Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Hyva Themes is a frontend theme framework for Magento 2 built on Tailwind CSS and Alpine.js. It replaces the default Magento Luma theme stack to deliver fast, lightweight stores with very little JavaScript. Hyva Themes does not embed analytics, tracking pixels, or third party marketing scripts by default, which keeps the consent surface small and helps merchants reach GDPR and ePrivacy compliance more easily.
Hyva Themes is a frontend theme framework for Magento 2 built on Tailwind CSS and Alpine.js. It replaces the heavy default Luma and RequireJS stack with a much smaller bundle of CSS and JavaScript. Merchants choose Hyva to gain better Core Web Vitals, faster page rendering, and a simpler frontend codebase. Hyva is distributed under a commercial license, and the license is validated server side from the Magento backend against the Hyva license server.
Hyva Themes itself is a frontend stack. It does not ship analytics, advertising pixels, or persistent tracking cookies. The Magento session cookie and the form key cookie used by Magento 2 are still set by the Magento backend, exactly as they would be on any other theme. Personal data such as cart contents, addresses, and order data is processed by Magento, not by Hyva.
Because Hyva does not store information on the device beyond what is strictly necessary to display the requested store, it falls under the strictly necessary exemption of article 5(3) of the ePrivacy Directive. No prior consent is required to load Hyva templates and assets. GDPR obligations on a Hyva powered store relate to the underlying Magento processing of customer accounts, orders, and payments, not to the theme framework itself.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Most consent risk on a Hyva store comes from the analytics and marketing extensions merchants layer on top: Google Analytics 4, Google Tag Manager, Meta Pixel, TikTok Pixel, Hotjar, and similar. Each of those still needs informed, granular, prior consent before any cookie is set or any identifier is shared with the vendor. Hyva does not block them by itself, the merchant must integrate a Consent Management Platform.
Hyva BV is a Dutch company and the Hyva license validation traffic stays within the European Union. There is no transfer of customer personal data from a Hyva powered store to Hyva itself, since the framework only exchanges license metadata with the Hyva server. Merchant hosting and any third party scripts decide whether customer personal data ends up outside the EEA.
Document Hyva Themes in your records of processing activities as a no cookie frontend framework. List the Magento session and form key cookies as strictly necessary in your cookie policy. Wire every analytics or advertising script through a Consent Management Platform that blocks them until consent is given. Keep an audit trail of license checks and Magento processing activities to demonstrate accountability under article 5(2) GDPR.
Websites using Hyva Themes must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Hyva Themes alone, since the framework processes no personal data on its own. A DPIA may still be needed for the surrounding Magento 2 store if it processes large volumes of customer data, special category data, or runs intrusive marketing scripts on top of Hyva.
Sample consent text
Our store uses the Hyva Themes frontend framework to display pages. Hyva loads only essential CSS and JavaScript needed to render the site and does not set tracking cookies. No consent is required for Hyva itself, only for any analytics or marketing tools we add on top.
Third-party domains contacted
hyva.iolicense.hyva.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | session | session | Magento 2 PHP session cookie that maintains the customer session, cart state and login. Set by Magento, not by Hyva Themes itself. Strictly necessary under article 5(3) ePrivacy. |
| form_key | session | session | Magento 2 CSRF protection cookie used to validate forms. Set by Magento, not by Hyva Themes itself. Strictly necessary for store security. |
Hyva Themes collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Hyva Themes itself does not set tracking cookies. The Magento 2 backend continues to use its standard cookies, mainly the PHPSESSID session cookie, the form_key CSRF cookie, and depending on Magento configuration the persistent shopping cart cookie and the recently viewed products cookie. These are all set by Magento, not by Hyva. Any analytics or marketing cookies appear only if the merchant installs the corresponding scripts on top of Hyva.
Hyva Themes itself does not require prior cookie consent because the framework only loads CSS and JavaScript that are strictly necessary to display the requested store. Under article 5(3) ePrivacy, strictly necessary storage is exempt from consent. Merchants still need consent for any analytics, advertising, or personalisation tools that they layer over Hyva.
Loading the Hyva frontend assets falls under the strictly necessary exemption, so no consent or specific GDPR legal basis is needed for the framework itself. License validation between the Magento backend and the Hyva license server is the legitimate interest of the merchant in operating a properly licensed store, with no personal data of end users involved.
No. Hyva BV is based in the Netherlands and license validation traffic stays within the EU. Hyva Themes does not transfer customer personal data outside the EEA. Any cross border transfer would come from the merchant's hosting choice or from third party scripts such as Google Analytics or Meta Pixel, not from Hyva itself.
A standalone DPIA for Hyva Themes is generally not required, since the framework processes no personal data. A DPIA may still be appropriate at the level of the Magento 2 store as a whole, especially when processing large volumes of customer data, special categories, or running intrusive profiling tools on top of Hyva.
Install Hyva from a licensed source, list the underlying Magento cookies as strictly necessary in the cookie policy, and route every analytics or advertising script through a Consent Management Platform that respects user choice. Document Hyva in your records of processing activities as a frontend framework. Keep an audit trail of license checks and Magento processing.
Alternatives include the default Magento Luma theme, the PWA Studio frontend, custom headless setups based on Next.js or Vue Storefront, and other Magento 2 themes such as Porto or Ultimo. From a privacy standpoint Hyva is attractive because it ships without bloated third party trackers, which keeps the consent surface smaller than most heavier themes.
List the strictly necessary Magento cookies, document the Hyva license check as a server to server EU transfer with no end user data, and clearly separate analytics and advertising cookies that depend on consent. Review the policy every time a new module or pixel is added to the store, and keep the cookie policy in sync with the Consent Management Platform configuration.