EcomScout is a Shopify focused ad attribution and analytics platform that helps direct to consumer brands measure how their advertising spend on Meta, Google, TikTok and Snapchat translates into orders. It uses a JavaScript pixel, first party cookies and server side conversion APIs. For EU merchants, EcomScout transfers shopper data to the United States and triggers GDPR and ePrivacy obligations, including prior consent and a documented data transfer mechanism.
EcomScout is a Shopify focused advertising attribution and analytics platform. It loads a JavaScript pixel on the storefront, sets first party cookies that survive iOS Intelligent Tracking Prevention longer than third party cookies, and pushes server side conversion events to Meta, Google Ads, TikTok and Snapchat through their Conversion APIs. The goal is to reduce the signal loss caused by browser restrictions and ad blockers.
EcomScout collects IP address, user agent, click identifiers (fbclid, gclid, ttclid, scid), UTM parameters, browser fingerprint signals, page view events, add to cart, checkout and purchase events, order value, currency and hashed customer email and phone for advanced matching. Shopify customer identifiers are also relayed via the Shopify pixel APIs.
EcomScout writes and reads cookies and forwards identifiers to third party advertising platforms. Both client side cookies and server side conversion calls fall under article 5(3) ePrivacy and require prior consent. Merchants act as the data controller and EcomScout as a processor. A signed DPA, a documented sub processor list and a clear retention policy are required.
EcomScout, including its server side pipeline, must only fire after the visitor has actively accepted analytics and advertising cookies. Use Shopify's Customer Privacy API and a Consent Management Platform to block the pixel until consent is captured. The same logic must propagate to the server side conversion calls so that a refusal removes the entire signal flow.
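One way to wire the gate described above, as an added example rather than EcomScout or Shopify code. `analyticsProcessingAllowed()`, `marketingAllowed()` and the `visitorConsentCollected` event belong to Shopify's Customer Privacy API; the helper names, the `event.consent` field and the pixel script path are hypothetical.

```javascript
const EC_COOKIES = ['ec_visitor', 'ec_session', 'ec_utm']; // names from the cookie table

// Fail closed: a missing Customer Privacy API or a thrown error counts as "no consent".
function consentGranted(privacy) {
  try {
    return Boolean(privacy) &&
      privacy.analyticsProcessingAllowed() === true &&
      privacy.marketingAllowed() === true;
  } catch (_) {
    return false;
  }
}

// Client gate: load the pixel once after consent; on refusal or withdrawal,
// do not load it and expire the attribution cookies.
function createPixelGate({ getPrivacy, loadPixel, expireCookie }) {
  let loaded = false;
  return function evaluate() {
    if (consentGranted(getPrivacy())) {
      if (!loaded) { loadPixel(); loaded = true; }
      return 'active';
    }
    EC_COOKIES.forEach(expireCookie);
    return loaded ? 'withdrawn' : 'blocked';
  };
}

// Server gate: forward a conversion only if the consent state recorded with
// the event allows both purposes. `event.consent` is a hypothetical field.
function shouldForwardConversion(event) {
  const c = event && event.consent;
  return Boolean(c) && c.analytics === true && c.marketing === true;
}

// Browser wiring (skipped outside a browser).
if (typeof document !== 'undefined') {
  const PIXEL_SRC = 'https://cdn.ecomscout.io/PIXEL_PATH_PLACEHOLDER'; // hypothetical path
  const evaluate = createPixelGate({
    getPrivacy: () => window.Shopify && window.Shopify.customerPrivacy,
    loadPixel: () => {
      const s = document.createElement('script');
      s.async = true; s.src = PIXEL_SRC;
      document.head.appendChild(s);
    },
    expireCookie: (name) => { document.cookie = `${name}=; Max-Age=0; path=/`; },
  });
  document.addEventListener('visitorConsentCollected', evaluate);
  evaluate();
}
```

A script that has already loaded keeps running until the next page load, so a `withdrawn` result only stops new loads and clears the cookies; the server side check is what stops conversion events from that point on.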
EcomScout is hosted in the United States. Shopper data, including IP and hashed identifiers, is transferred to the US. Transfers must rely on Standard Contractual Clauses, on the EU US Data Privacy Framework where EcomScout is certified, and supplementary measures such as encryption in transit and at rest, minimisation and strict access controls.
Sign a DPA with SCCs, connect EcomScout to Shopify's Customer Privacy API, configure the Consent Management Platform to block EcomScout until consent is given, run a DPIA documenting the attribution use case, list EcomScout in the cookie policy with vendor, purposes and retention, set short retention periods on hashed identifiers, and review the integration whenever EcomScout adds new sub processors.
Websites using EcomScout must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended where EcomScout is used at scale on EU stores. Document necessity, retention, data minimisation, the use of email hashes, the server side conversion pipeline, the transfer to the US under SCCs, and supplementary measures such as IP truncation and encryption.
Sample consent text
We use EcomScout to measure our advertising performance on Meta, Google, TikTok and Snapchat. EcomScout stores cookies on your device and transfers order related data to the United States under Standard Contractual Clauses. We will only activate EcomScout if you click Accept.
Third-party domains contacted
ecomscout.io
app.ecomscout.io
cdn.ecomscout.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ec_visitor | persistent | 1 year | First party visitor identifier used by EcomScout to stitch sessions to a single shopper for attribution. Requires consent. |
| ec_session | session | 30 minutes | Short lived session identifier used by EcomScout to group page views and events into a session. Requires consent. |
| ec_utm | persistent | 90 days | Stores the first touch UTM parameters and click identifiers seen on entry, used for marketing attribution. Requires consent. |
EcomScout sets first party cookies on the Shopify storefront to identify the visitor across sessions, store the first touch UTM and click parameters, and tie page views to orders. It can also write to localStorage. Cookie names typically start with ec_ or ecs_ depending on the deployment, and may include an attribution session identifier and a long lived visitor identifier.
Yes. EcomScout reads and writes information on the device and forwards data to Meta, Google, TikTok and Snapchat. Article 5(3) ePrivacy requires prior consent for both the cookie storage and the third party sharing. Server side conversion calls inherit the same requirement when they rely on identifiers obtained from the device.
The legal basis is consent under article 6(1)(a) GDPR combined with article 5(3) ePrivacy. Advertising attribution is not strictly necessary, so legitimate interest cannot replace the consent requirement set by ePrivacy. The merchant must capture and log the consent before EcomScout fires.
Yes. EcomScout is hosted in the United States. Shopper data is transferred to US infrastructure and must be covered by Standard Contractual Clauses, by the EU US Data Privacy Framework where applicable, and by supplementary safeguards such as encryption, minimisation and strict access controls.
A DPIA is recommended whenever the store processes large volumes of EU shopper data with EcomScout. The DPIA must cover the cross border transfer, the use of email hashes, the server side conversion pipeline, retention, and any risk of indirect re identification.
Sign the DPA with SCCs, integrate EcomScout with Shopify's Customer Privacy API, block the pixel and server side calls through a Consent Management Platform until consent is recorded, document EcomScout in the records of processing, list it in the cookie policy and run a DPIA.
Alternatives include Triple Whale, Northbeam, Polar Analytics, Lifesight, native Shopify Analytics with consented enrichment, server side GTM hosted in the EU, Piwik PRO, and Matomo with custom attribution. Several can be hosted within the EEA, which reduces transfer risk.
List EcomScout in the cookie policy with vendor name, purposes, categories of data, cookie names, lifetime, third country transfer to the US and legal basis (consent). Provide a link to opt out and to the EcomScout privacy notice. Refresh every time the vendor adds new sub processors or new tracking methods.