Skip Navigation

Privacy at Shoelace

Let’s start with what needs to be said: Shoelace takes privacy very seriously. We realise that retargeting lives in a space that can be controversial and sometimes abused. Everything we do is designed to be in the best interests of you, the merchant, and your marketing efforts. We try very hard not to cross any lines. We do not resort to any scammy internet marketing tactics and we don’t help our merchants deliver campaigns that could cross any boundaries.

Shoelace strives to use Facebook’s marketing tools in the most transparent, as-intended way as possible. We were one of the first apps to encourage using your own Facebook ad account so that you own your data. Shoelace has a heavy reliance on both your Shopify and Facebook metrics to make the intelligent campaign we do. We NEVER sell your data to a third party for reuse.

Every tool we use, every data point we store and all analysis we do is in the effort of providing a better service putting together more engaging retargeting campaigns that speak to your customers. We know that even this comes with many responsibilities and we are committed to living up to our end of transparent and safe data use.

What Is GDPR


GDPR stands for the General Data Protection Regulation. It is a piece of privacy legislation adopted by the EU in April 2016, coming into effect 25 May 2018. The main aim of GDPR is to transfer control of personal data back to citizens as well as to unify the regulation within the EU to streamline the regulatory environment for international businesses.

The GDPR lays out various requirements with respects to consent, notification and users’ data rights. It requires companies to do many new things such as gathering explicit consent for data collection, stricter guidelines for disclosure of data breaches and legal ramifications for misuse of user data.

Personal data

A large part of GDPR is concerned with personal data. Specifically, it explicitly places ownership of data in the hands of the end user, the “data subject”. In general, the GDPR substantially expands the definition of personal data.

Personal data is any information relating to an individual, their private, professional or public life. E.g. name, email address, photos, IP address, products purchased, etc. It also covers any data that could be used in conjunction with other data to identify someone.

There are additional safeguards placed on “sensitive data” which includes thing such as race, religious affiliation, political opinions, health records, biometric information, etc. Shoelace has never and does not intend to collect, process or use this kind of data.

Data Controllers and Processors

The GDPR differentiates primarily between three parties: Data controller, data processor and data subject. The data controller determines the purposes for which and the means by which personal data is processed. The data processor processes personal data on behalf of the controller. The data processor is usually a third party external to the company.

For more information on the relationship between controller and processor, please see:

For most relevant cases, the data subject is either the merchant or the buyer, the data controller is the merchant (but sometimes Shoelace) and the data processor is Shopify, Facebook or Shoelace. In many cases Shoelace is a sub-processor to Shopify. For more details on Shoelace’s relationship to the merchant, please see “Data We Collect” below.

It is primarily the responsibility of the data controller to ensure that consent is gathered and data is handled responsibly by processors.

Shopify’s Whitepaper on the GDRP provides more details on the relationship between the merchant and Shopify:

Lawful Data Processing

All data processing must lawful, fair and transparent. Further, data processing should be relevant and limited to what is required to operate. The GDPR speaks to the circumstance under which data may lawfully be processed. Generally speaking, there are four bases for legal processing of data:

  • Explicit consent – the individual concerned provides consent
  • Contract – there exists a legal contract with the individual concerned
  • Legal obligation – data is processed as required by the prevailing laws
  • Legitimate interest – the most flexible of the criteria, where data is processed in a way that the individual might reasonably expect and with minimal privacy impact

GDPR Outside the EU

The GDPR protects European data subjects not matter where they transact online. It does not matter if the company is based outside the EU if the user lives there. Our customers are Shopify merchants and as such come from all over the world. Of course, many Shopify merchants are also based in Europe and many non-EU stores sell to Europeans. In all these cases, the merchant is responsible for GDRP compliance.

Anything we do for data privacy and protection is good for all our merchants and is available to all our merchants. It is unnecessary for Shoelace to distinguish between EU and non-EU Shoelace users, data protection is important for everyone.

Shoelace GDPR Compliance

Shoelace is prepared for GDPR, is aware of its obligations and has always tried to minimise data collection and potential impact. We have worked hard on understanding our exact obligations (like in this document) and are continuing work on rolling out more feature to deeper support the GDPR’s specific Data Subject Rights.

There are currently no certifications that would make any company GDPR compliant. The GDPR is a vast and untested piece of legislation that touches on all aspects of digital life. Shoelace is doing everything we can and have implemented a lot of changes and documentation to address GDPR requirements. This is not a one-off exercise; GDPR will continue to inform how we communicate with you, how we deal with your data and what tools we build to help you exercise your rights.

Data Subject Rights

The fundamental principle under the GDPR is that the users (i.e. data subjects), not the collector of the data, own their data. To enable this, certain specific rights are explicitly listed and must be supported to be GDPR compliant. Several of these rights are explained below and additional details can be found here:

Right to Erasure

Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds. Shoelace supports this right in several ways. On uninstalling Shopify requests that a merchant’s customers’ data is deleted and Shoelace stores these requests and fully anonymises the relevant data. Buyers also have the ability to request deletion of their own data which again is passed to Shoelace from Shopify after being initiated with the merchant. Those records are completely erased. Lastly, Shoelace will respond to any request for full deletion through our own dashboard or by contacting us by email.

Right to Portability and Access

Article 15 and Article 20 provide that the data subject has the right to access and copy all their data being held by a controller. While technically separate rights, the implementation is similar in that the data subject may request a copy of all data being held by a controller, i.e. Shoelace. In many instances Shoelace is a subprocessor, however, Shoelace is able to fulfill its obligation as a controller in this respect.

Right to Rectification

Article 16 states that a data subject should have the right at any time to correct any information about themselves with the data controller. Shoelace has an adequate settings page and should you feel any information is about you is incorrect, will promptly correct it in our systems.

Automated Decision Making

Article 22 protects the data subject against fully automated decision making. Shoelace does not have any black box decision making processes and as such is able to explain any data processing undertaken.

Data We Collect - controller vs processor

Shoelace has always operated under the mindset that we should collect as little data as we need to do our work and that we have a responsibility to be good stewards of this data. Much of the data in our care belongs to you, the merchant and we treat it as such. We never have and never will make a business of selling or sharing your data. In some cases, the data in our care belongs to your customers, the buyers. There are certain additional requirements that affect buyer data imposed by Shopify, which we fully agree with and abide by.

Legal Basis for Data Processing

When the merchant installs the Shoelace app we interpret implied consent to process their data as required to provide our service. As part of the installation process Shopify gathers explicit consent for Shoelace to subprocess data supplied through the Shopify API.

By using the merchant’s ad account, we act as an agent on their behalf. All campaigns are approved by the merchant through explicit consent. Any processing of Facebook data required to produce campaigns is assumed under legitimate interest as a core part of Shoelace’s business.

Shoelace sends transactional and marketing emails. These can be unsubscribed from though not receiving transactional emails will impact Shoelace’s ability to deliver service.

Data Storage

GDPR does not make any attempts to control where data is stored or processed, it is concerned with the rights of the data’s owner. However, all Shoelace’s data is stored in the United States and Canada. Shoelace does not operate its own servers or data centres, instead relying on cloud providers (primarily Amazon AWS and Microsoft Azure but several others as well). Cloud providers simplify our development burden but also mean that we can leverage their security and privacy best practices without implementing complicated features ourselves.

If you have more specific questions about data storage, please reach out to Shoelace directly and we can answer any concerns.

Data Retention

Shoelace stores only the minimum amount of data required to perform our service and provide the best possible campaigns. Shoelace fully complies with all deletion request and on uninstall makes a merchants’ buyers’ data non-identifiable as required by Shopify.

Over and above this, Shoelace removes any data about a user after 48 months of inactivity.

Shoelace as a Data Controller

Shoelace acts as a controller in several capacities. Primarily these activities revolve around opening, maintaining, administering the provision of service to merchants.

Shoelace collects personal information such as name, email and phone number so that we can communicate with and market to merchants. All marketing communication can be easily opted out of though some transactional messages are required as they may pertain to payment or critical parts of a merchant’s advertising accounts. We utilise processors such as SendGrid and Intercom to enable communication with merchants.

Shoelace uses processors such as Stripe to assist with payment and thus can be considered a controller in these instances.

As a controller Shoelace stores data including the following:

  • Campaign Data such as name, budget, start date, status, action history, ad text, Facebook Campaign ID, preview products, initiator, ad type
  • Discounts – used in Campaign creation
  • Facebook relevant Campaign data such as objective, optimization, custom audiences, demographic targeting
  • Industry – used to provide the most effective Campaign
  • Journey structure information which dictates ultimate Facebook Campaign settings and visual display of Campaign information
  • Pricing plan information to correctly administer accounts
  • Shipping information – used in Campaign creation
  • SMS conversation records used to track conversations, responses and Campaign approvals
  • User information such as email, phone number, name

Shoelace as a Data Processor

Shoelace processes merchant data on behalf of merchants in order to compose, create and monitor retargeting campaigns. All data generated by these campaigns is ultimately owned by the merchant. In many instance Shoelace is a subprocessor to Shopify and Facebook data controlled by the merchant.

Below is an overview of processing activities and their purpose.

Shopify Data

  • Collections – used in collection campaigns and to categorise products for more effective campaigns and product exclusions
  • Markers for other apps used to optimize pixel loading and firing to prevent conflicts
  • Orders – used to determine metrics about the store such as order size, shipping costs, repeat purchases, total order value, etc. which is used in classifying merchant to provide the most effective Campaign
  • Products – required to sync product catalogs with Facebook
  • Product Images – processed to correctly size images for ad campaign requirements
  • Shop Information
    • country – used to create most effective Campaign
    • currency – used to better process order information
    • domain – used for links in campaigns
    • email address – used to communicate with the user
    • myshopify URL – used to uniquely identify stores
    • province – used for billing and tax purposes
    • shopify Plan – used to segment customer groups internally
    • timezone – stored for potential future campaign optimization

Facebook Data

  • Ad account parameters
    • age – used to determine legitimacy of ad accounts
    • associated business – used to correctly set up access permissions for creating campaigns
    • currency – required to correctly interpret all monetary values related to ad campaigns
    • name – used to identify ad accounts in a human readable format
    • status – used to determine if new campaigns can be created on an ad account
    • timezone – used for correct campaign scheduling
  • Campaign Insights (metrics) – used to monitor campaign performance, report to back to merchants and adjust structure as required
  • Page
    • banner image – used in certain campaigns
    • likes – used to determine legitimacy of Facebook Page
    • name – used to identify Facebook Page in a human readable format
    • page avatar – used to identify Page in dropdown menus etc
    • page backing Instagram ID – used for Instagram Campaign creation
  • Custom Audience counts – used as a metric for determining effective Campaign structure and spend
  • Pixel Event counts - used as a metric for determining effective Campaign structure and spend
  • Product Catalogue Feeds and Product Sets – required to correctly sync data between Shopify and Facebook

Google Analytics Data

For Merchants who enable the Google Analytics integration, we use Google user event information to supplement Custom Audience information in classifying merchants to provide the most effective Campaign.

Buyer Data

Orders fall into a special category as orders contain data about the buyer as well as the merchant. Shoelace stores the minimal set of required data (e.g. we do not store shipping addresses) and has no use or desire to personally identify buyers. Buyer information is only used in aggregate e.g. for Facebook Custom Audiences.

List of Processors and Sub-processors

Technical Infrastructure

Shoelace makes use of a variety of hosted solution for the simple reason that as a small startup we cannot build everything ourselves. By leveraging existing infrastructure, we can buy in technology that already has the best practices, performance and security built in. Our technical stack is comprised of:

  • Atlassian
  • AWS EC2
  • AWS S3
  • Azure
  • Blendo
  • Cloudimage
  • DigitalOcean
  • mLab
  • Papertrail
  • Sendgrid
  • Twilio
  • Url2Png

Business Tools

Shoelace makes use of SaaS tools to help us deliver the best possible service to merchants

  • Amplitude
  • ChartMogul
  • G Suite (Gmail, Calendar, Drive, etc)
  • Intercom
  • Mixpanel
  • Slack
  • Stripe
  • Stunning
  • Tableau
  • Zapier

Marketing Tools

Shoelace uses industry standard marketing tools to communicate with our merchants and share important information. These marketing tools are only used to market Shoelace itself and thus these are data processors to data of which Shoelace is a controller, not sub-processors of merchant data.

  • Autopilot
  • AdRoll
  • Facebook
  • Google Ads
  • Google Analytics
  • HubSpot
  • Intercom
  • LinkedIn
  • Twitter
  • Pinterest

Merchant Responsibilities

The merchant is the data controller for the bulk of data and it is the merchant’s responsibility to ensure they are GDRP compliant with respect to their customers’ data. Merchants must conduct all the relevant consent gathering and notification. Shoelace cannot give specific advice as each case is different and merchant’s must satisfy themselves that they are doing what is required of them.

Facebook Pixel

Shoelace uses the merchant’s Facebook Pixel to trigger tracking of events. We highly recommend using Shopify’s Facebook Pixel integration to simplify and streamline any Pixel related process. Shoelace also uses the merchant’s ad account so that the merchant has full control of this data. In this case the merchant is the data controller and Facebook is the data processor. For more information on this relationship please see:

In addition to the Standard Events (, Shoelace triggers the following custom events on behalf of the merchant:

  • ShoelaceViewContent acts the same as the ViewContent event; used primarily to ensure the Shoelace script has loaded correctly; this event isn’t used in the creation of custom audiences
  • ShoelacePurchase acts the same as the Purchase event; used in cases where there we may have identified accuracy issues with the Purchase event
  • ShoelaceAddToCart acts the same as the AdddToCart event; used in cases where there we may have identified accuracy issues with the AdddToCart event
  • SL-TimeOnPage used to track buyer behaviour and classify buying intent
  • SL-NewSession used to provide a rough count of the unique users sessions and tailor custom audiences based on user interest and return visits
  • SL-ScrollDepth used to track buyer behaviour and classify buying intent

Areas Shoelace is working on

We are currently able to comply with all required data subject requests, however, we are working on automating a lot of these processes so that requests can be served quicker and with less administrative overhead.

Shoelace currently has a privacy policy but we are working on an updated policy. This GDPR document should provide information pertaining to the GDPR in the interim.

Shoelace is in the process of hiring security and privacy consultants to assist with anything we may have overlooked or that needs additional work.

Who do I contact

For any additional question, comments or specific GDRP request please contact Shoelace via email at [email protected].