How To Make a Privacy Policy for Shopify Stores

Generate a Free Privacy Policy

Shopify is a fantastic resource for people to build ecommerce websites in a user-friendly, streamlined way. But if you’re using Shopify, you will need a privacy policy.

Not only are privacy policies legally required, but Shopify states directly in their Privacy for Merchants agreement that they collect personal information about your users to help power your business. At a minimum, they recommend you post one to your website.

So come along with me, and I’ll teach you how to make a Shopify store privacy policy, what information goes into it, and how to link it properly to your site.

Table of Contents
  1. How To Make a Shopify Privacy Policy
  2. Is a Shopify Store Privacy Policy Required?
  3. Which Laws Require You To Have a Shopify Privacy Policy?
  4. What Should You Include in Your Shopify Store’s Privacy Policy?
  5. How Do You Add a Privacy Policy Page to Your Shopify Store?
  6. How Can You Link to Your Shopify Store Privacy Policy?
  7. What Are Good Examples of Shopify Store Privacy Policies?
  8. Summary

How To Make a Shopify Privacy Policy

Now that you’re ready to make a privacy policy for your Shopify store let’s discuss how you can easily do so.

You can use a managed solution, manually fill out a free template, or write one yourself from scratch. Let’s discuss these solutions in a little more detail.

Managed Solution

The easiest and quickest way to make a privacy policy for your Shopify store is to use a managed solution, like our Privacy Policy Generator. It’s backed by our legal team and data privacy experts, complies with several data privacy laws from around the globe, and only takes a few minutes to fill out.

Instead of writing clauses from scratch, all you have to do is answer questions about how your business handles and uses your customers’ data.

See what it looks like in the screenshot below.


Use a Template

If you have more time on your hands, you can check out and use our privacy policy template.

This template has all the sections you need to create a privacy policy for Shopify. However, you’re not limited to what’s already in the template.

You can add, remove, and edit existing language and clauses in Microsoft Word or Google Docs so the policy says what you want it to say.

If you like what’s in the template, you don’t have to change, add, or remove anything.

Below, you can see what it looks like.


Do It Yourself

Finally, if you want complete control over the privacy policy creation process, consider adopting the do-it-yourself approach and writing a privacy policy yourself.

You’ll be able to create a privacy policy that says what you want it to say but remember, it needs to meet all applicable data privacy laws.

For this reason, I don’t typically recommend this approach unless you have extensive legal knowledge or access to a lawyer.

Is a Shopify Store Privacy Policy Required?

While Shopify doesn’t necessarily require you to have a privacy policy to use their service, you might need one to meet legal obligations outlined by any applicable data protection laws.

Plus, Shopify explains that they collect and process personal information from your consumers, as described in the highlighted text below.


So they recommend you post a privacy policy explaining what personal information you collect from consumers, how you use it, and who you share it with.

But there are several other essential reasons why you should have a privacy policy for Shopify, for example:

  • It builds customer trust: One of the best reasons you need a privacy policy — especially for Shopify stores — is to show your customers that you care about their safety and want them to know their rights. Having one indicates that you’re a transparent company prioritizing ethics and compliance over profits.
  • It limits your legal liability: You can get into legal trouble if you don’t have a valid privacy policy because various regulations worldwide require it.
  • It’s the right thing to do: Finally, having a privacy policy for your Shopify store is the right thing to do. Users deserve to know what you’ll be doing with their data and how they can modify, change, or delete information they’ve already given you.

Which Laws Require You To Have a Shopify Privacy Policy?

I mentioned that several data privacy laws obligate you to post a privacy policy on your website, and it’s very likely your business falls under one or more of these pieces of legislation.

To help you determine which ones may apply to your business, I’ve compiled a helpful table explaining the legal threshold for several of the most significant data protection laws worldwide that require entities to post privacy policies.

Data Privacy Law Legal Threshold
General Data Protection Regulation (GDPR) Any organization that collects, processes, or stores the personal data of individuals located in the European Union (EU) or European Economic Area (EEA).
The Data Protection Act (UK GDPR) Any organization offering goods or services to UK citizens that processes their personal data.
Amended California Consumer Privacy Rights Act (CCPA/CPRA) For-profit entities that do business in California and meet one of the following:

  • Earned $25 million in gross annual revenue as of January 1 from the previous calendar year
  • Annually buys, sells, or shares the personal data of 100,000 or more California consumers or households
  • Derived 50% or more gross annual revenue from selling or sharing personal information
California Online Privacy Protection Act (CalOPPA) Any website with California visitors falls under the threshold of this law.
Virginia Consumer Data Privacy Act (VCDPA) Entities doing business in Virginia or targeting Virginia residents who meet one of the following:

  • Controls or processes personal data from 100,000+ consumers
  • Derives 50% of gross revenue from the sale of personal data and processes information from at least 25,000 consumers
Connecticut Data Protection Act (CTDPA) Any data controller or processor who conducts business in Connecticut or produces products or services targeted at Connecticut consumers and any controller or processor who meets one or more of the following:

  • Processes the personal data of at least 100,000 consumers (excluding data processed solely for payment transactions), or
  • Processes the personal data of at least 25,000 consumers and derives more than 25% of their gross annual revenue from the sale of personal data
Colorado Privacy Act (CPA) Controllers that conduct business in Colorado or who produce or deliver commercial products intentionally targeted to Colorado residents that meet one (or both) of the following:

  • Controls pr processor personal data of 100,000 consumers per year or 
  • Derives revenue or gets a discount on the price of goods or services from the sale or personal data and controls or processes the personal data of at least 25,000 consumers
Children’s Online Privacy Protection Act (COPPA) Any website or online service that is directed to children under 13 that:

  • Collects, uses, or disclosed their personal information
  • Have actual knowledge that they’re collecting, using, or disclosing personal data from children under 13
  • Have actual knowledge that they’re collecting personal information from another source or website directed to children under 13
Personal Information Protection and Electronic Documents Act (PIPEDA) Any organization that collects and uses personal information in connection with commercial activities, including selling or sharing donors, membership, or fundraising lists, falls under PIPEDA.
Australia’s Privacy Act of 1988 Any Australian government entities or organizations that have annual gross revenue of $3 million and small businesses that make less than $3 million who meet any of the following:

  • Are private sector health service providers
  • Credit reporting bodies
  • Contracted service providers for an Australian Government contract
  • Employee associations registered under the Fair Work Act 2009
  • Businesses that hold accreditations under the Consumer Data Right System
  • Businesses that choose to opt-into the Privacy Act
  • Businesses related to businesses covered by the Privacy Act
  • Businesses prescribed by the Privacy Regulation 2013
New Zealand’s Privacy Act of 2020 Any person, organization, or business in the public or private sector that collects and holds personal information about other people.
South Africa’s Protection of Personal Information Act (PoPIA) Any entity registered to South Africa that processes personal data or people from any location.

And any entities located outside of the country who outsource their data processing to South Africa.

For more information about the specific privacy policy requirements outlined by these laws, check out the guides I’ve linked in the table.

What Should You Include in Your Shopify Store’s Privacy Policy?

You must cover several things in your Shopify store’s privacy policy, but the specifics of what any privacy policy requires depend on what data privacy laws apply to your business.

However, in the next section, I’ve attempted to summarize nearly every relevant clause related to Shopify stores.

What Personal Data You Collect

All privacy policies should explain what personal data your website collects from users in one of the first sections.

Mention what personal information you collect and how you collect this data.

To include all the information you gather from your users, go through your Shopify store’s registration process yourself and make a list of the pieces of information you’re required to fill in, such as:

  • Names
  • Email addresses
  • Billing addresses
  • Shipping addresses
  • Phone numbers
  • Credit card details

Your Shopify store also probably collects other personal information from visitors, such as:

  • Browser type
  • IP address
  • Device ID
  • Cookie data
  • What website led a user to your store

Some of this data may not strike you as particularly “personal,” but it is defined as “personal data” by the GDPR and other privacy legislation. As such, you need to research how Shopify processes and collects this kind of personal information on your behalf.

Below, see how the accessories company LeSportsac, a Shopify site, writes this clause in their privacy policy.

LeSportsac-Shopify site-privacy-policy

How and Why You Collect the Personal Data

You must also disclose how and why your website uses the personal information you collect to comply with laws like the GDPR, the CCPA, and others.

Discuss in detail why you collect your users’ personal information and make sure you’re only gathering data necessary to fulfill these purposes.

For example, you may be gathering personal information for the following reasons as an ecommerce shop:

  • Email addresses for updating customers on their orders and sending marketing emails
  • Shipping addresses for shipping customers’ orders
  • Payment card details, names, and billing addresses for processing payments
  • Cookie data for targeted advertising and security purposes

The GDPR doesn’t allow you to collect information unless it’s for a legal and specific reason.

See how Gymshark, a fitness company that uses Shopify, writes this clause in its privacy policy.


If You Share the Data With Third Parties

Most data privacy laws require you to explain in a privacy policy if you share personal information with any third parties, what categories of data you’re sharing, and what the categories of the third parties themselves are.

Guess what? If you’re using Shopify for your store, you must have this clause in your privacy policy because you are sharing data with a third party, in this case, Shopify.

Below, see the privacy policy from Allbirds, a sustainable shoe company using Shopify.


Your Consumer’s Privacy Rights

Almost all privacy laws require you to outline your customers’ privacy rights.

If you fall under more than one law, consider using appropriately named headers to create clauses specific to users protected by each rule so they can easily find this information.

You should also explain in this clause how your users can follow through on their privacy rights.

Allbirds follows this advice in their privacy policy, particularly for California-based consumers, as shown in the screenshot below.


Your Use of Cookies or Other Trackers

Under data privacy laws like the GDPR, the CCPA, the VCDPA, and others, internet cookies qualify as personal information, and your Shopify store relies on them.

This means you must explain your use of these types of cookies (or any other trackers) in a clause in your privacy policy.

Below, you can read how LeSportsac writes this clause in their privacy policy.

LeSportsac-Shopify site-privacy-policy-Use-of-Cookies-or-Other-Trackers

Your Data Retention Policy

If your Shopify store falls under laws like the GDPR, you must explain your data retention procedures in your privacy policy.

You can typically only store or keep data for as long as necessary to complete whatever purposes you present to users.

Below, check out another sample clause from Gymshark’s privacy policy.


Data Safety and Security

Many data protection laws require you to properly store personal information to protect it from data leaks, breaches, and unauthorized access.

So, explain what security measures you have to keep your users’ information safe in a clause in your Shopify store’s privacy policy.

You can see another example clause from LeSportsac’s privacy policy below.

LeSportsac-Shopify site-privacy-policy-Data-Safety-and-Security

Updates and Changes to the Policy

Your privacy policy must always reflect your current data processing practices, which means you need a plan in place for how you’ll update your privacy policy and inform your consumers about these changes.

Under privacy laws like the GDPR and the CCPA, you must inform users about the changes to give them a chance to determine if they still agree to it or not.

See how Allbirds handles this clause in their policy below.


Company Contact Information

You must include proper company contact information in a clause in your privacy policy. This allows consumers to easily reach the appropriate party if they have comments, questions, or concerns regarding your privacy protocols.

Below, you can see how Gymshark writes this clause in their privacy policy.


How Do You Add a Privacy Policy Page to Your Shopify Store?

Now, let’s walk through the steps for adding a privacy policy page to your Shopify store.

Fortunately, this is a straightforward process.

Step 1

To start, log into Shopify and click “Online Store” on the left navigation bar, as shown below.


Step 2

Next, click on “Pages.” Then, click the green “Add Page” button in the top right-hand corner. You can see an example in the screenshot below.


Step 3

Now, type “Privacy Policy” into the title field of the new page. Then, paste your privacy policy directly into the content field.

Again, there’s a screenshot for you to follow below.


Step 4

Finally, when you’re done, click “Save.”


You’ve successfully added your store’s privacy policy to your Shopify dashboard, which means you can now link to it throughout your shop.

Okay, you’ve added a privacy policy page to your Shopify store, so now let’s walk through the steps for linking it to different places throughout your site.

Fortunately, this is also a simple process. Just follow these easy steps!

Step 1

First, go to “Navigation” on the navigation bar in your Shopify dashboard, located on the left. I put a screenshot for you below.


Step 2

Then click “Footer menu” under “Menus.”

You should always add your privacy policy to your footer because this is where most users expect to find it.

Check out another helpful screenshot below.


Step 3

Now click “Add menu item”, like in the screenshot below.


Step 4

We’re at the final step!

At this point, a sidebar will pop up from the right. Simply type “Privacy Policy” as the name and search for your recently published privacy policy page.

Click “Add” at the bottom, and you’re done!


What Are Good Examples of Shopify Store Privacy Policies?

Next, let’s spend some time looking at real-life Shopify store privacy policies so you can reference them when you go to make your own.

Partake Foods

Our first Shopify store privacy policy example comes from Partake Foods. This snack company puts an easy-to-access link to their privacy policy in the footer of their website.

You can find it highlighted in the screenshot below.


Their privacy policy covers a lot of detailed information but presents it in a way that’s easy to absorb, with adequately labeled sections.

Below, see an example of their well-organized clause informing users about why and how their website collects personal information.


Like Partake Foods, ensure your Shopify store’s privacy policy is easy to locate and read. This helps your users find answers to their questions more efficiently and ensures you’re complying with applicable data protection laws.

Hiut Denim Co.

Check out the privacy policy for the Shopify store Hiut Denim Co., a UK-based clothing retailer.

As shown below, they have a minimalistic privacy policy that uses lists instead of sentences.


Listing out what personal data you collect is a great way to keep your users informed without overwhelming them with a giant wall of text.

Hiut Denim Co. uses similar simplicity and formatting when explaining their user rights under the GDPR, a legally required clause in their privacy policy. Check it out in the screenshot below.


Their privacy policy proves you can be compliant without being overly complicated.


Before you publish your Shopify store, ensure you have a valid privacy policy. Not only does Shopify recommend you have one, but it’s also required by data privacy laws worldwide, such as the GDPR, CalOPPA, the CCPA, and more.

Posting a privacy policy on your Shopify store is also the right thing to do. Your customers deserve to know what information you collect from them and what rights they have over how that data gets used.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources