Do Shopify Apps Collect Your Customers Data?

From providing a customer-friendly live chat function to engaging pop-ups or streamlining shipment and payment processes, third-party apps available in the Shopify store can help scale your business to new heights. 

In this article, we will talk about:

• What personal data third party Shopify apps collect;
• What are the main privacy law issues to be concerned about;
• Best practices you should follow to ensure GDPR compliance.

Before you get click-happy, adding dozens of apps to your store, it's essential to highlight the implications of adding plugins to your Shopify store. 

One of the most common mistakes new Shopify owners make is installing too many Shopify Apps and spending the time to evaluate them for trust, useability and cost. 

Shopify App Permissions

Most third-party Shopify apps collect your customers' data, which could include the following: 

• IP address
• device ID
• email address
• customer account information (mailing address, phone number, etc.) 
• credit card data and more

When third-party Shopify apps access and use your customers' data, you are legally responsible under the GDPR to ensure that personal data is collected and used in compliance with the GDPR.

Every Shopify app you install in your store relies on different data points to provide services. This can include features such as live chat, a marketing automation tool, or a personal recommendation app. 

For example, an email marketing tool may need access to email addresses and customer locations to function properly, while a personalized recommendation app may request additional personal data such as an IP address, device ID, geolocation and last purchase details to build a more accurate customer profile. 

Think about Klaviyo, a top-rated eCommerce marketing tool that you can use to send personalized and automated emails and SMS messages, for instance.

Klaviyo’s Privacy Policy collects Shopify Stores’ customers’ shopping history, demographic data, contact details, and behavioral data about how they interact with marketing communications.

Another example is Smile, a platform that helps boost sales by building a reward and loyalty program. Their Privacy Policy explains that the app collects personal information from customers such as their shopping history, names, addresses, postal code and previous email communication content to deliver rewards like points, referral bonuses and more. In both instances, this data is relevant to the services being offered.

However, consider for example an app that solely creates heat maps. This is a web design diagnostic tool that allows you to determine the most popular sections of an active website or page. By seeing where page abandonment occurs, or where potential customers are spending most of their time, you can make design adjustments to optimize your site.

If this app were to request more personal information such as IP addresses, geolocation tracking, and personally identifiable information for every previous customer transaction, such access would be invasive and unnecessary for the primary service being provided. In this scenario, installing this app onto your store would increase your liability not just with GDPR but almost every major domestic and international privacy law.
 

Shopify IP Requests: Who's Responsible for Data Collection?

As a Shopify Store owner, you decide what type of customer data is collected, the purposes for which it can be used, and how it will be processed. Therefore, you are considered the data controller under the GDPR. However, because some apps require specific data points to function properly, you’ll need to consider what data you’re comfortable sharing, and whether the app is critically necessary to improve store functionality.

Another aspect to keep in mind is that while Shopify formally lists itself as a data processor and subprocessor, it has subsidiaries around the world. At a minimum, any customer data collected by the ecommerce giant is potentially processed by two of its subsidiaries in two different jurisdictions. This is because the brand explicitly states that all customer personal data is initially processed by Shopify International Limited which is located in Ireland. Then, depending on what other services are leveraged by the merchant and the store’s location, any of Shopify’s eight other subprocessors might also access such data.

The Shopify platform and the third-party app provider are considered data processors, as they only process personal data on behalf of your business. Also note that Shopify adheres to both GDPR guidelines and US Data Protection Laws (a blanket term that includes federal and various state regulations) when processing data, and this is clearly stated in the company’s Data Processing Addendum. Additionally, Shopify outlines what data is being collected depending on the customer location and the applicable regulations for that jurisdiction.

Note that third-party app owners can also be data controllers if they choose to collect and use your customer and store data. However, you’ll always need to check what data is being collected and why, how it’s stored, for how long, and how it’s deleted by any third-party app you install.
 
While Shopify takes a proactive stance to adhere to GDPR and other major privacy laws, it's your responsibility to guarantee that the third-party app providers you're using are also compliant. Ultimately, it will be you that  GDPR first approaches if data is being collected, managed, and destroyed improperly

4 Privacy Considerations With Shopify Apps

1. What categories of personal data third-party apps collect

Depending on the functionality a third-party app provides, collecting some types of data may be excessive and unnecessary, exposing you to the risk of GDPR violation. 

For example, suppose you install a simple app to design the sidebar of your Shopify store. In that case, it is unlikely that the third-party app needs access to your customers' contact details for the smooth functioning of the app itself. 

On the other hand, an email service platform like Privy would need access to customer data to offer personalized marketing campaigns such as a win-back campaign or abandoned cart. To leverage all of Privy's beneficial features, they will need to access your customer data.

Whether the third-party app provider collects the personal data of your customers as a data controller or processor, it will have to comply with the GDPR standards. 

When third-party apps gain access to customers' data, it imposes a higher burden on you for GDPR compliance because now you also have to ensure that the third-party provider complies with the GDPR standards. 

2. How long third-party apps retain personal data

Data retention periods must be proportionate to the data use and should not be stored longer than needed under the GDPR. If the third-party apps retain customers’ data for longer than necessary or keep it indefinitely, you will risk legal action for non-compliance. It’s in your — and the app provider’s — best interest to adhere to timelines outlined by regulators to avoid getting slapped with a noncompliance complaint or fine. 

3. If the third-party app transfers data to third countries

This is a murky area for data privacy that trips up major and small U.S.-based firms alike. Because of surveillance concerns surrounding U.S. counterintelligence agencies and the wide-reaching data access such organizations leverage, many European nations are very specific in how and what consumer data can be transferred to the U.S. Once known as the EU-US Privacy Shield, the guidelines for how U.S. firms must handle international consumer data originating from the EU is now regulated under the Trans-Atlantic Data Privacy Framework. 

The new framework essentially follows the GDPR, but simply affirms that U.S. commercial enterprises are culpible for failing to adhere to the guidelines. If you own a Shopify store, given that the platform follows GDPR, you can be reasonably assured that you’re unlikely to be exposed to liabilities directly because of Shopify’s actions. However, for U.S. merchants using third-party apps, this means that it’s your responsibility to ensure that the desired plugin follows the Trans-Atlantic Data Privacy Framework if you’re collecting data from EU citizens. 

4. How third-party apps protect personal data

As a data controller, you will have to guarantee that the third-party app provider implements technical and organizational measures appropriate to the type of personal data at hand to prevent data breaches or unauthorized data losses. 

How to Minimize Data Leakage With Shopify Apps

1. Review all permissions and evaluate

When you first install an app, you will be asked to give permission for access to different categories of personal data. It is best to go through each data category that a third-party app asks to access and evaluate whether it’s  necessary.

If you believe that the collection of customers’ personal data by an app is not necessary, don’t use the app. When possible look for alternatives as there are many competitive apps for a desired service in the Shopify App Store. 

The most trustworthy and best Shopify Apps will only request what's absolutely necessary.  

2. Review the Apps’ Privacy Policy and Terms & Conditions

Shopify requires all approved apps listed in the Shopify App Store to provide a privacy policy that explains the collection and use of personal data. 

You need to review these privacy policies to understand the following to achieve GDPR compliance:

• What data is being collected
• How is this data being used
• Does it sell or share personal data to third parties
• How long is the data stored and what method is used to delete or destroy it
• What  technical and organizational measures are taken to protect personal data
• Along with the app’s Privacy Policy, you also need to look at the provided data processing agreement (DPA), which is often a part of the Terms and Conditions.

In the DPA, make sure that the  timeframe for responding to data subject requests such as deletion and change requests is compliant with GDPR or any other major domestic or international privacy regulation. Additionally, ensure that the app is explicit regarding  the  security measures being used to safeguard customer data.

Shopify does require that Third-Party apps handle GDPR requests, but remember that ultimately the responsibility is on you to ensure that any integrated app is adhering to those guidelines.

3. Check Data Retention Periods 

In accordance with the storage limitation under the GDPR, the third-party app should retain personal data only so long as it is necessary and proportionate.

You need to ensure that the DPA includes a clear limit on the retention period.

4. Revoke Permissions if Necessary

Shopify allows you to review permissions you gave earlier and potentially revoke them in two simple steps.

To review the previous permissions you provide:

1. Go to Shopify Admin and click Apps;
2. Click on "About” beside the app to view the types of personal data that the app is accessing. 

In this section, you can see all the details about the app's permissions. You can also easily access the Shopify apps privacy policy for reference. 

Final Thoughts

Installing third-party apps on your Shopify stores, such as marketing analytics and customer service tools, can bring direct and measurable benefits, but it is not without risks.

Because you are the data controller under the GDPR, it's your responsibility to make sure third-party apps only collect data that they truly need and are only using  that information for legitimate business purposes.

When you install an app, you should begin by reviewing the app's privacy policy, terms of service, and developer website. Keep in mind that you, the Shopify store owner, have the power to choose which apps you feel most trustworthy, and as such, the responsibility for proper data usage and protection ultimately lies with you.