Upstack Data is a server-side data platform for Shopify and ecommerce stores that captures conversion events and forwards them to advertising and analytics destinations such as Meta, Google, TikTok, and Pinterest, often through a first-party reverse proxy.
Upstack Data is a server-side conversion platform aimed at Shopify and other ecommerce stacks. It captures pageviews, product views, add to cart, checkout, and purchase events, then forwards them to advertising and analytics destinations through server-to-server APIs such as the Meta Conversions API, Google Ads Enhanced Conversions, TikTok Events API, and Pinterest Conversions API. A small loader script runs on the storefront, while order events are read from Shopify webhooks. Many EU merchants install the loader through a reverse proxy on their own domain so that the visible request endpoint matches the storefront origin.
Even with a server-side architecture, Upstack Data still relies on browser identifiers to stitch sessions and conversions. Typical artefacts include a first-party identifier cookie, the standard advertising cookies of the destinations, such as _fbp for Meta, and hashed customer identifiers like email and phone derived at checkout. The platform also processes IP addresses, user agents, order numbers, line items, and revenue. Because the proxy is on a first-party subdomain, cookies are written in the merchant domain's first-party context with its SameSite and Secure attributes, which extends their effective lifetime in browsers that limit third-party storage.
Server-side does not mean consent free. Under ePrivacy Article 5(3) and the CNIL 2020 guidelines, any read or write of identifiers on the visitor device requires consent unless strictly necessary, regardless of whether the subsequent processing happens in the browser or on a server. Forwarding hashed emails, IPs, and order data to Meta, Google, TikTok, and Pinterest constitutes processing of personal data under GDPR Article 4 and routinely involves joint controllership for advertising audiences. Merchants therefore need a documented legal basis, normally consent, plus transparent information in the privacy notice.
Upstack Data infrastructure runs on AWS in the United States, and most advertising destinations are US controllers. Transfers must rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework certification of the destination. After the Schrems II ruling, controllers must complete a transfer impact assessment, evaluate supplementary measures such as IP truncation, hashing of identifiers before sending, and minimisation of payloads, and keep that documentation available for the supervisory authority.
Tags should not fire and the proxy should not forward marketing events until the visitor has granted consent for advertising and analytics. Integrate Upstack Data with your consent management platform so that the loader reads the TCF or custom signal, gates each destination accordingly, and refrains from setting non-essential cookies before opt-in. Order confirmation pages must respect the same logic, since the post-purchase event is the most valuable but also the most sensitive payload sent to advertising APIs.
List Upstack Data and each downstream destination in your records of processing and your cookie policy, including the categories of data, retention, and transfer mechanism. Run a DPIA before going live, contractually bind Upstack Data as a processor with sub-processors disclosed, and verify that hashed identifiers are sent only after consent. Test the reverse proxy with consent denied to confirm no marketing event leaves the domain, and review the configuration whenever a new destination is added.
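One way to automate the consent-denied test described above, as an added example that is not Upstack Data's or FlowConsent's code: it scans a capture of browser responses and proxy egress requests for the third-party domains and cookie names listed on this page. The record shape, the `shop.example` hosts and the sample capture are constructed assumptions.

```javascript
// Added example. Hosts and cookie names are the ones listed on this page.
const MARKETING_HOSTS = [
  "upstackdata.com", "api.upstackdata.com", "cdn.upstackdata.com",
  "graph.facebook.com", "googleads.g.doubleclick.net",
  "business-api.tiktok.com", "ct.pinterest.com",
];
const CONSENT_COOKIES = ["_uc_visitor", "_uc_session", "_fbp", "_gcl_au", "_ttp", "_pin_unauth"];

// True when host is a listed host or a subdomain of one.
function isMarketingHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return MARKETING_HOSTS.some((m) => h === m || h.endsWith("." + m));
}

// records: [{ source, url, setCookie }] (assumed shape), captured with consent denied.
function auditConsentDenied(records) {
  const findings = [];
  for (const r of records) {
    let host;
    try {
      host = new URL(r.url).hostname;
    } catch {
      findings.push({ type: "unparseable-url", source: r.source, detail: r.url });
      continue;
    }
    if (isMarketingHost(host)) {
      findings.push({ type: "marketing-request", source: r.source, detail: host });
    }
    for (const header of r.setCookie || []) {
      const name = header.split(";")[0].split("=")[0].trim(); // "name=value; attrs"
      if (CONSENT_COOKIES.includes(name)) {
        findings.push({ type: "cookie-set", source: r.source, detail: name });
      }
    }
  }
  return findings;
}

// Constructed capture: storefront page, proxied loader, two proxy egress calls.
const SAMPLE = [
  { source: "browser", url: "https://shop.example/", setCookie: ["cart=abc; Path=/; Secure"] },
  { source: "browser", url: "https://t.shop.example/", setCookie: ["_uc_visitor=v1; Max-Age=31536000; Secure"] },
  { source: "proxy-egress", url: "https://graph.facebook.com/", setCookie: [] },
  { source: "proxy-egress", url: "https://api.upstackdata.com/", setCookie: [] },
];
console.log(auditConsentDenied(SAMPLE));
```

The cookie check matters because a first-party reverse proxy hides the vendor hostname from the browser side, so a host match alone only catches traffic seen at the proxy's egress.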
Websites using Upstack Data must obtain user consent under GDPR regulations.
DPIA considerations
A data protection impact assessment is recommended because Upstack Data combines server-side conversion tracking, advertising audience enrichment, and transfers to the United States. Document the categories of event and identifier data, the reverse proxy architecture, the SCCs and DPF reliance for each downstream destination, and the retention applied to raw event logs. The CNIL and EDPB expect a transfer impact assessment alongside the DPIA whenever Meta, Google, TikTok, or Pinterest receive enriched conversion signals.
Sample consent text
We use Upstack Data to send conversion events to advertising and analytics partners through a server-side pipeline, including transfers to the United States. With your consent, we share hashed identifiers, cart, and order data so that campaigns can be measured and audiences refined. You can accept, refuse, or change your choice at any time from the cookie settings link in the footer.
Third-party domains contacted
- upstackdata.com
- api.upstackdata.com
- cdn.upstackdata.com
- graph.facebook.com
- googleads.g.doubleclick.net
- business-api.tiktok.com
- ct.pinterest.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _uc_visitor | first_party | 1 year | Persistent first-party identifier set by the Upstack Data loader to stitch sessions and conversions across pages and channels. |
| _uc_session | first_party | 30 minutes | Session cookie used by Upstack Data to group events that belong to the same visit and to deduplicate server-side calls. |
| _fbp | first_party | 90 days | Meta browser identifier dropped via the Upstack Data integration and forwarded to the Meta Conversions API for ad attribution. |
| _gcl_au | first_party | 90 days | Google Ads conversion linker cookie written through the Upstack Data loader to support Enhanced Conversions and attribution. |
| _ttp | first_party | 13 months | TikTok pixel identifier set on the merchant domain by the Upstack Data integration to associate visits with TikTok ad campaigns. |
| _pin_unauth | first_party | 1 year | Pinterest identifier deployed via Upstack Data to attribute conversions sent through the Pinterest Conversions API. |
Yes. Even though the heavy lifting happens on the server, Upstack Data writes a first-party identifier cookie to stitch sessions and forward events, and downstream destinations such as Meta and Google still drop their own cookies through the integration. Because these identifiers are stored on the visitor device, ePrivacy Article 5(3) applies and consent is required before they are written or read.
In almost all real deployments, yes. Server-side tagging only changes where the request is processed, not whether identifiers are stored on the device or whether personal data is shared with advertising partners. CNIL, the Spanish AEPD, and the German DSK have all confirmed that server-side proxies do not bypass the consent rule, so the loader and downstream APIs must wait for an opt-in to advertising and analytics.
Marketing events sent through Upstack Data to Meta, Google, TikTok, or Pinterest rely on Article 6(1)(a) consent. The platforms act as joint or independent controllers depending on the destination, and most of them require attestations that consent has been collected. Legitimate interest is generally not appropriate for advertising audience building because of the EDPB guidance on direct marketing and profiling.
They can be, but only with the right safeguards. Upstack Data hosts on AWS in the US, and most destinations are US controllers, so transfers rely on Standard Contractual Clauses and, where the recipient is certified, the EU-US Data Privacy Framework. Controllers should complete a transfer impact assessment, document supplementary measures such as identifier hashing and IP minimisation, and keep evidence ready for supervisory authorities.
A DPIA is strongly recommended. The combination of large-scale ecommerce monitoring, advertising audience enrichment, and US transfers triggers several criteria from the EDPB DPIA guidelines. The assessment should describe the data flows through the reverse proxy, the destinations, the legal basis, the retention, and the residual risk after mitigations such as consent gating and data minimisation.
Connect Upstack Data to your consent management platform so the loader reads the consent signal before initialising and respects it for each destination. Configure the platform to suppress marketing events when advertising consent is denied, and to fall back to anonymous analytics when only statistics consent is granted. Test the post-purchase page with consent denied to confirm that no event reaches Meta, Google, or TikTok.
When consent is refused, restrict Upstack Data to strictly necessary order processing or disable it entirely. You can keep aggregated, identifier-free reporting through internal Shopify analytics or a privacy-first analytics tool, and rely on contextual advertising. Some merchants also build a server-only conversion measurement pathway that excludes any device identifier and processes only minimised purchase data under legitimate interest, with a documented balancing test.
List Upstack Data in the policy as a server-side data platform, mention that it operates through a reverse proxy on a first-party subdomain, and describe the cookies it sets along with their duration and purpose. Disclose downstream destinations such as Meta, Google, TikTok, and Pinterest, the categories of data shared, the legal basis, the use of SCCs and the EU-US Data Privacy Framework, and the contact details for exercising data subject rights.