Every Shopify store needs a minimum set of legal pages before going live. These aren't just box-ticking exercises — they protect your business from chargebacks, regulatory fines, and customer disputes. This guide covers exactly which pages you need, what each must contain, how to add them to Shopify, and why Shopify's built-in generator often isn't enough.
Which Legal Pages Does a Shopify Store Need?
Shopify itself recognizes four core legal pages and provides a built-in Policy section under Settings for each:
- Privacy Policy — legally required under GDPR, CCPA, and multiple other laws
- Refund Policy — required by Shopify Payments and expected by customers
- Terms of Service — your contract with customers covering purchases, disputes, and acceptable use
- Shipping Policy — sets delivery expectations and reduces customer service inquiries
Depending on your customer base, you may also need:
- A GDPR-specific Privacy Policy (if selling to EU customers)
- A CCPA Privacy Policy (if selling to California residents)
- A Cookie Policy (required under EU ePrivacy rules)
- An Affiliate Disclosure (if you promote via affiliate marketing)
How to Add Legal Pages to Shopify
Method 1: Settings > Policies (Recommended)
Shopify has a dedicated section for legal policies at Admin → Settings → Policies. This is the preferred method because Shopify automatically:
- Links your Refund Policy at checkout so customers see it before purchasing
- Adds Privacy Policy and Terms of Service links to your store footer
- Makes policies accessible from the Shopify checkout page
Simply paste your generated policy text into each field and save. Shopify renders it as a formatted page automatically.
Method 2: Online Store > Pages
For additional legal pages not covered by the Policies section (like a Cookie Policy or GDPR policy), create them as standard pages under Online Store → Pages → Add Page. Then link them in your navigation or footer using Online Store → Navigation.
Shopify's Auto-Generated Policies: Are They Good Enough?
Shopify's generated policies are better than nothing, but they have significant gaps:
- They don't address digital products, subscriptions, or custom-made items
- The Privacy Policy doesn't cover GDPR lawful bases or data subject rights in detail
- The Refund Policy doesn't distinguish between defective items, change-of-mind returns, or EU statutory rights
- There is no mention of arbitration clauses, class action waivers, or governing law
What Your Shopify Privacy Policy Must Cover
Your Privacy Policy must disclose every piece of customer data you collect and why. For a typical Shopify store, this includes:
- Order data: Name, address, email, phone, payment info (handled by Shopify/payment processor)
- Account data: Login credentials if you offer customer accounts
- Analytics data: IP addresses, browser type, pages visited (via Google Analytics, Shopify Analytics, Facebook Pixel, etc.)
- Marketing data: Email addresses collected for newsletters, abandoned cart recovery
- Cookie data: Tracking cookies, retargeting pixels, preference cookies
You must also disclose which third-party services process customer data on your behalf — including Shopify itself, your payment processor, shipping carriers, email marketing tools, and any advertising platforms.
What Your Shopify Refund Policy Must Include
A clear, specific Refund Policy reduces chargebacks and customer service workload. It should address:
- Return window: How many days after purchase customers can request a return (30 days is common)
- Condition requirements: Must items be unused, in original packaging, with tags attached?
- Refund method: Original payment method, store credit, or exchange
- Non-returnable items: Digital downloads, perishables, personalized items, final sale items
- Who pays return shipping: Customer or store?
- Processing time: How long until the refund appears
- Damaged or defective items: Different process than standard returns
EU Customers: Statutory 14-Day Right of Withdrawal
If you sell to EU customers, they have a statutory 14-day right to return goods without giving any reason under the EU Consumer Rights Directive. Your Refund Policy must acknowledge this right and cannot override it with a shorter return window for EU buyers.
What Your Shopify Terms of Service Must Cover
Your ToS establishes the legal relationship between your store and your customers. Key sections include:
- Order acceptance: When a purchase becomes a binding contract (usually upon shipment, not order placement)
- Pricing and availability: Right to correct pricing errors and refuse orders
- Intellectual property: Your ownership of store content, product photos, branding
- Prohibited uses: Scraping, fraudulent orders, impersonation
- Limitation of liability: Cap on damages for product issues
- Governing law: Which state/country's laws apply
- Dispute resolution: Arbitration or small claims court
GDPR and Your Shopify Store
If any of your customers are located in the EU or EEA, GDPR applies to your store regardless of where you are based. Specifically for Shopify merchants:
- You must have a GDPR-compliant Privacy Policy disclosing lawful bases for processing
- Email marketing requires opt-in consent — pre-ticked boxes are not valid under GDPR
- Abandoned cart emails require prior consent or a legitimate interests assessment
- Facebook Pixel and Google Analytics require cookie consent before loading for EU visitors
- You must be able to fulfill data deletion requests from EU customers
Shopify has built-in tools to help with GDPR compliance, but you are responsible for ensuring your policies and practices meet the regulation's requirements.
Shopify Payments Legal Requirements
If you use Shopify Payments as your payment processor, Shopify's terms of service require that your store have a clearly visible:
- Privacy Policy
- Refund/Return Policy
- Contact information or contact page
Stores without these pages risk having their Shopify Payments account suspended. Other payment processors (Stripe, PayPal) have similar requirements.
Frequently Asked Questions
Yes. Shopify strongly recommends and practically requires a Privacy Policy for all stores. If you use Shopify Payments, a Privacy Policy is mandatory. Additionally, laws like GDPR and CCPA legally require one if you have customers in the EU or California.
Shopify's built-in policy generator produces very basic templates. They are a starting point but are not tailored to your specific products, return windows, shipping locations, or legal jurisdiction. Generating a custom policy is always preferable for legal protection and customer trust.
In your Shopify Admin, go to Settings > Policies to add your Privacy Policy, Refund Policy, Terms of Service, and Shipping Policy. Shopify automatically links these pages in your checkout and footer. You can also create them as standard pages under Online Store > Pages.
If you sell to EU customers, yes — your Privacy Policy must meet GDPR standards. This includes disclosing lawful bases for processing, data subject rights, international data transfers, and your cookie usage. A standard privacy policy may not cover all GDPR requirements.