Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Blaze (BLAZE Solutions Inc., USA) is a B2B ecommerce and point of sale platform purpose built for cannabis retailers, providing online ordering, inventory, compliance and payment workflows.
BLAZE is a web technology service that delivers embedded modules, tracking and partner integrations to host websites. It is deployed via an asynchronous JavaScript snippet that fetches configuration from the BLAZE API, renders interactive components and reports usage events back to the BLAZE backend. Typical use cases include in page widgets, behavioural triggers, on site personalisation and downstream integrations with marketing and analytics platforms.
The BLAZE snippet writes first party cookies for visitor identification, session correlation and consent state. It also sends event payloads containing the visitor IP, user agent, referrer, page URL, custom attributes and interaction events to the BLAZE backend. Personal data may flow back to BLAZE before reaching the destination integrations, which makes BLAZE a processor of personal data for the website operator.
Under Article 5(3) of the ePrivacy Directive, the BLAZE script cannot be loaded before consent because it sets non strictly necessary cookies. Under the GDPR the website operator is controller and the BLAZE provider is processor, with a Data Processing Agreement under Article 28 required, plus a sub processor list and retention rules.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
BLAZE infrastructure is based in the United States, with assets delivered through global CDN edge nodes. Transfers must be covered by Standard Contractual Clauses under Article 46(2)(c) GDPR and may rely on the EU US Data Privacy Framework where the relevant entity is certified. A transfer impact assessment is recommended.
Block the BLAZE snippet by default in your CMP and load it only after explicit consent, sign the BLAZE DPA, list CDN and infrastructure sub processors, document retention rules, separate strictly necessary from optional behaviour and offer a clear way for visitors to access, rectify, erase their data or withdraw consent.
Websites using Blaze must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under Art. 35 GDPR is strongly recommended whenever Blaze is used for an EU facing storefront because of the systematic processing of shopper data, sensitive purchase patterns related to cannabis, age verification, payment data, transfers to the United States and integration with multiple third party providers (Stripe, analytics, marketing). The DPIA must assess proportionality, the necessity of US transfers, data minimisation and retention.
Sample consent text
Our online store is powered by Blaze (BLAZE Solutions Inc., United States). With your consent, Blaze and its sub processors set analytics and marketing cookies, process your order and payment details and transfer your personal data to the United States under the EU US Data Privacy Framework and Standard Contractual Clauses. Click Accept to continue.
Third-party domains contacted
blaze.comapp.blaze.meapi.blaze.mecdn.blaze.comevents.blaze.comblaze.meapi.blaze.comcdn.blaze.mejs.stripe.comwww.google-analytics.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| blaze_session | first_party | session | Session token used by Blaze to authenticate dispensary staff and shoppers across requests to app.blaze.me. |
| blaze_visitor | HTTP | 13 months | Persistent BLAZE visitor identifier used to recognise returning users across sessions. |
| blaze_visitor | first_party | 1 year | Persistent visitor identifier used to recognize returning shoppers, link orders and feed analytics. |
| blaze_session | HTTP | 30 minutes | BLAZE session identifier used to correlate events within a single browsing session. |
| _blaze_cart | first_party | 30 days | Stores cart contents so a shopper can resume an order across visits. |
| blaze_consent | HTTP | 6 months | Stores the consent state for BLAZE to suppress repeated banners. |
| blaze_variant | HTTP | 30 days | Stores the personalisation or A/B test variant assigned to the visitor. |
| blaze_age_verified | first_party | 30 days | Records that the user has completed age verification, required for cannabis ecommerce. |
| _ga | third_party | 2 years | Google Analytics 4 cookie commonly loaded with Blaze storefronts to measure traffic and conversions. |
| __stripe_mid | third_party | 1 year | Stripe fraud prevention identifier loaded during checkout to assess payment risk. |
| __stripe_sid | third_party | 30 minutes | Stripe session identifier used during the checkout flow for fraud detection. |
| ajs_anonymous_id | third_party | 1 year | Segment anonymous user identifier used when Blaze stores forward events to Segment for analytics and marketing. |
Blaze uses cookies for user preferences — inform visitors with a consent banner.
Blaze sets first party session, authentication and cart cookies on its domain (blaze_session, blaze_visitor, _blaze_cart) and typically loads third party cookies via Google Analytics, tag managers and Stripe for payment fraud prevention.
Yes. Beyond strictly necessary session cookies, Blaze relies on analytics, marketing and third party scripts that fall under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR. Prior consent through a CMP is required before non strictly necessary scripts load.
Art. 6(1)(b) GDPR for cart and order management, Art. 6(1)(c) GDPR for age verification and tax records, Art. 6(1)(a) GDPR for analytics and marketing cookies, Art. 6(1)(f) GDPR for fraud prevention. Cannabis specific data may trigger Art. 9 GDPR safeguards.
Yes. Blaze is a US headquartered SaaS vendor hosted on AWS in US regions. EU operators must use SCCs (and the EU US DPF where Blaze is certified), perform a Transfer Impact Assessment and consider additional safeguards.
Yes. The combination of large scale shopper tracking, payments, age verification, potentially sensitive purchase data and US transfers triggers Art. 35 GDPR. A DPIA is strongly recommended.
Block analytics and marketing scripts until consent is collected via a CMP, sign the Blaze DPA with SCCs, document the TIA, ensure PCI DSS through Stripe, limit data sent to Blaze, set short retention for browsing and cart data and audit local cannabis regulations.
For EU facing ecommerce, alternatives include Shopify (with EU regions where available), PrestaShop, Sylius and WooCommerce. None of them currently match Blaze's deep cannabis specific compliance features but they may offer better data protection posture for EU operators.
Document Blaze and its sub processors (Stripe, Google Analytics, support tools) with cookie names, durations, purposes and the US transfer basis (SCCs, EU US DPF where applicable). Update at least annually and after any change to the Blaze integration.