ll inform individuals of any updates to your privacy policy. Most companies choose to do this through email. You can also share the date that your privacy policy was last updated, so users can get a feel for whether anything’s changed since they last visited.
How to Create a Shopify Privacy Policy the Easy Way
Your Shopify privacy policy needs to be comprehensive, but that doesn’t mean you need to spend hours or days agonizing over it. Instead, use a Shopify privacy policy template to simplify everything.
With Enzuzo, you can have a dedicated policy ready in minutes using our free Shopify privacy policy generator. This means you can spend less time building a custom privacy policy page, and more time on the things that matter most to running your ecommerce store.
You won’t have to sit and read through various applicable laws to understand what you need to include, or how to reference it correctly. Our free Shopify privacy policy generator does it all for you, and displays it in a way that’s easy for people to understand. Plus, we’ll keep it updated to the latest changes in privacy law. To see how it looks in practice, take a look at LAC Swim’s privacy policy.
How to Add an Enzuzo Privacy Policy to Your Shopify Store
To get started, simply check us out in the Shopify App Store. From there, you can add our app to your store and start creating a simple, effective Shopify privacy policy. We have a free plan available with all the essentials, or you can upgrade for extra customization and language options.
Get a Comprehensive Shopify Privacy Policy in Minutes!
Data privacy is a priority, but it doesn’t have to be complicated. We want to help you create a user-friendly yet comprehensive Shopify privacy policy in minutes — so you can stay compliant, and focus on delivering amazing products and customer service to your buyers.
You could write your own privacy policy from scratch, or you could use our free Shopify privacy policy generator to have one up and running on your store in no time at all. To make it happen, head to the Shopify App Store and get connected.
Nicola Scoon
Nicola is a freelance content writer for HR tech & SaaS. She's written for Polly, Zapier, Pyn & more and is passionate about remote work, employee wellbeing & productivity.