The compliance basics
- GDPR applies if you sell to EU residents — regardless of where your store is based.
- Personalization data is personal data — names, dates, photos, logos all count.
- Legal basis: contract performance covers most personalization use cases.
- Retention: 30-90 days for active personalization data; 6-7 years for order records (legal requirement).
- Privacy policy must disclose what you collect, why, retention, sharing, and customer rights.
This is general guidance, not legal advice. Consult a privacy lawyer for your specific situation.
Who this applies to
GDPR (the EU General Data Protection Regulation) applies if any of the following are true:
- Your store is based in the EU/EEA.
- You ship products to EU/EEA customers (even occasionally).
- You market to EU/EEA customers (translated pages, EU shipping calculator, EU pricing).
- You track EU/EEA visitors via analytics or cookies.
For most Shopify stores in 2026, this means GDPR effectively applies. The good news: compliance is mostly about good data hygiene plus proper disclosure.
What personalization data you're collecting
| Data type | Sensitivity | Legal basis |
|---|---|---|
| Customer's own name (engraved) | Standard | Contract performance |
| Engraved date | Standard | Contract performance |
| Custom message text | Standard | Contract performance |
| Uploaded logos (customer's brand) | Standard | Contract performance |
| Uploaded photos (no faces) | Standard | Contract performance |
| Uploaded photos (with faces) | Higher (biometric) | Explicit consent recommended |
| Photos of children | Highest | Parental consent + special protections |
| Memorial/sympathy data | Higher | Explicit consent + sensitive handling |
Retention limits
GDPR Article 5(1)(e) — data should be kept "no longer than necessary." For personalization data:
- Active personalizer state (customer mid-order): kept until order ships.
- Order line-item properties (text, font, color, photo URLs): kept on the Shopify order indefinitely (or 6-7 years for tax/VAT compliance).
- Uploaded files (customer photos and logos): retain for 30-90 days post-fulfillment to handle reprints. Then archive or delete.
- Customer email and contact info: standard order retention, typically 6-7 years for tax records.
Customer rights you must honor
- Right to access (Article 15): Customer can request a copy of all data you hold on them. Provide within 30 days.
- Right to erasure (Article 17, "right to be forgotten"): Customer can request deletion. Honor unless you have a legal reason to keep (tax records).
- Right to rectification (Article 16): Correct errors in their data on request.
- Right to portability (Article 20): Provide their data in a machine-readable format.
- Right to object (Article 21): Customer can object to certain processing (marketing emails, but generally not order fulfillment).
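As an added illustration (not code from this page or from the Print It My Way app), a small Python retention sweep that encodes the schedule in "Retention limits" together with the erasure-versus-legal-hold rule from "Right to erasure": files go immediately on an erasure request, the order record stays for its tax window. The 90-day file window, the 7-year order window and the OrderRecord shape are assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
# Retention windows from the page's schedule; the exact 90-day and 7-year figures are the
# policy this example assumes, not the app's settings.
FILE_RETENTION = timedelta(days=90)        # uploaded photos/logos after fulfilment
ORDER_RETENTION = timedelta(days=7 * 365)  # order record incl. line-item properties (tax/VAT)

@dataclass
class OrderRecord:                         # hypothetical shape, not a Shopify object
    order_id: str
    fulfilled_on: date | None              # None: still in the personalizer / not shipped
    uploaded_files: list[str] = field(default_factory=list)
    erasure_requested: bool = False        # Article 17 request received

def retention_actions(rec: OrderRecord, today: date) -> dict[str, str]:
    """Decide per artifact whether to 'keep' or 'delete' it as of `today`."""
    actions = {"personalizer_state": "keep", "uploaded_files": "keep", "order_record": "keep"}
    if rec.fulfilled_on is None:
        return actions                     # contract still being performed: purge nothing
    actions["personalizer_state"] = "delete"   # draft state is not needed once shipped
    age = today - rec.fulfilled_on
    if not rec.uploaded_files:
        actions["uploaded_files"] = "n/a"
    elif rec.erasure_requested or age >= FILE_RETENTION:
        # Erasure is honoured immediately for the image itself (no legal reason to keep
        # it); otherwise the reprint window closes at 90 days.
        actions["uploaded_files"] = "delete"
    if age >= ORDER_RETENTION:
        # Tax/VAT retention overrides erasure requests until the window ends.
        actions["order_record"] = "delete"
    return actions

def sweep(records: list[OrderRecord], today: date) -> list[str]:
    """Ids of orders with at least one artifact due for deletion."""
    return [r.order_id for r in records if "delete" in retention_actions(r, today).values()]
# Constructed sample input (not real orders) for a stand-alone run.
SAMPLE_TODAY = date(2026, 6, 1)
SAMPLE_RECORDS = [
    OrderRecord("A", None, ["a.jpg"]),                                   # still in progress
    OrderRecord("B", date(2026, 1, 1), ["b.jpg"]),                       # 151 days post-ship
    OrderRecord("C", date(2026, 5, 20), ["c.png"], erasure_requested=True),
    OrderRecord("D", date(2018, 1, 1)),                                  # past 7-year window
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.order_id, retention_actions(r, SAMPLE_TODAY))
```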
Privacy policy language
Add a personalization-specific section to your privacy policy:
Personalization data we collect. When you personalize a product, we collect the text, font, color, and any uploaded photos or logos you provide. We use this data solely to fulfill your order. The legal basis is contract performance (GDPR Article 6(1)(b)).
Photo uploads. By uploading a photo, you confirm that you have rights to use it and that any identifiable individuals in the photo have given permission. We delete uploaded photos 90 days after order fulfillment.
Retention. Personalization text and metadata are kept on the order record for 7 years (tax compliance). Uploaded files are deleted 90 days post-fulfillment unless you request earlier deletion.
Your rights. Email support@yourstore.com to access, correct, delete, or port your personalization data. We respond within 30 days.
How Print It My Way handles GDPR
- Data processor role. You're the data controller; Print It My Way processes data on your behalf under Shopify's standard DPA.
- Encryption. Uploaded files encrypted in transit (TLS) and at rest.
- Retention controls. Configurable retention periods on Pro and Advanced plans.
- Erasure support. Right-to-be-forgotten requests can be processed via the Print It My Way admin or by emailing support@printitmyway.com.
- Sub-processor transparency. Cloud storage providers and other sub-processors documented in our DPA.
- Breach notification. Print It My Way notifies you within 24 hours of any data breach affecting your customers.
See the Print It My Way privacy policy for full details.
GDPR-friendly Shopify personalizer
Print It My Way is built with EU compliance in mind — encryption, configurable retention, easy data deletion, and a transparent privacy policy.
Frequently asked questions
Does GDPR apply to Shopify stores selling personalized products?
Yes if you process personal data of EU residents — even if your store is based outside the EU. Personalized products typically collect customer name (for engraving), uploaded photos that may show people, and contact info via the order. All of these are personal data under GDPR. Comply or face fines up to 4% of global revenue.
What customer data does product personalization typically collect?
Engraved/printed text (often names, dates, messages), uploaded photos, uploaded logos, and standard order data. Photos are the most sensitive — under GDPR Article 9, biometric data (faces) requires explicit consent and additional safeguards.
What's the legal basis for processing personalization data?
Most stores rely on contract performance under GDPR Article 6(1)(b) — the customer placed an order; you need their personalization data to fulfill it. This works for the customer's own name/text. For uploaded photos containing other people, you may need explicit consent.
How long can I retain customer personalization data?
Order fulfillment plus reasonable post-sale support: typically 30-90 days for active retention, then archive or delete. Legal requirements (tax/VAT) may require keeping order records for 6-7 years; personalization-specific data (uploaded photos) should be deleted earlier.
Do I need explicit consent for photo uploads?
Best practice: yes, with a clear checkbox. The customer should affirm they have rights to the photo and consent to it being used for production. For photos that may contain other identifiable individuals, the customer should also confirm permission.
What rights do EU customers have over personalization data?
Right to access (data subject access request), right to erasure ('right to be forgotten'), right to portability (export their data), right to rectification (correct errors), and right to object to processing. Set up clear processes for handling these requests within 30 days.
Is Print It My Way GDPR compliant?
Print It My Way operates as a data processor under GDPR — you are the data controller. The app handles customer personalization data per Shopify's standard data-processing agreement. Print It My Way encrypts uploaded files, supports right-to-erasure requests, and stores files only as long as needed.
What should my privacy policy say about personalization?
At minimum, disclose: what personalization data you collect, why you collect it (order fulfillment), legal basis (contract performance), how long you retain it, who you share it with, and how customers can request deletion. Update your Shopify privacy policy to add a specific personalization section.