Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Budbee is a Swedish last mile delivery and logistics company based in Stockholm, part of the Instabee group. Retailers integrate the Budbee delivery widget on their checkout page to expose home delivery and parcel locker options, and they share customer address and order details with Budbee to fulfil shipments. The widget sets cookies on the customer browser and loads scripts from Budbee servers, which triggers GDPR transparency obligations and may require prior consent for the optional tracking it performs.
Budbee is a Stockholm based last mile delivery and logistics provider founded in 2012 and now part of the Instabee group, which also operates Instabox. Budbee specialises in scheduled home delivery, evening delivery, returns and parcel locker drop offs in the Nordics, the Netherlands and Belgium. Retailers integrate Budbee by embedding a delivery widget on their checkout page and by exchanging order, address and tracking data through the Budbee API. The widget is widely used by fashion, beauty and electronics merchants targeting Nordic customers.
When the Budbee widget is loaded on a checkout page it sets a small number of first party and third party cookies on the customer browser to remember the chosen delivery method, link checkout sessions across page reloads and, optionally, measure widget engagement. On the server side Budbee receives the order ID, recipient name, delivery address, phone number, email, time slot preference and any special instruction provided by the customer. After delivery the platform also processes proof of delivery photos and recipient confirmations.
The cookies that are strictly necessary to remember the delivery method during checkout fall under Article 5(3) of the ePrivacy Directive and do not require consent. Any analytics or marketing cookies set by the widget go beyond strictly necessary and trigger the consent requirement under the ePrivacy implementations in each EU member state. The sharing of name, address, phone and email with Budbee is necessary to perform the delivery contract and therefore relies on Article 6(1)(b) GDPR, but transparency obligations under Articles 13 and 14 GDPR still apply.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The lawful basis for processing the recipient personal data needed to deliver the parcel is contract performance under Article 6(1)(b) GDPR. Fraud prevention measures, such as failed delivery scoring or address normalisation across orders, are based on legitimate interest under Article 6(1)(f) GDPR. Marketing analytics and behavioural cookies set by the Budbee widget rely on consent under Article 6(1)(a) GDPR. A data processing agreement under Article 28 GDPR with Budbee AB is required because Budbee acts as a processor on behalf of the merchant for the delivery service.
Budbee operates from Sweden and processes most data on AWS infrastructure in EU regions, primarily Stockholm and Frankfurt. Limited transfers to the United States can occur through AWS sub processors and through optional integrations such as Google Maps APIs and SMS gateways used to notify recipients. These transfers should rely on Standard Contractual Clauses and on the EU US Data Privacy Framework where applicable, and should be documented in the privacy notice alongside the recipient categories and retention durations.
Sign the Budbee data processing agreement, list Budbee AB as a sub processor in your privacy notice and document the EU hosting model. Classify the Budbee cookies between strictly necessary delivery cookies (always on) and optional analytics cookies (consent gated). Configure the widget to only collect the data fields strictly required for delivery, and clearly explain to the customer that their address, phone and email are shared with Budbee to fulfil the chosen delivery option.
Websites using Budbee must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not generally required for using Budbee as a parcel carrier integration, because the processing is limited to the data strictly necessary to deliver a parcel (name, address, phone, email, order reference). A DPIA becomes relevant when the operator combines the Budbee widget with extensive location tracking, repeat customer profiling or the optional marketing pixel from Budbee that can fire on the storefront and the success page.
Sample consent text
Our checkout uses the Budbee delivery widget by Budbee AB (Sweden) to let you choose between home delivery, evening delivery and parcel lockers. Strictly necessary cookies are used to remember your delivery choice; these do not need your consent. With your permission we also activate the optional Budbee analytics cookies that help us improve the delivery experience and may share aggregated data with Budbee.
Third-party domains contacted
budbee.comapi.budbee.comwidget.budbee.comcdn.budbee.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| budbee_session | third_party | Session | Session identifier set by the Budbee widget to map the checkout session to a Budbee server side session and remember the selected delivery option. |
| budbee_delivery | first_party | 30 days | Stores the chosen Budbee delivery option (home delivery, evening, locker) on the merchant domain so the choice survives page reloads and is preselected on the next visit. |
| budbee_geo | third_party | 30 days | Holds approximate visitor location used to determine which Budbee delivery options are available in the checkout. Considered functional and consent gated in some jurisdictions. |
| budbee_consent | first_party | 6 months | Stores the visitor consent state for Budbee analytics cookies so optional measurement only fires when the visitor has accepted the relevant CMP category. |
Budbee uses cookies for user preferences — inform visitors with a consent banner.
The Budbee checkout widget typically writes one or two first party cookies on the merchant domain to remember the chosen delivery option and ensure consistent rendering across page reloads, plus one third party cookie on the Budbee domain to map the checkout session to a Budbee server side session. Optional analytics cookies set by the widget are non strictly necessary and require consent.
The strictly necessary cookies that store the chosen delivery option fall under the ePrivacy Article 5(3) exemption and do not require consent. Optional analytics cookies and any pixel that Budbee may load for marketing measurement do require consent. The transfer of name, address, phone and email to Budbee for fulfilling the delivery does not require consent because it relies on contract performance.
For the data needed to deliver a parcel (name, address, phone, email, order reference, optional special instructions) the legal basis is contract performance under Article 6(1)(b) GDPR. For fraud prevention and operational analytics (delivery success rate, average delay) Budbee usually relies on legitimate interest under Article 6(1)(f) GDPR. For marketing analytics cookies set by the widget, the basis is consent under Article 6(1)(a) GDPR.
Budbee processes most data on AWS in EU regions (Stockholm and Frankfurt) which keeps the bulk of personal data inside the EEA. Some sub processors used for SMS notifications, mapping (Google Maps APIs) and customer support can involve US controllers, in which case transfers rely on Standard Contractual Clauses and on the EU US Data Privacy Framework. These transfers should be disclosed in the operator privacy notice.
A DPIA is not generally required when Budbee is used as a parcel carrier integration, because the data processed is limited to what is needed to deliver an order. A DPIA becomes relevant when the operator combines Budbee with continuous location tracking, profile based marketing or large scale delivery analytics that go beyond the carrier role, in which case Article 35 GDPR triggers should be assessed.
Sign the Budbee data processing agreement, list Budbee AB as a sub processor in your privacy notice, and document the EU hosting model. Block any analytics or marketing cookies set by the widget behind your CMP. Limit the address book fields sent to Budbee to those strictly required for delivery, and configure retention to delete recipient data shortly after delivery and any returns window.
For European last mile delivery integrations, alternatives include Instabox (also Instabee), PostNord, Bring, DHL Parcel, DPD, Colissimo, Mondial Relay and Sendcloud as a multi carrier orchestration platform. From a GDPR perspective they all process broadly similar data, so the comparison focuses on coverage, price and service level rather than on a fundamentally different risk profile.
Add a checkout integration section to your cookie policy describing the Budbee cookies (name, duration, purpose) and noting that the cookie remembering the delivery method is strictly necessary. Add Budbee AB to the list of recipients in your privacy notice, describe the categories of data shared (recipient identity, address, contact, order reference) and document any onward transfer triggered by AWS sub processors or SMS providers.