Trust and security on Shopify’s platform

More than 1,000,000 merchants, and millions of customers, entrust Shopify with their private information, and we take that responsibility seriously. Shopify takes every step to keep user data secure and private. We expect the same from every developer building on our platform.

Guiding principles

The rules for using Shopify’s platform are designed to make it fair and transparent for everyone. We want our developer partners to share the rewards of building this platform together. That also means enforcing limits and rules that keep it fair.

This page briefly outlines the rules of this developer community, but you may have other legal obligations that aren’t fully articulated here.

Shopify’s API License and Terms of Service are always the final word on what you can and can’t do on Shopify’s platform.

API Rules in brief

Authentication and API keys
  • All API calls have to be authenticated using approved authentication methods.
  • All API calls have to be made over encrypted HTTPS connections. Shopify’s API rejects unencrypted HTTP requests.
  • Keep API tokens secret at all times. Never share them between applications.
API rate limits
  • Our APIs use a “leaky bucket” method to limit requests. In general, apps that average 2 requests per second or less will not hit the limit.
  • Rate limits are doubled for Shopify Plus merchants.
  • API responses include headers to help apps manage their API usage. Please use them.
  • Use industry-standard techniques to queue API calls, cache results, and retry requests when necessary.
API versioning
  • Shopify releases new versions of its API each quarter, at the beginning of January, April, July and October.
  • Older API versions will always be available for up to 9 months, but we encourage developers to update API calls to the most recent version as soon as possible.
  • Developers can test their apps against upcoming API features with Release Candidate versions.
  • Always check the Changelog for the latest updates on Shopify API changes.

Data privacy and sharing in brief

Shopify developer partners are granted access to merchant data in order to empower those entrepreneurs to grow their business. Merchants own their data, and they own the relationship with their customer.

That means developers have certain obligations to Shopify merchants:

  • Ask only for the minimum information you need to complete a task.
  • Transmit, store, and delete data securely at all times.
  • Sync value-added information back to the merchant, via Shopify.
Global GDPR compliance

The European Union’s General Data Protection Regulation (GDPR) governs how companies may use personal information about private individuals. While the framework is law only inside the EU, Shopify enforces GDPR compliance worldwide.

You should consult your own lawyer on what GDPR compliance means for your apps. But the general rule is that all customers have the right:

  • to know what personal information you have about them.
  • to correct that data if it contains errors.
  • to have that data deleted in a timely way on request.
Mandatory webhooks for data privacy

To ensure GDPR compliance, all public apps must include mandatory webhooks that programmatically send data deletion requests to the app’s developer. Make sure your app development process accounts for these requirements.