Generate a Privacy Policy for Your Shopify Store

Tested prompts for a Shopify privacy policy generator, compared across 5 leading AI models.

Best by judge score: Claude Haiku 4.5, 8/10

If you just launched a Shopify store or are preparing to run ads, you need a privacy policy before you go live. Shopify requires one, Meta and Google require one to run ads, and most payment processors expect it too. Without it, your store is out of compliance before you make your first sale.

The problem is that writing a privacy policy from scratch is slow and easy to get wrong. A lawyer costs hundreds of dollars for a document most small store owners treat as a checkbox. AI-generated privacy policies solve this for the 80% use case: a real, readable, store-specific policy in minutes, not days.

This page shows you exactly how to prompt an AI to generate a privacy policy tailored to your Shopify store, what good output looks like across four models, and where the approach has limits. If you collect email addresses, use Shopify Payments, run retargeting ads, or ship internationally, keep reading.

When to use this

This approach works best when you are launching or relaunching a Shopify store and need a compliant starting document fast. It is the right tool if you sell physical products, digital downloads, or subscriptions, use standard Shopify apps like Klaviyo or Meta Pixel, and ship to customers in the US, UK, EU, Canada, or Australia.

  • You are launching a new Shopify store and need a privacy policy before going live
  • You added a new app (email marketing, retargeting, analytics) and need to update your existing policy
  • You are setting up Facebook or Google Ads and the ad platform flagged a missing or incomplete privacy policy
  • You ship to EU customers and need GDPR language around data rights and cookie consent
  • You are a solo founder or small team with no legal budget and need a credible first draft to hand to a lawyer for a quick review

When this format breaks down

  • You operate in a heavily regulated industry such as healthcare, financial services, or children's products where HIPAA, COPPA, or FINRA compliance requires attorney-drafted language
  • Your store collects sensitive personal data beyond standard e-commerce fields, such as biometrics, government IDs, or health information
  • You are a large retailer with complex data-sharing agreements, third-party data brokers, or co-marketing partnerships that require custom legal definitions
  • You need a policy that will hold up in active litigation or regulatory investigation without any legal review

The prompt we tested

You are a legal writing assistant specializing in e-commerce compliance. Generate a comprehensive, Shopify-ready privacy policy based on the store details provided below.

Rules and format:
Output a complete privacy policy in clean Markdown with these sections in order: Introduction, Information We Collect, How We Use Your Information, Sharing Your Information (including Shopify, payment processors, and shipping partners), Cookies and Tracking Technologies, Your Rights (GDPR and CCPA), Data Retention, International Transfers, Children's Privacy, Changes to This Policy, and Contact Us. Use plain, professional language suitable for customers, include placeholders in brackets like [Store Name], [Contact Email], and [Effective Date] where store-specific details are missing, and keep the total length between 700 and 1000 words. Do not include legal disclaimers about seeking an attorney inside the policy itself.

Store details:
Store name: Lumen & Loom, based in Austin, Texas, selling handmade home décor internationally. We use Shopify Payments, Klaviyo for email marketing, Google Analytics, and Meta Pixel. Contact email is hello@lumenandloom.com and we ship worldwide via USPS and DHL.

Produce the full privacy policy now, ready to paste into the Shopify admin under Settings > Policies.

Model comparison

| Model | Quality | Cost | Latency | Tokens |
|---|---|---|---|---|
| Claude Opus 4.7 | 8 | $0.1602 | 25.2s | 458 / 2045 |
| Claude Haiku 4.5 | 8 | $0.0084 | 15.1s | 302 / 1613 |
| GPT-5.4 | 8 | $0.0247 | 28.5s | 254 / 1602 |
| Grok 4.1 Fast Reasoning | 8 | $0.0007 | 14.5s | 403 / 1295 |

Outputs

Claude Opus 4.7 8/10
# Privacy Policy

**Effective Date:** [Effective Date]

## Introduction

Welcome to Lumen & Loom ("we," "us," or "our"). We are a handmade home décor company based in Austin, Texas, shipping our products to customers around the world. This Privacy Policy explains how we collect, use, share, and protect your personal information when you visit our website, make a purchase, or otherwise interact with us.

By using our website or services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our website.

## Information We Collect

We collect information that helps us operate our store, fulfill orders, and improve your shopping experience. The types of information we collect include:

- **Identity and Contact Information:** Name, shipping address, billing address, email address, and phone number.
- **Order and Payment Information:** Products purchased, order history, and payment details (payment card information is processed securely by Shopify Payments and is not stored by us).
- **Account Information:** Login credentials and preferences if you create an account.
- **Communications:** Messages you send us through email, contact forms, or customer service channels.
- **Marketing Preferences:** Your subscription status and engagement with our marketing emails.
- **Technical and Usage Data:** IP address, browser type, device type, operating system, referring URLs, pages viewed, and time spent on our site.
- **Cookies and Tracking Data:** Information collected through cookies, pixels, and similar technologies (see "Cookies and Tracking Technologies" below).

## How We Use Your Information

We use your personal information for the following purposes:

- To process and fulfill your orders, including shipping, returns, and customer support.
- To communicate with you about your orders, account, or inquiries.
- To send marketing emails and promotions through Klaviyo, where you have opted in.
- To personalize your shopping experience and recommend products.
- To analyze site performance and customer behavior through tools like Google Analytics and Meta Pixel.
- To detect, prevent, and address fraud, security issues, and technical problems.
- To comply with legal obligations and enforce our terms and policies.

## Sharing Your Information

We do not sell your personal information. We share it only with trusted service providers and partners who help us operate our business, including:

- **Shopify:** Our e-commerce platform, which hosts our online store and securely handles customer data and transactions.
- **Shopify Payments:** Our payment processor, which securely processes credit card and other payment transactions.
- **Shipping Partners:** USPS and DHL, which receive your name and shipping address to deliver your orders worldwide.
- **Klaviyo:** Our email marketing platform, which stores customer contact information and engagement data to deliver marketing communications.
- **Google Analytics:** A web analytics service that helps us understand site usage.
- **Meta Pixel:** A Meta Platforms tool used to measure ad effectiveness and deliver targeted advertising on Facebook and Instagram.
- **Legal and Regulatory Authorities:** When required by law, subpoena, or other legal process, or to protect our rights, property, or safety.
- **Business Transfers:** In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

## Cookies and Tracking Technologies

We use cookies, pixels, and similar tracking technologies to operate and improve our website. These include:

- **Essential Cookies:** Required for core functions like shopping cart and checkout.
- **Analytics Cookies:** Help us understand how visitors use our site (e.g., Google Analytics).
- **Advertising Cookies:** Used by Meta Pixel to deliver relevant ads and measure performance.
- **Marketing Cookies:** Used by Klaviyo to personalize communications.

You can manage cookies through your browser settings or our cookie consent banner. Disabling certain cookies may limit your ability to use some features of our site.

## Your Rights

### GDPR (European Economic Area, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to:

- Access the personal data we hold about you.
- Request correction or deletion of your data.
- Restrict or object to our processing of your data.
- Request data portability.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your local data protection authority.

### CCPA (California Residents)

If you are a California resident, you have the right to:

- Know what personal information we collect, use, and share.
- Request deletion of your personal information.
- Opt out of the sale or sharing of personal information (we do not sell personal information).
- Not be discriminated against for exercising your privacy rights.

To exercise any of these rights, contact us at hello@lumenandloom.com. We will verify your request and respond within the timeframes required by law.

## Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this policy, including order fulfillment, customer service, legal and tax compliance, and dispute resolution. When your information is no longer needed, we securely delete or anonymize it.

## International Transfers

Because we ship worldwide and use service providers located in various countries, your personal information may be transferred to, stored in, and processed in countries other than your own, including the United States. We rely on appropriate safeguards, such as Standard Contractual Clauses, to protect your data during international transfers.

## Children's Privacy

Our website and products are not directed to children under the age of 13 (or the minimum age under applicable law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

## Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on this page and revise the "Effective Date" above. Material changes will be communicated through our website or email where appropriate.

## Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

**Lumen & Loom**
Austin, Texas, USA
Email: hello@lumenandloom.com

Judge notes: The policy is production-ready and well-tailored to the store details, but it slightly exceeds the 1000-word cap and omits a cookie consent banner note for GDPR compliance that would be expected for an internationally-shipping store.

Claude Haiku 4.5 8/10
# Privacy Policy

**Effective Date:** [Effective Date]

## Introduction

Welcome to Lumen & Loom ("we," "us," "our," or "Company"). We are committed to protecting your privacy and ensuring you have a positive experience on our website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and make purchases from us.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our site. By accessing and using Lumen & Loom, you acknowledge that you have read and understood this Privacy Policy.

## Information We Collect

We collect information in several ways:

**Information You Provide Directly**
- Account information: name, email address, password, and account preferences
- Purchase information: billing address, shipping address, phone number, and payment details
- Customer service communications: emails, messages, and support requests
- Marketing preferences: newsletter signup information and communication preferences
- Survey responses and customer feedback

**Information Collected Automatically**
- Device information: browser type, operating system, device identifiers, and IP address
- Browsing activity: pages visited, links clicked, time spent on pages, and referring URLs
- Transaction information: purchase history, order details, and transaction amounts
- Location data: general geographic location based on IP address (not precise GPS location)

**Information From Third Parties**
- Shipping partners (USPS and DHL) may provide delivery status updates
- Payment processors provide transaction verification information
- Third-party analytics and marketing platforms collect usage data with your consent

## How We Use Your Information

We use the information we collect for the following purposes:

- **Processing Orders:** Fulfilling purchases, managing payments, and coordinating shipping
- **Customer Service:** Responding to inquiries, resolving issues, and providing support
- **Marketing Communications:** Sending promotional emails, newsletters, and product recommendations (only with your consent via Klaviyo)
- **Analytics and Improvement:** Understanding user behavior, improving website functionality, and optimizing user experience through Google Analytics
- **Advertising:** Displaying personalized ads through Meta Pixel based on your browsing activity
- **Fraud Prevention:** Detecting and preventing fraudulent transactions and unauthorized access
- **Legal Compliance:** Fulfilling legal obligations and enforcing our Terms of Service

## Sharing Your Information

We do not sell your personal information. However, we share information with trusted partners to operate our business:

**Shopify:** Our website is hosted on Shopify's platform. Shopify processes order and customer data according to their privacy practices and our data processing agreement.

**Payment Processing:** Shopify Payments processes your payment information securely. We do not store complete credit card details on our servers.

**Email Marketing:** Klaviyo receives your email address and purchase history to send marketing communications. You can unsubscribe from marketing emails at any time using the link in each message.

**Analytics:** Google Analytics collects anonymized data about website usage to help us understand customer behavior and improve our site.

**Advertising:** Meta Pixel tracks user interactions to enable targeted advertising. You can opt out of personalized ads in your Meta account settings.

**Shipping Partners:** USPS and DHL receive your name, address, phone number, and order details to process and deliver your shipment.

**Legal Requirements:** We may disclose your information if required by law, court order, or governmental request.

## Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience:

- **Essential Cookies:** Required for website functionality, security, and payment processing
- **Analytics Cookies:** Track user behavior to improve our website (Google Analytics)
- **Marketing Cookies:** Enable targeted advertising and email marketing campaigns (Meta Pixel, Klaviyo)
- **Preference Cookies:** Remember your settings and preferences

You can control cookies through your browser settings. Disabling cookies may limit website functionality. For more information about cookies, visit [www.allaboutcookies.org](https://www.allaboutcookies.org).

## Your Rights

**GDPR Rights (European Residents)**

If you reside in the European Union, United Kingdom, or European Economic Area, you have the following rights under GDPR:

- **Right of Access:** Request a copy of your personal data
- **Right to Rectification:** Correct inaccurate or incomplete information
- **Right to Erasure:** Request deletion of your data (with exceptions)
- **Right to Restrict Processing:** Limit how we use your information
- **Right to Data Portability:** Receive your data in a portable format
- **Right to Object:** Opt out of marketing and certain processing activities
- **Right to Withdraw Consent:** Withdraw consent for data processing at any time

**CCPA Rights (California Residents)**

California residents have the following rights under the California Consumer Privacy Act:

- **Right to Know:** Request what personal information we collect, use, and share
- **Right to Delete:** Request deletion of personal information
- **Right to Opt-Out:** Opt out of the sale or sharing of your personal information
- **Right to Correct:** Request correction of inaccurate data
- **Right to Limit Use:** Limit use of sensitive personal information

To exercise any of these rights, contact us at hello@lumenandloom.com with your request.

## Data Retention

We retain your information for as long as necessary to fulfill the purposes for which it was collected:

- **Account Data:** Retained for the duration of your account and one year after closure
- **Transaction Data:** Retained for seven years for tax and legal compliance
- **Marketing Data:** Retained until you unsubscribe
- **Analytics Data:** Retained in anonymized form for up to 26 months

## International Transfers

Lumen & Loom is based in Austin, Texas, USA. Your information may be transferred to, stored in, and processed in the United States or other countries. By using our site, you consent to such transfers. We implement safeguards including data processing agreements and standard contractual clauses to protect your information during transfers.

## Children's Privacy

Our website is not directed toward children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13, we will delete such information promptly. Parents or guardians who believe their child has provided information to us should contact us immediately.

## Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the revised policy on our website and updating the Effective Date. Your continued use of our site constitutes acceptance of the updated Privacy Policy.

## Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have privacy concerns, please contact us:

**Lumen & Loom**  
Austin, Texas, USA  
Email: hello@lumenandloom.com

We will respond to your inquiry within 30 days or as required by applicable law.

---

*This Privacy Policy is effective as of [Effective Date] and was last updated on [Last Updated Date].*

Judge notes: The policy is production-ready and correctly incorporates all store-specific details (Klaviyo, Meta Pixel, USPS/DHL, Austin TX), but it runs noticeably over the 1000-word limit specified in the prompt, which is a real compliance issue with the task instructions.

GPT-5.4 8/10
# Privacy Policy

**Effective Date:** [Effective Date]

## Introduction

At **Lumen & Loom** (“we,” “us,” or “our”), we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our website, place an order, sign up for our emails, or otherwise interact with our business.

Lumen & Loom is based in Austin, Texas and sells handmade home décor to customers worldwide through our Shopify-powered online store. By using our website, you acknowledge the practices described in this Privacy Policy.

## Information We Collect

We collect information you provide directly to us, information collected automatically when you use our site, and information from trusted third parties.

**Information you provide directly** may include:
- Your name
- Billing and shipping address
- Email address
- Phone number
- Payment and transaction details
- Account login details, if you create an account
- Order history
- Any information you submit when contacting us, leaving a review, or subscribing to marketing emails

**Information collected automatically** may include:
- IP address
- Browser type and device information
- Operating system
- Referring website
- Pages viewed and time spent on our site
- Shopping activity, such as products viewed or added to cart
- General location information based on IP address
- Cookie and tracking data

**Information from third parties** may include:
- Payment confirmation and limited payment-related details from **Shopify Payments**
- Marketing and engagement data from **Klaviyo**
- Website usage data from **Google Analytics**
- Advertising and conversion data from **Meta Pixel**
- Shipping and delivery updates from **USPS** and **DHL**

## How We Use Your Information

We use your information to operate our business, fulfill orders, and improve your experience. Specifically, we may use your information to:

- Process and fulfill your orders
- Send order confirmations, shipping updates, and customer service messages
- Process payments and prevent fraudulent transactions
- Communicate with you about your purchases, returns, or inquiries
- Provide marketing emails and promotions, where permitted by law
- Personalize your shopping experience
- Improve our website, products, and services
- Analyze site traffic, customer behavior, and marketing performance
- Deliver relevant advertising on platforms such as Meta
- Comply with legal obligations and enforce our terms and policies

Where required by applicable law, we rely on legal bases such as contract performance, legitimate interests, consent, and legal compliance to process personal data.

## Sharing Your Information

We do not sell your personal information for money. However, we share information with trusted service providers and partners as necessary to operate our store and provide services to you.

**Shopify:**  
Our store is hosted by Shopify, which provides the e-commerce platform that allows us to sell our products. Shopify may process your personal information, including contact, order, device, and payment-related information, to support store functionality, security, and checkout services.

**Payment processors:**  
We use **Shopify Payments** to securely process payments. Payment information is handled by payment processing providers and is subject to their own privacy and security practices. We do not store full payment card details on our own systems.

**Email marketing provider:**  
We use **Klaviyo** to manage email subscriptions and send newsletters, promotions, abandoned cart reminders, and other marketing communications. Klaviyo may collect information such as your email address, purchase activity, and interactions with our emails.

**Analytics and advertising partners:**  
We use **Google Analytics** to understand how visitors use our site and improve performance. We also use **Meta Pixel** to measure advertising effectiveness, build audiences, and show relevant ads on Meta platforms such as Facebook and Instagram.

**Shipping partners:**  
We share shipping information, such as your name, address, phone number, and order details, with **USPS** and **DHL** to deliver your orders and provide tracking updates.

**Legal and business transfers:**  
We may disclose information if required by law, subpoena, or legal process, or if we believe disclosure is necessary to protect our rights, prevent fraud, or comply with a governmental request. We may also share information in connection with a merger, acquisition, financing, or sale of business assets.

## Cookies and Tracking Technologies

We use cookies, pixels, tags, and similar technologies to operate our website, remember your preferences, analyze traffic, and support marketing activities.

These technologies may be used to:
- Keep items in your cart
- Enable checkout and site functionality
- Remember your settings and preferences
- Measure website performance
- Understand browsing and shopping behavior
- Deliver and measure personalized advertising

Some cookies are essential for the website to function, while others support analytics and advertising. Depending on your location, you may have the ability to accept or reject certain non-essential cookies through your browser settings or cookie banner. Please note that disabling some cookies may affect site functionality.

## Your Rights (GDPR and CCPA)

Depending on where you live, you may have certain privacy rights regarding your personal information.

**For individuals in the European Economic Area, United Kingdom, or similar jurisdictions (GDPR-style rights), you may have the right to:**
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Restrict or object to certain processing
- Request data portability
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection authority

**For California residents (CCPA/CPRA), you may have the right to:**
- Know what personal information we collect, use, disclose, or share
- Request deletion of personal information, subject to exceptions
- Request correction of inaccurate personal information
- Opt out of certain sharing for cross-context behavioral advertising, where applicable
- Not be discriminated against for exercising your privacy rights

To exercise any of these rights, please contact us at **hello@lumenandloom.com**. We may need to verify your identity before processing your request.

## Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, including providing our services, maintaining business records, resolving disputes, enforcing agreements, and complying with legal, tax, accounting, and regulatory obligations.

For example, we may retain order and transaction information for recordkeeping and legal compliance, and we may retain marketing subscription information until you unsubscribe or request deletion, subject to applicable law.

## International Transfers

Because we sell and ship internationally, your personal information may be transferred to, stored in, or processed in countries other than your own, including the United States. These countries may have data protection laws that differ from those in your jurisdiction.

When required, we take reasonable steps to ensure appropriate safeguards are in place for international transfers of personal information, including reliance on service providers that offer contractual and technical protections.

## Children's Privacy

Our website and services are not directed to children under the age of 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at **hello@lumenandloom.com**, and we will take appropriate steps to delete it.

## Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational reasons. When we make changes, we will post the updated policy on this page and revise the Effective Date above. Your continued use of our website after any updates indicates your acceptance of the revised policy.

## Contact Us

If you have questions about this Privacy Policy or would like to exercise your privacy rights, please contact us at:

**Lumen & Loom**  
Austin, Texas, USA  
**Email:** hello@lumenandloom.com

Judge notes: The policy is production-ready and well-tailored to the store's specifics, but the word count significantly exceeds the 1000-word ceiling specified in the prompt (approximately 1,100+ words), and the `[Effective Date]` placeholder remains unfilled despite specific store details being provided for everything else.

Grok 4.1 Fast Reasoning 8/10
# Privacy Policy

**Effective Date: [Effective Date]**

## Introduction

Welcome to Lumen & Loom ("we," "us," or "our"), a store based in Austin, Texas, specializing in handmade home décor. We are committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, share, and protect your information when you visit our website (lumenandloom.com or any related sites), make a purchase, or interact with our services. It applies to all users worldwide, including those in the European Economic Area (EEA), United Kingdom (UK), and California.

By using our site or services, you consent to the practices described here. We comply with applicable laws like GDPR and CCPA/CPRA. If you have questions, contact us at hello@lumenandloom.com.

## Information We Collect

We collect information to provide our services, process orders, and improve your experience. This includes:

- **Personal Information**: Name, billing and shipping address, email address, phone number, and payment details (e.g., credit card number, processed securely without storage by us).
- **Account Information**: If you create an account, username, password, and order history.
- **Order and Payment Data**: Items purchased, order details, delivery preferences, and transaction records.
- **Communication Data**: Information from emails, chats, or surveys, like support tickets or feedback.
- **Device and Usage Data**: IP address, browser type, device ID, pages visited, time spent on site, and referral sources.
- **Marketing and Analytics Data**: Preferences from email interactions (via Klaviyo) and browsing behavior (via Google Analytics and Meta Pixel).

We collect this directly from you (e.g., forms, checkout), automatically (e.g., cookies), or from third parties (e.g., Shopify).

## How We Use Your Information

We use your information for legitimate business purposes:

- To process and fulfill orders, including payment processing and shipping.
- To communicate with you about orders, accounts, promotions, or updates (e.g., via Klaviyo emails).
- To provide customer support and respond to inquiries.
- To personalize your experience, recommend products, and send targeted marketing.
- To analyze site performance, detect fraud, and improve our services (using Google Analytics and Meta Pixel).
- To comply with legal obligations, like tax reporting or disputes.
- For internal operations, such as inventory management and business analytics.

We only use sensitive data (e.g., payment info) for order fulfillment.

## Sharing Your Information

We do not sell your personal information. We share it only as needed with trusted partners:

- **Shopify**: Our e-commerce platform (hosted in Canada/US) for site hosting, payments (via Shopify Payments), and order management.
- **Payment Processors**: Shopify Payments and partners like Stripe for secure transactions.
- **Shipping Partners**: USPS and DHL for worldwide delivery; we share name, address, and order details.
- **Marketing and Email Services**: Klaviyo for email campaigns and preferences.
- **Analytics and Advertising**: Google Analytics for traffic insights and Meta Pixel for ad performance (anonymized where possible).
- **Service Providers**: Cloud hosting (e.g., AWS), fraud detection tools, and legal advisors, bound by confidentiality.
- **Legal Requirements**: With authorities if required by law, subpoenas, or to protect rights/safety.

For international customers, data may transfer to these US/Canada-based providers under standard contractual clauses.

## Cookies and Tracking Technologies

We use cookies, pixels, and similar tools to enhance functionality and track usage. Types include:

- **Essential Cookies**: For cart functionality, login, and site security (cannot be disabled).
- **Performance Cookies**: Via Google Analytics to measure site speed and traffic.
- **Marketing Cookies**: Meta Pixel for ad retargeting and Klaviyo for email personalization.

You can manage preferences via browser settings (e.g., opt out of Google Analytics here: [https://tools.google.com/dlpage/gaoptout](https://tools.google.com/dlpage/gaoptout)) or our cookie banner. Note: Disabling may limit features. We respect Do Not Track signals.

## Your Rights (GDPR and CCPA)

You have rights over your data. To exercise them, email hello@lumenandloom.com with verification:

- **Access**: Request a copy of your data.
- **Correction**: Update inaccurate info.
- **Deletion**: Ask us to delete (subject to legal retention).
- **Opt-Out**: Unsubscribe from marketing; opt out of sales/sharing (CCPA).
- **Portability**: Receive data in portable format (GDPR).
- **Objection/Restriction**: Object to processing or restrict it.
- **CCPA Specifics**: No sales in last 12 months; opt-out of sharing for cross-context ads.

EEA/UK residents: Controller is Lumen & Loom, Austin, TX. Complaints to local data authority (e.g., ICO).

We respond within 45 days (extendable).

## Data Retention

We keep data only as long as needed:

- Order data: 7 years for tax/legal compliance.
- Account info: Until deletion request or inactivity (notify first).
- Marketing data: Until opt-out or 2 years post-interaction.
- Analytics: Anonymized after 26 months (Google Analytics).

Deleted data is securely erased or anonymized.

## International Transfers

Lumen & Loom is US-based. Data may transfer internationally (e.g., to Shopify in Canada, Google in US/Ireland). We use adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules for GDPR compliance. Transfers protect data equivalently.

## Children's Privacy

Our site is not for children under 13 (US) or 16 (EEA/UK). We do not knowingly collect data from children. Parents/guardians: Contact us to delete if discovered.

## Changes to This Policy

We may update this policy to reflect changes. We'll notify via email or site notice. Continued use after changes means acceptance. Check periodically.

## Contact Us

Questions? Email hello@lumenandloom.com or write to:

Lumen & Loom  
[Store Address, Austin, TX]  

For GDPR/CCPA: Data Protection Officer at hello@lumenandloom.com.

*(Word count: 852)*

Judge notes: Production-ready and well-tailored to the store's specifics, but the DPO claim is legally dubious (SMBs typically aren't required to appoint one), and "Effective Date: [Effective Date]" was left as a placeholder despite the store details providing enough context to flag this more usefully.

What makes these work

  1. Name every app and tool you use

    The most common reason AI-generated privacy policies miss the mark is a vague prompt. List every Shopify app that touches customer data: Klaviyo, Recharge, Meta Pixel, Google Analytics, Postscript, Gorgias, and so on. Each tool is a third-party data processor and needs to be disclosed. If you skip it in the prompt, the AI skips it in the policy.

  2. Specify your shipping geography upfront

    Shipping to the EU triggers GDPR requirements. Shipping to California triggers CCPA considerations. Shipping only within the US simplifies things significantly. Telling the AI exactly where you ship lets it include the right legal framework and skip irrelevant ones, which keeps the policy accurate and readable.

  3. State what data you do NOT collect

    Privacy policies are easier to trust when they include explicit negatives. If you do not sell data, do not collect health information, or do not store payment card numbers yourself, say so in the prompt. The AI will include those statements, which builds customer trust and reduces support questions about data handling.

  4. Ask for an effective date placeholder and contact email slot

    Always include a line in your prompt like 'include a placeholder for the effective date and a slot for our contact email.' This prevents you from publishing a policy with no update date, which is one of the first things regulators and ad platforms check when they review your policy page.

More example scenarios

#01 · Basic DTC apparel store, US-only shipping
Input
Generate a privacy policy for my Shopify store called 'Harbor & Stitch.' We sell men's casual clothing. We ship only within the United States. We collect names, email addresses, shipping addresses, and payment info through Shopify Payments. We use Klaviyo for email marketing and Google Analytics for site traffic. We do not sell customer data to third parties.
Expected output
A structured privacy policy covering: data collected (name, email, address, payment), how it is used (order fulfillment, email marketing via Klaviyo, analytics via Google Analytics), that payment data is processed by Shopify Payments and not stored by Harbor & Stitch, a statement that data is not sold, a contact email for data requests, and an effective date placeholder.
#02 · EU-shipping store needing GDPR rights section
Input
Write a Shopify privacy policy for 'Luminos Candles,' a UK-based candle shop that ships to the UK and EU. We use Shopify, Mailchimp, and Meta Pixel. We want to include GDPR rights: access, erasure, portability, and objection. Our contact email is hello@luminoscandles.com.
Expected output
A privacy policy with a dedicated GDPR section listing lawful bases for processing (contract performance, legitimate interest), customer rights (access, rectification, erasure, portability, restriction, objection), how to exercise those rights via hello@luminoscandles.com, third-party processors named (Shopify, Mailchimp, Meta), cookie and pixel disclosure, and a note about the right to lodge a complaint with the ICO.
#03 · Digital downloads store with no physical shipping
Input
I run a Shopify store called 'Type & Form' selling digital font licenses. No physical products are shipped. I collect email and payment info only. I use Shopify Payments and SendOwl for delivery. I want the policy to clarify that no shipping addresses are collected.
Expected output
A privacy policy clarifying that Type & Form collects only email addresses and payment information, no physical addresses are requested or stored, digital products are delivered via SendOwl, payment processing is handled by Shopify Payments, and customers can contact the store to request data deletion.
#04 · Subscription box store with recurring billing
Input
Generate a privacy policy for 'Roots Box,' a monthly plant subscription box on Shopify. We collect name, email, shipping address, and credit card info for recurring billing via Shopify Payments. We use Recharge for subscriptions and Postscript for SMS marketing. We ship to the US and Canada.
Expected output
A privacy policy noting that Roots Box collects data for recurring billing managed through Recharge, SMS marketing consent collected via Postscript (with opt-out instructions), data shared with shipping carriers in the US and Canada, payment data processed by Shopify Payments, and a section on how subscribers can cancel and request data deletion.
#05 · Dropshipping store using a third-party fulfillment supplier
Input
Write a privacy policy for my Shopify dropshipping store 'CoastalGear.' We sell outdoor gear fulfilled by a third-party supplier in China. Customer shipping addresses are passed to the supplier for fulfillment. We use Shopify, Facebook Pixel, and Mailchimp. We ship worldwide.
Expected output
A privacy policy disclosing that customer shipping addresses are shared with a third-party fulfillment partner for order processing, that Facebook Pixel collects browsing behavior for advertising purposes, that Mailchimp stores email addresses for marketing with an unsubscribe option, and that international data transfers may occur given worldwide shipping, with a contact method for data inquiries.

Common mistakes to avoid

  • Using a generic template without customizing

    Shopify's built-in policy generator and most free templates produce boilerplate that does not mention your specific apps or data practices. Publishing a policy that says 'we use analytics tools' without naming Google Analytics or Meta Pixel does not satisfy GDPR or FTC disclosure standards and can be flagged during ad account reviews.

  • Forgetting to update after adding new apps

    Adding Postscript for SMS or Gorgias for customer support introduces new data processors. If your privacy policy was generated six months ago and does not mention them, you are out of compliance. Set a reminder to review your policy every time you install a new Shopify app that collects or receives customer data.

  • Publishing AI output without any review

    AI models occasionally hallucinate legal terms, invent regulatory requirements that do not apply to your jurisdiction, or omit critical disclosures. Treat the generated policy as a strong first draft, not a finished document. Read it once before publishing and have a lawyer skim it if you ship to the EU or California.

  • Hiding the policy where customers cannot find it

    A privacy policy buried three clicks deep does not count as adequate disclosure under GDPR or CCPA. Shopify requires the link in your footer. Ad platforms check that it is reachable from your homepage. Make sure your published policy is linked in your Shopify footer navigation before running any paid traffic.

  • Confusing privacy policy with terms of service

    A privacy policy explains how you collect and use data. Terms of service cover refunds, liability, and acceptable use. You need both, and they are separate documents. Prompting an AI to 'write a privacy policy and terms of service in one document' produces something that satisfies neither requirement.

Frequently asked questions

Does Shopify provide a privacy policy generator built in?

Shopify includes a basic policy generator under Settings > Policies, but it produces a generic template that does not account for the specific apps you have installed, your shipping regions, or your data practices. It is a starting point, not a finished document. You should customize it to reflect your actual store setup before publishing.

Is an AI-generated privacy policy legally valid?

An AI-generated privacy policy can be legally sufficient for most small Shopify stores if it accurately describes your data practices and includes the required disclosures for your jurisdiction. It is not a substitute for legal advice if you operate in regulated industries or handle sensitive data. For stores shipping to the EU, a quick legal review is worth the cost.

Do I need a separate privacy policy for GDPR if I ship to Europe?

You do not need a separate document, but your single privacy policy must include GDPR-specific sections: lawful bases for processing, a list of customer data rights, named data processors, and how customers can exercise their rights. Make sure your prompt specifies EU shipping so the AI includes this language.

What does a Shopify privacy policy need to include for running Meta or Google Ads?

Both Meta and Google require your privacy policy to disclose that you use tracking pixels or tags, that data is used for advertising purposes, and that users can opt out. Your policy must be live, linked from your homepage, and specifically mention the use of cookies or pixels for advertising. Without this, your ad account can be rejected or suspended.

How often should I update my Shopify privacy policy?

Update it any time you add or remove an app that handles customer data, change your shipping regions, start collecting new types of data, or when a major regulation changes in a market you serve. At minimum, review it once a year. Always update the effective date when you make changes.

Can I use one privacy policy for my Shopify store and my email list?

Yes, a single privacy policy can cover both your Shopify storefront and your email marketing list as long as it discloses both data collection points. Make sure the policy mentions how email addresses are collected, what platform stores them (such as Klaviyo or Mailchimp), and how subscribers can unsubscribe or request deletion.