GDPR & Customer Reviews: What Every Shopify Store Must Know

Collecting reviews means handling personal data. Here's everything you need to stay compliant with GDPR and protect your customers' privacy.

Sofia Lane

Jan 14, 2026 · 5 min read

If you sell to customers in the European Union or United Kingdom, GDPR applies to every piece of personal data you collect — including names, email addresses, and the content of customer reviews. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover.

What counts as personal data in reviews?

  • Customer name (first name alone can be sufficient to identify someone in some contexts).
  • Email address used to send review requests.
  • Profile photos submitted with reviews.
  • Any personal information included in the review text itself.
  • IP addresses and browser data collected during form submission.

Lawful basis for processing

To process customer data for review collection, you need a lawful basis under GDPR. The most appropriate basis for post-purchase review requests is legitimate interest — you have a reasonable business interest in collecting feedback, and customers have a reasonable expectation that you may contact them about their order.

Document your legitimate interest assessment (LIA) and make it available if requested. Reviewifyd's data processing is designed to support legitimate interest as the lawful basis for review request emails.

Unsubscribe and the right to erasure

Every review request email must include a clear, functioning unsubscribe link. More importantly, if a customer requests deletion of their data under GDPR's right to erasure, you must be able to delete or anonymize their personal data from your review platform within 30 days.

Reviewifyd supports this through its data deletion tools, which allow you to anonymize reviewer data while preserving the review content itself — maintaining your social proof while honoring the customer's right to be forgotten.

Data processing agreements

As a data processor handling your customers' personal data, Reviewifyd provides a Data Processing Agreement (DPA) to all merchants. If you're subject to GDPR, you should have a signed DPA with every third-party service that processes EU personal data on your behalf. Contact our support team to request your DPA.

About the author

Sofia Lane

Sofia is a Shopify growth strategist with 8 years of experience helping DTC brands scale through social proof and conversion optimization.
