OP reports their private login email and residential address were auto-inserted into the store’s publicly visible privacy policy during setup, leading to daily spam, and asks if Shopify leaked this data.
Most replies say it’s not a leak: public business contact info is expected, and the privacy policy auto-populates from the store contact email. Email harvesters scrape public pages and domain records (WHOIS, a public domain ownership directory). OP notes they have WHOIS privacy and used a different domain email, suggesting the policy/store pages were the source.
Recommendations:
Set a dedicated business contact email in Settings; remove personal emails from policies/theme files.
Enable email authentication (SPF/DKIM/DMARC) and use spam filters or aliases.
Optionally use location-blocker apps to reduce spam traffic.
Note that Shopify does not share login credentials or personal emails with third parties.
A screenshot dispute arises: one user says the message appears to be a genuine public reply, while OP believes it’s spam.
Status: No confirmed Shopify change or fix. Discussion remains open; unresolved whether Shopify should warn/prevent using login emails/addresses in autogenerated policies.
Summarized with AI on December 11.
AI used: gpt-5.
You have a registered domain, whether through Shopify or a third party. That means it’s public. It’s not “leaked”. It’s nothing new either. Almost every new store gets flooded with scammer emails. Email harvesting bots look through public data, especially WHOIS, and get your email address.
As for the privacy policy, that is automatically generated unless you choose to do custom. It will populate the email from the Store. Again. Public. Your business email. Not sure why you would want to hide your contact from the customer. If you need to change it to a professional email, you can do that through your Shopify Settings.
I’ve got WHOIS protection and I’ve used a different email to register that domain anyway. So it’s not from there.
When setting up the store I was just messing around, and trying things out. Didn’t have my email sorted out at the time. So Shopify used my PRIVATE EMAIL THAT I USE TO LOGIN instead. I also used my residential address to sign up. Which was also automatically inserted into the privacy policy.
I’m not the only person that’s done this; there should be a warning about it.
This is for public businesses. It’s not a social media profile. There is no private information. The warning is self-explanatory when you sign up. Like getting a business license and opening a brick and mortar shop. It’s all public access.
Hey there @dwd1234, as other people have already rightly mentioned, there was no leaking done here as the email is indeed within public access. As for the bots, my best advice for now would be to try to find out the major areas where the spam is coming from and get certain location blocker apps that can help prevent them.
I suggest you read with more comprehension. I didn’t say that my store shouldn’t have a contact email?
But thanks for your wise reply, now I know that an email helps customers contact me. WOW
That pere01 is deffo some sort of spammer, he would have replied to the thread I’ve made instead of messaging me privately. Also, these are the exact same messages I’m getting on my email.
If your email address and physical address were listed in any privacy policy or store page that’s visible to the public, that may be the spam source. Shopify does not provide your login credentials or personal email to third parties. Your store contact information and WHOIS domain registration, and any publicly visible sections. Use a different business email for public-facing pages, enable SPF/DKIM/DMARC on your email, and possibly use a spam filter or alias for incoming mail. Don’t put personal email addresses on store policies or theme files; if you do, you are running the risk of getting scraped by scammers.
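One way to check for the exposure discussed in this thread, added here as an example and not part of any post or of Shopify's tooling: scan saved copies of policy pages and theme files for any email address other than the approved business contact, including addresses hidden behind HTML entities or URL-encoded `mailto:` links. The file names, addresses and the function name `find_unapproved_emails` are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample input (file name -> content); not real store data.
SAMPLE_PAGES = {
    "policies/privacy-policy.html": (
        '<p>Contact us at <a href="mailto:jane.personal%40example.net">email</a></p>\n'
        "<p>Or write to support@example-store.test</p>\n"
    ),
    "sections/footer.liquid": "<span>Questions? jane.personal&#64;example.net</span>\n",
    "templates/page.contact.liquid": "<p>support@example-store.test</p>\n",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_unapproved_emails(pages, approved):
    """Return (file, line number, address) for every address not in `approved`.

    Each line is entity-decoded and URL-decoded first, so "&#64;" and "%40"
    forms are caught the same way a harvesting bot would see them.
    """
    approved = {a.lower() for a in approved}
    findings = []
    for name, content in sorted(pages.items()):
        for lineno, line in enumerate(content.splitlines(), start=1):
            decoded = unquote(html.unescape(line))
            # Deduplicate per line and compare case-insensitively.
            for addr in sorted({m.lower() for m in EMAIL_RE.findall(decoded)}):
                if addr not in approved:
                    findings.append((name, lineno, addr))
    return findings


if __name__ == "__main__":
    for name, lineno, addr in find_unapproved_emails(
        SAMPLE_PAGES, {"support@example-store.test"}
    ):
        print(f"{name}:{lineno}: unapproved address {addr}")
```

Run it over exported theme files and saved policy pages after changing the store contact email, since text generated earlier may still contain the old address.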