Shopify Pays Through Stripe — Where Does the Data Go?

The setup most merchants don't realize they accepted

Shopify is Canadian-headquartered. Ottawa-based. CA$11+ billion in 2024 revenue. Tobias Lütke retains roughly 40% of voting power through a Founder Share — operationally Canadian-resident, listed primary on the NYSE. The brand reads Canadian. The corporate logic is Canadian. The payment rails are not.

We are not breaking news here. We are pointing at something that sits in plain sight on Shopify's own privacy page and on Stripe's privacy center, that almost no one — merchant or consumer — actually reads.

Shopify Payments runs on Stripe

Shopify Payments is the default payment processor enabled when a merchant signs up for Shopify in Canada. It is integrated into the merchant admin, branded as Shopify, billed by Shopify, and supported by Shopify. The text on shopify.com/payments describes it as "powered by Shopify."

What the marketing copy does not lead with: Shopify Payments runs on Stripe's processing infrastructure. Stripe, Inc. is incorporated in Delaware. Its primary processing operations are U.S.-resident. Stripe processes the card-network handshakes, the tokenization, the fraud checks, the settlement. Shopify is the merchant-of-record interface; Stripe is the actual money-and-data engine underneath.

The data flow on every transaction

When you check out on a Canadian Shopify store, the data flow looks like this:

Your browser POSTs your card details to a Stripe-hosted iframe (Shopify uses Stripe Elements for PCI-compliance offloading). The card data lands on Stripe infrastructure — not on the Canadian merchant's server, not on Shopify's. Stripe forwards a tokenized authorization to Visa / Mastercard / AMEX over their networks. The card network responds. Stripe captures the response. Settlement: funds move from card-network to Stripe's banking partner to the merchant's Canadian bank account, typically T+2.

Steps 1 and 2 are where your raw card data sits on U.S.-resident systems. PCI-DSS governs how that data is secured. PCI-DSS does not govern which jurisdiction gets to read it.

Stripe's own description of who they are

Stripe's Privacy Center is unusually candid about this, once you know what to look for. Stripe distinguishes between:

Business User — the merchant (a Canadian Shopify store owner, in our case) End Customer — the cardholder (you, the Canadian consumer) End User — someone using Stripe-direct services like Link or Stripe Climate

For card transactions, the Canadian merchant is the Business User, and the customer is the End Customer. Stripe processes End Customer card data on behalf of the Business User. Per Stripe's own categorization, Stripe is a data processor for that flow — but the processing happens on Stripe-controlled, U.S.-resident infrastructure, and Stripe is a U.S. company with a controller's full set of obligations to U.S. authorities.

What this means in one sentence

A Canadian customer, paying a Canadian merchant in Canadian dollars on a Canadian-branded checkout, has their card data processed by a Delaware corporation on U.S.-resident infrastructure, subject to U.S. extraterritorial process, on every transaction.

News · Daily Web · 2026-05-10

The lede

Shopify Payments is the default checkout for every Canadian Shopify merchant. Shopify Payments is built on Stripe's processing infrastructure. Stripe, Inc. is Delaware-incorporated, San Francisco-headquartered. Every Canadian-merchant transaction routes raw card data through U.S.-resident systems before settlement returns funds to the merchant's Canadian bank account.

Numbers

Shopify processes a meaningful percentage of Canadian e-commerce. Public-record GMV (Gross Merchandise Volume) across Shopify-powered Canadian stores is in the tens of billions of CAD annually. Shopify Payments adoption among Canadian merchants on the platform is the majority case — it is the default and the path of least friction. Stripe's processing operations: U.S.-resident, U.S.-incorporated, U.S.-jurisdictional.

Why the U.S. CLOUD Act applies

The U.S. CLOUD Act (Pub. L. 115-141 div. V, 2018) compels U.S. corporations to produce data they "control" — regardless of physical location of the data — when served with a U.S. court order. Stripe, Inc. is the textbook subject. Card-payment data Stripe holds for any Canadian merchant on the Shopify Payments platform is in Stripe's possession and control, in U.S.-resident infrastructure. The order does not require Canadian sign-off.

What this means for Canadians

If you bought from a Canadian-branded Shopify store today, your card data was processed in U.S. jurisdiction. The Canadian merchant remained PIPEDA-accountable, but PIPEDA accountability does not stop a U.S. court order to Stripe. The Privacy Commissioner of Canada has no direct recourse against Stripe.

Press Release · CanadaGuards Notice

CanadaGuards calls for visible disclosure of payment-jurisdiction at Canadian merchant checkouts

Ottawa-based advocacy initiative CanadaGuards is calling on the Office of the Privacy Commissioner, the Department of Finance Canada, and the Canadian Marketing Association to issue voluntary guidance — and, where supported, regulatory amendment — requiring Canadian e-commerce merchants to visibly disclose at checkout when payment processing routes through a foreign-jurisdictional processor.

The current disclosure regime relies on linked privacy policies, almost universally unread, that disclose cross-border data flow in technical terms buried under multiple click-throughs. CanadaGuards' position is that this is not informed consent for cross-border transfer of payment-card Personal Information.

What CanadaGuards is requesting

Visible checkout disclosure — a single line near the "Place order" button reading, e.g., "Your card data will be processed in the United States by Stripe, Inc." with a link to a one-page summary of jurisdictional implications. OPC guidance — formal Office of the Privacy Commissioner of Canada guidance on what constitutes informed consent for routine cross-border transfer of payment data, distinct from one-time disclosure in a privacy policy. Optional Canadian-resident processor labeling — a "Canadian-resident processing" label that merchants who use processors like Helcim or Moneris can display, the way "Made in Canada" labels exist for goods.

Tip line for Canadian merchants

If you are a Canadian merchant who has done the analysis on jurisdiction-of-card-data and switched processors — or considered it and stayed — write to tips@canadaguards.ca. We are mapping which Canadian merchants have made this choice deliberately versus by default.

Legal Breakdown · Who can subpoena Stripe for your card data

Authority over a Canadian's card payment data, today

Regime Effective reach Canadian adjudication?

PIPEDA accountability Binds the Canadian merchant + Shopify; flows to Stripe by contract. Yes — OPC against the Canadian organization, not against Stripe directly.

U.S. CLOUD Act Compels Stripe, Inc. to produce data it controls — extraterritorial. No — Canada has not concluded a CLOUD Act executive agreement.

U.S. state laws (e.g. CCPA) Apply where Stripe processes data of a California resident; do not directly cover Canadian End Customers. No — state-level, not federal.

PCI-DSS Card-data security standard. Operative; jurisdiction-neutral. N/A — security only, not jurisdiction.

What a Canadian merchant can do today

A Canadian Shopify merchant who wants Canadian-resident processing has options — none of them as frictionless as Shopify Payments default:

Disable Shopify Payments and use a Canadian-resident gateway — Helcim (Calgary-headquartered, Canadian processing), Moneris (BMO+RBC), Bambora/Worldline. Trade-off: more setup, sometimes higher fees. Disclose explicitly in the merchant's checkout page that card processing routes through Stripe (US) and that customer data crosses into U.S. jurisdiction. Trade-off: some customers will abandon. That is the trade-off existing disclosure-by-fine-print is designed to avoid.

Disclaimer

This breakdown is intelligence reporting on jurisdictional architecture of Canadian payment processing. It is not legal advice. CanadaGuards is not alleging that Shopify Inc., Stripe Inc., or any individual merchant has acted improperly or in violation of law. The facts cited are public-record, and the framing is intelligence analysis for reader literacy.

Government Relations · Open questions for parliamentarians

What CanadaGuards is asking Parliament to look at

1. To the Minister of Innovation, Science and Industry

Does the Government of Canada have a position on whether default cross-border payment-data flow through a single foreign-jurisdictional processor (Stripe) — covering a meaningful share of Canadian e-commerce — constitutes a Canadian payment-system sovereignty risk worth treating as a public-policy file?

2. To the Privacy Commissioner of Canada

Has the OPC formed an operational view on whether informed consent for cross-border transfer of payment-card Personal Information is adequately captured by linked-privacy-policy disclosure, or whether more visible checkout-time disclosure should be required?

3. To the Minister of Finance

What is the Government's position on a Canada–U.S. CLOUD Act Executive Agreement? Negotiations have been concluded by the United Kingdom (2019, in force 2022) and Australia (2021). Are Canadian negotiations active, paused, or unstarted? If unstarted, why?

4. To the Minister of National Revenue

Does the Canada Revenue Agency receive transaction data from Stripe under any agreement? If yes, under what authority and with what safeguards, given Stripe's U.S.-jurisdictional posture?

5. To the Standing Committee on Industry and Technology

Would the Committee consider tabling a study on Canadian payment-system sovereignty, with witnesses from Shopify, Stripe, the Canadian Bankers Association, the OPC, and Canadian-resident processors (Helcim, Moneris, Bambora)?

What the federal government can do without legislation

OPC can publish guidance on visible-checkout disclosure standards under existing PIPEDA authority. Innovation, Science and Industry can fund a market-mapping report on Canadian-resident-processing alternatives to drive merchant awareness. Department of Finance can open or accelerate Canada–U.S. CLOUD Act executive-agreement negotiations. Canadian Marketing Association + Retail Council of Canada can self-regulate visible disclosure as best-practice.

None of these requires a Parliamentary majority. All are within the existing authority of the named bodies.