Customer Data and GDPR

Overview

When navigating data privacy laws, such as the General Data Protection Regulation (GDPR), Shoplift is committed to ensuring that merchants can stay compliant effortlessly while still benefiting from powerful A/B testing and revenue optimization tools.

In this article, we will explain Shoplift’s role as a data processor, how merchants are responsible as data controllers, and the steps we take to ensure that data collection is only done with visitor consent.

We will also discuss how Shoplift uses a blend of essential and analytics tracking methods to maintain a seamless website experience, even when consent is declined.

For a full overview of our data collection practices, see our Data Processing Addendum.

Data controllers and data processors

Firstly, it's important to understand the distinction between data controllers and data processors under GDPR:

Merchants as Data Controllers

Merchants who use Shoplift are considered data controllers, meaning they determine the purpose and legal basis for collecting and processing visitor data. This also means that merchants are responsible for obtaining visitor consent in regions where it is required (such as the European Union) before any data is collected.

Shoplift as a Data Processor

Shoplift acts as a data processor, meaning we handle data on behalf of merchants based on the permissions and consent that merchants obtain from their visitors. Our responsibility is to process data securely and only in line with the merchant’s instructions and the applicable privacy laws.

Depending on the regions in which you operate your store, GDPR and other privacy laws may require explicit visitor consent before any data collection occurs. Shoplift makes it easy for merchants to stay compliant out of the box.

Shopify's Customer Privacy API

By default, Shoplift leverages Shopify’s Customer Privacy API, which determines whether a visitor has granted consent to collect data. If you use Shopify's data compliance tools, then no action is required to ensure Shoplift remains compliant with customer privacy laws:

  • If consent is granted, Shoplift collects anonymized event data to run and measure experiment performance.

  • If consent is declined, Shoplift ensures that no visitor data is collected, logged, or stored in any way, allowing merchants to respect the privacy choices of their visitors.

This process is seamless, meaning that merchants can focus on running their business without worrying about GDPR compliance.

If you use third-party tools to manage consent, Shoplift will be compliant out of the box as long as your consent management platform is able to hook into Shopify's Customer Privacy API.

We are working on a method, planned for November 2024, to allow consent to be passed to Shoplift from third-party tools that don't leverage Shopify's Customer Privacy API.

Tracking methods to ensure compliance

To provide the best possible user experience, Shoplift uses a combination of essential tracking and analytics tracking:

  • Essential tracking ensures that the website operates smoothly and delivers necessary functionality, regardless of consent.

  • Analytics tracking is only activated if consent is granted by the visitor. This allows us to collect valuable, anonymized data to drive A/B testing, personalization, and optimization efforts.

Shoplift’s approach ensures that there is no “flicker” effect—an undesirable momentary disruption in the website’s appearance or performance—when conducting tests. Even if consent is denied, Shoplift maintains a stable and optimized user experience, ensuring your website performs at its best while respecting user privacy.
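The consent-gating behaviour described in the two sections above (essential work always runs; analytics events exist only once consent is granted and are discarded if it is declined) can be modelled with a small gate. This is an added example, not Shoplift's own code; the consent provider interface is a constructed stub whose method name mirrors what Shopify's Customer Privacy API is assumed to expose (analyticsProcessingAllowed()), and the "undecided" null state is a convention of the stub.

```javascript
// Added example: consent-gated tracking modelled on the behaviour described above.
// Essential work (applying the test variant) never waits for consent, so there is no
// flicker; analytics events are buffered while consent is undecided, then either
// flushed to the sink (granted) or dropped without being logged (declined).
function createConsentGate(consent, sink) {
  const pending = [];
  // true = granted, false = declined, null = visitor has not answered yet (stub convention)
  let state = consent.analyticsProcessingAllowed();

  function settle() {
    if (state === true) {
      while (pending.length) sink.push(pending.shift());
    } else if (state === false) {
      pending.length = 0; // declined: discard buffered events, nothing reaches the sink
    }
  }

  consent.onConsentCollected((allowed) => { state = allowed; settle(); });

  return {
    // Essential tracking: apply the variant immediately, regardless of consent.
    applyVariant(variantId, applyFn) { return applyFn(variantId); },
    // Analytics tracking: returns true (sent), false (dropped) or null (buffered).
    track(event) {
      if (state === false) return false;
      if (state === true) { sink.push(event); return true; }
      pending.push(event);
      return null;
    },
    pendingCount() { return pending.length; },
  };
}

// Constructed stub standing in for the consent API so the example runs offline.
// analyticsProcessingAllowed() is the assumed Shopify method name; onConsentCollected
// and decide() are stub conveniences that simulate the visitor answering the banner.
function makeConsentStub(initial) {
  const listeners = [];
  return {
    analyticsProcessingAllowed: () => initial,
    onConsentCollected: (cb) => listeners.push(cb),
    decide(allowed) { initial = allowed; listeners.forEach((cb) => cb(allowed)); },
  };
}
```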

Does Shoplift collect identifiable information about website visitors?

When collecting data about website visitors, Shoplift does not log or store any personally identifiable information (PII). This includes information like name, email, phone number, IP address, or location.

Why does Shopify say Shoplift needs access to sensitive customer data when I install the app?

In order to access web pixel events from Shopify's servers, our app requires access to Shopify's Customer Event data.

In order to access this Customer Event data, Shoplift needs to request the necessary access scopes. The scopes required to access this anonymized event data are bundled with access to PII such as name, address, and phone number. This is why Shopify displays a message informing you of access to sensitive customer data during install.

Shoplift does not collect, log, or store any personally identifiable information from customers.

How does geo-targeting work if you don't store IP address?

When tests leverage geo-based audience targeting (at the country level), we derive an approximate country by matching the visitor's IP address against a geolocation database to obtain a country code, and then immediately discard the IP address.
