AfterShip is a Hong Kong based SaaS platform that aggregates shipment tracking data from more than 1100 carriers and powers branded tracking pages, post purchase notifications and returns automation. The tracking widget sets first party cookies on the merchant domain and transmits order, shipment and contact data to AfterShip servers in Hong Kong, the United States and the EU.
AfterShip is a Hong Kong based SaaS platform launched in 2012 and operated by AfterShip Limited. It connects to more than 1100 carriers worldwide and provides merchants with branded tracking pages, transactional notifications, returns management and post purchase upsells. Stores embed an AfterShip widget or redirect customers to a hosted tracking page, and order data flows into the AfterShip platform via API.
On the merchant domain AfterShip sets first party cookies such as afid (AfterShip device identifier) and _aftership_session (session identifier). On the hosted aftership.com tracking page, additional cookies for analytics, A/B testing and marketing pixels (Meta, Google, TikTok) may be set when the merchant activates them. AfterShip also processes order numbers, tracking numbers, shipping address, email and phone for notifications.
Core tracking serves the contract between merchant and buyer and qualifies under Art. 6(1)(b) GDPR. Optional analytics, marketing notifications and retargeting pixels go beyond contractual necessity and need consent under Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy Directive. AfterShip acts as processor for the merchant and as controller for its own service improvement and aggregate analytics.
Strictly necessary tracking cookies and the transactional shipment status email or SMS do not need prior consent. Any marketing channel, behavioural retargeting on the branded tracking page or post purchase upsell offer that uses behavioural data requires opt in consent collected by a CMP and propagated to AfterShip via tag manager rules or AfterShip consent settings.
Order and contact data flow to AfterShip infrastructure in the United States and Hong Kong, with optional EU residency for enterprise plans. Hong Kong has no adequacy decision under Art. 45 GDPR, so transfers rely on Standard Contractual Clauses (Art. 46 GDPR) and supplementary measures. A Transfer Impact Assessment is mandatory and the privacy policy must list AfterShip as a recipient outside the EEA.
Sign the AfterShip Data Processing Addendum, include the SCCs in the module two configuration, run a Transfer Impact Assessment for Hong Kong and the United States, configure the CMP to block marketing pixels and analytics on the tracking page until consent is given, list AfterShip as a subprocessor in the privacy policy and document the retention periods set in the AfterShip dashboard.
Websites using AfterShip must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever AfterShip is deployed beyond strictly necessary tracking, in particular when post purchase marketing notifications, branded tracking page analytics, retargeting pixels or AI powered estimated delivery models are enabled. Address the international transfer to Hong Kong and the United States, the volume of order and contact data, and the use of contact details for behavioural triggers. Document the supplementary measures around the SCCs.
Sample consent text
We use AfterShip to keep you informed about your shipments. The afid and _aftership_session cookies are strictly necessary for tracking your order and are set on the basis of contractual necessity. Optional marketing notifications, retargeting and tracking page analytics are activated only after you click accept in our privacy banner.
Third-party domains contacted
aftership.com, cdn.aftership.com, api.aftership.com, track.aftership.com, analytics.aftership.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| afid | first party | 1 year | AfterShip device identifier used to recognise the same visitor across visits to the branded tracking page. |
| _aftership_session | first party | session | Session identifier for the current visit to the tracking widget or branded tracking page. |
| _aftership_visitor | first party | 1 year | Stable visitor identifier used to attribute marketing events on the branded tracking page. |
| _aftership_ab | first party | 90 days | Stores A/B testing variants assigned by AfterShip on the branded tracking page. |
| _ga | third party | 2 years | Google Analytics 4 client identifier loaded by AfterShip when the merchant connects a GA4 property. |
AfterShip uses cookies for user preferences — inform visitors with a consent banner.
AfterShip sets first party cookies afid (1 year), _aftership_session (session), _aftership_visitor (1 year) and _aftership_ab (90 days) for tracking and A/B testing. When the merchant enables analytics or marketing integrations, AfterShip also injects _ga, Meta Pixel, TikTok Pixel and Google Ads cookies on the branded tracking page.
Strictly necessary tracking cookies and the transactional notifications rely on contractual necessity, so no consent is required. Optional analytics, marketing pixels and behavioural retargeting on the branded tracking page require explicit opt in consent under Art. 5(3) ePrivacy Directive and Art. 6(1)(a) GDPR.
Core shipment tracking and transactional updates rely on Art. 6(1)(b) GDPR (performance of the sales contract). Marketing notifications and retargeting rely on Art. 6(1)(a) GDPR (consent). Internal fraud prevention and product analytics by AfterShip rely on Art. 6(1)(f) GDPR (legitimate interest).
Yes. Order and contact data flow to AfterShip infrastructure in the United States and Hong Kong by default, with optional EU residency for enterprise plans. Hong Kong has no adequacy decision, so AfterShip relies on Standard Contractual Clauses plus supplementary measures, and a Transfer Impact Assessment is required.
A DPIA is recommended for deployments that include marketing notifications, behavioural retargeting, AI estimated delivery models or processing of large order volumes. Cover the international transfer to Hong Kong and the United States, the volume of contact data and the post purchase profiling.
Sign the AfterShip DPA with SCCs, run a Transfer Impact Assessment, integrate AfterShip behind your CMP so marketing pixels and analytics on the tracking page are blocked before consent, configure data retention and customer deletion in the AfterShip dashboard, and list AfterShip as a subprocessor in the privacy policy.
EU based alternatives include Shipup (France), Sendcloud Tracking (Netherlands), parcelLab (Germany), Trackify and Outvio (Spain). For self hosted control, merchants can build a custom integration directly with carrier APIs and host the tracking page on EU infrastructure.
List the afid, _aftership_session, _aftership_visitor and _aftership_ab cookies under functional cookies with their respective durations, mention AfterShip Limited as a Hong Kong based subprocessor, link to the AfterShip privacy policy and state that transfers rely on Standard Contractual Clauses.