Legal

GDPR & Data Rights

Last updated: July 18, 2026

This page explains how myshop.au handles personal data under the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and the Australian Privacy Principles (APPs), and how you can exercise your rights. It supplements our Privacy Policy.

1. Controller and processor roles

myshop.au runs a two-sided platform, so our role depends on the data:

  • Merchant account data — for the data of shop owners who sign up with us, myshop.au is the controller.
  • Shopper data in a store — for personal data that a merchant collects from their customers through their myshop.au store, the merchant is the controller and myshop.au acts as a processor on their instructions.

For privacy or data requests, contact us at privacy@myshop.au. If we appoint an EU/UK representative or Data Protection Officer, their details will be published here.

2. What personal data we process

  • Account data — email, name, and (for Google sign-in) your profile picture, via our authentication provider.
  • Shop content — your shop details, product listings, images, and store settings.
  • Order and customer data— a shopper's name, contact and shipping details, and order history, processed on the merchant's behalf to complete purchases.
  • Payment data — limited transaction details from our payment processor; we do not store full card numbers.
  • Usage and technical data — basic, largely anonymized analytics and security logs.

3. Purposes and legal bases (GDPR Art. 6)

  • Performance of a contract — to host your shop, display your products, and process orders and payments you and your customers request.
  • Consent — for optional features and any marketing communications. You may withdraw consent at any time.
  • Legitimate interests — to secure, maintain, and improve the Service and prevent fraud, where not overridden by your rights.
  • Legal obligation — to keep transaction records and comply with applicable law.

4. Recipients and sub-processors

We share personal data only with service providers who process it on our behalf under contract, including our payment processor to take payments and pay out merchants, our authentication provider, hosting and infrastructure providers, and email and notification providers. We do not sell your personal data.

5. International transfers

Some providers may process data outside your country, including in the United States. Where required, such transfers are protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or an adequacy decision.

6. Retention

We keep personal data only for as long as necessary to provide the Service and for legitimate or legal purposes — including keeping order and tax records for the period required by law — after which it is deleted or anonymized. You can request deletion at any time (see below).

7. Your rights under the GDPR / UK GDPR

  • Access — obtain a copy of your personal data;
  • Rectification — correct inaccurate or incomplete data;
  • Erasure — request deletion (“right to be forgotten”);
  • Restriction — limit how we process your data;
  • Portability — receive your data in a portable, machine-readable format;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — at any time, without affecting prior lawful processing;
  • Automated decisions — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. myshop.au does not make such decisions about you.
  • Complain — lodge a complaint with your supervisory authority (e.g. your EU Data Protection Authority, the UK ICO, or the Australian OAIC).

If you are a shopper and want to exercise rights over data held by a store, please contact that merchant first, since they are the controller. We will assist the merchant in responding.

8. California rights (CCPA/CPRA)

California residents have the right to know what personal information we collect and how it is used and shared, to request deletion or correction, and to not be discriminated against for exercising these rights. We do not “sell” or “share” personal information for cross-context behavioral advertising as those terms are defined under the CPRA.

9. Australian Privacy Principles (APPs)

For users in Australia, we handle personal information in accordance with the Privacy Act 1988 (Cth) and the APPs, including being open about our practices, collecting only what we need, keeping it secure, and giving you access to and correction of your information. Complaints can be made to the Office of the Australian Information Commissioner (OAIC).

10. How to exercise your rights

Email privacy@myshop.au from the address associated with your account. We will verify your identity and respond within the timeframe required by applicable law (generally within one month under the GDPR). There is normally no charge, and you may ask someone to make a request on your behalf.

11. Updates

We may update this page to reflect changes in law or our practices. The date above shows the latest revision. Questions? Contact privacy@myshop.au.