Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Kickflip is a Canadian product configurator platform that lets e commerce shops embed a 3D, real time customizer so visitors can personalize products before adding them to cart. It loads scripts and stores configuration state through first party cookies and Kickflip APIs.
Kickflip provides an embedded product configurator that renders 3D, real time previews of customizable products on merchant websites. The widget loads JavaScript and assets from Kickflip domains, captures user choices such as colors, materials, text, and dimensions, and sends those configurations back to merchant carts. It is widely used by manufacturers and e commerce stores in apparel, sports gear, furniture, and promotional goods. Because the configurator runs inside the visitor browser and exchanges data with Kickflip servers, integrating it into a website that targets EU or UK users brings the activity within the scope of GDPR, the ePrivacy Directive, and national cookie laws.
Kickflip typically sets first party cookies tied to the merchant domain to keep the configurator session, save in progress designs, and persist preferences across page loads. It may also store data in localStorage and IndexedDB for offline rendering and design caching. The platform processes IP addresses, device and browser identifiers, configuration payloads, uploaded images or text, and event metadata such as add to cart actions. Depending on the merchant setup, optional analytics events may be forwarded to a connected Google Analytics or marketing pixel, in which case those tools are responsible for their own cookies and identifiers.
Where the configurator is strictly necessary to deliver the requested service, for instance keeping a design across the checkout flow, processing can rest on legitimate interests under GDPR Art. 6(1)(f) and the strictly necessary exemption of ePrivacy Art. 5(3). However, any analytics, A/B testing, personalization, or advertising signals derived from configurator behavior fall outside that exemption and require prior, freely given, specific, informed, and unambiguous consent from EU and UK visitors. User generated uploads (logos, photos, names) can also include special category or children data, which raises the bar for documentation and minimization.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Kickflip operates from Canada and uses cloud infrastructure that may store and process data in Canada and the United States. EU and UK controllers must therefore document a valid transfer mechanism. Transfers to Canada benefit from a partial adequacy decision for commercial organizations subject to PIPEDA, while US transfers commonly rely on Standard Contractual Clauses and, where applicable, the EU US Data Privacy Framework. A transfer impact assessment should evaluate the categories of personal data sent (IP, design payloads, images), the legal regime in the destination country, and any supplementary measures such as encryption in transit and at rest.
Merchants embedding Kickflip should treat it as a third party processor and update their record of processing, privacy notice, and cookie banner accordingly. The strictly necessary part of the configurator can load before consent, but any optional analytics, retargeting, or session replay overlays must be gated behind an opt in. A consent management platform should block Kickflip scripts and cookies until the user accepts, or load a reduced version that does not perform analytics. The cookie policy should list the cookies set on the merchant domain along with their purpose and retention.
Start by signing a data processing agreement with Kickflip and identifying its sub processors. Map the data flows from the configurator widget to Kickflip APIs and any analytics or CRM integrations. Configure the cookie banner to load only strictly necessary configurator features by default and to enable analytics or marketing only after consent. Document the lawful basis for each processing purpose, set retention limits for saved designs, and offer users a clear way to delete their configurations. Review the setup regularly and re run a transfer impact assessment whenever Kickflip changes hosting regions or sub processors.
Websites using Kickflip must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is recommended when Kickflip is deployed at scale, when uploads can include images of people or children, or when configurator data is combined with profiling and advertising tools. Document categories of personal data, transfers to Canada and the United States, retention of saved designs, and supplementary measures. Reference EDPB guidelines on processor due diligence and CNIL guidance on cookies and trackers.
Sample consent text
We use Kickflip to provide an interactive product configurator. Strictly necessary features keep your design during your visit. Optional analytics and personalization help us improve the experience and require your consent. You can accept, refuse, or change your choices at any time from the cookie settings.
Third-party domains contacted
kickflip.ioapi.kickflip.iocdn.kickflip.ioassets.kickflip.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| kf_session | first_party | Session | Maintains the active configurator session and links the user to their in progress design. |
| kf_design | first_party | 30 days | Stores a reference to the user saved configuration so it persists across visits and devices when signed in. |
| kf_pref | first_party | 1 year | Remembers configurator preferences such as preferred unit system or last selected variant. |
| kf_csrf | first_party | Session | Protects configurator API calls against cross site request forgery. |
Kickflip collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Kickflip sets first party cookies on the merchant domain to maintain the configurator session, persist saved designs, and store user preferences. It can also use localStorage and IndexedDB for design caching. Names and durations vary by integration, so list them in your cookie policy after auditing the live site, and review them again after each Kickflip update.
The strictly necessary parts of the configurator can usually load without prior consent under the ePrivacy strict necessity exemption, since they are required to deliver a service the user actively requested. However, optional analytics, marketing pixels, and A/B testing tools layered on top of Kickflip require prior opt in consent in the EU and UK.
Strictly necessary configurator processing typically relies on legitimate interests under GDPR Art. 6(1)(f) or contract performance under Art. 6(1)(b). Analytics, personalization, and advertising require Art. 6(1)(a) consent and ePrivacy Art. 5(3) opt in. Document each purpose separately rather than treating the whole integration as one block.
Yes. Kickflip is based in Canada and uses US cloud regions, so configuration data, IP addresses, and uploaded content can leave the EEA. Use Standard Contractual Clauses for the US leg, rely on the partial Canadian adequacy decision where appropriate, and run a transfer impact assessment covering the data categories actually sent.
Run a DPIA if Kickflip is used at scale, if uploads can contain images of identifiable people or children, or if configurator data feeds profiling, scoring, or marketing systems. Document data flows, transfers, retention of saved designs, and the safeguards in place. EU regulators expect a DPIA whenever risk to data subjects is non trivial.
Map the Kickflip script and any companion analytics tags into your consent management platform. Allow strictly necessary configurator scripts to load by default and gate optional features behind explicit consent. Verify that, when consent is denied, no analytics or advertising payloads are sent to Kickflip APIs or third party services.
Alternatives include Threekit, Zakeke, Spiff, and Cylindo. Each has different hosting, data flows, and pricing. The compliance evaluation does not change much in nature: you still need to assess cookies, transfers, sub processors, and the legal bases for the analytics and marketing components.
Review the cookie list at least once per quarter, and any time Kickflip releases a major widget update, you change the configurator features, or you add new analytics integrations. Capture cookie names, purposes, retention, and whether they are first or third party in your public cookie policy.