Unipag is a Russian payment processing gateway and aggregator that exposes a single integration point to multiple regional payment methods. The flow is server-side: shoppers are either redirected to a Unipag-hosted page or interact with a Unipag iframe, while the merchant collects no card data. Although strictly necessary cookies do not require consent, transfers of payment metadata and IP addresses to Russian infrastructure trigger Article 46 GDPR safeguards.
Unipag is a Russian payment gateway and aggregator that exposes a single API and a single hosted checkout to merchants who need to accept payments through several regional methods at once. Instead of integrating with every acquirer and wallet separately, the merchant integrates with Unipag, and Unipag routes each transaction to the appropriate downstream processor. This consolidation simplifies reconciliation and reduces the number of PCI scope boundaries that a merchant has to maintain.
The integration is server-side. The shopper is either redirected from the merchant checkout to a Unipag-hosted payment page or fills in card details inside a Unipag iframe embedded in the merchant page. In both cases, sensitive payment data never lands on the merchant server, which keeps the merchant outside the strictest PCI DSS scope. Cookies are set on the Unipag domain to maintain the payment session, protect against CSRF and feed risk scoring models.
During the payment step, Unipag collects the cardholder data when applicable, the billing details, the IP address, the user agent, device fingerprinting signals and behavioural traits used by anti-fraud models. The merchant transmits the order reference, the amount, the currency and a customer identifier. Cookies set on the Unipag domain hold the payment session, anti-CSRF tokens and short-lived risk scoring identifiers; these cookies stay on the Unipag domain and are not directly accessible from the merchant site.
After the payment, Unipag returns a status, a transaction identifier and, where applicable, a tokenised reference that allows future payments without re-collecting card data. This token, together with the customer identifier, constitutes personal data under GDPR even though it is not a primary account number. Retention of these elements is driven by anti-money-laundering rules, accounting law and the merchant agreement.
From an ePrivacy standpoint, payment cookies on the Unipag domain are strictly necessary to complete the transaction the user explicitly requested. They fall under the Article 5(3) exemption and do not require prior consent. The merchant does not need to wrap the redirect in a consent gate, but the cookie policy must still describe these cookies and their purpose.
From a GDPR standpoint, the lawful basis is performance of the contract for the payment itself (Article 6(1)(b)), legal obligation for AML and accounting retention (Article 6(1)(c)), and legitimate interest for fraud prevention and dispute management (Article 6(1)(f)). Unipag is a processor for the merchant on the payment instruction and an independent controller for fraud scoring and AML obligations that bind it directly.
The structural concern with Unipag is that payment metadata, IP addresses, behavioural signals and customer identifiers are transmitted to infrastructure located in the Russian Federation. Russia has no European adequacy decision, so the merchant must put in place valid Article 46 safeguards, most often the 2021 Standard Contractual Clauses, and conduct a Transfer Impact Assessment to evaluate lawful access risk under Russian legislation and the effectiveness of supplementary measures.
Furthermore, Russian Federal Law 152-FZ imposes local storage of Russian residents' personal data, which may force Unipag to maintain copies of data subject records inside Russia and complicates erasure requests. Merchants should also be aware that the political and sanctions context may affect the ability of European customers to challenge unlawful access, an element that weighs heavily in the residual risk analysis.
A DPIA is recommended for any EU merchant relying on Unipag. It should describe the payment flow, the data categories, the recipients in Russia, the retention dictated by accounting and AML rules, the supplementary measures (encryption, pseudonymisation, contractual limits on access), and the residual risk for data subjects. The merchant should also document how customers' right to information is met through the privacy notice, with an explicit mention of the destination country.
Concretely: sign the processor agreement, archive the Transfer Impact Assessment, configure your privacy notice to mention Russia, and keep retention aligned with PSD2 and AML obligations rather than indefinite storage. For EU-only customer bases, consider Stripe, Adyen, Mollie, Worldline or a domestic acquirer; these alternatives keep card data and metadata inside the EEA and avoid the Russia transfer risk that dominates the Unipag assessment.
DPIA considerations
Even though the cookies themselves are strictly necessary, a DPIA is justified because Unipag processes financial transaction data, IP addresses, device signals and customer identifiers, and routes them to infrastructure in the Russian Federation. The DPIA should cover lawful access risk under Russian law, retention for AML and PSD2, supplementary measures, and whether an EU acquirer is a feasible alternative for the merchant base.
Sample consent text
Payments on this site are processed by Unipag, which receives your payment details, IP address and order data, and stores them on servers located in the Russian Federation. This is strictly necessary to complete the transaction you requested, so we do not ask for consent for the payment cookies themselves. Read the privacy notice for the safeguards we apply to this international transfer.
Third-party domains contacted
unipag.com, pay.unipag.com, api.unipag.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| unipag_sid | Strictly necessary | Session | Maintains the payment session between the merchant redirect, the Unipag hosted page and the callback to the merchant. |
| unipag_csrf | Strictly necessary | Session | Anti-CSRF token protecting the payment form against cross-site request forgery attacks. |
| unipag_risk | Strictly necessary | 30 minutes | Short-lived risk scoring identifier used by the anti-fraud engine during a single payment attempt. |
| unipag_3ds | Strictly necessary | 15 minutes | Carries the state of the 3-D Secure authentication challenge between the issuer ACS and the Unipag flow. |
Unipag sets strictly necessary cookies on its own domain: a payment session cookie, an anti-CSRF token, a short-lived risk scoring identifier and a 3-D Secure state cookie. These cookies remain on the Unipag domain and are not directly readable from the merchant site. No marketing or analytics cookies are involved in the core payment flow.
No banner consent is required for the payment cookies themselves: they are strictly necessary to complete the transaction the user explicitly initiated. The merchant must still describe these cookies in the cookie policy and obtain consent for any other tracking technology (analytics, marketing) loaded on the rest of the site.
Performance of the contract (Article 6(1)(b) GDPR) for the payment instruction itself, legal obligation (Article 6(1)(c)) for AML and accounting retention, and legitimate interest (Article 6(1)(f)) for fraud prevention and dispute management. Each basis must be reflected in the privacy notice with a clear scope.
Payment metadata, IP addresses and customer identifiers are transmitted to Unipag infrastructure in the Russian Federation. The merchant must sign the Standard Contractual Clauses, complete a Transfer Impact Assessment, document supplementary measures and mention Russia as a destination country in the privacy notice. Residual risk is generally rated high.
A DPIA is recommended. Financial data, IP addresses, behavioural signals and customer identifiers leave the EEA for a non-adequate country and feed automated fraud scoring. Two EDPB criteria are met (large-scale financial data plus transfers with potential risk), which justifies a formal assessment of the transfer chain and the residual risk for data subjects.
Sign the data processing agreement and SCCs, complete the Transfer Impact Assessment, document supplementary measures (TLS in transit, pseudonymisation of customer identifiers, access controls), align retention with PSD2 and AML, mention Russia in the privacy notice, and offer customers a clear point of contact for data subject rights.
Yes. Stripe, Adyen, Mollie, Worldline, Nexi and many domestic acquirers offer comparable aggregation across European payment methods while keeping data inside the EEA. For specific verticals (subscriptions, marketplaces, BNPL) regional specialists are also available with EU data residency.
Add a row in the cookie table for each Unipag cookie (unipag_sid, unipag_csrf, unipag_risk, unipag_3ds), describing type, duration and purpose. In the international transfers section, name the Russian Federation, cite Article 46 SCCs and reference the Transfer Impact Assessment. List Unipag among processors and update the policy whenever the payment flow changes.