We recently made some updates to the Shopify Partner Program Agreement (PPA) and the Shopify API License and Terms of Use (API Terms). These changes encourage the best possible merchant experience within our developer and partner ecosystem and protect the integrity of the Shopify platform.
Please review this summary of some of the changes we’ve introduced on our Developer changelog. We encourage you to take a few moments to review the updated PPA and Shopify API Terms to better understand how all of the updates may impact your business.
Irene | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
What does this exactly mean: "All data relating to a merchant’s customers that a partner collects on behalf of the merchant (excluding any sensitive personal information) must be sent back to Shopify."
"All data relating to a merchant’s customers that a partner collects on behalf of the merchant (excluding any sensitive personal information) must be sent back to Shopify."
I don't find this statement explained in the latest Partner & API terms page. Shopify needs to provide a mechanism to send back this customer data. If the customer data is received via Shopify API then is it still required to be sent back and how? Or does this apply only to customer data collected outside of Shopify? Very confusing change that we don't know how to implement before the deadline of May 12, 2019. Apps team please clarify. Thx
Hey everyone, I'm going to be going through the thread and responding to every post, and we're working on some docs right now to clarify some of the more complex issues in more detail. I'll update the main post once we've got some more detailed content for you.
I've got a couple of responses started, I'll post these for now while we work on the other content. We're definitely listening.
@sentzational wrote: What does this exactly mean: "All data relating to a merchant’s customers that a partner collects on behalf of the merchant (excluding any sensitive personal information) must be sent back to Shopify."
Good question. A good rule of thumb is: if it can be stored in a structured way on the Customer object, then it should be stored there to make it available in the merchant's admin. There's a doc that details this here. We don't want to be in a place where all of the data on a merchant's leads are exclusively controlled by someone other than the merchant.
@mikeferrari wrote: More changes to the partner program that DON'T benefit the partner/developer in any way.....
We are generally open to changing things if you have specific concerns around any of the policy changes. If you feel like a few of these points have really hurt you, then post some details so that we can make sure we're not missing anything.
@Nesters wrote: Hey,
I would really like to understand what are the implications of your recent announcement that all payment processing should go through Shopify checkout.
All checkout and payment processing must go through Shopify checkout. Partners cannot bypass Shopify checkout unless authorized by Shopify in writing. I see this as being targeted toward app developers (for example, ReCharge). They would charge 1% commission on their Custom Checkout experience, which theoretically would be lost commission for you. I get that.
However, there is another scenario. For the market I am currently developing for, Shopify Checkout is lacking. Common means of payment are banking integrations and shipping is often done to Pickup points, both features not possible to implement with Shopify Checkout.
So custom checkout makes sense - for shipping support and at least for some payment processing.
So, now, as a Partner I would not be able to deliver this functionality, essentially, making Shopify a very unattractive choice for this market.
However, if someone, who is not a Partner, would instead get a Staff account on the Merchant's store and developed this checkout on their own - they would not be breaching any ToS agreement and would be good to go.
How come I, as a Partner, have been put in a disadvantageous position when it comes to delivering solutions for my clients.
This definitely makes sense to us, and is the reason that we explicitly call out the fact that there are exceptions in the TOS. First and foremost, we want to deliver value to merchants. That being said, there are a lot of poor checkout experiences. We're working really hard on ways to solve this problem at scale. Documentation is incoming.
@Naren1 wrote: "All data relating to a merchant’s customers that a partner collects on behalf of the merchant (excluding any sensitive personal information) must be sent back to Shopify."
I don't find this statement explained in the latest Partner & API terms page. Shopify needs to provide a mechanism to send back this customer data. If the customer data is received via Shopify API then is it still required to be sent back and how? Or does this apply only to customer data collected outside of Shopify? Very confusing change that we don't know how to implement before the deadline of May 12, 2019. Apps team please clarify. Thx
If you're an app that's collecting data on the storefront, there's a chance the merchant can't access their customer data unless they go through your service. We want merchants to be able to access this data through the admin. If you're just interacting with the Customer resource through the Admin API, you don't need to worry about this change.
Shayne | Developer Advocate @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
There are a few concerns that should be addressed.
Certain merchants I've worked with are using Shopify not for its web checkout but for its content management system and its related tools and apps on the backend. They've chosen not to use Shopify Checkout on purpose and have developed custom web checkouts. Sometimes it is due to the fact that Shopify does not provide support for certain payment gateways or they require very specific functionalities. They also do not want to use Shopify Plus, which also does not have these functionalities.
Shopify is simply a part of the overall technology stack and not the primary technology stack. They could very well have developed their websites using Webflow or just plain old Wordpress. Instead, they chose Shopify for its product and order management, but not for its web checkout.
Some early conversations I've had with merchants since yesterday indicate that they are exploring options of moving off of Shopify completely due to this API ToU change, given their heavy investments into their own customizations. Mind you, these are paying Shopify customers.
I think the Shopify team need to address this segment of the market. It seems the updated API ToU does not address this quite common use case and the negative impact this might have on not just developers, but on merchants themselves. The whole idea of having an API in the first place is so that merchants and developers can create solutions that Shopify won't or can't support. The logic and argument that Shopify is trying hard to solve problems "at scale" does not work when it is apparent that there are edge cases/needs of individual merchants that aren't met.
@Nesters wrote: Hey,
I would really like to understand what are the implications of your recent announcement that all payment processing should go through Shopify checkout.
All checkout and payment processing must go through Shopify checkout. Partners cannot bypass Shopify checkout unless authorized by Shopify in writing. I see this as being targeted toward app developers (for example, ReCharge). They would charge 1% commission on their Custom Checkout experience, which theoretically would be lost commission for you. I get that.
However, there is another scenario. For the market I am currently developing for, Shopify Checkout is lacking. Common means of payment are banking integrations and shipping is often done to Pickup points, both features not possible to implement with Shopify Checkout.
So custom checkout makes sense - for shipping support and at least for some payment processing.
So, now, as a Partner I would not be able to deliver this functionality, essentially, making Shopify a very unattractive choice for this market.
However, if someone, who is not a Partner, would instead get a Staff account on the Merchant's store and developed this checkout on their own - they would not be breaching any ToS agreement and would be good to go.
How come I, as a Partner, have been put in a disadvantageous position when it comes to delivering solutions for my clients.
This definitely makes sense to us, and is the reason that we explicitly call out the fact that there are exceptions in the TOS. First and foremost, we want to deliver value to merchants. That being said, there are a lot of poor checkout experiences. We're working really hard on ways to solve this problem at scale. Documentation is incoming.
@Shayne Are you saying that in this case custom checkout would be okay until you provide more tools to achieve the desired functionality?
What should I (as a developer) and the merchant do in this case to receive a written authorization?
1. Should we provide an explanation why this is necessary for the business?
2. Do we need to showcase a demo that it's a legitimate checkout experience (this seems a bit counter intuitive considering that it's against ToS in the first place)?
3. Explain the technical details of the checkout implementation and processing of customer data?
We are looking forward to hearing from you guys. There are multiple projects that are in a situation where custom checkout is the desired way to move forward, however, now we have no clue whether it is okay or not.
It looks like Shopify has issued an update to the API Terms so that section 3.2.18 (checkouts outside of Shopify Checkout) no longer applies to private applications.
@KarlOffenberger, @leteyski, @sharie, @Nesters - might apply to you.
Thanks for listening Shopify 🙂
@donny Thank you! That's the answer we were looking for. We are good to go.
@donny wrote: It looks like Shopify has issued an update to the API Terms so that section 3.2.18 (checkouts outside of Shopify Checkout) no longer applies to private applications.
@KarlOffenberger, @leteyski, @sharie, @Nesters - might apply to you.
Thanks for listening Shopify 🙂
Thanks for all the feedback everyone. As @donny mentioned, we've updated the terms for clarity. The intention was never to remove the ability for partners to provide bespoke solutions for their clients. The merchant owns their data, and their API credentials are there so that they can access it.
We really appreciate the depth of responses in this thread, thanks to everyone for taking the time.
Shayne | Developer Advocate @ Shopify
More changes to the partner program that DON'T benefit the partner/developer in any way.....
Hey,
I would really like to understand what are the implications of your recent announcement that all payment processing should go through Shopify checkout.
All checkout and payment processing must go through Shopify checkout. Partners cannot bypass Shopify checkout unless authorized by Shopify in writing.
I see this as being targeted toward app developers (for example, ReCharge). They would charge 1% commission on their Custom Checkout experience, which theoretically would be lost commission for you. I get that.
However, there is another scenario. For the market I am currently developing for, Shopify Checkout is lacking. Common means of payment are banking integrations and shipping is often done to Pickup points, both features not possible to implement with Shopify Checkout.
So custom checkout makes sense - for shipping support and at least for some payment processing.
So, now, as a Partner I would not be able to deliver this functionality, essentially, making Shopify a very unattractive choice for this market.
However, if someone, who is not a Partner, would instead get a Staff account on the Merchant's store and developed this checkout on their own - they would not be breaching any ToS agreement and would be good to go.
How come I, as a Partner, have been put in a disadvantageous position when it comes to delivering solutions for my clients.
I will quickly add that in addition to raising my concerns over on the FB partners group, I totally agree with @Nesters and it's a major pain point for me going forward with Shopify.
I've put a good 6 weeks into developing a design system targeted at ReactJS based SSRs such as Gatsby or Next exactly because I wanted to provide a storefront solution that has fewer limitations for merchants. One of the options there is for checkout to bypass Shopify's checkout completely because let's face it people - if you have a storefront like it's 2019 and then you redirect to a checkout that's like 2014 and on top of that it's on a different URL because you can't frame it into your PWA app... well I am short of civil words to describe this situation. It is not nice!
Look, I get it that you want to keep transactions revenues and I am totally okay with that and so is anyone signing up for Shopify. That's not really the issue or motivation to bypass checkout.
The reason to bypass Shopify checkout is you are NOT listening and from what I can tell from 2013 onward backlogs in these forums have staunchly held position that Shopify checkout is optimal and if you believe it isn't "look at your Plus plan".
So yes, guys & gals, you have my support and all if you wish to forbid bypassing Shopify checkout - but please allow us to use it properly first!
@Irene wrote: We recently made some updates to the Shopify Partner Program Agreement (PPA) and the Shopify API License and Terms of Use (API Terms). These changes encourage the best possible merchant experience within our developer and partner ecosystem and protect the integrity of the Shopify platform.
Please review this summary of some of the changes we’ve introduced on our Developer changelog. We encourage you to take a few moments to review the updated PPA and Shopify API Terms to better understand how all of the updates may impact your business.
"All checkout and payment processing must go through Shopify checkout. Partners cannot bypass Shopify checkout unless authorized by Shopify in writing."
@Irene Given the fact that we already operate a solution that violates this policy, who can we contact to discuss a potential authorization by Shopify?
Also, how will this impact merchants that already rely on our solution?
Thanks for the heads up @donny ! Also, respect to the Shopify team for the quick update and additional documentation.
However, my initial question still remains:
Given the fact that we already operate a solution that violates this policy, who can we contact to discuss a potential authorization by Shopify?
Also, how will this impact merchants that already rely on our solution?
Our competitors in the face of Bold, One Click Checkout and Carthook have all released statements, that their custom checkouts have been authorized to keep working. What are the rules/conditions that we need to comply with to get this authorization? Who can we talk to? Also, what will happen to our current customer base?
It would be a shame if you cherry-pick some custom checkouts and kill off smaller projects, just because they have an internal connection with Shopify. We've all chosen to build software for Shopify, because of the open APIs and the opportunity to stand out if you build a better product, I would hate to see my app being shut down, while the exact same alternative product keeps working with Shopify's blessing.
Good point @leteyski . I was wondering what would happen to those vendors you mention. The fact they already released statements that they will not be affected does suggest they knew upfront.
Our competitors in the face of Bold, One Click Checkout and Carthook have all released statements, that their custom checkouts have been authorized to keep working. What are the rules/conditions that we need to comply with to get this authorization? Who can we talk to? Also, what will happen to our current customer base?
Thank you to @Shayne and the Shopify team for the clarifications. It's a Friday, so extra props and thank you's for your quick responses!
In regards to @leteyski's comments, could @Shayne or someone from Shopify comment about it? For example, my software sells a combination of a software product/customization service using private APIs. As outlined in the Terms of Use, we don't use Shopify's OAuth/Public App Store integration, but technically speaking, we do have a URL (our website) where customers can come and go through the installation to see how things work and contact us for further customization needs within our software.
Again, thanks again to Shopify's team in addressing this change. How you guys have responded really puts into focus the word "Partner" in Shopify Partners.
All checkout and payment processing must go through Shopify checkout. Partners cannot bypass Shopify checkout unless authorized by Shopify in writing.
Our app has currently a solution that bypasses Shopify checkout mainly due to the fact the checkout API is not providing enough functionality to achieve what merchants require.
Moreover, there are merchants who originally didn't use Shopify due to certain features missing and finding out they can achieve them using this method, decided to join Shopify.
Also, you are requiring partners to implement changes outlined here within 60 days, without providing an alternative solution, which in some cases may be affecting months of development, with such a small grace period.
How can you bring out new rules like this; then we get total radio silence on the issue?
WE NEED ANSWERS!!
I need to make changes to my business if the new rules are so, can you please clear up pain points with this.
In the API Terms, section 2.3.18 says this:
"not use an alternative to Shopify Checkout for web checkout or payment processing, or register any transactions through the Shopify API, without Shopify’s express written authorization."
Does this mean that we're no longer able to use the Orders API Create Transaction endpoint at all for any reason without Shopify's permission?
@donny wrote: In the API Terms, section 2.3.18 says this:
"not use an alternative to Shopify Checkout for web checkout or payment processing, or register any transactions through the Shopify API, without Shopify’s express written authorization."
Does this mean that we're no longer able to use the Orders API Create Transaction endpoint at all for any reason without Shopify's permission?
Can we please get some clarification on this?
Thanks for updating the language but also have questions similar to @heng .
We are very different from other folks here - we are a Private App that uses the APIs to extract data and build marketing models for our clients including direct mail models. We at times will get updated suppression lists from their direct mail or email platforms. Do we need to push back this updated marketing information into the customer model?
Thanks,
Dan
I've just read the updated ToU section 2.3.17, and the justification provided in the email sent out today seems fair. Thanks for qualifying that, Shopify.
I'd still be interested in some clarification of the terms I listed above, i.e., public vs private apps, and the nature of transactions subject to the checkout API.
Hi Shopify Team,
Thanks for the email and update on API License and Terms today.
One question for us. If we utilize API to pull in our customer and order data and then also separately use Mailchimp APIs to pull in our email data, do we need to update Shopify accepts_marketing and accepts_marketing_updated_at because Mailchimp will no longer be directly connected? Currently we don't update because we assume the Mailchimp integration takes care of it.
Thanks,
Dan
@DaasityDan wrote: Thanks for updating the language but also have questions similar to @heng .
We are very different from other folks here - we are a Private App that uses the APIs to extract data and build marketing models for our clients including direct mail models. We at times will get updated suppression lists from their direct mail or email platforms. Do we need to push back this updated marketing information into the customer model?
Thanks,
Dan
Is anyone replying to this thread anymore? Please can you clarify this point:
In the API Terms, section 2.3.18 says this:
"not use an alternative to Shopify Checkout for web checkout or payment processing, or register any transactions through the Shopify API, without Shopify’s express written authorization."
Does this mean that we're no longer able to use the Orders API Create Transaction endpoint at all for any reason without Shopify's permission?
These restrictions don't apply for private apps. I hope Shopify continue to reinforce this.
Too late... our app just got blocked by Shopify.
The fact Shopify effectively blocked the installation of our app before warning us just makes things look even more wrong. According to Shopify TOS, as also discussed on this thread, our app did not break any rules, I did a lot of research before putting 6 months of work with other 6 developers on the team.
The API Terms Section 2.3.18 says not to use an alternative to Shopify Checkout for web checkout or payment processing, or register any transactions through the Shopify API, without Shopify’s express written authorization.
But it also says the following: *This Section 2.3.18 only applies to Public Applications.* Again, as also discussed in this thread.
We have a private app, that completely replaces Shopify checkout, therefore we did not break any rules whatsoever.
In the email Shopify sent me, it was written: "Additionally, due to the installation requirements (disabling Shopify checkout, adding javascript), this has been causing an increase in support debt for Shopify’s support team."
Here is the thing - merchants do not have to disable Shopify checkout and add any Javascript whatsoever. There is no cause for increase in support for Shopify's team. Our merchants simply have to install our app. That's all. Just like our competitors do. So I really don't understand what is happening.
Like one of the guys here previously said: "Now, how come I, as a Partner, have been put in a disadvantageous position when it comes to delivering solutions for my clients, while others do the same."
Here are a few similar apps running the same kind of solution that we do, without any blocks:
- carthook.com
- recart.com
- zipify.com/ocu
- boldcommerce.com
- rechargepayments.com
The decision Shopify took on us totally breaks the Partners trust we put in Shopify while building apps for merchants.
Regarding: 'Developers cannot create multiple applications that offer substantially the same services.'
We have a software platform that powers fulfillment applications. Though our applications have the same service in that they support drop shipping each application is managed by a separate business, each with their own unique product lines.
I'd like to know if this provision is meant to discourage our business model, a model which only encourages people to provide services to Shopify stores and gives Shopify retailers access to brands and products they otherwise would not be privy to.
Thanks for responding with updated documentation and clarification on many concerns raised here. I am no lawyer so all this legal lingo is a little beyond me, but could you also be more explicit about
You're a partner that works with individual merchants on custom checkout needs using a private app. These changes don't affect your current engagements with these existing merchants.
mentioned in documentation. The bold text implies that the changes do not affect existing private apps but leaves a little uncertainty about new private apps. Am I reading too much in to this? The ToS simply exclude all private apps and make no mention of existing or new engagements.
Thanks for listening and being open!
@KarlOffenberger wrote:
Thanks for responding with updated documentation and clarification on many concerns raised here. I am no lawyer so all this legal lingo is a little beyond me, but could you also be more explicit about
You're a partner that works with individual merchants on custom checkout needs using a private app. These changes don't affect your current engagements with these existing merchants. mentioned in documentation. The bold text implies that the changes do not affect existing private apps but leaves a little uncertainty about new private apps. Am I reading too much in to this? The ToS simply exclude all private apps and make no mention of existing or new engagements.
Thanks for listening and being open!
No worries Karl, better safe than sorry. Private apps, new or old, are not affected.
Shayne | Developer Advocate @ Shopify
I'll throw my hat in the ring here, and welcome clarification from whoever might want to pitch in. I've already contacted Shopify directly, but it would be nice to get a broader opinion on this.
We're a few weeks into developing an integration between our standalone inventory management and point of sale system and Shopify. Our plan is to start by coupling as loosely as possible with Shopify by only syncing items first listed on our end with Shopify products. We'll then track all quantity changes to keep inventory levels in sync for this subset of the merchant's items, and listen for sales so we can handle some consignment workflows.
The customer data requirement is not a showstopper for us, but it doesn't seem to make much sense because Shopify's justification for the policy is to provide the merchant access to their customer data (which we do). However, our merchants have already chosen to trust us, and we're referring them to Shopify as an ancillary partner. What makes Shopify more trustworthy than our software? Additionally, our point of sale is only meant to be used for brick-and-mortar sales, not for web sales, which makes the segment of customers we track in our software pretty distinct from the segment of customers who purchase items through Shopify. It seems to me that the merchant has entrusted us with brick-and-mortar customer data; Shopify with online customer data. Finally, it's the merchants themselves who enter data into our system, at no time do we interact directly with the customer.
The bigger issue for us, of course, is the requirement to use Shopify's own checkout. The criticism that a checkout experience might be bad for a customer doesn't really hold water for us, since our checkout experience is merchant-facing; again, at no point do we interact directly with a customer. Like several other folks in this thread, our POS is custom-made because it supports some specific use cases having to do with our market. Additionally, the same argument applies that Shopify's value-add for us here has nothing to do with brick-and-mortar sales, we're more interested in using Shopify to enable our merchants to make online sales. It sounds like we can apply here for an exception, and there's no reason for Shopify to turn us down, but I also am curious about the details of how to go about that, on what criteria the checkout is judged, etc.
I was also curious to have a few terms defined, specifically with reference to our use case, where we're less of an app, and just as much a "platform" as Shopify is.
Sorry if this was a bit long-winded! It's a complex matter, and appears to have some major potential downsides for us, to the point that we'd have to abandon Shopify for an inferior solution. Shopify is the best out there though, so we'd love to make this work.
> All data relating to a merchant’s customers that a partner collects on behalf of the merchant (excluding any sensitive personal information) must be sent back to Shopify.
I'd like some clarification on this as well. We are a platform that enables merchants to chat with their customers online, through email and social channels. This means that any email the merchant receives at their email channel or through those channels appears on our platform. In those conversations, we collect the other party's name and email address, and the contacts which exist on our platform for a merchant might or might not be relevant to Shopify (could be that the merchant is in an email conversation with another app provider), so it doesn't seem to make a lot of sense to sync the data back to Shopify. In fact there's no real way of determining whether a contact is relevant to Shopify as a Customer resource or not.
The other issue is that if multiple apps collect name + email + phone, and with each app syncing their own version of the data back to Shopify, wouldn't that conflict (last write wins) and possibly mess up the customer information on the Shopify side? Wouldn't this also result in a large number of Shopify Customer objects being created on the merchant's store, regardless if the customer was actually a customer or purchased anything?