
Privacy Policy for Your Shopify Store

A privacy policy that covers shipping data, payment, retargeting pixels, and the marketing-email consent flows Shopify stores actually use.

  • Shipping data + address-handling disclosure
  • Retargeting-pixel section with opt-out paths users can actually find
  • Marketing-email consent + double-opt-in flow documented

Shopify gives you a privacy policy template, but it is a generic one designed to be the legal minimum across thousands of stores. It often misses things specific to how you actually run yours — the apps you installed, the retargeting pixels firing, the marketing-email lists you built, the regions you ship to. A privacy policy customised to your store covers the real data flows. It also reads better to a customer who actually clicks "Privacy" before checking out, which (rare as it is) is the kind of customer who decides on the spot whether to trust you.

What your Shopify store privacy policy needs to cover

Disclosures that matter for a Shopify store.

Categories of data you collect

Names, email addresses, shipping and billing addresses, phone numbers (optional), order history, browsing behaviour. Each one should be listed with its source. "Personal information" as a single bucket fails CCPA §1798.130(a)(5).

Payment-processor disclosure

You do not see card numbers — Shopify Payments / Stripe / PayPal do. Say that explicitly. Mention that you receive a tokenised reference and the last-four digits for refund purposes.

Shipping-data flow

Customer addresses flow to your carriers (USPS, UPS, FedEx, DHL) and, for international orders, customs authorities. Name the categories of recipients, not just "our shipping partners".

Retargeting and advertising pixels

Meta Pixel, Google Ads conversion tracking, TikTok Pixel. Each one counts as "sharing" under CPRA. List them, explain what they do, and link to how users can opt out. Running them also requires a CCPA "Do Not Sell or Share My Personal Information" link in the footer.

Marketing-email consent flow

How users opt in (checkbox at checkout, popup, post-purchase), how they confirm (double opt-in is best practice), how they unsubscribe (one-click required under CAN-SPAM and GDPR). Klaviyo and similar tools handle most of this; the policy needs to describe what they do.

International shipping + transfer safeguards

If you ship internationally, you transfer customer data to carriers and customs authorities outside your home country. For EU customers, name your transfer mechanism (typically Standard Contractual Clauses).

Common mistakes

Where Shopify store policies usually go wrong.

  • Using Shopify's generic template as-is

    The template lists generic data categories ("we may collect information") that are not actually accurate for most stores. It also rarely lists the specific apps and pixels you installed. Both are CCPA / GDPR issues.

  • Saying "we don't sell your data" while running ad pixels

    Under CPRA, running a Meta Pixel or Google Ads conversion tag counts as "sharing" personal information for cross-context behavioural advertising. The CCPA opt-out applies. Many Shopify policies miss this.

  • No "Do Not Sell or Share" link in the footer

    Required under CPRA for any business that "shares" personal information (which most Shopify stores do, via ad pixels). The link must be visible in the footer, not buried in the privacy policy.

  • Missing the cookie banner

    Ad pixels are non-essential cookies. EU users have to opt in BEFORE they fire. If your store has EU customers and the pixels load on page load, you have an ePrivacy violation. Pair the policy with a consent banner.

Ready to generate your Shopify store privacy policy?

A 2-minute wizard. Free preview shows the first three sections — pay $2 only if you want to unlock the full document.


Want to see what comes out?

A real anonymized example for a Shopify store.

Read the full text of a Shopify store privacy policy generated through this same pipeline. No signup needed.
