What Is Shop?

Shop is Shopify’s official shopping companion app. It helps you:

• Track online orders from multiple stores,
• Get delivery notifications,
• Discover and purchase directly from Shopify merchants.

It’s convenient — and widely used.
If you’ve ever seen a “Powered by Shopify” checkout, you’ve already interacted with the same ecosystem.

The Issue

Recently, while ordering my favourite chili oil, I noticed something curious.

After checkout, the store suggested I “track my order with Shop”.
I downloaded it, entered my email, and — voilà — it automatically pulled in previous orders from other Shopify-based stores. Impressive. Seamless. Clever.

Then came the next step. The app asked me to connect my email account to track my orders. It appeared during the setup process, and you can see in my settings view below that the app still shows the missing access.

That’s when my protective instincts kicked in, just before clicking on the accept button. Why would it need access to my entire Gmail if my orders were already visible?

What Happens Under the Hood

Let’s look at how the modern authentication process works and what specific data the Shop app actually asks for.

Modern authentication scheme

When apps request access to data from services like Gmail or Outlook, they use a secure standard called OAuth 2.0.
It redirects you to Google or Microsoft, where you can review and approve specific permissions (“scopes”) — for example:

• View your basic profile information
• Read your calendar
• Read your emails

This diagram is simplified: to show the general idea, I’ve omitted token exchanges, additional requests, and redirects. Notice that in the consent screen above, Shop already has some permissions — listed below.

That’s why it no longer asks for my email or profile data each time I use it; I’ve already granted those.
That’s the expected behaviour — but if I give this additional consent, it means the app will have ongoing access to my private emails.

OAuth is like giving a valet the key to your car. Useful in certain situations — but you shouldn’t hand over all your keys to anyone who asks.

What the Shop App Asks For

When redirected to Google, the Shop app requests permission to read all of your Gmail messages. That’s not hidden — it’s clearly shown in the Google consent screen.
And you always read and fully understand those screens… right?

Shopify likely requests this OAuth scope:

https://www.googleapis.com/auth/gmail.readonly

From Google’s Gmail API documentation, it allows the app to:

Read all resources and their metadata — no write operations.

This is the technical permission displayed in the consent screen during the OAuth flow.
Google marks such access as restricted, which means the developer must pass a verification process. That might sound serious, but it’s quite common; many apps go through it routinely.
Even if an app promises to use this only to detect order confirmations, the permission itself grants unrestricted access to every email.
That’s the critical distinction.

Shopify’s Own Privacy Policy

Shopify’s Privacy Policy (as of October 2025) confirms that the company may:

“collect, use, and disclose information to provide and improve our Services, including testing new features, improving performance, and developing new products.”

Also, specifically for email integrations:

Third parties: We receive information from partners who help us provide you with our services including the following:

Email providers. If you use the Shop App and you connect your third party inboxes, such as Gmail or Outlook (according to their terms and policies and as permitted by applicable law), we receive information to identify shopping-related emails and display within Shop information about specific orders you have made, stores you have engaged with in the past, and other related information.

The policy doesn’t explicitly describe how the Shop App processes data obtained through Gmail or Outlook integrations. As noted earlier, there’s no more granular Gmail API permission that limits access to shopping emails only — filtering must happen on the Shop side… or not.

The policy’s language is broad — understandable for a large platform, but concerning given the level of access users may grant. In practice, the boundaries of how email data is handled remain opaque to most users.

My Take

As a Solutions Architect working in a highly regulated environment, I’ve designed and reviewed integrations using OAuth and APIs like Microsoft Graph or Google Workspace.
Even when a system needs limited access — for example, to check calendar availability or pull meeting metadata — it can trigger major compliance discussions.

Why? Because theoretical access to personal data can be as risky as its actual use. Even if a vendor promises not to store or misuse data, once access is granted, it exists — and could be exploited or exposed in a breach.

So when a consumer app casually asks for permission to read all your emails “to improve your experience,” it’s worth pausing to consider what that really means.

Mindset

Most people, understandably, don’t overthink permissions.
We’ve all developed habits like:

• “If it’s in the App Store, it must be safe.”
• “Everyone uses it, so it’s fine.”
• “I trust Google to protect my account.”

The app says it needs this to track orders; without permission, some features won’t work; it’s a big, reputable company — what could go wrong?

You’re one of millions of users, effectively anonymous, so you tap Allow without much hesitation. And because the app already shows you some order data even without that access, it doesn’t feel like a critical decision.

But ask yourself: Is this level of access essential — or just convenient (or profitable) for the company?

Even more telling: tracking already works without scanning your emails. Here’s my tracking view without granting consent:

The only extra feature seems to be automated import of some orders that weren’t already added to the app but could be found in your inbox.
You could spend 20 seconds adding them manually. Are you really willing to risk exposing your private emails for that?

Why This Matters

Email accounts are often the single richest source of personal information in our digital lives:

• Banking and tax communication
• Online purchase receipts
• Work correspondence
• Family photos and private messages

Granting full read access — even to a reputable company — effectively hands over a copy of your digital identity.

To be clear: There’s no evidence that Shopify is misusing this data, and I’m not suggesting it is. I’m using this app simply to highlight a wider problem.

However, the potential exposure is significant, particularly if data were ever accessed improperly, breached, or repurposed.
It’s even more concerning when you realize you may have legally granted access to your private emails to a foreign company — virtually without restriction. That should raise the next question…

Why Isn’t This a Bigger Discussion? Why people don’t care?

Perhaps because we trust large, familiar platforms.
Perhaps because permission prompts have become so routine that we stop paying attention.

OAuth solved a complex problem — letting apps share data securely without passwords — and it made things easy.
Maybe too easy. We’ve become accustomed to convenience.

Most users would panic if an app asked directly for their Gmail login and password to read messages (which was exactly how it worked years ago). But when it’s wrapped in a polished consent screen, we rarely think twice.

What You Can Do

• Read permission requests before approving them.
• Limit access to only what’s necessary for the feature you need.
• Revoke unused app permissions periodically (Google and Microsoft both allow this).
• Ask questions — transparency improves only when users demand it.

Final Thoughts

Shopify’s Shop App is polished, popular, and generally trustworthy — but even reputable companies can make design choices that deserve scrutiny.

The concern here isn’t about bad intent; it’s about disproportionate access and lack of transparency. As users, professionals, and architects, we should ensure such permissions are widely understood and openly discussed.

Because the privacy of millions of users — and the risk of exposing all your emails — shouldn’t depend on whether someone took the time to read a consent screen.

If a courier offered to pick up your physical mailbox key “just to check for delivery updates,” would you hand it over? Probably not. Yet many of us do the digital equivalent every day.

Written by Marcin — Solutions Architect sharing practical insights on cloud, architecture, and IT strategy. Also on Instagram @Clouditect.

The Shopify App Could Read All Your Private Emails was originally published in Clouditect on Medium, where people are continuing the conversation by highlighting and responding to this story.